587 files changed, 0 insertions, 136713 deletions

diff --git a/security/nss/cmd/.cvsignore b/security/nss/cmd/.cvsignore
deleted file mode 100644
index 6329db22e..000000000
--- a/security/nss/cmd/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-.gdbinit
diff --git a/security/nss/cmd/Makefile b/security/nss/cmd/Makefile
deleted file mode 100644
index ed5819847..000000000
--- a/security/nss/cmd/Makefile
+++ /dev/null
@@ -1,61 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../..
-DEPTH = ../..
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-
-ifdef BUILD_LIBPKIX_TESTS
-DIRS += libpkix
-endif
-
-ifndef USE_SYSTEM_ZLIB
-ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
-endif
-
-INCLUDES += \
-	-I$(DIST)/../public/security \
-	-I./include \
-	$(NULL)
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-symbols::
-	@echo "TARGETS	= $(TARGETS)"
diff --git a/security/nss/cmd/addbuiltin/Makefile b/security/nss/cmd/addbuiltin/Makefile
deleted file mode 100644
index fe7991878..000000000
--- a/security/nss/cmd/addbuiltin/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c
deleted file mode 100644
index 8bb99547c..000000000
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ /dev/null
@@ -1,391 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Tool for converting builtin CA certs.
- *
- * $Id$
- */
-
-#include "nssrenam.h"
-#include "nss.h"
-#include "cert.h"
-#include "certdb.h"
-#include "secutil.h"
-#include "pk11func.h"
-
-#if defined(WIN32)
-#include <fcntl.h>
-#include <io.h>
-#endif
-
-void dumpbytes(unsigned char *buf, int len)
-{
-    int i;
-    for (i=0; i < len; i++) {
-	if ((i !=0) && ((i & 0xf) == 0)) {
-	    printf("\n");
-	}
-	printf("\\%03o",buf[i]);
-    }
-    printf("\n");
-}
-
-char *getTrustString(unsigned int trust)
-{
-    if (trust & CERTDB_TRUSTED) {
-	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
-	} else {
-		return "CKT_NETSCAPE_TRUSTED";
-	}
-    } else {
-	if (trust & CERTDB_TRUSTED_CA) {
-		return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
-	} else if (trust & CERTDB_VALID_CA) {
-		return "CKT_NETSCAPE_VALID_DELEGATOR";
-	} else {
-		return "CKT_NETSCAPE_TRUST_UNKNOWN";
-	}
-    }
-    return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
-}
-
-static const SEC_ASN1Template serialTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(CERTCertificate,serialNumber) },
-    { 0 }
-};
-
-static SECStatus
-ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
-{
-    SECStatus rv = SECSuccess;
-    CERTCertificate *cert;
-    unsigned char sha1_hash[SHA1_LENGTH];
-    unsigned char md5_hash[MD5_LENGTH];
-    SECItem *serial = NULL;
-
-    cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
-    if (!cert) {
-	return SECFailure;
-    }
-    serial = SEC_ASN1EncodeItem(NULL,NULL,cert,serialTemplate);
-    if (!serial) {
-	return SECFailure;
-    }
-
-    printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
-    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
-    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
-    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
-    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
-    printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
-    printf("CKA_SUBJECT MULTILINE_OCTAL\n");
-    dumpbytes(cert->derSubject.data,cert->derSubject.len);
-    printf("END\n");
-    printf("CKA_ID UTF8 \"0\"\n");
-    printf("CKA_ISSUER MULTILINE_OCTAL\n");
-    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
-    printf("END\n");
-    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
-    dumpbytes(serial->data,serial->len);
-    printf("END\n");
-    printf("CKA_VALUE MULTILINE_OCTAL\n");
-    dumpbytes(sdder->data,sdder->len);
-    printf("END\n");
-
-    PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
-    PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
-    printf("\n# Trust for Certificate \"%s\"\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
-    printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
-    printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
-    printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
-    printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
-    printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
-    dumpbytes(sha1_hash,SHA1_LENGTH);
-    printf("END\n");
-    printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
-    dumpbytes(md5_hash,MD5_LENGTH);
-    printf("END\n");
-
-    printf("CKA_ISSUER MULTILINE_OCTAL\n");
-    dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
-    printf("END\n");
-    printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
-    dumpbytes(serial->data,serial->len);
-    printf("END\n");
-    
-    printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
-				 getTrustString(trust->sslFlags));
-    printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
-				 getTrustString(trust->emailFlags));
-    printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
-				 getTrustString(trust->objectSigningFlags));
-#ifdef notdef
-    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
-    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-#endif
-    printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
-                trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
-                "CK_TRUE" : "CK_FALSE");
-
-
-    PORT_Free(sdder->data);
-    return(rv);
-
-}
-
-void printheader() {
-    printf("# \n"
-"# ***** BEGIN LICENSE BLOCK *****\n"
-"# Version: MPL 1.1/GPL 2.0/LGPL 2.1\n"
-"#\n"
-"# The contents of this file are subject to the Mozilla Public License Version\n"
-"# 1.1 (the \"License\"); you may not use this file except in compliance with\n"
-"# the License. You may obtain a copy of the License at\n"
-"# http://www.mozilla.org/MPL/\n"
-"#\n"
-"# Software distributed under the License is distributed on an \"AS IS\" basis,\n"
-"# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License\n"
-"# for the specific language governing rights and limitations under the\n"
-"# License.\n"
-"#\n"
-"# The Original Code is the Netscape security libraries..\n"
-"#\n"
-"# The Initial Developer of the Original Code is\n"
-"# Netscape Communications Corporation.\n"
-"# Portions created by the Initial Developer are Copyright (C) 1994-2000\n"
-"# the Initial Developer. All Rights Reserved.\n"
-"#\n"
-"# Contributor(s):\n"
-"#\n"
-"# Alternatively, the contents of this file may be used under the terms of\n"
-"# either the GNU General Public License Version 2 or later (the \"GPL\"), or\n"
-"# the GNU Lesser General Public License Version 2.1 or later (the \"LGPL\"),\n"
-"# in which case the provisions of the GPL or the LGPL are applicable instead\n"
-"# of those above. If you wish to allow use of your version of this file only\n"
-"# under the terms of either the GPL or the LGPL, and not to allow others to\n"
-"# use your version of this file under the terms of the MPL, indicate your\n"
-"# decision by deleting the provisions above and replace them with the notice\n"
-"# and other provisions required by the GPL or the LGPL. If you do not delete\n"
-"# the provisions above, a recipient may use your version of this file under\n"
-"# the terms of any one of the MPL, the GPL or the LGPL.\n"
-"#\n"
-"# ***** END LICENSE BLOCK *****\n"
-     "#\n"
-     "CVS_ID \"@(#) $RCSfile$ $Revision$ $Date$\"\n"
-     "\n"
-     "#\n"
-     "# certdata.txt\n"
-     "#\n"
-     "# This file contains the object definitions for the certs and other\n"
-     "# information \"built into\" NSS.\n"
-     "#\n"
-     "# Object definitions:\n"
-     "#\n"
-     "#    Certificates\n"
-     "#\n"
-     "#  -- Attribute --          -- type --              -- value --\n"
-     "#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE\n"
-     "#  CKA_TOKEN                CK_BBOOL                CK_TRUE\n"
-     "#  CKA_PRIVATE              CK_BBOOL                CK_FALSE\n"
-     "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
-     "#  CKA_LABEL                UTF8                    (varies)\n"
-     "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
-     "#  CKA_SUBJECT              DER+base64              (varies)\n"
-     "#  CKA_ID                   byte array              (varies)\n"
-     "#  CKA_ISSUER               DER+base64              (varies)\n"
-     "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
-     "#  CKA_VALUE                DER+base64              (varies)\n"
-     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
-     "#\n"
-     "#    Trust\n"
-     "#\n"
-     "#  -- Attribute --              -- type --          -- value --\n"
-     "#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST\n"
-     "#  CKA_TOKEN                    CK_BBOOL            CK_TRUE\n"
-     "#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE\n"
-     "#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE\n"
-     "#  CKA_LABEL                    UTF8                (varies)\n"
-     "#  CKA_ISSUER                   DER+base64          (varies)\n"
-     "#  CKA_SERIAL_NUMBER            DER+base64          (varies)\n"
-     "#  CKA_CERT_HASH                binary+base64       (varies)\n"
-     "#  CKA_EXPIRES                  CK_DATE             (not used here)\n"
-     "#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)\n"
-     "#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)\n"
-     "#  (other trust attributes can be defined)\n"
-     "#\n"
-     "\n"
-     "#\n"
-     "# The object to tell NSS that this is a root list and we don't\n"
-     "# have to go looking for others.\n"
-     "#\n"
-     "BEGINDATA\n"
-     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
-     "CKA_TOKEN CK_BBOOL CK_TRUE\n"
-     "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
-     "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
-     "CKA_LABEL UTF8 \"Mozilla Builtin Roots\"\n");
-}
-
-static void Usage(char *progName)
-{
-    fprintf(stderr, "%s -n nickname -t trust [-i certfile]\n", progName);
-    fprintf(stderr, 
-            "\tRead a der-encoded cert from certfile or stdin, and output\n"
-            "\tit to stdout in a format suitable for the builtin root module.\n"
-            "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n"
-            "\t(pipe through atob if the cert is b64-encoded)\n", progName);
-    fprintf(stderr, "%-15s nickname to assign to builtin cert.\n", 
-                    "-n nickname");
-    fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
-    fprintf(stderr, "%-15s file to read (default stdin)\n", "-i certfile");
-    exit(-1);
-}
-
-enum {
-    opt_Input = 0,
-    opt_Nickname,
-    opt_Trust
-};
-
-static secuCommandFlag addbuiltin_options[] =
-{
-	{ /* opt_Input         */  'i', PR_TRUE, 0, PR_FALSE },
-	{ /* opt_Nickname      */  'n', PR_TRUE, 0, PR_FALSE },
-	{ /* opt_Trust         */  't', PR_TRUE, 0, PR_FALSE }
-};
-
-int main(int argc, char **argv)
-{
-    SECStatus rv;
-    char *nickname;
-    char *trusts;
-    char *progName;
-    PRFileDesc *infile;
-    CERTCertTrust trust = { 0 };
-    SECItem derCert = { 0 };
-
-    secuCommand addbuiltin = { 0 };
-    addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
-    addbuiltin.options = addbuiltin_options;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
-
-    if (rv != SECSuccess)
-	Usage(progName);
-
-    if (!addbuiltin.options[opt_Nickname].activated &&
-        !addbuiltin.options[opt_Trust].activated) {
-	fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
-		progName);
-	Usage(progName);
-    }
-
-    if (addbuiltin.options[opt_Input].activated) {
-	infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
-	if (!infile) {
-	    fprintf(stderr, "%s: failed to open input file.\n", progName);
-	    exit(1);
-	}
-    } else {
-#if defined(WIN32)
-	/* If we're going to read binary data from stdin, we must put stdin
-	** into O_BINARY mode or else incoming \r\n's will become \n's,
-	** and latin-1 characters will be altered.
-	*/
-
-	int smrv = _setmode(_fileno(stdin), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
-	            progName);
-	    exit(1);
-	}
-#endif
-	infile = PR_STDIN;
-    }
-
-    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
-    trusts = strdup(addbuiltin.options[opt_Trust].arg);
-
-    NSS_NoDB_Init(NULL);
-
-    rv = CERT_DecodeTrustString(&trust, trusts);
-    if (rv) {
-	fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
-	Usage(progName);
-    }
-
-    SECU_FileToItem(&derCert, infile);
-    
-    /*printheader();*/
-
-    rv = ConvertCertificate(&derCert, nickname, &trust);
-    if (rv) {
-	fprintf(stderr, "%s: failed to convert certificate.\n", progName);
-	exit(1);
-    }
-    
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    return(SECSuccess);
-}
diff --git a/security/nss/cmd/addbuiltin/manifest.mn b/security/nss/cmd/addbuiltin/manifest.mn
deleted file mode 100644
index 0729834a7..000000000
--- a/security/nss/cmd/addbuiltin/manifest.mn
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = \
-	addbuiltin.c \
-	$(NULL)
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd
-
-PROGRAM = addbuiltin
-
diff --git a/security/nss/cmd/atob/Makefile b/security/nss/cmd/atob/Makefile
deleted file mode 100644
index 61e2cb359..000000000
--- a/security/nss/cmd/atob/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/atob/atob.c b/security/nss/cmd/atob/atob.c
deleted file mode 100644
index e5fad05ec..000000000
--- a/security/nss/cmd/atob/atob.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plgetopt.h"
-#include "secutil.h"
-#include "nssb64.h"
-#include <errno.h>
-
-#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
-#if !defined(WIN32)
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-#endif
-
-#if defined(WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-static PRInt32 
-output_binary (void *arg, const unsigned char *obuf, PRInt32 size)
-{
-    FILE *outFile = arg;
-    int nb;
-
-    nb = fwrite(obuf, 1, size, outFile);
-    if (nb != size) {
-	PORT_SetError(SEC_ERROR_IO);
-	return -1;
-    }
-
-    return nb;
-}
-
-static SECStatus
-decode_file(FILE *outFile, FILE *inFile)
-{
-    NSSBase64Decoder *cx;
-    int nb;
-    SECStatus status = SECFailure;
-    char ibuf[4096];
-
-    cx = NSSBase64Decoder_Create(output_binary, outFile);
-    if (!cx) {
-	return -1;
-    }
-
-    for (;;) {
-	if (feof(inFile)) break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb != sizeof(ibuf)) {
-	    if (nb == 0) {
-		if (ferror(inFile)) {
-		    PORT_SetError(SEC_ERROR_IO);
-		    goto loser;
-		}
-		/* eof */
-		break;
-	    }
-	}
-
-	status = NSSBase64Decoder_Update(cx, ibuf, nb);
-	if (status != SECSuccess) goto loser;
-    }
-
-    return NSSBase64Decoder_Destroy(cx, PR_FALSE);
-
-  loser:
-    (void) NSSBase64Decoder_Destroy(cx, PR_TRUE);
-    return status;
-}
-
-static void Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage: %s [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-int main(int argc, char **argv)
-{
-    char *progName;
-    SECStatus rv;
-    FILE *inFile, *outFile;
-    PLOptState *optstate;
-    PLOptStatus status;
-
-    inFile = 0;
-    outFile = 0;
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    /* Parse command line arguments */
-    optstate = PL_CreateOptState(argc, argv, "i:o:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'i':
-	    inFile = fopen(optstate->value, "r");
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "wb");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-	}
-    }
-    if (!inFile) inFile = stdin;
-    if (!outFile) {
-#if defined(WIN32)
-	int smrv = _setmode(_fileno(stdout), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
-	            progName);
-	    return smrv;
-	}
-#endif
-    	outFile = stdout;
-    }
-    rv = decode_file(outFile, inFile);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
-		progName, PORT_GetError(), errno);
-	return -1;
-    }
-    return 0;
-}
diff --git a/security/nss/cmd/atob/manifest.mn b/security/nss/cmd/atob/manifest.mn
deleted file mode 100644
index 363cad192..000000000
--- a/security/nss/cmd/atob/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = atob.c
-
-PROGRAM	= atob
-
diff --git a/security/nss/cmd/bltest/Makefile b/security/nss/cmd/bltest/Makefile
deleted file mode 100644
index 115886cd7..000000000
--- a/security/nss/cmd/bltest/Makefile
+++ /dev/null
@@ -1,86 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-#MKPROG = purify -cache-dir=/u/mcgreer/pcache -best-effort \
-#	-always-use-cache-dir $(CC)
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#EXTRA_SHARED_LIBS += \
-#	-L/usr/lib \
-#	-lposix4 \
-#	$(NULL)
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c
deleted file mode 100644
index 051ea7c43..000000000
--- a/security/nss/cmd/bltest/blapitest.c
+++ /dev/null
@@ -1,3745 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "blapi.h"
-#include "secrng.h"
-#include "prmem.h"
-#include "prprf.h"
-#include "prtime.h"
-#include "prsystem.h"
-#include "plstr.h"
-#include "nssb64.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "softoken.h"
-#include "nspr.h"
-#include "nss.h"
-#include "secoid.h"
-
-#ifdef NSS_ENABLE_ECC
-#include "ecl-curve.h"
-SECStatus EC_DecodeParams(const SECItem *encodedParams, 
-	ECParams **ecparams);
-SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
-	      const ECParams *srcParams);
-#endif
-
-/* Temporary - add debugging ouput on windows for RSA to track QA failure */
-#ifdef _WIN32
-#define TRACK_BLTEST_BUG
-    char __bltDBG[] = "BLTEST DEBUG";
-#endif
-
-char *progName;
-char *testdir = NULL;
-
-#define BLTEST_DEFAULT_CHUNKSIZE 4096
-
-#define WORDSIZE sizeof(unsigned long)
-
-#define CHECKERROR(rv, ln) \
-    if (rv) { \
-	PRErrorCode prerror = PR_GetError(); \
-	PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
-                   prerror, SECU_Strerror(prerror), ln); \
-	exit(-1); \
-    }
-
-/* Macros for performance timing. */
-#define TIMESTART() \
-    time1 = PR_IntervalNow();
-
-#define TIMEFINISH(time, reps) \
-    time2 = (PRIntervalTime)(PR_IntervalNow() - time1); \
-    time1 = PR_IntervalToMilliseconds(time2); \
-    time = ((double)(time1))/reps;
-
-#define TIMEMARK(seconds) \
-    time1 = PR_SecondsToInterval(seconds); \
-    { \
-        PRInt64 tmp, L100; \
-        LL_I2L(L100, 100); \
-        if (time2 == 0) { \
-            time2 = 1; \
-        } \
-        LL_DIV(tmp, time1, time2); \
-        if (tmp < 10) { \
-            if (tmp == 0) { \
-                opsBetweenChecks = 1; \
-            } else { \
-                LL_L2I(opsBetweenChecks, tmp); \
-            } \
-        } else { \
-            opsBetweenChecks = 10; \
-        } \
-    } \
-    time2 = time1; \
-    time1 = PR_IntervalNow();
-
-#define TIMETOFINISH() \
-    PR_IntervalNow() - time1 >= time2
-
-static void Usage()
-{
-#define PRINTUSAGE(subject, option, predicate) \
-    fprintf(stderr, "%10s %s\t%s\n", subject, option, predicate);
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "[-DEHSV]", "List available cipher modes"); /* XXX */
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-E -m mode ", "Encrypt a buffer");
-    PRINTUSAGE("",	"", "[-i plaintext] [-o ciphertext] [-k key] [-v iv]");
-    PRINTUSAGE("",	"", "[-b bufsize] [-g keysize] [-e exp] [-r rounds]");
-    PRINTUSAGE("",	"", "[-w wordsize] [-p repetitions | -5 time_interval]");
-    PRINTUSAGE("",	"", "[-4 th_num]");
-    PRINTUSAGE("",	"-m", "cipher mode to use");
-    PRINTUSAGE("",	"-i", "file which contains input buffer");
-    PRINTUSAGE("",	"-o", "file for output buffer");
-    PRINTUSAGE("",	"-k", "file which contains key");
-    PRINTUSAGE("",	"-v", "file which contains initialization vector");
-    PRINTUSAGE("",	"-b", "size of input buffer");
-    PRINTUSAGE("",	"-g", "key size (in bytes)");
-    PRINTUSAGE("",	"-p", "do performance test");
-    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
-    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
-    PRINTUSAGE("(rsa)", "-e", "rsa public exponent");
-    PRINTUSAGE("(rc5)", "-r", "number of rounds");
-    PRINTUSAGE("(rc5)", "-w", "wordsize (32 or 64)");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-D -m mode", "Decrypt a buffer");
-    PRINTUSAGE("",	"", "[-i plaintext] [-o ciphertext] [-k key] [-v iv]");
-    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
-    PRINTUSAGE("",	"-m", "cipher mode to use");
-    PRINTUSAGE("",	"-i", "file which contains input buffer");
-    PRINTUSAGE("",	"-o", "file for output buffer");
-    PRINTUSAGE("",	"-k", "file which contains key");
-    PRINTUSAGE("",	"-v", "file which contains initialization vector");
-    PRINTUSAGE("",	"-p", "do performance test");
-    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
-    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-H -m mode", "Hash a buffer");
-    PRINTUSAGE("",	"", "[-i plaintext] [-o hash]");
-    PRINTUSAGE("",	"", "[-b bufsize]");
-    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
-    PRINTUSAGE("",	"-m", "cipher mode to use");
-    PRINTUSAGE("",	"-i", "file which contains input buffer");
-    PRINTUSAGE("",	"-o", "file for hash");
-    PRINTUSAGE("",	"-b", "size of input buffer");
-    PRINTUSAGE("",	"-p", "do performance test");
-    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
-    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
-    PRINTUSAGE("",	"", "[-i plaintext] [-o signature] [-k key]");
-    PRINTUSAGE("",	"", "[-b bufsize]");
-#ifdef NSS_ENABLE_ECC
-    PRINTUSAGE("",	"", "[-n curvename]");
-#endif
-    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
-    PRINTUSAGE("",	"-m", "cipher mode to use");
-    PRINTUSAGE("",	"-i", "file which contains input buffer");
-    PRINTUSAGE("",	"-o", "file for signature");
-    PRINTUSAGE("",	"-k", "file which contains key");
-#ifdef NSS_ENABLE_ECC
-    PRINTUSAGE("",	"-n", "name of curve for EC key generation; one of:");
-    PRINTUSAGE("",  "",   "  sect163k1, nistk163, sect163r1, sect163r2,");
-    PRINTUSAGE("",  "",   "  nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
-    PRINTUSAGE("",  "",   "  sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
-    PRINTUSAGE("",  "",   "  sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
-    PRINTUSAGE("",  "",   "  nistb409, sect571k1, nistk571, sect571r1, nistb571,");
-    PRINTUSAGE("",  "",   "  secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
-    PRINTUSAGE("",  "",   "  nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
-    PRINTUSAGE("",  "",   "  secp256r1, nistp256, secp384r1, nistp384, secp521r1,");
-    PRINTUSAGE("",  "",   "  nistp521, prime192v1, prime192v2, prime192v3,");
-    PRINTUSAGE("",  "",   "  prime239v1, prime239v2, prime239v3, c2pnb163v1,");
-    PRINTUSAGE("",  "",   "  c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,");
-    PRINTUSAGE("",  "",   "  c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5,");
-    PRINTUSAGE("",  "",   "  c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,");
-    PRINTUSAGE("",  "",   "  c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1,");
-    PRINTUSAGE("",  "",   "  c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,");
-    PRINTUSAGE("",  "",   "  secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,");
-    PRINTUSAGE("",  "",   "  sect131r1, sect131r2");
-#endif
-    PRINTUSAGE("",	"-p", "do performance test");
-    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
-    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-V -m mode", "Verify a signed buffer");
-    PRINTUSAGE("",	"", "[-i plaintext] [-s signature] [-k key]");
-    PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
-    PRINTUSAGE("",	"-m", "cipher mode to use");
-    PRINTUSAGE("",	"-i", "file which contains input buffer");
-    PRINTUSAGE("",	"-s", "file which contains signature of input buffer");
-    PRINTUSAGE("",	"-k", "file which contains key");
-    PRINTUSAGE("",	"-p", "do performance test");
-    PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
-    PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-N -m mode -b bufsize", 
-                                            "Create a nonce plaintext and key");
-    PRINTUSAGE("",      "", "[-g keysize] [-u cxreps]");
-    PRINTUSAGE("",	"-g", "key size (in bytes)");
-    PRINTUSAGE("",      "-u", "number of repetitions of context creation");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-F", "Run the FIPS self-test");
-    fprintf(stderr, "\n");
-    PRINTUSAGE(progName, "-T [-m mode1,mode2...]", "Run the BLAPI self-test");
-    fprintf(stderr, "\n");
-    exit(1);
-}
-
-/*  Helper functions for ascii<-->binary conversion/reading/writing */
-
-/* XXX argh */
-struct item_with_arena {
-    SECItem	*item;
-    PRArenaPool *arena;
-};
-
-static PRInt32
-get_binary(void *arg, const unsigned char *ibuf, PRInt32 size)
-{
-    struct item_with_arena *it = arg;
-    SECItem *binary = it->item;
-    SECItem *tmp;
-    int index;
-    if (binary->data == NULL) {
-	tmp = SECITEM_AllocItem(it->arena, NULL, size);
-	binary->data = tmp->data;
-	binary->len = tmp->len;
-	index = 0;
-    } else {
-	SECITEM_ReallocItem(NULL, binary, binary->len, binary->len + size);
-	index = binary->len;
-    }
-    PORT_Memcpy(&binary->data[index], ibuf, size);
-    return binary->len;
-}
-
-static SECStatus
-atob(SECItem *ascii, SECItem *binary, PRArenaPool *arena)
-{
-    SECStatus status;
-    NSSBase64Decoder *cx;
-    struct item_with_arena it;
-    int len;
-    binary->data = NULL;
-    binary->len = 0;
-    it.item = binary;
-    it.arena = arena;
-    len = (strncmp(&ascii->data[ascii->len-2],"\r\n",2)) ? 
-           ascii->len : ascii->len-2;
-    cx = NSSBase64Decoder_Create(get_binary, &it);
-    status = NSSBase64Decoder_Update(cx, (const char *)ascii->data, len);
-    status = NSSBase64Decoder_Destroy(cx, PR_FALSE);
-    return status;
-}
-
-static PRInt32
-output_ascii(void *arg, const char *obuf, PRInt32 size)
-{
-    PRFileDesc *outfile = arg;
-    PRInt32 nb = PR_Write(outfile, obuf, size);
-    if (nb != size) {
-	PORT_SetError(SEC_ERROR_IO);
-	return -1;
-    }
-    return nb;
-}
-
-static SECStatus
-btoa_file(SECItem *binary, PRFileDesc *outfile)
-{
-    SECStatus status;
-    NSSBase64Encoder *cx;
-    SECItem ascii;
-    ascii.data = NULL;
-    ascii.len = 0;
-    if (binary->len == 0)
-	return SECSuccess;
-    cx = NSSBase64Encoder_Create(output_ascii, outfile);
-    status = NSSBase64Encoder_Update(cx, binary->data, binary->len);
-    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
-    status = PR_Write(outfile, "\r\n", 2);
-    return status;
-}
-
-SECStatus
-hex_from_2char(unsigned char *c2, unsigned char *byteval)
-{
-    int i;
-    unsigned char offset;
-    *byteval = 0;
-    for (i=0; i<2; i++) {
-	if (c2[i] >= '0' && c2[i] <= '9') {
-	    offset = c2[i] - '0';
-	    *byteval |= offset << 4*(1-i);
-	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
-	    offset = c2[i] - 'a';
-	    *byteval |= (offset + 10) << 4*(1-i);
-	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
-	    offset = c2[i] - 'A';
-	    *byteval |= (offset + 10) << 4*(1-i);
-	} else {
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-char2_from_hex(unsigned char byteval, unsigned char *c2)
-{
-    int i;
-    unsigned char offset;
-    for (i=0; i<2; i++) {
-	offset = (byteval >> 4*(1-i)) & 0x0f;
-	if (offset < 10) {
-	    c2[i] = '0' + offset;
-	} else {
-	    c2[i] = 'A' + offset - 10;
-	}
-    }
-    return SECSuccess;
-}
-
-void
-serialize_key(SECItem *it, int ni, PRFileDesc *file)
-{
-    unsigned char len[4];
-    int i;
-    SECStatus status;
-    NSSBase64Encoder *cx;
-    SECItem ascii;
-    ascii.data = NULL;
-    ascii.len = 0;
-    cx = NSSBase64Encoder_Create(output_ascii, file);
-    for (i=0; i<ni; i++, it++) {
-	len[0] = (it->len >> 24) & 0xff;
-	len[1] = (it->len >> 16) & 0xff;
-	len[2] = (it->len >>  8) & 0xff;
-	len[3] = (it->len	 & 0xff);
-	status = NSSBase64Encoder_Update(cx, len, 4);
-	status = NSSBase64Encoder_Update(cx, it->data, it->len);
-    }
-    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
-    status = PR_Write(file, "\r\n", 2);
-}
-
-void
-key_from_filedata(PRArenaPool *arena, SECItem *it, int ns, int ni, SECItem *filedata)
-{
-    int fpos = 0;
-    int i, len;
-    unsigned char *buf = filedata->data;
-    for (i=0; i<ni; i++) {
-	len  = (buf[fpos++] & 0xff) << 24;
-	len |= (buf[fpos++] & 0xff) << 16;
-	len |= (buf[fpos++] & 0xff) <<  8;
-	len |= (buf[fpos++] & 0xff);
-	if (ns <= i) {
-	    if (len > 0) {
-		it->len = len;
-		it->data = PORT_ArenaAlloc(arena, it->len);
-		PORT_Memcpy(it->data, &buf[fpos], it->len);
-	    } else {
-		it->len = 0;
-		it->data = NULL;
-	    }
-	    it++;
-	}
-	fpos += len;
-    }
-}
-
-static RSAPrivateKey *
-rsakey_from_filedata(SECItem *filedata)
-{
-    RSAPrivateKey *key;
-    PRArenaPool *arena;
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
-    key->arena = arena;
-    key_from_filedata(arena, &key->version, 0, 9, filedata);
-    return key;
-}
-
-static PQGParams *
-pqg_from_filedata(SECItem *filedata)
-{
-    PQGParams *pqg;
-    PRArenaPool *arena;
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    pqg = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
-    pqg->arena = arena;
-    key_from_filedata(arena, &pqg->prime, 0, 3, filedata);
-    return pqg;
-}
-
-static DSAPrivateKey *
-dsakey_from_filedata(SECItem *filedata)
-{
-    DSAPrivateKey *key;
-    PRArenaPool *arena;
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
-    key->params.arena = arena;
-    key_from_filedata(arena, &key->params.prime, 0, 5, filedata);
-    return key;
-}
-
-#ifdef NSS_ENABLE_ECC
-static ECPrivateKey *
-eckey_from_filedata(SECItem *filedata)
-{
-    ECPrivateKey *key;
-    PRArenaPool *arena;
-    SECStatus rv;
-    ECParams *tmpECParams = NULL;
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
-    /* read and convert params */
-    key->ecParams.arena = arena;
-    key_from_filedata(arena, &key->ecParams.DEREncoding, 0, 1, filedata);
-    rv = SECOID_Init();
-    CHECKERROR(rv, __LINE__);
-    rv = EC_DecodeParams(&key->ecParams.DEREncoding, &tmpECParams);
-    CHECKERROR(rv, __LINE__);
-    rv = EC_CopyParams(key->ecParams.arena, &key->ecParams, tmpECParams);
-    CHECKERROR(rv, __LINE__);
-    rv = SECOID_Shutdown();
-    CHECKERROR(rv, __LINE__);
-    PORT_FreeArena(tmpECParams->arena, PR_TRUE);
-    /* read key */
-    key_from_filedata(arena, &key->publicValue, 1, 3, filedata);
-    return key;
-}
-
-typedef struct curveNameTagPairStr {
-    char *curveName;
-    SECOidTag curveOidTag;
-} CurveNameTagPair;
-
-#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
-/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
-
-static CurveNameTagPair nameTagPair[] =
-{ 
-  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
-  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
-  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
-  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
-  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
-  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
-  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
-  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
-  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
-  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
-  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
-  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
-  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
-  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
-  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
-  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
-  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
-  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
-  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
-  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
-  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
-  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
-  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
-  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
-  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
-  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
-  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
-  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
-  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
-  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
-  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
-  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
-  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
-  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
-  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
-  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
-  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
-  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
-  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
-  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
-
-  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
-  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
-  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
-  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
-  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
-  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
-
-  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
-  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
-  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
-  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
-  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
-  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
-  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
-  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
-  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
-  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
-  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
-  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
-  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
-  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
-  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
-  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
-  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
-  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
-  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
-  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
-
-  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
-  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
-  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
-  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
-
-  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
-  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
-  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
-  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
-};
-
-static SECKEYECParams * 
-getECParams(const char *curve)
-{
-    SECKEYECParams *ecparams;
-    SECOidData *oidData = NULL;
-    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
-    int i, numCurves;
-
-    if (curve != NULL) {
-        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
-	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
-	     i++) {
-	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
-	        curveOidTag = nameTagPair[i].curveOidTag;
-	}
-    }
-
-    /* Return NULL if curve name is not recognized */
-    if ((curveOidTag == SEC_OID_UNKNOWN) || 
-	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
-        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
-	return NULL;
-    }
-
-    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
-
-    /* 
-     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
-     * oidData->oid.data so we simply prepend 0x06 and OID length
-     */
-    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
-    ecparams->data[1] = oidData->oid.len;
-    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
-
-    return ecparams;
-}
-#endif /* NSS_ENABLE_ECC */
-
-static void
-dump_pqg(PQGParams *pqg)
-{
-    SECU_PrintInteger(stdout, &pqg->prime, "PRIME:", 0);
-    SECU_PrintInteger(stdout, &pqg->subPrime, "SUBPRIME:", 0);
-    SECU_PrintInteger(stdout, &pqg->base, "BASE:", 0);
-}
-
-static void
-dump_dsakey(DSAPrivateKey *key)
-{
-    dump_pqg(&key->params);
-    SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
-    SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
-}
-
-#ifdef NSS_ENABLE_ECC
-static void
-dump_ecp(ECParams *ecp)
-{
-    /* TODO other fields */
-    SECU_PrintInteger(stdout, &ecp->base, "BASE POINT:", 0);
-}
-
-static void
-dump_eckey(ECPrivateKey *key)
-{
-    dump_ecp(&key->ecParams);
-    SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
-    SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
-}
-#endif
-
-static void
-dump_rsakey(RSAPrivateKey *key)
-{
-    SECU_PrintInteger(stdout, &key->version, "VERSION:", 0);
-    SECU_PrintInteger(stdout, &key->modulus, "MODULUS:", 0);
-    SECU_PrintInteger(stdout, &key->publicExponent, "PUBLIC EXP:", 0);
-    SECU_PrintInteger(stdout, &key->privateExponent, "PRIVATE EXP:", 0);
-    SECU_PrintInteger(stdout, &key->prime1, "CRT PRIME 1:", 0);
-    SECU_PrintInteger(stdout, &key->prime2, "CRT PRIME 2:", 0);
-    SECU_PrintInteger(stdout, &key->exponent1, "CRT EXP 1:", 0);
-    SECU_PrintInteger(stdout, &key->exponent2, "CRT EXP 2:", 0);
-    SECU_PrintInteger(stdout, &key->coefficient, "CRT COEFFICIENT:", 0);
-}
-
-typedef enum {
-    bltestBase64Encoded,       /* Base64 encoded ASCII */
-    bltestBinary,	       /* straight binary */
-    bltestHexSpaceDelim,       /* 0x12 0x34 0xab 0xCD ... */
-    bltestHexStream 	       /* 1234abCD ... */
-} bltestIOMode;
-
-typedef struct
-{
-    SECItem	   buf;
-    SECItem	   pBuf;
-    bltestIOMode   mode;
-    PRFileDesc*	   file;
-} bltestIO;
-
-typedef SECStatus (* bltestSymmCipherFn)(void *cx,
-					 unsigned char *output,
-					 unsigned int *outputLen,
-					 unsigned int maxOutputLen,
-					 const unsigned char *input,
-					 unsigned int inputLen);
-
-typedef SECStatus (* bltestPubKeyCipherFn)(void *key,
-					   SECItem *output,
-					   const SECItem *input);
-
-typedef SECStatus (* bltestHashCipherFn)(unsigned char *dest,
-					 const unsigned char *src,
-					 uint32 src_length);
-
-typedef enum {
-    bltestINVALID = -1,
-    bltestDES_ECB,	  /* Symmetric Key Ciphers */
-    bltestDES_CBC,	  /* .			   */
-    bltestDES_EDE_ECB,	  /* .			   */
-    bltestDES_EDE_CBC,	  /* .			   */
-    bltestRC2_ECB,	  /* .			   */
-    bltestRC2_CBC,	  /* .			   */
-    bltestRC4,		  /* .			   */
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    bltestRC5_ECB,	  /* .			   */
-    bltestRC5_CBC,	  /* .			   */
-#endif
-    bltestAES_ECB,        /* .                     */
-    bltestAES_CBC,        /* .                     */
-    bltestCAMELLIA_ECB,   /* .                     */
-    bltestCAMELLIA_CBC,   /* .                     */
-    bltestSEED_ECB,       /* SEED algorithm	   */
-    bltestSEED_CBC,       /* SEED algorithm	   */
-    bltestRSA,		  /* Public Key Ciphers	   */
-#ifdef NSS_ENABLE_ECC
-    bltestECDSA,	  /* . (Public Key Sig.)   */
-#endif
-    bltestDSA,		  /* .                     */
-    bltestMD2,		  /* Hash algorithms	   */
-    bltestMD5,		  /* .			   */
-    bltestSHA1,           /* .			   */
-    bltestSHA256,         /* .			   */
-    bltestSHA384,         /* .			   */
-    bltestSHA512,         /* .			   */
-    NUMMODES
-} bltestCipherMode;
-
-static char *mode_strings[] =
-{
-    "des_ecb",
-    "des_cbc",
-    "des3_ecb",
-    "des3_cbc",
-    "rc2_ecb",
-    "rc2_cbc",
-    "rc4",
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    "rc5_ecb",
-    "rc5_cbc",
-#endif
-    "aes_ecb",
-    "aes_cbc",
-    "camellia_ecb",
-    "camellia_cbc",
-    "seed_ecb",
-    "seed_cbc",
-    "rsa",
-#ifdef NSS_ENABLE_ECC
-    "ecdsa",
-#endif
-    /*"pqg",*/
-    "dsa",
-    "md2",
-    "md5",
-    "sha1",
-    "sha256",
-    "sha384",
-    "sha512",
-};
-
-typedef struct
-{
-    bltestIO key;
-    bltestIO iv;
-} bltestSymmKeyParams;
-
-typedef struct
-{
-    bltestIO key;
-    bltestIO iv;
-    int	     rounds;
-    int	     wordsize;
-} bltestRC5Params;
-
-typedef struct
-{
-    bltestIO key;
-    int	     keysizeInBits;
-    RSAPrivateKey *rsakey;
-} bltestRSAParams;
-
-typedef struct
-{
-    bltestIO   key;
-    bltestIO   pqgdata;
-    unsigned int j;
-    bltestIO   keyseed;
-    bltestIO   sigseed;
-    bltestIO   sig; /* if doing verify, have additional input */
-    PQGParams *pqg;
-    DSAPrivateKey *dsakey;
-} bltestDSAParams;
-
-#ifdef NSS_ENABLE_ECC
-typedef struct
-{
-    bltestIO   key;
-    char      *curveName;
-    bltestIO   sigseed;
-    bltestIO   sig; /* if doing verify, have additional input */
-    ECPrivateKey *eckey;
-} bltestECDSAParams;
-#endif
-
-typedef struct
-{
-    bltestIO   key; /* unused */
-    PRBool     restart;
-} bltestHashParams;
-
-typedef union
-{
-    bltestIO		key;
-    bltestSymmKeyParams sk;
-    bltestRC5Params	rc5;
-    bltestRSAParams	rsa;
-    bltestDSAParams	dsa;
-#ifdef NSS_ENABLE_ECC
-    bltestECDSAParams	ecdsa;
-#endif
-    bltestHashParams	hash;
-} bltestParams;
-
-typedef struct bltestCipherInfoStr bltestCipherInfo;
-
-struct  bltestCipherInfoStr {
-    PRArenaPool *arena;
-    /* link to next in multithreaded test */
-    bltestCipherInfo *next;
-    PRThread         *cipherThread;
-
-    /* MonteCarlo test flag*/
-    PRBool mCarlo;
-    /* cipher context */
-    void *cx;
-    /* I/O streams */
-    bltestIO input;
-    bltestIO output;
-    /* Cipher-specific parameters */
-    bltestParams params;
-    /* Cipher mode */
-    bltestCipherMode  mode;
-    /* Cipher function (encrypt/decrypt/sign/verify/hash) */
-    union {
-	bltestSymmCipherFn   symmkeyCipher;
-	bltestPubKeyCipherFn pubkeyCipher;
-	bltestHashCipherFn   hashCipher;
-    } cipher;
-    /* performance testing */
-    int   repetitionsToPerfom;
-    int   seconds;
-    int	  repetitions;
-    int   cxreps;
-    double cxtime;
-    double optime;
-};
-
-PRBool
-is_symmkeyCipher(bltestCipherMode mode)
-{
-    /* change as needed! */
-    if (mode >= bltestDES_ECB && mode <= bltestSEED_CBC)
-	return PR_TRUE;
-    return PR_FALSE;
-}
-
-PRBool
-is_pubkeyCipher(bltestCipherMode mode)
-{
-    /* change as needed! */
-    if (mode >= bltestRSA && mode <= bltestDSA)
-	return PR_TRUE;
-    return PR_FALSE;
-}
-
-PRBool
-is_hashCipher(bltestCipherMode mode)
-{
-    /* change as needed! */
-    if (mode >= bltestMD2 && mode <= bltestSHA512)
-	return PR_TRUE;
-    return PR_FALSE;
-}
-
-PRBool
-is_sigCipher(bltestCipherMode mode)
-{
-    /* change as needed! */
-#ifdef NSS_ENABLE_ECC
-    if (mode >= bltestECDSA && mode <= bltestDSA)
-#else
-    if (mode >= bltestDSA && mode <= bltestDSA)
-#endif
-	return PR_TRUE;
-    return PR_FALSE;
-}
-
-PRBool
-cipher_requires_IV(bltestCipherMode mode)
-{
-    /* change as needed! */
-    if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC ||
-	mode == bltestRC2_CBC || 
-#ifdef NSS_SOFTOKEN_DOES_RC5
-        mode == bltestRC5_CBC     ||
-#endif
-        mode == bltestAES_CBC || mode == bltestCAMELLIA_CBC||
-	mode == bltestSEED_CBC)
-	return PR_TRUE;
-    return PR_FALSE;
-}
-
-SECStatus finishIO(bltestIO *output, PRFileDesc *file);
-
-SECStatus
-setupIO(PRArenaPool *arena, bltestIO *input, PRFileDesc *file,
-	char *str, int numBytes)
-{
-    SECStatus rv = SECSuccess;
-    SECItem fileData;
-    SECItem *in;
-    unsigned char *tok;
-    unsigned int i, j;
-
-    if (file && (numBytes == 0 || file == PR_STDIN)) {
-	/* grabbing data from a file */
-	rv = SECU_FileToItem(&fileData, file);
-	if (rv != SECSuccess) {
-	    PR_Close(file);
-	    return SECFailure;
-	}
-	in = &fileData;
-    } else if (str) {
-	/* grabbing data from command line */
-	fileData.data = str;
-	fileData.len = PL_strlen(str);
-	in = &fileData;
-    } else if (file) {
-	/* create nonce */
-	SECITEM_AllocItem(arena, &input->buf, numBytes);
-	RNG_GenerateGlobalRandomBytes(input->buf.data, numBytes);
-	return finishIO(input, file);
-    } else {
-	return SECFailure;
-    }
-
-    switch (input->mode) {
-    case bltestBase64Encoded:
-	rv = atob(in, &input->buf, arena);
-	break;
-    case bltestBinary:
-	if (in->data[in->len-1] == '\n') --in->len;
-	if (in->data[in->len-1] == '\r') --in->len;
-	SECITEM_CopyItem(arena, &input->buf, in);
-	break;
-    case bltestHexSpaceDelim:
-	SECITEM_AllocItem(arena, &input->buf, in->len/5);
-	for (i=0, j=0; i<in->len; i+=5, j++) {
-	    tok = &in->data[i];
-	    if (tok[0] != '0' || tok[1] != 'x' || tok[4] != ' ')
-		/* bad hex token */
-		break;
-
-	    rv = hex_from_2char(&tok[2], input->buf.data + j);
-	    if (rv)
-		break;
-	}
-	break;
-    case bltestHexStream:
-	SECITEM_AllocItem(arena, &input->buf, in->len/2);
-	for (i=0, j=0; i<in->len; i+=2, j++) {
-	    tok = &in->data[i];
-	    rv = hex_from_2char(tok, input->buf.data + j);
-	    if (rv)
-		break;
-	}
-	break;
-    }
-
-    if (file)
-	SECITEM_FreeItem(&fileData, PR_FALSE);
-    return rv;
-}
-
-SECStatus
-finishIO(bltestIO *output, PRFileDesc *file)
-{
-    SECStatus rv = SECSuccess;
-    PRInt32 nb;
-    unsigned char byteval;
-    SECItem *it;
-    char hexstr[5];
-    unsigned int i;
-    if (output->pBuf.len > 0) {
-	it = &output->pBuf;
-    } else {
-	it = &output->buf;
-    }
-    switch (output->mode) {
-    case bltestBase64Encoded:
-	rv = btoa_file(it, file);
-	break;
-    case bltestBinary:
-	nb = PR_Write(file, it->data, it->len);
-	rv = (nb == (PRInt32)it->len) ? SECSuccess : SECFailure;
-	break;
-    case bltestHexSpaceDelim:
-	hexstr[0] = '0';
-	hexstr[1] = 'x';
-	hexstr[4] = ' ';
-	for (i=0; i<it->len; i++) {
-	    byteval = it->data[i];
-	    rv = char2_from_hex(byteval, hexstr + 2);
-	    nb = PR_Write(file, hexstr, 5);
-	    if (rv)
-		break;
-	}
-	PR_Write(file, "\n", 1);
-	break;
-    case bltestHexStream:
-	for (i=0; i<it->len; i++) {
-	    byteval = it->data[i];
-	    rv = char2_from_hex(byteval, hexstr);
-	    if (rv)
-		break;
-	    nb = PR_Write(file, hexstr, 2);
-	}
-	PR_Write(file, "\n", 1);
-	break;
-    }
-    return rv;
-}
-
-void
-bltestCopyIO(PRArenaPool *arena, bltestIO *dest, bltestIO *src)
-{
-    SECITEM_CopyItem(arena, &dest->buf, &src->buf);
-    if (src->pBuf.len > 0) {
-	dest->pBuf.len = src->pBuf.len;
-	dest->pBuf.data = dest->buf.data + (src->pBuf.data - src->buf.data);
-    }
-    dest->mode = src->mode;
-    dest->file = src->file;
-}
-
-void
-misalignBuffer(PRArenaPool *arena, bltestIO *io, int off)
-{
-    ptrdiff_t offset = (ptrdiff_t)io->buf.data % WORDSIZE;
-    int length = io->buf.len;
-    if (offset != off) {
-	SECITEM_ReallocItem(arena, &io->buf, length, length + 2*WORDSIZE);
-	io->buf.len = length + 2*WORDSIZE; /* why doesn't realloc do this? */
-	/* offset may have changed? */
-	offset = (ptrdiff_t)io->buf.data % WORDSIZE;
-	if (offset != off) {
-	    memmove(io->buf.data + off, io->buf.data, length);
-	    io->pBuf.data = io->buf.data + off;
-	    io->pBuf.len = length;
-	} else {
-	    io->pBuf.data = io->buf.data;
-	    io->pBuf.len = length;
-	}
-    } else {
-	io->pBuf.data = io->buf.data;
-	io->pBuf.len = length;
-    }
-}
-
-SECStatus
-des_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return DES_Encrypt((DESContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-des_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return DES_Decrypt((DESContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-rc2_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return RC2_Encrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-rc2_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return RC2_Decrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-rc4_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return RC4_Encrypt((RC4Context *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-rc4_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return RC4_Decrypt((RC4Context *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-aes_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return AES_Encrypt((AESContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-aes_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return AES_Decrypt((AESContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-camellia_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-		 unsigned int maxOutputLen, const unsigned char *input,
-		 unsigned int inputLen)
-{
-    return Camellia_Encrypt((CamelliaContext *)cx, output, outputLen,
-			    maxOutputLen,
-			    input, inputLen);
-}
-
-SECStatus
-camellia_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-		 unsigned int maxOutputLen, const unsigned char *input,
-		 unsigned int inputLen)
-{
-    return Camellia_Decrypt((CamelliaContext *)cx, output, outputLen,
-			    maxOutputLen,
-			    input, inputLen);
-}
-
-SECStatus
-seed_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return SEED_Encrypt((SEEDContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-seed_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
-            unsigned int maxOutputLen, const unsigned char *input,
-            unsigned int inputLen)
-{
-    return SEED_Decrypt((SEEDContext *)cx, output, outputLen, maxOutputLen,
-                       input, inputLen);
-}
-
-SECStatus
-rsa_PublicKeyOp(void *key, SECItem *output, const SECItem *input)
-{
-    return RSA_PublicKeyOp((RSAPublicKey *)key, output->data, input->data);
-}
-
-SECStatus
-rsa_PrivateKeyOp(void *key, SECItem *output, const SECItem *input)
-{
-    return RSA_PrivateKeyOp((RSAPrivateKey *)key, output->data, input->data);
-}
-
-SECStatus
-dsa_signDigest(void *key, SECItem *output, const SECItem *input)
-{
-    return DSA_SignDigest((DSAPrivateKey *)key, output, input);
-}
-
-SECStatus
-dsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
-{
-    return DSA_VerifyDigest((DSAPublicKey *)key, output, input);
-}
-
-#ifdef NSS_ENABLE_ECC
-SECStatus
-ecdsa_signDigest(void *key, SECItem *output, const SECItem *input)
-{
-    return ECDSA_SignDigest((ECPrivateKey *)key, output, input);
-}
-
-SECStatus
-ecdsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
-{
-    return ECDSA_VerifyDigest((ECPublicKey *)key, output, input);
-}
-#endif
-
-SECStatus
-bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    PRIntervalTime time1, time2;
-    bltestSymmKeyParams *desp = &cipherInfo->params.sk;
-    int minorMode;
-    int i;
-    switch (cipherInfo->mode) {
-    case bltestDES_ECB:	    minorMode = NSS_DES;	  break;
-    case bltestDES_CBC:	    minorMode = NSS_DES_CBC;	  break;
-    case bltestDES_EDE_ECB: minorMode = NSS_DES_EDE3;	  break;
-    case bltestDES_EDE_CBC: minorMode = NSS_DES_EDE3_CBC; break;
-    default:
-	return SECFailure;
-    }
-    cipherInfo->cx = (void*)DES_CreateContext(desp->key.buf.data,
-					      desp->iv.buf.data,
-					      minorMode, encrypt);
-    if (cipherInfo->cxreps > 0) {
-	DESContext **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(DESContext *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)DES_CreateContext(desp->key.buf.data,
-					          desp->iv.buf.data,
-					          minorMode, encrypt);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    DES_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = des_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = des_Decrypt;
-    return SECSuccess;
-}
-
-SECStatus
-bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    PRIntervalTime time1, time2;
-    bltestSymmKeyParams *rc2p = &cipherInfo->params.sk;
-    int minorMode;
-    int i;
-    switch (cipherInfo->mode) {
-    case bltestRC2_ECB: minorMode = NSS_RC2;	 break;
-    case bltestRC2_CBC: minorMode = NSS_RC2_CBC; break;
-    default:
-	return SECFailure;
-    }
-    cipherInfo->cx = (void*)RC2_CreateContext(rc2p->key.buf.data,
-					      rc2p->key.buf.len,
-					      rc2p->iv.buf.data,
-					      minorMode,
-					      rc2p->key.buf.len);
-    if (cipherInfo->cxreps > 0) {
-	RC2Context **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(RC2Context *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)RC2_CreateContext(rc2p->key.buf.data,
-	                                          rc2p->key.buf.len,
-	                                          rc2p->iv.buf.data,
-	                                          minorMode,
-	                                          rc2p->key.buf.len);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    RC2_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = rc2_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = rc2_Decrypt;
-    return SECSuccess;
-}
-
-SECStatus
-bltest_rc4_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    PRIntervalTime time1, time2;
-    int i;
-    bltestSymmKeyParams *rc4p = &cipherInfo->params.sk;
-    cipherInfo->cx = (void*)RC4_CreateContext(rc4p->key.buf.data,
-					      rc4p->key.buf.len);
-    if (cipherInfo->cxreps > 0) {
-	RC4Context **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(RC4Context *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)RC4_CreateContext(rc4p->key.buf.data,
-	                                          rc4p->key.buf.len);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    RC4_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = rc4_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = rc4_Decrypt;
-    return SECSuccess;
-}
-
-SECStatus
-bltest_rc5_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    PRIntervalTime time1, time2;
-    bltestRC5Params *rc5p = &cipherInfo->params.rc5;
-    int minorMode;
-    switch (cipherInfo->mode) {
-    case bltestRC5_ECB: minorMode = NSS_RC5;	 break;
-    case bltestRC5_CBC: minorMode = NSS_RC5_CBC; break;
-    default:
-	return SECFailure;
-    }
-    TIMESTART();
-    cipherInfo->cx = (void*)RC5_CreateContext(&rc5p->key.buf,
-					      rc5p->rounds, rc5p->wordsize,
-					      rc5p->iv.buf.data, minorMode);
-    TIMEFINISH(cipherInfo->cxtime, 1.0);
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = RC5_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = RC5_Decrypt;
-    return SECSuccess;
-#else
-    return SECFailure;
-#endif
-}
-
-SECStatus
-bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    bltestSymmKeyParams *aesp = &cipherInfo->params.sk;
-    int minorMode;
-    int i;
-    int keylen   = aesp->key.buf.len;
-    int blocklen = AES_BLOCK_SIZE; 
-    PRIntervalTime time1, time2;
-
-    switch (cipherInfo->mode) {
-    case bltestAES_ECB:	    minorMode = NSS_AES;	  break;
-    case bltestAES_CBC:	    minorMode = NSS_AES_CBC;	  break;
-    default:
-	return SECFailure;
-    }
-    cipherInfo->cx = (void*)AES_CreateContext(aesp->key.buf.data,
-					      aesp->iv.buf.data,
-					      minorMode, encrypt, 
-                                              keylen, blocklen);
-    if (cipherInfo->cxreps > 0) {
-	AESContext **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(AESContext *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)AES_CreateContext(aesp->key.buf.data,
-					          aesp->iv.buf.data,
-					          minorMode, encrypt,
-	                                          keylen, blocklen);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    AES_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = aes_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = aes_Decrypt;
-    return SECSuccess;
-}
-
-SECStatus
-bltest_camellia_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    bltestSymmKeyParams *camelliap = &cipherInfo->params.sk;
-    int minorMode;
-    int i;
-    int keylen   = camelliap->key.buf.len;
-    int blocklen = CAMELLIA_BLOCK_SIZE; 
-    PRIntervalTime time1, time2;
-    
-    switch (cipherInfo->mode) {
-    case bltestCAMELLIA_ECB:	    minorMode = NSS_CAMELLIA;	  break;
-    case bltestCAMELLIA_CBC:	    minorMode = NSS_CAMELLIA_CBC;  break;
-    default:
-	return SECFailure;
-    }
-    cipherInfo->cx = (void*)Camellia_CreateContext(camelliap->key.buf.data,
-						   camelliap->iv.buf.data,
-						   minorMode, encrypt, 
-						   keylen);
-    if (cipherInfo->cxreps > 0) {
-	CamelliaContext **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(CamelliaContext *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)Camellia_CreateContext(camelliap->key.buf.data,
-						       camelliap->iv.buf.data,
-						       minorMode, encrypt,
-						       keylen);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    Camellia_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = camellia_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = camellia_Decrypt;
-    return SECSuccess;
-}
-
-SECStatus
-bltest_seed_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    PRIntervalTime time1, time2;
-    bltestSymmKeyParams *seedp = &cipherInfo->params.sk;
-    int minorMode;
-    int i;
-
-    switch (cipherInfo->mode) {
-    case bltestSEED_ECB:	minorMode = NSS_SEED;		break;
-    case bltestSEED_CBC:	minorMode = NSS_SEED_CBC;	break;
-    default:
-	return SECFailure;
-    }
-    cipherInfo->cx = (void*)SEED_CreateContext(seedp->key.buf.data,
-					      seedp->iv.buf.data,
-					      minorMode, encrypt);
-    if (cipherInfo->cxreps > 0) {
-	SEEDContext **dummycx;
-	dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(SEEDContext *));
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummycx[i] = (void*)SEED_CreateContext(seedp->key.buf.data,
-					          seedp->iv.buf.data,
-					          minorMode, encrypt);
-	}
-	TIMEFINISH(cipherInfo->cxtime, 1.0);
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    SEED_DestroyContext(dummycx[i], PR_TRUE);
-	}
-	PORT_Free(dummycx);
-    }
-    if (encrypt)
-	cipherInfo->cipher.symmkeyCipher = seed_Encrypt;
-    else
-	cipherInfo->cipher.symmkeyCipher = seed_Decrypt;
-	
-	return SECSuccess;
-}
-
-SECStatus
-bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    int i;
-    RSAPrivateKey **dummyKey;
-    PRIntervalTime time1, time2;
-    bltestRSAParams *rsap = &cipherInfo->params.rsa;
-    /* RSA key gen was done during parameter setup */
-    cipherInfo->cx = cipherInfo->params.rsa.rsakey;
-    /* For performance testing */
-    if (cipherInfo->cxreps > 0) {
-	/* Create space for n private key objects */
-	dummyKey = (RSAPrivateKey **)PORT_Alloc(cipherInfo->cxreps *
-						sizeof(RSAPrivateKey *));
-	/* Time n keygens, storing in the array */
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++)
-	    dummyKey[i] = RSA_NewKey(rsap->keysizeInBits, 
-	                             &rsap->rsakey->publicExponent);
-	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
-	/* Free the n key objects */
-	for (i=0; i<cipherInfo->cxreps; i++)
-	    PORT_FreeArena(dummyKey[i]->arena, PR_TRUE);
-	PORT_Free(dummyKey);
-    }
-    if (encrypt) {
-	/* Have to convert private key to public key.  Memory
-	 * is freed with private key's arena  */
-	RSAPublicKey *pubkey;
-	RSAPrivateKey *key = (RSAPrivateKey *)cipherInfo->cx;
-	pubkey = (RSAPublicKey *)PORT_ArenaAlloc(key->arena,
-						 sizeof(RSAPublicKey));
-	pubkey->modulus.len = key->modulus.len;
-	pubkey->modulus.data = key->modulus.data;
-	pubkey->publicExponent.len = key->publicExponent.len;
-	pubkey->publicExponent.data = key->publicExponent.data;
-	cipherInfo->cx = (void *)pubkey;
-	cipherInfo->cipher.pubkeyCipher = rsa_PublicKeyOp;
-    } else {
-	cipherInfo->cipher.pubkeyCipher = rsa_PrivateKeyOp;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-bltest_pqg_init(bltestDSAParams *dsap)
-{
-    SECStatus rv, res;
-    PQGVerify *vfy = NULL;
-    rv = PQG_ParamGen(dsap->j, &dsap->pqg, &vfy);
-    CHECKERROR(rv, __LINE__);
-    rv = PQG_VerifyParams(dsap->pqg, vfy, &res);
-    CHECKERROR(res, __LINE__);
-    CHECKERROR(rv, __LINE__);
-    return rv;
-}
-
-SECStatus
-bltest_dsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    int i;
-    DSAPrivateKey **dummyKey;
-    PQGParams *dummypqg;
-    PRIntervalTime time1, time2;
-    bltestDSAParams *dsap = &cipherInfo->params.dsa;
-    PQGVerify *ignore = NULL;
-    /* DSA key gen was done during parameter setup */
-    cipherInfo->cx = cipherInfo->params.dsa.dsakey;
-    /* For performance testing */
-    if (cipherInfo->cxreps > 0) {
-	/* Create space for n private key objects */
-	dummyKey = (DSAPrivateKey **)PORT_ZAlloc(cipherInfo->cxreps *
-	                                         sizeof(DSAPrivateKey *));
-	/* Time n keygens, storing in the array */
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    dummypqg = NULL;
-	    PQG_ParamGen(dsap->j, &dummypqg, &ignore);
-	    DSA_NewKey(dummypqg, &dummyKey[i]);
-	}
-	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
-	/* Free the n key objects */
-	for (i=0; i<cipherInfo->cxreps; i++)
-	    PORT_FreeArena(dummyKey[i]->params.arena, PR_TRUE);
-	PORT_Free(dummyKey);
-    }
-    if (!dsap->pqg && dsap->pqgdata.buf.len > 0) {
-	dsap->pqg = pqg_from_filedata(&dsap->pqgdata.buf);
-    }
-    if (!cipherInfo->cx && dsap->key.buf.len > 0) {
-	cipherInfo->cx = dsakey_from_filedata(&dsap->key.buf);
-    }
-    if (encrypt) {
-	cipherInfo->cipher.pubkeyCipher = dsa_signDigest;
-    } else {
-	/* Have to convert private key to public key.  Memory
-	 * is freed with private key's arena  */
-	DSAPublicKey *pubkey;
-	DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
-	pubkey = (DSAPublicKey *)PORT_ArenaZAlloc(key->params.arena,
-						  sizeof(DSAPublicKey));
-	pubkey->params.prime.len = key->params.prime.len;
-	pubkey->params.prime.data = key->params.prime.data;
-	pubkey->params.subPrime.len = key->params.subPrime.len;
-	pubkey->params.subPrime.data = key->params.subPrime.data;
-	pubkey->params.base.len = key->params.base.len;
-	pubkey->params.base.data = key->params.base.data;
-	pubkey->publicValue.len = key->publicValue.len;
-	pubkey->publicValue.data = key->publicValue.data;
-	cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
-    }
-    return SECSuccess;
-}
-
-#ifdef NSS_ENABLE_ECC
-SECStatus
-bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    int i;
-    ECPrivateKey **dummyKey;
-    PRIntervalTime time1, time2;
-    bltestECDSAParams *ecdsap = &cipherInfo->params.ecdsa;
-    /* ECDSA key gen was done during parameter setup */
-    cipherInfo->cx = cipherInfo->params.ecdsa.eckey;
-    /* For performance testing */
-    if (cipherInfo->cxreps > 0) {
-	/* Create space for n private key objects */
-	dummyKey = (ECPrivateKey **)PORT_ZAlloc(cipherInfo->cxreps *
-	                                         sizeof(ECPrivateKey *));
-	/* Time n keygens, storing in the array */
-	TIMESTART();
-	for (i=0; i<cipherInfo->cxreps; i++) {
-	    EC_NewKey(&ecdsap->eckey->ecParams, &dummyKey[i]);
-	}
-	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
-	/* Free the n key objects */
-	for (i=0; i<cipherInfo->cxreps; i++)
-	    PORT_FreeArena(dummyKey[i]->ecParams.arena, PR_TRUE);
-	PORT_Free(dummyKey);
-    }
-    if (!cipherInfo->cx && ecdsap->key.buf.len > 0) {
-	cipherInfo->cx = eckey_from_filedata(&ecdsap->key.buf);
-    }
-    if (encrypt) {
-	cipherInfo->cipher.pubkeyCipher = ecdsa_signDigest;
-    } else {
-	/* Have to convert private key to public key.  Memory
-	 * is freed with private key's arena  */
-	ECPublicKey *pubkey;
-	ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
-	pubkey = (ECPublicKey *)PORT_ArenaZAlloc(key->ecParams.arena,
-						  sizeof(ECPublicKey));
-	pubkey->ecParams.type = key->ecParams.type;
-	pubkey->ecParams.fieldID.size = key->ecParams.fieldID.size;
-	pubkey->ecParams.fieldID.type = key->ecParams.fieldID.type;
-	pubkey->ecParams.fieldID.u.prime.len = key->ecParams.fieldID.u.prime.len;
-	pubkey->ecParams.fieldID.u.prime.data = key->ecParams.fieldID.u.prime.data;
-	pubkey->ecParams.fieldID.k1 = key->ecParams.fieldID.k1;
-	pubkey->ecParams.fieldID.k2 = key->ecParams.fieldID.k2;
-	pubkey->ecParams.fieldID.k3 = key->ecParams.fieldID.k3;
-	pubkey->ecParams.curve.a.len = key->ecParams.curve.a.len;
-	pubkey->ecParams.curve.a.data = key->ecParams.curve.a.data;
-	pubkey->ecParams.curve.b.len = key->ecParams.curve.b.len;
-	pubkey->ecParams.curve.b.data = key->ecParams.curve.b.data;
-	pubkey->ecParams.curve.seed.len = key->ecParams.curve.seed.len;
-	pubkey->ecParams.curve.seed.data = key->ecParams.curve.seed.data;
-	pubkey->ecParams.base.len = key->ecParams.base.len;
-	pubkey->ecParams.base.data = key->ecParams.base.data;
-	pubkey->ecParams.order.len = key->ecParams.order.len;
-	pubkey->ecParams.order.data = key->ecParams.order.data;
-	pubkey->ecParams.cofactor = key->ecParams.cofactor;
-	pubkey->ecParams.DEREncoding.len = key->ecParams.DEREncoding.len;
-	pubkey->ecParams.DEREncoding.data = key->ecParams.DEREncoding.data;
-	pubkey->ecParams.name= key->ecParams.name;
-	pubkey->publicValue.len = key->publicValue.len;
-	pubkey->publicValue.data = key->publicValue.data;
-	cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
-    }
-    return SECSuccess;
-}
-#endif
-
-/* XXX unfortunately, this is not defined in blapi.h */
-SECStatus
-md2_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    unsigned int len;
-    MD2Context *cx = MD2_NewContext();
-    if (cx == NULL) return SECFailure;
-    MD2_Begin(cx);
-    MD2_Update(cx, src, src_length);
-    MD2_End(cx, dest, &len, MD2_LENGTH);
-    MD2_DestroyContext(cx, PR_TRUE);
-    return SECSuccess;
-}
-
-SECStatus
-md2_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    MD2Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    SECStatus rv = SECSuccess;
-    cx = MD2_NewContext();
-    MD2_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	MD2_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = MD2_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	MD2_Flatten(cx, cxbytes);
-	cx_cpy = MD2_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: MD2_Resurrect failed!\n", progName);
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    MD2_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: MD2_restart failed!\n", progName);
-	    goto finish;
-	}
-	MD2_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    MD2_End(cx, dest, &len, MD2_LENGTH);
-finish:
-    MD2_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-md5_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SECStatus rv = SECSuccess;
-    MD5Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    cx = MD5_NewContext();
-    MD5_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	MD5_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = MD5_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	MD5_Flatten(cx, cxbytes);
-	cx_cpy = MD5_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: MD5_Resurrect failed!\n", progName);
-	    rv = SECFailure;
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    MD5_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: MD5_restart failed!\n", progName);
-	    goto finish;
-	}
-	MD5_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    MD5_End(cx, dest, &len, MD5_LENGTH);
-finish:
-    MD5_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-sha1_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SECStatus rv = SECSuccess;
-    SHA1Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    cx = SHA1_NewContext();
-    SHA1_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	SHA1_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = SHA1_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	SHA1_Flatten(cx, cxbytes);
-	cx_cpy = SHA1_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: SHA1_Resurrect failed!\n", progName);
-	    rv = SECFailure;
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    SHA1_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: SHA1_restart failed!\n", progName);
-	    goto finish;
-	}
-	SHA1_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    SHA1_End(cx, dest, &len, MD5_LENGTH);
-finish:
-    SHA1_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SECStatus rv = SECSuccess;
-    SHA256Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    cx = SHA256_NewContext();
-    SHA256_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	SHA256_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = SHA256_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	SHA256_Flatten(cx, cxbytes);
-	cx_cpy = SHA256_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: SHA256_Resurrect failed!\n", progName);
-	    rv = SECFailure;
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    SHA256_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: SHA256_restart failed!\n", progName);
-	    goto finish;
-	}
-	SHA256_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    SHA256_End(cx, dest, &len, MD5_LENGTH);
-finish:
-    SHA256_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-SHA384_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SECStatus rv = SECSuccess;
-    SHA384Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    cx = SHA384_NewContext();
-    SHA384_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	SHA384_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = SHA384_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	SHA384_Flatten(cx, cxbytes);
-	cx_cpy = SHA384_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: SHA384_Resurrect failed!\n", progName);
-	    rv = SECFailure;
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    SHA384_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: SHA384_restart failed!\n", progName);
-	    goto finish;
-	}
-	SHA384_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    SHA384_End(cx, dest, &len, MD5_LENGTH);
-finish:
-    SHA384_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-SHA512_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SECStatus rv = SECSuccess;
-    SHA512Context *cx, *cx_cpy;
-    unsigned char *cxbytes;
-    unsigned int len;
-    unsigned int i, quarter;
-    cx = SHA512_NewContext();
-    SHA512_Begin(cx);
-    /* divide message by 4, restarting 3 times */
-    quarter = (src_length + 3)/ 4;
-    for (i=0; i < 4 && src_length > 0; i++) {
-	SHA512_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
-	len = SHA512_FlattenSize(cx);
-	cxbytes = PORT_Alloc(len);
-	SHA512_Flatten(cx, cxbytes);
-	cx_cpy = SHA512_Resurrect(cxbytes, NULL);
-	if (!cx_cpy) {
-	    PR_fprintf(PR_STDERR, "%s: SHA512_Resurrect failed!\n", progName);
-	    rv = SECFailure;
-	    goto finish;
-	}
-	rv = PORT_Memcmp(cx, cx_cpy, len);
-	if (rv) {
-	    SHA512_DestroyContext(cx_cpy, PR_TRUE);
-	    PR_fprintf(PR_STDERR, "%s: SHA512_restart failed!\n", progName);
-	    goto finish;
-	}
-	SHA512_DestroyContext(cx_cpy, PR_TRUE);
-	PORT_Free(cxbytes);
-	src_length -= quarter;
-    }
-    SHA512_End(cx, dest, &len, MD5_LENGTH);
-finish:
-    SHA512_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-SECStatus
-pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
-#ifdef NSS_ENABLE_ECC
-	      int keysize, int exponent, char *curveName)
-#else
-	      int keysize, int exponent)
-#endif
-{
-    int i;
-    SECStatus rv = SECSuccess;
-    bltestRSAParams *rsap;
-    bltestDSAParams *dsap;
-#ifdef NSS_ENABLE_ECC
-    bltestECDSAParams *ecdsap;
-    SECItem *tmpECParamsDER;
-    ECParams *tmpECParams = NULL;
-    SECItem ecSerialize[3];
-#endif
-    switch (cipherInfo->mode) {
-    case bltestRSA:
-	rsap = &cipherInfo->params.rsa;
-	if (keysize > 0) {
-	    SECItem expitem = { 0, 0, 0 };
-	    SECITEM_AllocItem(cipherInfo->arena, &expitem, sizeof(int));
-	    for (i = 1; i <= sizeof(int); i++)
-		expitem.data[i-1] = exponent >> (8*(sizeof(int) - i));
-	    rsap->rsakey = RSA_NewKey(keysize * 8, &expitem);
-	    serialize_key(&rsap->rsakey->version, 9, file);
-	    rsap->keysizeInBits = keysize * 8;
-	} else {
-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
-	    rsap->rsakey = rsakey_from_filedata(&cipherInfo->params.key.buf);
-	    rsap->keysizeInBits = rsap->rsakey->modulus.len * 8;
-	}
-	break;
-    case bltestDSA:
-	dsap = &cipherInfo->params.dsa;
-	if (keysize > 0) {
-	    dsap->j = PQG_PBITS_TO_INDEX(8*keysize);
-	    if (!dsap->pqg)
-		bltest_pqg_init(dsap);
-	    rv = DSA_NewKey(dsap->pqg, &dsap->dsakey);
-	    CHECKERROR(rv, __LINE__);
-	    serialize_key(&dsap->dsakey->params.prime, 5, file);
-	} else {
-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
-	    dsap->dsakey = dsakey_from_filedata(&cipherInfo->params.key.buf);
-	    dsap->j = PQG_PBITS_TO_INDEX(8*dsap->dsakey->params.prime.len);
-	}
-	break;
-#ifdef NSS_ENABLE_ECC
-    case bltestECDSA:
-	ecdsap = &cipherInfo->params.ecdsa;
-	if (curveName != NULL) {
-	    tmpECParamsDER = getECParams(curveName);
-	    rv = SECOID_Init();
-	    CHECKERROR(rv, __LINE__);
-	    rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
-	    CHECKERROR(rv, __LINE__);
-	    rv = EC_NewKey(tmpECParams, &ecdsap->eckey);
-	    CHECKERROR(rv, __LINE__);
-	    ecSerialize[0].type = tmpECParamsDER->type;
-	    ecSerialize[0].data = tmpECParamsDER->data;
-	    ecSerialize[0].len  = tmpECParamsDER->len;
-	    ecSerialize[1].type = ecdsap->eckey->publicValue.type;
-	    ecSerialize[1].data = ecdsap->eckey->publicValue.data;
-	    ecSerialize[1].len  = ecdsap->eckey->publicValue.len;
-	    ecSerialize[2].type = ecdsap->eckey->privateValue.type;
-	    ecSerialize[2].data = ecdsap->eckey->privateValue.data;
-	    ecSerialize[2].len  = ecdsap->eckey->privateValue.len;
-	    serialize_key(&(ecSerialize[0]), 3, file);
-	    SECITEM_FreeItem(tmpECParamsDER, PR_TRUE);
-	    PORT_FreeArena(tmpECParams->arena, PR_TRUE);
-	    rv = SECOID_Shutdown();
-	    CHECKERROR(rv, __LINE__);
-	} else {
-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
-	    ecdsap->eckey = eckey_from_filedata(&cipherInfo->params.key.buf);
-	}
-	break;
-#endif
-    default:
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
-{
-    PRBool restart;
-    switch (cipherInfo->mode) {
-    case bltestDES_ECB:
-    case bltestDES_CBC:
-    case bltestDES_EDE_ECB:
-    case bltestDES_EDE_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_des_init(cipherInfo, encrypt);
-	break;
-    case bltestRC2_ECB:
-    case bltestRC2_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_rc2_init(cipherInfo, encrypt);
-	break;
-    case bltestRC4:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_rc4_init(cipherInfo, encrypt);
-	break;
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    case bltestRC5_ECB:
-    case bltestRC5_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-#endif
-	return bltest_rc5_init(cipherInfo, encrypt);
-	break;
-    case bltestAES_ECB:
-    case bltestAES_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_aes_init(cipherInfo, encrypt);
-	break;
-    case bltestCAMELLIA_ECB:
-    case bltestCAMELLIA_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_camellia_init(cipherInfo, encrypt);
-	break;
-    case bltestSEED_ECB:
-    case bltestSEED_CBC:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_seed_init(cipherInfo, encrypt);
-	break;
-    case bltestRSA:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  cipherInfo->input.pBuf.len);
-	return bltest_rsa_init(cipherInfo, encrypt);
-	break;
-    case bltestDSA:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  DSA_SIGNATURE_LEN);
-	return bltest_dsa_init(cipherInfo, encrypt);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case bltestECDSA:
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  2 * MAX_ECKEY_LEN);
-	return bltest_ecdsa_init(cipherInfo, encrypt);
-	break;
-#endif
-    case bltestMD2:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  MD2_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? md2_restart : md2_HashBuf;
-	return SECSuccess;
-	break;
-    case bltestMD5:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  MD5_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? md5_restart : MD5_HashBuf;
-	return SECSuccess;
-	break;
-    case bltestSHA1:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  SHA1_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
-	return SECSuccess;
-	break;
-    case bltestSHA256:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  SHA256_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? SHA256_restart 
-	                                          : SHA256_HashBuf;
-	return SECSuccess;
-	break;
-    case bltestSHA384:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  SHA384_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? SHA384_restart 
-	                                          : SHA384_HashBuf;
-	return SECSuccess;
-	break;
-    case bltestSHA512:
-	restart = cipherInfo->params.hash.restart;
-	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
-			  SHA512_LENGTH);
-	cipherInfo->cipher.hashCipher = (restart) ? SHA512_restart 
-	                                          : SHA512_HashBuf;
-	return SECSuccess;
-	break;
-    default:
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-dsaOp(bltestCipherInfo *cipherInfo)
-{
-    PRIntervalTime time1, time2;
-    SECStatus rv = SECSuccess;
-    int i;
-    int maxLen = cipherInfo->output.pBuf.len;
-    SECItem dummyOut = { 0, 0, 0 };
-    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
-    if (cipherInfo->cipher.pubkeyCipher == dsa_signDigest) {
-	if (cipherInfo->params.dsa.sigseed.buf.len > 0) {
-            bltestDSAParams *dsa = &cipherInfo->params.dsa;
-            DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
-
-            TIMESTART();
-            rv = DSA_SignDigestWithSeed(key,
-                                        &cipherInfo->output.pBuf,
-                                        &cipherInfo->input.pBuf,
-                                        dsa->sigseed.buf.data);
-            TIMEFINISH(cipherInfo->optime, 1.0);
-            CHECKERROR(rv, __LINE__);
-            cipherInfo->repetitions = 0;
-            if (cipherInfo->repetitionsToPerfom != 0) {
-                TIMESTART();
-                for (i=0; i<cipherInfo->repetitionsToPerfom;
-                     i++, cipherInfo->repetitions++) {
-                    rv = DSA_SignDigestWithSeed(key, &dummyOut,
-                                                &cipherInfo->input.pBuf,
-                                                dsa->sigseed.buf.data);
-                    CHECKERROR(rv, __LINE__);
-                }
-            } else {
-                int opsBetweenChecks = 0;
-                TIMEMARK(cipherInfo->seconds);
-                while (! (TIMETOFINISH())) {
-                    int j = 0;
-                    for (;j < opsBetweenChecks;j++) {
-                        rv = DSA_SignDigestWithSeed(key, &dummyOut,
-                                                    &cipherInfo->input.pBuf,
-                                                    dsa->sigseed.buf.data);
-                        CHECKERROR(rv, __LINE__);
-                    }
-                    cipherInfo->repetitions += j;
-                }
-            }
-            TIMEFINISH(cipherInfo->optime, 1.0);
-        } else {
-            TIMESTART();
-            rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
-                                &cipherInfo->output.pBuf,
-                                &cipherInfo->input.pBuf);
-            TIMEFINISH(cipherInfo->optime, 1.0);
-            CHECKERROR(rv, __LINE__);
-            cipherInfo->repetitions = 0;
-            if (cipherInfo->repetitionsToPerfom != 0) {
-                TIMESTART();
-                for (i=0; i<cipherInfo->repetitionsToPerfom;
-                     i++, cipherInfo->repetitions++) {
-                    rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
-                                        &dummyOut,
-                                        &cipherInfo->input.pBuf);
-                    CHECKERROR(rv, __LINE__);
-                }
-            } else {
-                int opsBetweenChecks = 0;
-                TIMEMARK(cipherInfo->seconds);
-                while (! (TIMETOFINISH())) {
-                    int j = 0;
-                    for (;j < opsBetweenChecks;j++) {
-                        rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
-                                            &dummyOut,
-                                            &cipherInfo->input.pBuf);
-                        CHECKERROR(rv, __LINE__);
-                    }
-                    cipherInfo->repetitions += j;
-                }
-            }
-            TIMEFINISH(cipherInfo->optime, 1.0);
-        }
-        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.dsa.sig, 
-                     &cipherInfo->output);
-    } else {
-        TIMESTART();
-        rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
-                              &cipherInfo->params.dsa.sig.buf,
-                              &cipherInfo->input.pBuf);
-        TIMEFINISH(cipherInfo->optime, 1.0);
-        CHECKERROR(rv, __LINE__);
-        cipherInfo->repetitions = 0;
-        if (cipherInfo->repetitionsToPerfom != 0) {
-            TIMESTART();
-            for (i=0; i<cipherInfo->repetitionsToPerfom;
-                 i++, cipherInfo->repetitions++) {
-                rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
-                                      &cipherInfo->params.dsa.sig.buf,
-                                      &cipherInfo->input.pBuf);
-                CHECKERROR(rv, __LINE__);
-            }
-        } else {
-            int opsBetweenChecks = 0;
-            TIMEMARK(cipherInfo->seconds);
-            while (! (TIMETOFINISH())) {
-                int j = 0;
-                for (;j < opsBetweenChecks;j++) {
-                    rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
-                                          &cipherInfo->params.dsa.sig.buf,
-                                          &cipherInfo->input.pBuf);
-                    CHECKERROR(rv, __LINE__);
-                }
-                cipherInfo->repetitions += j;
-            }
-        }
-        TIMEFINISH(cipherInfo->optime, 1.0);
-    }
-    SECITEM_FreeItem(&dummyOut, PR_FALSE);
-    return rv;
-}
-
-#ifdef NSS_ENABLE_ECC
-SECStatus
-ecdsaOp(bltestCipherInfo *cipherInfo)
-{
-    PRIntervalTime time1, time2;
-    SECStatus rv = SECSuccess;
-    int i;
-    int maxLen = cipherInfo->output.pBuf.len;
-    SECItem dummyOut = { 0, 0, 0 };
-    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
-    if (cipherInfo->cipher.pubkeyCipher == ecdsa_signDigest) {
-        if (cipherInfo->params.ecdsa.sigseed.buf.len > 0) {
-            ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
-            bltestECDSAParams *ecdsa = &cipherInfo->params.ecdsa;
-
-            TIMESTART();
-            rv = ECDSA_SignDigestWithSeed(key,
-                                          &cipherInfo->output.pBuf,
-                                          &cipherInfo->input.pBuf,
-                                          ecdsa->sigseed.buf.data,
-                                          ecdsa->sigseed.buf.len);
-            TIMEFINISH(cipherInfo->optime, 1.0);
-            CHECKERROR(rv, __LINE__);
-            cipherInfo->repetitions = 0;
-            if (cipherInfo->repetitionsToPerfom != 0) {
-                TIMESTART();
-                for (i=0; i<cipherInfo->repetitionsToPerfom;
-                     i++, cipherInfo->repetitions++) {
-                    rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
-                                                  &cipherInfo->input.pBuf,
-                                                  ecdsa->sigseed.buf.data,
-                                                  ecdsa->sigseed.buf.len);
-                    CHECKERROR(rv, __LINE__);
-                }
-            } else {
-                int opsBetweenChecks = 0;
-                TIMEMARK(cipherInfo->seconds);
-                while (! (TIMETOFINISH())) {
-                    int j = 0;
-                    for (;j < opsBetweenChecks;j++) {
-                        rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
-                                                      &cipherInfo->input.pBuf,
-                                                      ecdsa->sigseed.buf.data,
-                                                      ecdsa->sigseed.buf.len);
-                        CHECKERROR(rv, __LINE__);
-                    }
-                    cipherInfo->repetitions += j;
-                }
-            }
-            TIMEFINISH(cipherInfo->optime, 1.0);
-        } else {
-            TIMESTART();
-            rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
-                                  &cipherInfo->output.pBuf,
-                                  &cipherInfo->input.pBuf);
-            TIMEFINISH(cipherInfo->optime, 1.0);
-            CHECKERROR(rv, __LINE__);
-            cipherInfo->repetitions = 0;
-            if (cipherInfo->repetitionsToPerfom != 0) {
-                TIMESTART();
-                for (i=0; i<cipherInfo->repetitionsToPerfom;
-                     i++, cipherInfo->repetitions++) {
-                    rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
-                                          &dummyOut,
-                                          &cipherInfo->input.pBuf);
-                    CHECKERROR(rv, __LINE__);
-                }
-            } else {
-                int opsBetweenChecks = 0;
-                TIMEMARK(cipherInfo->seconds);
-                while (! (TIMETOFINISH())) {
-                    int j = 0;
-                    for (;j < opsBetweenChecks;j++) {
-                        rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
-                                              &dummyOut,
-                                              &cipherInfo->input.pBuf);
-                        CHECKERROR(rv, __LINE__);
-                    }
-                    cipherInfo->repetitions += j;
-                }
-            }
-            TIMEFINISH(cipherInfo->optime, 1.0);
-        }
-        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig, 
-                     &cipherInfo->output);
-    } else {
-        TIMESTART();
-        rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
-                                &cipherInfo->params.ecdsa.sig.buf,
-                                &cipherInfo->input.pBuf);
-        TIMEFINISH(cipherInfo->optime, 1.0);
-        CHECKERROR(rv, __LINE__);
-        cipherInfo->repetitions = 0;
-        if (cipherInfo->repetitionsToPerfom != 0) {
-            TIMESTART();
-            for (i=0; i<cipherInfo->repetitionsToPerfom;
-                 i++, cipherInfo->repetitions++) {
-                rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
-                                        &cipherInfo->params.ecdsa.sig.buf,
-                                        &cipherInfo->input.pBuf);
-                CHECKERROR(rv, __LINE__);
-            }
-        } else {
-            int opsBetweenChecks = 0;
-            TIMEMARK(cipherInfo->seconds);
-            while (! (TIMETOFINISH())) {
-                int j = 0;
-                for (;j < opsBetweenChecks;j++) {
-                    rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
-                                            &cipherInfo->params.ecdsa.sig.buf,
-                                            &cipherInfo->input.pBuf);
-                    CHECKERROR(rv, __LINE__);
-                }
-                cipherInfo->repetitions += j;
-            }
-        }
-        TIMEFINISH(cipherInfo->optime, 1.0);
-    }
-    SECITEM_FreeItem(&dummyOut, PR_FALSE);
-    return rv;
-}
-#endif
-
-SECStatus
-cipherDoOp(bltestCipherInfo *cipherInfo)
-{
-    PRIntervalTime time1, time2;
-    SECStatus rv = SECSuccess;
-    int i, len;
-    int maxLen = cipherInfo->output.pBuf.len;
-    unsigned char *dummyOut;
-    if (cipherInfo->mode == bltestDSA)
-	return dsaOp(cipherInfo);
-#ifdef NSS_ENABLE_ECC
-    else if (cipherInfo->mode == bltestECDSA)
-	return ecdsaOp(cipherInfo);
-#endif
-    dummyOut = PORT_Alloc(maxLen);
-    if (is_symmkeyCipher(cipherInfo->mode)) {
-        TIMESTART();
-        rv = (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
-                                                 cipherInfo->output.pBuf.data,
-                                                 &len, maxLen,
-                                                 cipherInfo->input.pBuf.data,
-                                                 cipherInfo->input.pBuf.len);
-        TIMEFINISH(cipherInfo->optime, 1.0);
-        CHECKERROR(rv, __LINE__);
-        cipherInfo->repetitions = 0;
-        if (cipherInfo->repetitionsToPerfom != 0) {
-            TIMESTART();
-            for (i=0; i<cipherInfo->repetitionsToPerfom; i++,
-                     cipherInfo->repetitions++) {
-                (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx, dummyOut,
-                                                    &len, maxLen,
-                                                    cipherInfo->input.pBuf.data,
-                                                    cipherInfo->input.pBuf.len);
-                
-                CHECKERROR(rv, __LINE__);
-            }
-        } else {
-            int opsBetweenChecks = 0;
-            bltestIO *input = &cipherInfo->input;
-            TIMEMARK(cipherInfo->seconds);
-            while (! (TIMETOFINISH())) {
-                int j = 0;
-                for (;j < opsBetweenChecks;j++) {
-                    (*cipherInfo->cipher.symmkeyCipher)(cipherInfo->cx,
-                                                        dummyOut,
-                                                        &len, maxLen,
-                                                        input->pBuf.data,
-                                                        input->pBuf.len);
-                }
-                cipherInfo->repetitions += j;
-            }
-        }
-        TIMEFINISH(cipherInfo->optime, 1.0);
-    } else if (is_pubkeyCipher(cipherInfo->mode)) {
-        TIMESTART();
-        rv = (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx,
-                                                &cipherInfo->output.pBuf,
-                                                &cipherInfo->input.pBuf);
-        TIMEFINISH(cipherInfo->optime, 1.0);
-        CHECKERROR(rv, __LINE__);
-        cipherInfo->repetitions = 0;
-        if (cipherInfo->repetitionsToPerfom != 0) {
-            TIMESTART();
-            for (i=0; i<cipherInfo->repetitionsToPerfom;
-                 i++, cipherInfo->repetitions++) {
-                SECItem dummy;
-                dummy.data = dummyOut;
-                dummy.len = maxLen;
-                (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx, &dummy, 
-                                                   &cipherInfo->input.pBuf);
-                CHECKERROR(rv, __LINE__);
-            }
-        } else {
-            int opsBetweenChecks = 0;
-            TIMEMARK(cipherInfo->seconds);
-            while (! (TIMETOFINISH())) {
-                int j = 0;
-                for (;j < opsBetweenChecks;j++) {
-                    SECItem dummy;
-                    dummy.data = dummyOut;
-                    dummy.len = maxLen;
-                    (*cipherInfo->cipher.pubkeyCipher)(cipherInfo->cx, &dummy,
-                                                       &cipherInfo->input.pBuf);
-                    CHECKERROR(rv, __LINE__);
-                }
-                cipherInfo->repetitions += j;
-            }
-        }
-        TIMEFINISH(cipherInfo->optime, 1.0);
-    } else if (is_hashCipher(cipherInfo->mode)) {
-        TIMESTART();
-        rv = (*cipherInfo->cipher.hashCipher)(cipherInfo->output.pBuf.data,
-                                              cipherInfo->input.pBuf.data,
-                                              cipherInfo->input.pBuf.len);
-        TIMEFINISH(cipherInfo->optime, 1.0);
-        CHECKERROR(rv, __LINE__);
-        cipherInfo->repetitions = 0;
-        if (cipherInfo->repetitionsToPerfom != 0) {
-            TIMESTART();
-            for (i=0; i<cipherInfo->repetitionsToPerfom;
-                 i++, cipherInfo->repetitions++) {
-                (*cipherInfo->cipher.hashCipher)(dummyOut,
-                                                 cipherInfo->input.pBuf.data,
-                                                 cipherInfo->input.pBuf.len);
-                CHECKERROR(rv, __LINE__);
-            }
-        } else {
-            int opsBetweenChecks = 0;
-            TIMEMARK(cipherInfo->seconds);
-            while (! (TIMETOFINISH())) {
-                int j = 0;
-                for (;j < opsBetweenChecks;j++) {
-                    bltestIO *input = &cipherInfo->input;
-                    (*cipherInfo->cipher.hashCipher)(dummyOut,
-                                                     input->pBuf.data,
-                                                     input->pBuf.len);
-                    CHECKERROR(rv, __LINE__);
-                }
-                cipherInfo->repetitions += j;
-            }
-        }
-        TIMEFINISH(cipherInfo->optime, 1.0);
-    }
-    PORT_Free(dummyOut);
-    return rv;
-}
-
-SECStatus
-cipherFinish(bltestCipherInfo *cipherInfo)
-{
-    switch (cipherInfo->mode) {
-    case bltestDES_ECB:
-    case bltestDES_CBC:
-    case bltestDES_EDE_ECB:
-    case bltestDES_EDE_CBC:
-	DES_DestroyContext((DESContext *)cipherInfo->cx, PR_TRUE);
-	break;
-    case bltestAES_ECB:
-    case bltestAES_CBC:
-	AES_DestroyContext((AESContext *)cipherInfo->cx, PR_TRUE);
-	break;
-    case bltestCAMELLIA_ECB:
-    case bltestCAMELLIA_CBC:
-	Camellia_DestroyContext((CamelliaContext *)cipherInfo->cx, PR_TRUE);
-	break;
-    case bltestSEED_ECB:
-    case bltestSEED_CBC:
-	SEED_DestroyContext((SEEDContext *)cipherInfo->cx, PR_TRUE);
-	break;
-    case bltestRC2_ECB:
-    case bltestRC2_CBC:
-	RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE);
-	break;
-    case bltestRC4:
-	RC4_DestroyContext((RC4Context *)cipherInfo->cx, PR_TRUE);
-	break;
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    case bltestRC5_ECB:
-    case bltestRC5_CBC:
-	RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
-	break;
-#endif
-    case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
-    case bltestDSA: /* will be freed with it. */
-#ifdef NSS_ENABLE_ECC
-    case bltestECDSA:
-#endif
-    case bltestMD2: /* hash contexts are ephemeral */
-    case bltestMD5:
-    case bltestSHA1:
-    case bltestSHA256:
-    case bltestSHA384:
-    case bltestSHA512:
-	return SECSuccess;
-	break;
-    default:
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-void
-print_exponent(SECItem *exp)
-{
-    int i;
-    int e = 0;
-    if (exp->len <= 4) {
-	for (i=exp->len; i >=0; --i) e |= exp->data[exp->len-i] << 8*(i-1);
-	fprintf(stdout, "%12d", e);
-    } else {
-	e = 8*exp->len;
-	fprintf(stdout, "~2**%-8d", e);
-    }
-}
-
-static void
-splitToReportUnit(PRInt64 res, int *resArr, int *del, int size)
-{
-    PRInt64 remaining = res, tmp = 0;
-    PRInt64 Ldel;
-    int i = -1;
-
-    while (remaining > 0 && ++i < size) {
-        LL_I2L(Ldel, del[i]);
-        LL_MOD(tmp, remaining, Ldel);
-        LL_L2I(resArr[i], tmp);
-        LL_DIV(remaining, remaining, Ldel);
-    }
-}
-
-static char*
-getHighUnitBytes(PRInt64 res)
-{
-    int spl[] = {0, 0, 0, 0};
-    int del[] = {1024, 1024, 1024, 1024};
-    char *marks[] = {"b", "Kb", "Mb", "Gb"};
-    int i = 3;
-
-    splitToReportUnit(res, spl, del, 4);
-
-    for (;i>0;i--) {
-        if (spl[i] != 0) {
-            break;
-        }
-    }
-
-    return PR_smprintf("%d%s", spl[i], marks[i]);
-}
-
-
-static void
-printPR_smpString(const char *sformat, char *reportStr,
-                  const char *nformat, PRInt64 rNum)
-{
-    if (reportStr) {
-        fprintf(stdout, sformat, reportStr);
-        PR_smprintf_free(reportStr);
-    } else {
-        int prnRes;
-        LL_L2I(prnRes, rNum);
-        fprintf(stdout, nformat, rNum);
-    }
-}
-
-static char*
-getHighUnitOps(PRInt64 res)
-{
-    int spl[] = {0, 0, 0, 0};
-    int del[] = {1000, 1000, 1000, 1000};
-    char *marks[] = {"", "T", "M", "B"};
-    int i = 3;
-
-    splitToReportUnit(res, spl, del, 4);
-
-    for (;i>0;i--) {
-        if (spl[i] != 0) {
-            break;
-        }
-    }
-
-    return PR_smprintf("%d%s", spl[i], marks[i]);
-}
-
-void
-dump_performance_info(bltestCipherInfo *infoList, double totalTimeInt,
-                      PRBool encrypt, PRBool cxonly)
-{
-    bltestCipherInfo *info = infoList;
-    
-    PRInt64 totalIn = 0;
-    PRBool td = PR_TRUE;
-
-    int   repetitions = 0;
-    int   cxreps = 0;
-    double cxtime = 0;
-    double optime = 0;
-    while (info != NULL) {
-        repetitions += info->repetitions;
-        cxreps += info->cxreps;
-        cxtime += info->cxtime;
-        optime += info->optime;
-        totalIn += (PRInt64) info->input.buf.len * (PRInt64) info->repetitions;
-        
-        info = info->next;
-    }
-    info = infoList;
-
-    fprintf(stdout, "#%9s", "mode");
-    fprintf(stdout, "%12s", "in");
-print_td:
-    switch (info->mode) {
-      case bltestDES_ECB:
-      case bltestDES_CBC:
-      case bltestDES_EDE_ECB:
-      case bltestDES_EDE_CBC:
-      case bltestAES_ECB:
-      case bltestAES_CBC:
-      case bltestCAMELLIA_ECB:
-      case bltestCAMELLIA_CBC:
-      case bltestSEED_ECB:
-      case bltestSEED_CBC:
-      case bltestRC2_ECB:
-      case bltestRC2_CBC:
-      case bltestRC4:
-          if (td)
-              fprintf(stdout, "%8s", "symmkey");
-          else
-              fprintf(stdout, "%8d", 8*info->params.sk.key.buf.len);
-          break;
-#ifdef NSS_SOFTOKEN_DOES_RC5
-      case bltestRC5_ECB:
-      case bltestRC5_CBC:
-          if (info->params.sk.key.buf.len > 0)
-              printf("symmetric key(bytes)=%d,", info->params.sk.key.buf.len);
-          if (info->rounds > 0)
-              printf("rounds=%d,", info->params.rc5.rounds);
-          if (info->wordsize > 0)
-              printf("wordsize(bytes)=%d,", info->params.rc5.wordsize);
-          break;
-#endif
-      case bltestRSA:
-          if (td) {
-              fprintf(stdout, "%8s", "rsa_mod");
-              fprintf(stdout, "%12s", "rsa_pe");
-          } else {
-              fprintf(stdout, "%8d", info->params.rsa.keysizeInBits);
-              print_exponent(&info->params.rsa.rsakey->publicExponent);
-          }
-          break;
-      case bltestDSA:
-          if (td)
-              fprintf(stdout, "%8s", "pqg_mod");
-          else
-              fprintf(stdout, "%8d", PQG_INDEX_TO_PBITS(info->params.dsa.j));
-          break;
-#ifdef NSS_ENABLE_ECC
-      case bltestECDSA:
-          if (td)
-              fprintf(stdout, "%12s", "ec_curve");
-          else {
-	      ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
-              fprintf(stdout, "%12s",
-                      ecCurve_map[curveName]? ecCurve_map[curveName]->text:
-					      "Unsupported curve");
-	  }
-          break;
-#endif
-      case bltestMD2:
-      case bltestMD5:
-      case bltestSHA1:
-      case bltestSHA256:
-      case bltestSHA384:
-      case bltestSHA512:
-      default:
-          break;
-    }
-    if (!td) {
-        PRInt64 totalThroughPut;
-
-        printPR_smpString("%8s", getHighUnitOps(repetitions),
-                          "%8d", repetitions);
-
-        printPR_smpString("%8s", getHighUnitOps(cxreps), "%8d", cxreps);
-
-        fprintf(stdout, "%12.3f", cxtime);
-        fprintf(stdout, "%12.3f", optime);
-        fprintf(stdout, "%12.03f", totalTimeInt / 1000);
-
-        totalThroughPut = (PRInt64)(totalIn / totalTimeInt * 1000);
-        printPR_smpString("%12s", getHighUnitBytes(totalThroughPut),
-                          "%12d", totalThroughPut);
-
-        fprintf(stdout, "\n");
-        return;
-    }
-    
-    fprintf(stdout, "%8s", "opreps");
-    fprintf(stdout, "%8s", "cxreps");
-    fprintf(stdout, "%12s", "context");
-    fprintf(stdout, "%12s", "op");
-    fprintf(stdout, "%12s", "time(sec)");
-    fprintf(stdout, "%12s", "thrgput");
-    fprintf(stdout, "\n");
-    fprintf(stdout, "%8s", mode_strings[info->mode]);
-    fprintf(stdout, "_%c", (cxonly) ? 'c' : (encrypt) ? 'e' : 'd');
-    printPR_smpString("%12s", getHighUnitBytes(totalIn), "%12d", totalIn);
-    
-    td = !td;
-    goto print_td;
-}
-
-void
-printmodes()
-{
-    bltestCipherMode mode;
-    int nummodes = sizeof(mode_strings) / sizeof(char *);
-    fprintf(stderr, "%s: Available modes (specify with -m):\n", progName);
-    for (mode=0; mode<nummodes; mode++)
-	fprintf(stderr, "%s\n", mode_strings[mode]);
-}
-
-bltestCipherMode
-get_mode(const char *modestring)
-{
-    bltestCipherMode mode;
-    int nummodes = sizeof(mode_strings) / sizeof(char *);
-    for (mode=0; mode<nummodes; mode++)
-	if (PL_strcmp(modestring, mode_strings[mode]) == 0)
-	    return mode;
-    fprintf(stderr, "%s: invalid mode: %s\n", progName, modestring);
-    return bltestINVALID;
-}
-
-void
-load_file_data(PRArenaPool *arena, bltestIO *data,
-	       char *fn, bltestIOMode ioMode)
-{
-    PRFileDesc *file;
-    data->mode = ioMode;
-    data->file = NULL; /* don't use -- not saving anything */
-    data->pBuf.data = NULL;
-    data->pBuf.len = 0;
-    file = PR_Open(fn, PR_RDONLY, 00660);
-    if (file)
-	setupIO(arena, data, file, NULL, 0);
-}
-
-void
-get_params(PRArenaPool *arena, bltestParams *params, 
-	   bltestCipherMode mode, int j)
-{
-    char filename[256];
-    char *modestr = mode_strings[mode];
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    FILE *file;
-    char *mark, *param, *val;
-    int index = 0;
-#endif
-    switch (mode) {
-    case bltestDES_CBC:
-    case bltestDES_EDE_CBC:
-    case bltestRC2_CBC:
-    case bltestAES_CBC:
-    case bltestCAMELLIA_CBC:
-    case bltestSEED_CBC: 
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
-	load_file_data(arena, &params->sk.iv, filename, bltestBinary);
-    case bltestDES_ECB:
-    case bltestDES_EDE_ECB:
-    case bltestRC2_ECB:
-    case bltestRC4:
-    case bltestAES_ECB:
-    case bltestCAMELLIA_ECB:
-    case bltestSEED_ECB:
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
-	load_file_data(arena, &params->sk.key, filename, bltestBinary);
-	break;
-#ifdef NSS_SOFTOKEN_DOES_RC5
-    case bltestRC5_ECB:
-    case bltestRC5_CBC:
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
-	load_file_data(arena, &params->sk.iv, filename, bltestBinary);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
-	load_file_data(arena, &params->sk.key, filename, bltestBinary);
-	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
-			      "params", j);
-	file = fopen(filename, "r");
-	if (!file) return;
-	param = malloc(100);
-	len = fread(param, 1, 100, file);
-	while (index < len) {
-	    mark = PL_strchr(param, '=');
-	    *mark = '\0';
-	    val = mark + 1;
-	    mark = PL_strchr(val, '\n');
-	    *mark = '\0';
-	    if (PL_strcmp(param, "rounds") == 0) {
-		params->rc5.rounds = atoi(val);
-	    } else if (PL_strcmp(param, "wordsize") == 0) {
-		params->rc5.wordsize = atoi(val);
-	    }
-	    index += PL_strlen(param) + PL_strlen(val) + 2;
-	    param = mark + 1;
-	}
-	break;
-#endif
-    case bltestRSA:
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
-	load_file_data(arena, &params->rsa.key, filename, bltestBase64Encoded);
-	params->rsa.rsakey = rsakey_from_filedata(&params->key.buf);
-	break;
-    case bltestDSA:
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
-	load_file_data(arena, &params->dsa.key, filename, bltestBase64Encoded);
-	params->dsa.dsakey = dsakey_from_filedata(&params->key.buf);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "pqg", j);
-	load_file_data(arena, &params->dsa.pqgdata, filename,
-		       bltestBase64Encoded);
-	params->dsa.pqg = pqg_from_filedata(&params->dsa.pqgdata.buf);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "keyseed", j);
-	load_file_data(arena, &params->dsa.keyseed, filename, 
-	               bltestBase64Encoded);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
-	load_file_data(arena, &params->dsa.sigseed, filename, 
-	               bltestBase64Encoded);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
-	load_file_data(arena, &params->dsa.sig, filename, bltestBase64Encoded);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case bltestECDSA:
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
-	load_file_data(arena, &params->ecdsa.key, filename, bltestBase64Encoded);
-	params->ecdsa.eckey = eckey_from_filedata(&params->key.buf);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
-	load_file_data(arena, &params->ecdsa.sigseed, filename, 
-	               bltestBase64Encoded);
-	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
-	load_file_data(arena, &params->ecdsa.sig, filename, bltestBase64Encoded);
-	break;
-#endif
-    case bltestMD2:
-    case bltestMD5:
-    case bltestSHA1:
-    case bltestSHA256:
-    case bltestSHA384:
-    case bltestSHA512:
-	/*params->hash.restart = PR_TRUE;*/
-	params->hash.restart = PR_FALSE;
-	break;
-    default:
-	break;
-    }
-}
-
-SECStatus
-verify_self_test(bltestIO *result, bltestIO *cmp, bltestCipherMode mode,
-		 PRBool forward, SECStatus sigstatus)
-{
-    int res;
-    char *modestr = mode_strings[mode];
-    res = SECITEM_CompareItem(&result->pBuf, &cmp->buf);
-    if (is_sigCipher(mode)) {
-	if (forward) {
-	    if (res == 0) {
-		printf("Signature self-test for %s passed.\n", modestr);
-	    } else {
-		printf("Signature self-test for %s failed!\n", modestr);
-	    }
-	} else {
-	    if (sigstatus == SECSuccess) {
-		printf("Verification self-test for %s passed.\n", modestr);
-	    } else {
-		printf("Verification self-test for %s failed!\n", modestr);
-	    }
-	}
-	return sigstatus;
-    } else if (is_hashCipher(mode)) {
-	if (res == 0) {
-	    printf("Hash self-test for %s passed.\n", modestr);
-	} else {
-	    printf("Hash self-test for %s failed!\n", modestr);
-	}
-    } else {
-	if (forward) {
-	    if (res == 0) {
-		printf("Encryption self-test for %s passed.\n", modestr);
-	    } else {
-		printf("Encryption self-test for %s failed!\n", modestr);
-	    }
-	} else {
-	    if (res == 0) {
-		printf("Decryption self-test for %s passed.\n", modestr);
-	    } else {
-		printf("Decryption self-test for %s failed!\n", modestr);
-	    }
-	}
-    }
-    return (res != 0);
-}
-
-static SECStatus
-blapi_selftest(bltestCipherMode *modes, int numModes, int inoff, int outoff,
-               PRBool encrypt, PRBool decrypt)
-{
-    bltestCipherInfo cipherInfo;
-    bltestIO pt, ct;
-    bltestCipherMode mode;
-    bltestParams *params;
-    int i, j, nummodes, numtests;
-    char *modestr;
-    char filename[256];
-    PRFileDesc *file;
-    PRArenaPool *arena;
-    SECItem item;
-    PRBool finished;
-    SECStatus rv = SECSuccess, srv;
-
-    PORT_Memset(&cipherInfo, 0, sizeof(cipherInfo));
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    cipherInfo.arena = arena;
-
-    finished = PR_FALSE;
-    nummodes = (numModes == 0) ? NUMMODES : numModes;
-    for (i=0; i < nummodes && !finished; i++) {
-	if (numModes > 0)
-	    mode = modes[i];
-	else
-	    mode = i;
-	if (mode == bltestINVALID) {
-	    fprintf(stderr, "%s: Skipping invalid mode.\n",progName);
-	    continue;
-	}
-	modestr = mode_strings[mode];
-	cipherInfo.mode = mode;
-	params = &cipherInfo.params;
-#ifdef TRACK_BLTEST_BUG
-	if (mode == bltestRSA) {
-	    fprintf(stderr, "[%s] Self-Testing RSA\n", __bltDBG);
-	}
-#endif
-	/* get the number of tests in the directory */
-	sprintf(filename, "%s/tests/%s/%s", testdir, modestr, "numtests");
-	file = PR_Open(filename, PR_RDONLY, 00660);
-	if (!file) {
-	    fprintf(stderr, "%s: File %s does not exist.\n", progName,filename);
-	    return SECFailure;
-	}
-	rv = SECU_FileToItem(&item, file);
-#ifdef TRACK_BLTEST_BUG
-	if (mode == bltestRSA) {
-	    fprintf(stderr, "[%s] Loaded data from %s\n", __bltDBG, filename);
-	}
-#endif
-	PR_Close(file);
-	/* loop over the tests in the directory */
-	numtests = 0;
-	for (j=0; j<item.len; j++) {
-	    if (!isdigit(item.data[j])) {
-		break;
-	    }
-	    numtests *= 10;
-	    numtests += (int) (item.data[j] - '0');
-	}
-	for (j=0; j<numtests; j++) {
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Executing self-test #%d\n", __bltDBG, j);
-	    }
-#endif
-	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
-			      "plaintext", j);
-	    load_file_data(arena, &pt, filename, 
-#ifdef NSS_ENABLE_ECC
-	                   ((mode == bltestDSA) || (mode == bltestECDSA))
-#else
-	                   (mode == bltestDSA)
-#endif
-	                   ? bltestBase64Encoded : bltestBinary);
-	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
-			      "ciphertext", j);
-	    load_file_data(arena, &ct, filename, bltestBase64Encoded);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Loaded data for  self-test #%d\n", __bltDBG, j);
-	    }
-#endif
-	    get_params(arena, params, mode, j);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Got parameters for #%d\n", __bltDBG, j);
-	    }
-#endif
-	    /* Forward Operation (Encrypt/Sign/Hash)
-	    ** Align the input buffer (plaintext) according to request
-	    ** then perform operation and compare to ciphertext
-	    */
-	    /* XXX for now */
-	    rv = SECSuccess;
-	    if (encrypt) {
-		bltestCopyIO(arena, &cipherInfo.input, &pt);
-		misalignBuffer(arena, &cipherInfo.input, inoff);
-		memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
-		rv |= cipherInit(&cipherInfo, PR_TRUE);
-		misalignBuffer(arena, &cipherInfo.output, outoff);
-#ifdef TRACK_BLTEST_BUG
-		if (mode == bltestRSA) {
-		    fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
-		}
-#endif
-		rv |= cipherDoOp(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
-		if (mode == bltestRSA) {
-		    fprintf(stderr, "[%s] Performed encrypt for #%d\n", __bltDBG, j);
-		}
-#endif
-		rv |= cipherFinish(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
-		if (mode == bltestRSA) {
-		    fprintf(stderr, "[%s] Finished encrypt for #%d\n", __bltDBG, j);
-		}
-#endif
-		rv |= verify_self_test(&cipherInfo.output, 
-		                       &ct, mode, PR_TRUE, 0);
-#ifdef TRACK_BLTEST_BUG
-		if (mode == bltestRSA) {
-		    fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
-		}
-#endif
-		/* If testing hash, only one op to test */
-		if (is_hashCipher(mode))
-		    continue;
-		/*if (rv) return rv;*/
-	    }
-	    if (!decrypt)
-		continue;
-	    /* XXX for now */
-	    rv = SECSuccess;
-	    /* Reverse Operation (Decrypt/Verify)
-	    ** Align the input buffer (ciphertext) according to request
-	    ** then perform operation and compare to plaintext
-	    */
-#ifdef NSS_ENABLE_ECC
-	    if ((mode != bltestDSA) && (mode != bltestECDSA))
-#else
-	    if (mode != bltestDSA)
-#endif
-		bltestCopyIO(arena, &cipherInfo.input, &ct);
-	    else
-		bltestCopyIO(arena, &cipherInfo.input, &pt);
-	    misalignBuffer(arena, &cipherInfo.input, inoff);
-	    memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
-	    rv |= cipherInit(&cipherInfo, PR_FALSE);
-	    misalignBuffer(arena, &cipherInfo.output, outoff);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
-	    }
-#endif
-	    srv = SECSuccess;
-	    srv |= cipherDoOp(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Performed decrypt for #%d\n", __bltDBG, j);
-	    }
-#endif
-	    rv |= cipherFinish(&cipherInfo);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Finished decrypt for #%d\n", __bltDBG, j);
-	    }
-#endif
-	    rv |= verify_self_test(&cipherInfo.output, 
-	                           &pt, mode, PR_FALSE, srv);
-#ifdef TRACK_BLTEST_BUG
-	    if (mode == bltestRSA) {
-		fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
-	    }
-#endif
-	    /*if (rv) return rv;*/
-	}
-    }
-    return rv;
-}
-
-SECStatus
-dump_file(bltestCipherMode mode, char *filename)
-{
-    bltestIO keydata;
-    PRArenaPool *arena = NULL;
-    arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-    if (mode == bltestRSA) {
-	RSAPrivateKey *key;
-	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
-	key = rsakey_from_filedata(&keydata.buf);
-	dump_rsakey(key);
-    } else if (mode == bltestDSA) {
-#if 0
-	PQGParams *pqg;
-	get_file_data(filename, &item, PR_TRUE);
-	pqg = pqg_from_filedata(&item);
-	dump_pqg(pqg);
-#endif
-	DSAPrivateKey *key;
-	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
-	key = dsakey_from_filedata(&keydata.buf);
-	dump_dsakey(key);
-#ifdef NSS_ENABLE_ECC
-    } else if (mode == bltestECDSA) {
-	ECPrivateKey *key;
-	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
-	key = eckey_from_filedata(&keydata.buf);
-	dump_eckey(key);
-#endif
-    }
-    PORT_FreeArena(arena, PR_FALSE);
-    return SECFailure;
-}
-
-void ThreadExecTest(void *data)
-{
-    bltestCipherInfo *cipherInfo = (bltestCipherInfo*)data;
-
-    if (cipherInfo->mCarlo == PR_TRUE) {
-        int mciter;
-        for (mciter=0; mciter<10000; mciter++) {
-            cipherDoOp(cipherInfo);
-            memcpy(cipherInfo->input.buf.data,
-                   cipherInfo->output.buf.data,
-                   cipherInfo->input.buf.len);
-        }
-    } else {
-        cipherDoOp(cipherInfo);
-    }
-    cipherFinish(cipherInfo);
-}
-
-/* bltest commands */
-enum {
-    cmd_Decrypt = 0,
-    cmd_Encrypt,
-    cmd_FIPS,
-    cmd_Hash,
-    cmd_Nonce,
-    cmd_Dump,
-    cmd_Sign,
-    cmd_SelfTest,
-    cmd_Verify
-};
-
-/* bltest options */
-enum {
-    opt_B64 = 0,
-    opt_BufSize,
-    opt_Restart,
-    opt_SelfTestDir,
-    opt_Exponent,
-    opt_SigFile,
-    opt_KeySize,
-    opt_Hex,
-    opt_Input,
-    opt_PQGFile,
-    opt_Key,
-    opt_HexWSpc,
-    opt_Mode,
-#ifdef NSS_ENABLE_ECC
-    opt_CurveName,
-#endif
-    opt_Output,
-    opt_Repetitions,
-    opt_ZeroBuf,
-    opt_Rounds,
-    opt_Seed,
-    opt_SigSeedFile,
-    opt_CXReps,
-    opt_IV,
-    opt_WordSize,
-    opt_UseSeed,
-    opt_UseSigSeed,
-    opt_SeedFile,
-    opt_InputOffset,
-    opt_OutputOffset,
-    opt_MonteCarlo,
-    opt_ThreadNum,
-    opt_SecondsToRun,
-    opt_CmdLine
-};
-
-static secuCommandFlag bltest_commands[] =
-{
-    { /* cmd_Decrypt	*/ 'D', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Encrypt	*/ 'E', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_FIPS	*/ 'F', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Hash	*/ 'H', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Nonce      */ 'N', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Dump	*/ 'P', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Sign	*/ 'S', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_SelfTest	*/ 'T', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Verify	*/ 'V', PR_FALSE, 0, PR_FALSE }
-};
-
-static secuCommandFlag bltest_options[] =
-{
-    { /* opt_B64	  */ 'a', PR_FALSE, 0, PR_FALSE },
-    { /* opt_BufSize	  */ 'b', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Restart	  */ 'c', PR_FALSE, 0, PR_FALSE },
-    { /* opt_SelfTestDir  */ 'd', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Exponent	  */ 'e', PR_TRUE,  0, PR_FALSE },
-    { /* opt_SigFile      */ 'f', PR_TRUE,  0, PR_FALSE },
-    { /* opt_KeySize	  */ 'g', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Hex	  */ 'h', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Input	  */ 'i', PR_TRUE,  0, PR_FALSE },
-    { /* opt_PQGFile	  */ 'j', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Key	  */ 'k', PR_TRUE,  0, PR_FALSE },
-    { /* opt_HexWSpc	  */ 'l', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Mode	  */ 'm', PR_TRUE,  0, PR_FALSE },
-#ifdef NSS_ENABLE_ECC
-    { /* opt_CurveName	  */ 'n', PR_TRUE,  0, PR_FALSE },
-#endif
-    { /* opt_Output	  */ 'o', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Repetitions  */ 'p', PR_TRUE,  0, PR_FALSE },
-    { /* opt_ZeroBuf	  */ 'q', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Rounds	  */ 'r', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Seed	  */ 's', PR_TRUE,  0, PR_FALSE },
-    { /* opt_SigSeedFile  */ 't', PR_TRUE,  0, PR_FALSE },
-    { /* opt_CXReps       */ 'u', PR_TRUE,  0, PR_FALSE },
-    { /* opt_IV		  */ 'v', PR_TRUE,  0, PR_FALSE },
-    { /* opt_WordSize	  */ 'w', PR_TRUE,  0, PR_FALSE },
-    { /* opt_UseSeed	  */ 'x', PR_FALSE, 0, PR_FALSE },
-    { /* opt_UseSigSeed	  */ 'y', PR_FALSE, 0, PR_FALSE },
-    { /* opt_SeedFile	  */ 'z', PR_FALSE, 0, PR_FALSE },
-    { /* opt_InputOffset  */ '1', PR_TRUE,  0, PR_FALSE },
-    { /* opt_OutputOffset */ '2', PR_TRUE,  0, PR_FALSE },
-    { /* opt_MonteCarlo   */ '3', PR_FALSE, 0, PR_FALSE },
-    { /* opt_ThreadNum    */ '4', PR_TRUE,  0, PR_FALSE },
-    { /* opt_SecondsToRun */ '5', PR_TRUE,  0, PR_FALSE },
-    { /* opt_CmdLine	  */ '-', PR_FALSE, 0, PR_FALSE }
-};
-
-int main(int argc, char **argv)
-{
-    char *infileName, *outfileName, *keyfileName, *ivfileName;
-    SECStatus rv = SECFailure;
-
-    double              totalTime;
-    PRIntervalTime      time1, time2;
-    PRFileDesc          *outfile = NULL;
-    bltestCipherInfo    *cipherInfoListHead, *cipherInfo;
-    bltestIOMode        ioMode;
-    int                 bufsize, exponent, curThrdNum;
-#ifdef NSS_ENABLE_ECC
-    char		*curveName = NULL;
-#endif
-    int			 i, commandsEntered;
-    int			 inoff, outoff;
-    int                  threads = 1;
-
-    secuCommand bltest;
-    bltest.numCommands = sizeof(bltest_commands) / sizeof(secuCommandFlag);
-    bltest.numOptions = sizeof(bltest_options) / sizeof(secuCommandFlag);
-    bltest.commands = bltest_commands;
-    bltest.options = bltest_options;
-
-    progName = strrchr(argv[0], '/');
-    if (!progName) 
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = RNG_RNGInit();
-    if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-    rv = BL_Init();
-    if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-    RNG_SystemInfoForRNG();
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &bltest);
-    if (rv == SECFailure) {
-        fprintf(stderr, "%s: command line parsing error!\n", progName);
-        goto print_usage;
-    }
-    rv = SECFailure;
-
-    cipherInfo = PORT_ZNew(bltestCipherInfo);
-    cipherInfoListHead = cipherInfo;
-    /* set some defaults */
-    infileName = outfileName = keyfileName = ivfileName = NULL;
-
-    /* Check the number of commands entered on the command line. */
-    commandsEntered = 0;
-    for (i=0; i<bltest.numCommands; i++)
-	if (bltest.commands[i].activated)
-	    commandsEntered++;
-
-    if (commandsEntered > 1 &&
-	!(commandsEntered == 2 && bltest.commands[cmd_SelfTest].activated)) {
-	fprintf(stderr, "%s: one command at a time!\n", progName);
-        goto print_usage;
-    }
-
-    if (commandsEntered == 0) {
-	fprintf(stderr, "%s: you must enter a command!\n", progName);
-        goto print_usage;
-    }
-
-    if (bltest.commands[cmd_Sign].activated)
-	bltest.commands[cmd_Encrypt].activated = PR_TRUE;
-    if (bltest.commands[cmd_Verify].activated)
-	bltest.commands[cmd_Decrypt].activated = PR_TRUE;
-    if (bltest.commands[cmd_Hash].activated)
-	bltest.commands[cmd_Encrypt].activated = PR_TRUE;
-
-    inoff = outoff = 0;
-    if (bltest.options[opt_InputOffset].activated)
-	inoff = PORT_Atoi(bltest.options[opt_InputOffset].arg);
-    if (bltest.options[opt_OutputOffset].activated)
-	outoff = PORT_Atoi(bltest.options[opt_OutputOffset].arg);
-
-    testdir = (bltest.options[opt_SelfTestDir].activated) ? 
-                 strdup(bltest.options[opt_SelfTestDir].arg) : ".";
-
-    /*
-     * Handle three simple cases first
-     */
-
-    /* Do BLAPI self-test */
-    if (bltest.commands[cmd_SelfTest].activated) {
-	PRBool encrypt = PR_TRUE, decrypt = PR_TRUE;
-	/* user may specified a set of ciphers to test.  parse them. */
-	bltestCipherMode modesToTest[NUMMODES];
-	int numModesToTest = 0;
-	char *tok, *str;
-	str = bltest.options[opt_Mode].arg;
-	while (str) {
-	    tok = strchr(str, ',');
-	    if (tok) *tok = '\0';
-	    modesToTest[numModesToTest++] = get_mode(str);
-	    if (tok) {
-		*tok = ',';
-		str = tok + 1;
-	    } else {
-		break;
-	    }
-	}
-	if (bltest.commands[cmd_Decrypt].activated &&
-	    !bltest.commands[cmd_Encrypt].activated)
-	    encrypt = PR_FALSE;
-	if (bltest.commands[cmd_Encrypt].activated &&
-	    !bltest.commands[cmd_Decrypt].activated)
-	    decrypt = PR_FALSE;
-	rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
-                            encrypt, decrypt);
-        PORT_Free(cipherInfo);
-        return rv;
-    }
-
-    /* Do FIPS self-test */
-    if (bltest.commands[cmd_FIPS].activated) {
-	CK_RV ckrv = sftk_fipsPowerUpSelfTest();
-	fprintf(stdout, "CK_RV: %ld.\n", ckrv);
-        PORT_Free(cipherInfo);
-        if (ckrv == CKR_OK)
-            return SECSuccess;
-        return SECFailure;
-    }
-
-    /*
-     * Check command line arguments for Encrypt/Decrypt/Hash/Sign/Verify
-     */
-
-    if ((bltest.commands[cmd_Decrypt].activated ||
-	 bltest.commands[cmd_Verify].activated) &&
-	bltest.options[opt_BufSize].activated) {
-	fprintf(stderr, "%s: Cannot use a nonce as input to decrypt/verify.\n",
-			 progName);
-        goto print_usage;
-    }
-
-    if (bltest.options[opt_Mode].activated) {
-	cipherInfo->mode = get_mode(bltest.options[opt_Mode].arg);
-	if (cipherInfo->mode == bltestINVALID) {
-            goto print_usage;
-	}
-    } else {
-	fprintf(stderr, "%s: You must specify a cipher mode with -m.\n",
-			 progName);
-        goto print_usage;
-    }
-
-    
-    if (bltest.options[opt_Repetitions].activated &&
-        bltest.options[opt_SecondsToRun].activated) {
-        fprintf(stderr, "%s: Operation time should be defined in either "
-                "repetitions(-p) or seconds(-5) not both",
-                progName);
-        goto print_usage;
-    }
-
-    if (bltest.options[opt_Repetitions].activated) {
-        cipherInfo->repetitionsToPerfom =
-            PORT_Atoi(bltest.options[opt_Repetitions].arg);
-    } else {
-        cipherInfo->repetitionsToPerfom = 0;
-    }
-
-    if (bltest.options[opt_SecondsToRun].activated) {
-        cipherInfo->seconds = PORT_Atoi(bltest.options[opt_SecondsToRun].arg);
-    } else {
-        cipherInfo->seconds = 0;
-    }
-
-
-    if (bltest.options[opt_CXReps].activated) {
-        cipherInfo->cxreps = PORT_Atoi(bltest.options[opt_CXReps].arg);
-    } else {
-        cipherInfo->cxreps = 0;
-    }
-
-    if (bltest.options[opt_ThreadNum].activated) {
-        threads = PORT_Atoi(bltest.options[opt_ThreadNum].arg);
-        if (threads <= 0) {
-            threads = 1;
-        }
-    }
-
-    /* Dump a file (rsakey, dsakey, etc.) */
-    if (bltest.commands[cmd_Dump].activated) {
-        rv = dump_file(cipherInfo->mode, bltest.options[opt_Input].arg);
-        PORT_Free(cipherInfo);
-        return rv;
-    }
-
-    /* default input mode is binary */
-    ioMode = (bltest.options[opt_B64].activated)     ? bltestBase64Encoded :
-	     (bltest.options[opt_Hex].activated)     ? bltestHexStream :
-	     (bltest.options[opt_HexWSpc].activated) ? bltestHexSpaceDelim :
-						       bltestBinary;
-
-    if (bltest.options[opt_Exponent].activated)
-	exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
-    else
-	exponent = 65537;
-
-#ifdef NSS_ENABLE_ECC
-    if (bltest.options[opt_CurveName].activated)
-	curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
-    else
-	curveName = NULL;
-#endif
-
-    if (bltest.commands[cmd_Verify].activated &&
-        !bltest.options[opt_SigFile].activated) {
-        fprintf(stderr, "%s: You must specify a signature file with -f.\n",
-                progName);
-
-      print_usage:
-        PORT_Free(cipherInfo);
-        Usage();
-    }
-
-    if (bltest.options[opt_MonteCarlo].activated) {
-        cipherInfo->mCarlo = PR_TRUE;
-    } else {
-        cipherInfo->mCarlo = PR_FALSE;
-    }
-
-    for (curThrdNum = 0;curThrdNum < threads;curThrdNum++) {
-        int            keysize = 0;
-        PRFileDesc     *file = NULL, *infile;
-        bltestParams   *params;
-        char           *instr = NULL;
-        PRArenaPool    *arena;
-
-        if (curThrdNum > 0) {
-            bltestCipherInfo *newCInfo = PORT_ZNew(bltestCipherInfo);
-            if (!newCInfo) {
-                fprintf(stderr, "%s: Can not allocate  memory.\n", progName);
-                goto exit_point;
-            }
-            newCInfo->mode = cipherInfo->mode;
-            newCInfo->mCarlo = cipherInfo->mCarlo;
-            newCInfo->repetitionsToPerfom =
-                cipherInfo->repetitionsToPerfom;
-            newCInfo->seconds = cipherInfo->seconds;
-            newCInfo->cxreps = cipherInfo->cxreps;
-            cipherInfo->next = newCInfo;
-            cipherInfo = newCInfo;
-        }
-        arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
-        if (!arena) {
-            fprintf(stderr, "%s: Can not allocate memory.\n", progName);
-            goto exit_point;
-        }
-        cipherInfo->arena = arena;
-        params = &cipherInfo->params;
-        
-        /* Set up an encryption key. */
-        keysize = 0;
-        file = NULL;
-        if (is_symmkeyCipher(cipherInfo->mode)) {
-            char *keystr = NULL;  /* if key is on command line */
-            if (bltest.options[opt_Key].activated) {
-                if (bltest.options[opt_CmdLine].activated) {
-                    keystr = bltest.options[opt_Key].arg;
-                } else {
-                    file = PR_Open(bltest.options[opt_Key].arg,
-                                   PR_RDONLY, 00660);
-                }
-            } else {
-                if (bltest.options[opt_KeySize].activated)
-                    keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
-                else
-                    keysize = 8; /* use 64-bit default (DES) */
-                /* save the random key for reference */
-                file = PR_Open("tmp.key", PR_WRONLY|PR_CREATE_FILE, 00660);
-            }
-            params->key.mode = ioMode;
-            setupIO(cipherInfo->arena, &params->key, file, keystr, keysize);
-            if (file)
-                PR_Close(file);
-        } else if (is_pubkeyCipher(cipherInfo->mode)) {
-            if (bltest.options[opt_Key].activated) {
-                file = PR_Open(bltest.options[opt_Key].arg, PR_RDONLY, 00660);
-            } else {
-                if (bltest.options[opt_KeySize].activated)
-                    keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
-                else
-                    keysize = 64; /* use 512-bit default */
-                file = PR_Open("tmp.key", PR_WRONLY|PR_CREATE_FILE, 00660);
-            }
-            params->key.mode = bltestBase64Encoded;
-#ifdef NSS_ENABLE_ECC
-            pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
-#else
-            pubkeyInitKey(cipherInfo, file, keysize, exponent);
-#endif
-            PR_Close(file);
-        }
-
-        /* set up an initialization vector. */
-        if (cipher_requires_IV(cipherInfo->mode)) {
-            char *ivstr = NULL;
-            bltestSymmKeyParams *skp;
-            file = NULL;
-#ifdef NSS_SOFTOKEN_DOES_RC5
-            if (cipherInfo->mode == bltestRC5_CBC)
-                skp = (bltestSymmKeyParams *)&params->rc5;
-            else
-#endif
-                skp = &params->sk;
-            if (bltest.options[opt_IV].activated) {
-                if (bltest.options[opt_CmdLine].activated) {
-                    ivstr = bltest.options[opt_IV].arg;
-                } else {
-                    file = PR_Open(bltest.options[opt_IV].arg,
-                                   PR_RDONLY, 00660);
-                }
-            } else {
-                /* save the random iv for reference */
-                file = PR_Open("tmp.iv", PR_WRONLY|PR_CREATE_FILE, 00660);
-            }
-            memset(&skp->iv, 0, sizeof skp->iv);
-            skp->iv.mode = ioMode;
-            setupIO(cipherInfo->arena, &skp->iv, file, ivstr, keysize);
-            if (file) {
-                PR_Close(file);
-            }
-        }
-        
-        if (bltest.commands[cmd_Verify].activated) {
-            file = PR_Open(bltest.options[opt_SigFile].arg, PR_RDONLY, 00660);
-            if (cipherInfo->mode == bltestDSA) {
-                memset(&cipherInfo->params.dsa.sig, 0, sizeof(bltestIO));
-                cipherInfo->params.dsa.sig.mode = ioMode;
-                setupIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
-                        file, NULL, 0);
-#ifdef NSS_ENABLE_ECC
-            } else if (cipherInfo->mode == bltestECDSA) {
-                memset(&cipherInfo->params.ecdsa.sig, 0, sizeof(bltestIO));
-                cipherInfo->params.ecdsa.sig.mode = ioMode;
-                setupIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig,
-                        file, NULL, 0);
-#endif
-            }
-            if (file) {
-                PR_Close(file);
-            }
-        }
-        
-        if (bltest.options[opt_PQGFile].activated) {
-            file = PR_Open(bltest.options[opt_PQGFile].arg, PR_RDONLY, 00660);
-            params->dsa.pqgdata.mode = bltestBase64Encoded;
-            setupIO(cipherInfo->arena, &params->dsa.pqgdata, file, NULL, 0);
-            if (file) {
-                PR_Close(file);
-            }
-        }
-
-        /* Set up the input buffer */
-        if (bltest.options[opt_Input].activated) {
-            if (bltest.options[opt_CmdLine].activated) {
-                instr = bltest.options[opt_Input].arg;
-                infile = NULL;
-            } else {
-                /* form file name from testdir and input arg. */
-                char * filename = bltest.options[opt_Input].arg;
-                if (bltest.options[opt_SelfTestDir].activated && 
-                    testdir && filename && filename[0] != '/') {
-                    filename = PR_smprintf("%s/tests/%s/%s", testdir, 
-                                           mode_strings[cipherInfo->mode],
-                                           filename);
-                    if (!filename) {
-                        fprintf(stderr, "%s: Can not allocate memory.\n",
-                                progName);
-                        goto exit_point;
-                    }
-                    infile = PR_Open(filename, PR_RDONLY, 00660);
-                    PR_smprintf_free(filename);
-                } else {
-                    infile = PR_Open(filename, PR_RDONLY, 00660);
-                }
-            }
-        } else if (bltest.options[opt_BufSize].activated) {
-            /* save the random plaintext for reference */
-            char *tmpFName = PR_smprintf("tmp.in.%d", curThrdNum);
-            if (!tmpFName) {
-                fprintf(stderr, "%s: Can not allocate memory.\n", progName);
-                goto exit_point;
-            }
-            infile = PR_Open(tmpFName, PR_WRONLY|PR_CREATE_FILE, 00660);
-            PR_smprintf_free(tmpFName);
-        } else {
-            infile = PR_STDIN;
-        }
-        if (!infile) {
-            fprintf(stderr, "%s: Failed to open input file.\n", progName);
-            goto exit_point;
-        }
-        cipherInfo->input.mode = ioMode;
-
-        /* Set up the output stream */
-        if (bltest.options[opt_Output].activated) {
-            /* form file name from testdir and input arg. */
-            char * filename = bltest.options[opt_Output].arg;
-            if (bltest.options[opt_SelfTestDir].activated && 
-                testdir && filename && filename[0] != '/') {
-                filename = PR_smprintf("%s/tests/%s/%s", testdir, 
-                                       mode_strings[cipherInfo->mode],
-                                       filename);
-                if (!filename) {
-                    fprintf(stderr, "%s: Can not allocate memory.\n", progName);
-                    goto exit_point;
-                }
-                outfile = PR_Open(filename, PR_WRONLY|PR_CREATE_FILE, 00660);
-                PR_smprintf_free(filename);
-            } else {
-                outfile = PR_Open(filename, PR_WRONLY|PR_CREATE_FILE, 00660);
-            }
-        } else {
-            outfile = PR_STDOUT;
-        }
-        if (!outfile) {
-            fprintf(stderr, "%s: Failed to open output file.\n", progName);
-            rv = SECFailure;
-            goto exit_point;
-        }
-        cipherInfo->output.mode = ioMode;
-        if (bltest.options[opt_SelfTestDir].activated && ioMode == bltestBinary)
-            cipherInfo->output.mode = bltestBase64Encoded;
-
-        if (is_hashCipher(cipherInfo->mode))
-            cipherInfo->params.hash.restart =
-                bltest.options[opt_Restart].activated;
-
-        bufsize = 0;
-        if (bltest.options[opt_BufSize].activated)
-            bufsize = PORT_Atoi(bltest.options[opt_BufSize].arg);
-
-        /*infile = NULL;*/
-        setupIO(cipherInfo->arena, &cipherInfo->input, infile, instr, bufsize);
-        if (infile && infile != PR_STDIN)
-            PR_Close(infile);
-        misalignBuffer(cipherInfo->arena, &cipherInfo->input, inoff);
-
-        cipherInit(cipherInfo, bltest.commands[cmd_Encrypt].activated);
-        misalignBuffer(cipherInfo->arena, &cipherInfo->output, outoff);
-    }
-
-    if (!bltest.commands[cmd_Nonce].activated) {
-        TIMESTART();
-        cipherInfo = cipherInfoListHead;
-        while (cipherInfo != NULL) {
-            cipherInfo->cipherThread = 
-                PR_CreateThread(PR_USER_THREAD,
-                                    ThreadExecTest,
-                                    cipherInfo,
-                                    PR_PRIORITY_NORMAL,
-                                    PR_GLOBAL_THREAD,
-                                    PR_JOINABLE_THREAD,
-                                    0);
-            cipherInfo = cipherInfo->next;
-        } 
-
-        cipherInfo = cipherInfoListHead;
-        while (cipherInfo != NULL) {
-            PR_JoinThread(cipherInfo->cipherThread);
-            finishIO(&cipherInfo->output, outfile);
-            cipherInfo = cipherInfo->next;
-        }
-        TIMEFINISH(totalTime, 1);
-    }
-    
-    cipherInfo = cipherInfoListHead;
-    if (cipherInfo->repetitions > 0 || cipherInfo->cxreps > 0 ||
-        threads > 1)
-        dump_performance_info(cipherInfoListHead, totalTime,
-                              bltest.commands[cmd_Encrypt].activated,
-	                      (cipherInfo->repetitions == 0));
-    
-    rv = SECSuccess;
-
-  exit_point:
-    if (outfile && outfile != PR_STDOUT)
-	PR_Close(outfile);
-    cipherInfo = cipherInfoListHead;
-    while (cipherInfo != NULL) {
-        bltestCipherInfo *tmpInfo = cipherInfo;
-
-        if (cipherInfo->arena)
-            PORT_FreeArena(cipherInfo->arena, PR_TRUE);
-        cipherInfo = cipherInfo->next;
-        PORT_Free(tmpInfo);
-    }
-
-    /*NSS_Shutdown();*/
-
-    return SECSuccess;
-}
-
diff --git a/security/nss/cmd/bltest/manifest.mn b/security/nss/cmd/bltest/manifest.mn
deleted file mode 100644
index 3c283af6d..000000000
--- a/security/nss/cmd/bltest/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-REQUIRES = seccmd dbm softoken
-
-INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
-
-PROGRAM = bltest
-
- USE_STATIC_LIBS = 1
-
-EXPORTS = \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	$(NULL)
-
-CSRCS = \
-	blapitest.c \
-	$(NULL)
-
diff --git a/security/nss/cmd/bltest/tests/README b/security/nss/cmd/bltest/tests/README
deleted file mode 100644
index 9982a2f15..000000000
--- a/security/nss/cmd/bltest/tests/README
+++ /dev/null
@@ -1,49 +0,0 @@
-This directory contains a set of tests for each cipher supported by
-BLAPI.  Each subdirectory contains known plaintext and ciphertext pairs
-(and keys and/or iv's if needed).  The tests can be run as a full set
-with:
-    bltest -T
-or as subsets, for example:
-    bltest -T -m des_ecb,md2,rsa
-
-In each subdirectory, the plaintext, key, and iv are ascii, and treated
-as such.  The ciphertext is base64-encoded to avoid the hassle of binary
-files.
-
-To add a test, incremement the value in the numtests file.  Create a
-plaintext, key, and iv file, such that the name of the file is
-incrememted one from the last set of tests.  For example, if you are
-adding the second test, put your data in files named plaintext1, key1,
-and iv1 (ignoring key and iv if they are not needed, of course).  Make
-sure your key and iv are the correct number of bytes for your cipher (a
-trailing \n is okay, but any other trailing bytes will be used!).  Once
-you have your input data, create output data by running bltest on a
-trusted implementation.  For example, for a new DES ECB test, run
-    bltest -E -m des_ecb -i plaintext1 -k key1 -o ciphertext1 -a in the
-tests/des_ecb directory.  Then run
-    bltest -T des_ecb from the cmd/bltest directory in the tree of the
-implementation you want to test.
-
-Note that the -a option above is important, it tells bltest to expect
-the input to be straight ASCII, and not base64 encoded binary!
-
-Special cases:
-
-RC5:
-RC5 can take additional parameters, the number of rounds to perform and
-the wordsize to use.  The number of rounds is between is between 0 and
-255, and the wordsize is either is either 16, 32, or 64 bits (at this
-time only 32-bit is supported).  These parameters are specified in a
-paramsN file, where N is an index as above.  The format of the file is
-"rounds=R\nwordsize=W\n".
-
-public key modes (RSA and DSA):
-Asymmetric key ciphers use keys with special properties, so creating a
-key file with "Mozilla!" in it will not get you very far!  To create a
-public key, run bltest with the plaintext you want to encrypt, using a
-trusted implementation.  bltest will generate a key and store it in
-"tmp.key", rename that file to keyN.  For example:
-    bltest -E -m rsa -i plaintext0 -o ciphertext0 -e 65537 -g 32 -a
-    mv tmp.key key0
-
-[note: specifying a keysize (-g) when using RSA is important!]
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
deleted file mode 100644
index 040a397d7..000000000
--- a/security/nss/cmd/bltest/tests/aes_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-oJLgOzZ1GiWt3DGo2sPKaA==

diff --git a/security/nss/cmd/bltest/tests/aes_cbc/iv0 b/security/nss/cmd/bltest/tests/aes_cbc/iv0
deleted file mode 100644
index 4e65bc034..000000000
--- a/security/nss/cmd/bltest/tests/aes_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-qwertyuiopasdfgh
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/key0 b/security/nss/cmd/bltest/tests/aes_cbc/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/aes_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/numtests b/security/nss/cmd/bltest/tests/aes_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/aes_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/aes_cbc/plaintext0 b/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/aes_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
deleted file mode 100644
index d6818c1d0..000000000
--- a/security/nss/cmd/bltest/tests/aes_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-PVuaCIiaKQhblgFCbVMTTg==

diff --git a/security/nss/cmd/bltest/tests/aes_ecb/key0 b/security/nss/cmd/bltest/tests/aes_ecb/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/aes_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/numtests b/security/nss/cmd/bltest/tests/aes_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/aes_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/aes_ecb/plaintext0 b/security/nss/cmd/bltest/tests/aes_ecb/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/aes_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0
deleted file mode 100644
index e7895954a..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-taydfPlRJe3wf8Td0xJ9Tw==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1
deleted file mode 100644
index 7dbd9b036..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-yoYCZwKnUMcS4ADHxnwObA==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2 b/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2
deleted file mode 100644
index 007a2b0fa..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/ciphertext2
+++ /dev/null
@@ -1 +0,0 @@
-T+Wn4cs1Sbqrh/XtNd4vzQ==

diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/iv0 b/security/nss/cmd/bltest/tests/camellia_cbc/iv0
deleted file mode 100644
index 4e65bc034..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-qwertyuiopasdfgh
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key0 b/security/nss/cmd/bltest/tests/camellia_cbc/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key1 b/security/nss/cmd/bltest/tests/camellia_cbc/key1
deleted file mode 100644
index a9cb2f12f..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/key1
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210fedcba98
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/key2 b/security/nss/cmd/bltest/tests/camellia_cbc/key2
deleted file mode 100644
index ab55fe2ee..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/key2
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/numtests b/security/nss/cmd/bltest/tests/camellia_cbc/numtests
deleted file mode 100644
index 00750edc0..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-3
diff --git a/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0 b/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/camellia_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0
deleted file mode 100644
index 084ba780e..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-6v0CGxSwow3AhsyhunfdbQ==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1
deleted file mode 100644
index dbd6e5f42..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-Nf1GwJiBtZT+VPJp+gBhPA==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2 b/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2
deleted file mode 100644
index 0b278ce2a..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/ciphertext2
+++ /dev/null
@@ -1 +0,0 @@
-ilB/0K3SI86Oecwh7cruGA==

diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key0 b/security/nss/cmd/bltest/tests/camellia_ecb/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key1 b/security/nss/cmd/bltest/tests/camellia_ecb/key1
deleted file mode 100644
index a9cb2f12f..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/key1
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210fedcba98
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/key2 b/security/nss/cmd/bltest/tests/camellia_ecb/key2
deleted file mode 100644
index ab55fe2ee..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/key2
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/numtests b/security/nss/cmd/bltest/tests/camellia_ecb/numtests
deleted file mode 100644
index 00750edc0..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-3
diff --git a/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0 b/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/camellia_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0
deleted file mode 100644
index 61dae3192..000000000
--- a/security/nss/cmd/bltest/tests/des3_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-KV3MDNGKWOc=
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/iv0 b/security/nss/cmd/bltest/tests/des3_cbc/iv0
deleted file mode 100644
index 97b5955f7..000000000
--- a/security/nss/cmd/bltest/tests/des3_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-12345678
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/key0 b/security/nss/cmd/bltest/tests/des3_cbc/key0
deleted file mode 100644
index 588efd111..000000000
--- a/security/nss/cmd/bltest/tests/des3_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-abcdefghijklmnopqrstuvwx
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/numtests b/security/nss/cmd/bltest/tests/des3_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/des3_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/des3_cbc/plaintext0 b/security/nss/cmd/bltest/tests/des3_cbc/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/des3_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0
deleted file mode 100644
index 76dc820d3..000000000
--- a/security/nss/cmd/bltest/tests/des3_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-RgckVNh4QcM=
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/key0 b/security/nss/cmd/bltest/tests/des3_ecb/key0
deleted file mode 100644
index 588efd111..000000000
--- a/security/nss/cmd/bltest/tests/des3_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-abcdefghijklmnopqrstuvwx
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/numtests b/security/nss/cmd/bltest/tests/des3_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/des3_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/des3_ecb/plaintext0 b/security/nss/cmd/bltest/tests/des3_ecb/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/des3_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/des_cbc/ciphertext0
deleted file mode 100644
index 67d2ad1aa..000000000
--- a/security/nss/cmd/bltest/tests/des_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-Perdg9FMYQ4=
diff --git a/security/nss/cmd/bltest/tests/des_cbc/iv0 b/security/nss/cmd/bltest/tests/des_cbc/iv0
deleted file mode 100644
index 97b5955f7..000000000
--- a/security/nss/cmd/bltest/tests/des_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-12345678
diff --git a/security/nss/cmd/bltest/tests/des_cbc/key0 b/security/nss/cmd/bltest/tests/des_cbc/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/des_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/des_cbc/numtests b/security/nss/cmd/bltest/tests/des_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/des_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/des_cbc/plaintext0 b/security/nss/cmd/bltest/tests/des_cbc/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/des_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/des_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/des_ecb/ciphertext0
deleted file mode 100644
index 8be22fa5c..000000000
--- a/security/nss/cmd/bltest/tests/des_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-3bNoWzzNiFc=
diff --git a/security/nss/cmd/bltest/tests/des_ecb/key0 b/security/nss/cmd/bltest/tests/des_ecb/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/des_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/des_ecb/numtests b/security/nss/cmd/bltest/tests/des_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/des_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/des_ecb/plaintext0 b/security/nss/cmd/bltest/tests/des_ecb/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/des_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/dsa/ciphertext0 b/security/nss/cmd/bltest/tests/dsa/ciphertext0
deleted file mode 100644
index 8e7150562..000000000
--- a/security/nss/cmd/bltest/tests/dsa/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-fB0bnKWvjT6X5NIkZ5l/Y/DXZ6QNI6j0iPhR/ZERkfj67xRnTWY1cg==
diff --git a/security/nss/cmd/bltest/tests/dsa/key0 b/security/nss/cmd/bltest/tests/dsa/key0
deleted file mode 100644
index e582eeb04..000000000
--- a/security/nss/cmd/bltest/tests/dsa/key0
+++ /dev/null
@@ -1,6 +0,0 @@
-AAAAQI3ypJRJInaqPSV1m7BoacvqwNg6+40M98u4Mk8NeILl0HYvxbchDq/C6a2s

-Mqt6rElpPfv4NyTC7Ac27jHIApEAAAAUx3MhjHN+yO6ZO08t7TD0jtrOkV8AAABA

-Ym0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5Uhklyc

-xC6fb0ZLCIzFcq9T5teIAgAAAEAZExhx11sWEqgZ8p140bDXNG96p3u2KoWb/WxW

-ddqdIS06Nu8Wcu9mC4x8JVzA7HSFj7oz9EwGaZYwp2sDDuMzAAAAFCBwsyI9ujcv

-3hwP/HsuO0mLJgYU

diff --git a/security/nss/cmd/bltest/tests/dsa/keyseed0 b/security/nss/cmd/bltest/tests/dsa/keyseed0
deleted file mode 100644
index 6eea359db..000000000
--- a/security/nss/cmd/bltest/tests/dsa/keyseed0
+++ /dev/null
@@ -1 +0,0 @@
-AAAAAAAAAAAAAAAAAAAAAAAAAAA=

diff --git a/security/nss/cmd/bltest/tests/dsa/numtests b/security/nss/cmd/bltest/tests/dsa/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/dsa/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/dsa/plaintext0 b/security/nss/cmd/bltest/tests/dsa/plaintext0
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/dsa/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/dsa/pqg0 b/security/nss/cmd/bltest/tests/dsa/pqg0
deleted file mode 100644
index f16326ccc..000000000
--- a/security/nss/cmd/bltest/tests/dsa/pqg0
+++ /dev/null
@@ -1,4 +0,0 @@
-AAAAQI3ypJRJInaqPSV1m7BoacvqwNg6+40M98u4Mk8NeILl0HYvxbchDq/C6a2s

-Mqt6rElpPfv4NyTC7Ac27jHIApEAAAAUx3MhjHN+yO6ZO08t7TD0jtrOkV8AAABA

-Ym0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5Uhklyc

-xC6fb0ZLCIzFcq9T5teIAg==

diff --git a/security/nss/cmd/bltest/tests/dsa/sigseed0 b/security/nss/cmd/bltest/tests/dsa/sigseed0
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/dsa/sigseed0
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/README b/security/nss/cmd/bltest/tests/ecdsa/README
deleted file mode 100644
index 764aeec81..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/README
+++ /dev/null
@@ -1,22 +0,0 @@
-0  secp160k1
-1  secp160r1
-2  secp160r2
-3  nistk163
-4  sect163r1
-5  nistb163
-6  secp192k1
-7  nistp192
-8  secp224k1
-9  nistp224
-10 nistk233
-11 nistb233
-12 nistp256
-13 nistk283
-14 nistb283
-15 nistp384
-16 nistk409
-17 nistb409
-18 nistk571
-19 nistb571
-# the following tests are not yet implemented
-#20 nistp521
diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext0 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext0
deleted file mode 100644
index 14d8e0ece..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-GoWqve3YezF7HOABQjioFL/3oq32oM9pHsGTQTJE7aFE62nItVqAdg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext1 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext1
deleted file mode 100644
index 4484aae61..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-PM6xHbiwP6Xcb44mg7BHtaJvd8PkxgvHAB1sh2cF0so3naFf0Tj6vQ==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext10 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext10
deleted file mode 100644
index a956d53a6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext10
+++ /dev/null
@@ -1,2 +0,0 @@
-AF3bbyED08NTrUgKmag9HiuUbaW0skXA/Bp9RPjRAD6M0rp3nvLDKozI940jxPP1

-nWpHF7VcyCVzJeV6

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext11 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext11
deleted file mode 100644
index 8cc2c2623..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext11
+++ /dev/null
@@ -1,2 +0,0 @@
-AOLrxy4FWd29ToUjOwLs6GyQ+dYZN6NkZ8oVO6dsAEXt55ePlCWZbOtmk6v9PrNG

-JOsY/MHnGhDeAGRl

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext12 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext12
deleted file mode 100644
index 5a05a7863..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext12
+++ /dev/null
@@ -1,2 +0,0 @@
-aQHMte9cFByD9Ff3rZOPOtPI75luPoxemmgjXIgh/9jEeoTdDk8xuAYQUkayCfs+

-DpDaGnOLkfAyZ8GcuaCujg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext13 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext13
deleted file mode 100644
index 690c00a71..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext13
+++ /dev/null
@@ -1,2 +0,0 @@
-AaeVCRJQPbpTqa1+zLd/8xAbkz3KKTr0dlS4tuGC8hc9j5esAeEv+7IklbA3v5Jz

-jC+nJy4p81iNO5E9H8nfGGckfQSiFzHG

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext14 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext14
deleted file mode 100644
index fe527c625..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext14
+++ /dev/null
@@ -1,2 +0,0 @@
-AgU0N7zJPg/1UxmCWD5Z+DqDqkRKjy4heFgayCyopb/u4XErAZArgsjashAxzMKC

-PSDJasPT90T5Va8sNtjXtSpHWxc2roV9

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext15 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext15
deleted file mode 100644
index d1090942a..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext15
+++ /dev/null
@@ -1,2 +0,0 @@
-NXo8is+7lAoOwWGt7+GBbT/UX8LGs8TXEHBI+tX9311pJ4J3pfBYobgN0ZK6ZBtp

-dS6PkrPaQp0S9nrfTOS5uAH95eD1eymRfCbOnjTUKzLuIn53V17vRjdcDtLzrhzX

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext16 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext16
deleted file mode 100644
index d5fe14482..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext16
+++ /dev/null
@@ -1,3 +0,0 @@
-ADhxjBz/ACTy4GJlL0tYZpyNpC4DsXND9lJuU7x9N7g6gkpJyBPw3vBYU1olw6PH

-dnegpgAm4Gh6MCsZB4KBcLwl1wjt4B3p2eqEqDYn5fiie5f4XuRomvI92jR5Sb+I

-nBLCHIppt/Q=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext17 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext17
deleted file mode 100644
index 486bf664f..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext17
+++ /dev/null
@@ -1,3 +0,0 @@
-AGhHQ6kfdZRgu1svQTXEIewvFVglnUy6ANPumyUbM14AEfRkCUNa1uzvhV1sbWYj

-qT3egQCA9MTjThDNJeDOvvL6hVVOryUv4+C3RtkpQGCtdml+CSsjVTej8h9JbMds

-Dme40b2G6fE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext18 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext18
deleted file mode 100644
index 7eeef3811..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext18
+++ /dev/null
@@ -1,3 +0,0 @@
-AGBuqk48tufy0bKEWpu+xEHsmi+6KCfdwOSRwLDnpVetGe9AWknHDzeTSwe0QxcE

-RsEkUZGDpxfzUlCLSSSU+ErrYY/uyLV2AJTb3prB6A2YNwdmFGeRbDoxeOu7FuQA

-3gxBQhR+TGMuskeM+BdHFmFrwvTTdHCGzjTBa5S8mbgEJTfeik/it28T/9i+duZ8

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext19 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext19
deleted file mode 100644
index ef8e5f381..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext19
+++ /dev/null
@@ -1,3 +0,0 @@
-AaiotJfCiWU1d2LFe+t0CcWHDSF7EOlApWYJ+RNRSq8TbkXJIzi6abbb7BovtRwf

-i/COYwjS7OnkFQ6x5Pdrb7OZ0dTAdDRXAKtXWSKR20Y4fhnx/HUxisFwKrsCEQ3O

-uVtwDG8rh5V8zjBnCEcs5Iy9CsklucibR0PIyglVmW+ZuY42YNebuOC2VUKqHNF7

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext2 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext2
deleted file mode 100644
index a3837a410..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext2
+++ /dev/null
@@ -1 +0,0 @@
-Vli8Hau3xL8oder6ZdM9Y3fMd92jbguiMq6F+9CUjlUQXy5EwAVGeg==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext20 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext20
deleted file mode 100644
index 67c99244a..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext20
+++ /dev/null
@@ -1,3 +0,0 @@
-ALAM5hGnex7TvBbSEzDlfv+n5g7aWyRyZsBbl2Y6wW1plSovbq2GcV6w1ZV1Vlot

-70zbqkKyNApvTi3xoD4Ens6pAeLMYDILwaQhnyJZWQv3etbWqUKJZNgfH1IDj03k

-n9hbjYLX3y4bc4CnrhOiv5Ab34s7M8wUYcjC+DbHwhLl/S6N

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext3 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext3
deleted file mode 100644
index e9a480882..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext3
+++ /dev/null
@@ -1 +0,0 @@
-AFohw5TN/dpmqbhp/T4z1Rl1boAUA6r9eEPJbYN0zf+eHZzyvezxqjxU

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext4 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext4
deleted file mode 100644
index 57ce239ab..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext4
+++ /dev/null
@@ -1 +0,0 @@
-AtJdCPXn5yQW34jekhsnsNmaMOeeA3KIVl1d2+7pb6QycUAzYccgwSrp

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext5 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext5
deleted file mode 100644
index e476c80bf..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext5
+++ /dev/null
@@ -1 +0,0 @@
-AzEg0sOGHwxd0o3cv+o9dsRPOzXMAdpgtI6O0uUmVN2+a5qI5FYQlItz

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext6 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext6
deleted file mode 100644
index bdea7171d..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext6
+++ /dev/null
@@ -1 +0,0 @@
-5+HDXH/ieN8Bzxd3dfxKZoqbbhsm7jyeqWdemt6Xy0kx+7zwSYsh9Ng5KRdy6wtA

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext7 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext7
deleted file mode 100644
index 3273fd9f7..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext7
+++ /dev/null
@@ -1 +0,0 @@
-WcS9umnUASP0X6lHvkWJwPY37ZVvAMLBERHLjL3Vzg6QVjwcS8kDVortTFei3aTx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext8 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext8
deleted file mode 100644
index 636392e43..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext8
+++ /dev/null
@@ -1,2 +0,0 @@
-ItpmPaGAaoe2feXPbh5+EASLGnEzyYbEnwJ+JFNSOQcoY4a/cMV2rn8FYyBsEDiZ

-LPDBU0i2uOg=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/ciphertext9 b/security/nss/cmd/bltest/tests/ecdsa/ciphertext9
deleted file mode 100644
index 0c43fa3d7..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/ciphertext9
+++ /dev/null
@@ -1,2 +0,0 @@
-QjzCVGRUjulOLqeBqC5xpY0GWomOrmQUCtImY0czn98a/jHrdgsSRKiMHukBUxM1

-TIRGjkV2L+A=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key0 b/security/nss/cmd/bltest/tests/ecdsa/key0
deleted file mode 100644
index 7c6d61b36..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key0
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAAkAAAApBPiF0ntSFtn41JULxlA1l/lHE/zUPGJWkCqtdOryS6yD

-WFCoF/IHwHsAAAAUcw+b2b1AJUlmezgu5EjmAGPC0YQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key1 b/security/nss/cmd/bltest/tests/ecdsa/key1
deleted file mode 100644
index 049aa1edb..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key1
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAAgAAAApBI80VWK9xatmkFRiDTcdeFQ0T9h3h6iVOinMURyWZw0T

-5vZqd8/gvwwAAAAUYOQMjDdtNSL5zY0nVWPWY+UJoqQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key10 b/security/nss/cmd/bltest/tests/ecdsa/key10
deleted file mode 100644
index 3e3341714..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key10
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEABoAAAA9BACmzalMQJBOWV2FoyV0tXSpT07Xajq4bB1SUwSY7QGn

-dgGC3GBqjPs9vEpqfMMQ2M9k3+5oubWnexNFhQAAAB4BRha/6sE7VSHl92ZqCj5p

-LYtBpK23jzfdVWO8SAY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key11 b/security/nss/cmd/bltest/tests/ecdsa/key11
deleted file mode 100644
index 6111d52ad..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key11
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEABsAAAA9BAD2/x9HSYYVEQ9AU4MivlIKPypJjsm0sTrp8BftlQGv

-KaYrKpZCg/CEw3C2kqvke7HAu+10hafK9asRxQAAAB4AXyFCurtsXhahkyJpkb5J

-LUg3xVL00vviR0KyFZY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key12 b/security/nss/cmd/bltest/tests/ecdsa/key12
deleted file mode 100644
index 491fdba1b..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key12
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAACgYIKoZIzj0DAQcAAABBBNGB7n4kH15tKA/SMpetaQVqg6WxIuuUuMQT2tDX

-NN5jKZfaxD47NsTjTr3x3D5t1qRBYuL6VtdgIuxBIHGG9dcAAAAgaGjyZBL+LN3a

-7NkGiHJBfqh7XKNH0AnPF3vFWpostIQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key13 b/security/nss/cmd/bltest/tests/ecdsa/key13
deleted file mode 100644
index fc8057a57..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key13
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEABAAAABJBAT3klWkt7+1Pr6QGEcvEIZplopwt1alrsJUThDOxvUF

-7KvBpQLVjB+DQTwYQnEREb/WFyRgUBuIbII0+zd/g0fLHE4PQ8SNlAAAACQFPsMX

-mqSVRreUVasUOIZQFB2jnpwCUyoq+xa9SRril5LeOCY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key14 b/security/nss/cmd/bltest/tests/ecdsa/key14
deleted file mode 100644
index 2e158236c..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key14
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEABEAAABJBAf/ei/XCrFrMZLBp5BFkKZ3Odn+ZJu7QIAK32Ubuxmi

-xgWTewf2vv+KY5kHwsBYuBXmmnKe9Ak9zGP4Lykvgk5n5J6iUz5ycQAAACQAQHXa

-d29OqGxoDNCl9xETW3tAL/2hfZzstNuOPLm5kj4j1Dc=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key15 b/security/nss/cmd/bltest/tests/ecdsa/key15
deleted file mode 100644
index a062f1f67..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key15
+++ /dev/null
@@ -1,4 +0,0 @@
-AAAABwYFK4EEACIAAABhBLWMJG3t4khPYcsl3H492rAqukJ1RqJm27pqpN54rFGG

-r2VDwOfqb9tMninq8IyOh42eaaVOEPXXu4Q/ATWBEfrbTRBjTpzAE2SSPuQma0lM

-q0RSVECCgdBOKIhB0H6VxAAAADA3WPjUaMWCS9E5KbVDrEcf5CV5tCNNWJQkwjsA

-yALMCiXJqRVXwbq42WMuaELMW+g=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key16 b/security/nss/cmd/bltest/tests/ecdsa/key16
deleted file mode 100644
index d2694ae41..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key16
+++ /dev/null
@@ -1,4 +0,0 @@
-AAAABwYFK4EEACQAAABpBADkgknFgTPuirxQxFlqIK+vcARWzlpJR+qmyRyQsBiz

-Nh6Ws036xUKY9M8LxMIWXFNM6aIA2wxKsBF+HHD6oy27EAJSJOGbke/9F9Kv5AiW

-2RXA4mllUaxCNsuQ36PqUdqv4FeXxWTpAAAANAHTZloqhR0V4bfyaeo2hojcvY3T

-NO04ewNryBpsHZ0bhID0EfewYuwQmX00GYNfuV3mJ2w=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key17 b/security/nss/cmd/bltest/tests/ecdsa/key17
deleted file mode 100644
index 30be05774..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key17
+++ /dev/null
@@ -1,4 +0,0 @@
-AAAABwYFK4EEACUAAABpBAAEE/bAmqCjO3FLvN93Q/UjDyDp2sj+F//buuf1hZ0K

-1rSOGXMLcBrqVa8R6UJ57F9/Yc0BCTylpJMXjfCr4eDczG4WOQk+5x8kpKQs5Q9U

-V3IolHDiQY/Nhn7o4UFn5/mF71T3qUqwAAAANAH/o7jEl9Bw+Arj9uQ7ZHkoPGgx

-t92UJg1r/lxa7UUd66iJfRI8n8yQH/sw56D1+CweeII=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key18 b/security/nss/cmd/bltest/tests/ecdsa/key18
deleted file mode 100644
index bbdcb1371..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key18
+++ /dev/null
@@ -1,5 +0,0 @@
-AAAABwYFK4EEACYAAACRBAffZTrfwIl0dciO2fui3UhZw6r+jnFh7gyER92gXL7+

-LzPgTHagd1vdQiIX4K8Dv76KN0BldiFuX5odP7qC26MUaiURDdWT0AWcPmumSSBH

-NXZYLLx5hQjW3BTNwV7v5bmUjezfgtuOCC30dQGs2GMgExAmiWRjTkiPrHg1SFKF

-3RklauOyMWauaVpEzh3c+wAAAEgAZvLs4/Rx7tS+QGH92fGGIxPWPbVYOpDKwabY

-poV2i1BD5Fxvw+eHlvxVOLmRPqRCPTfOLwAeNbHyt17U/BVZ8+svTChlzuA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key19 b/security/nss/cmd/bltest/tests/ecdsa/key19
deleted file mode 100644
index 31b4071f2..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key19
+++ /dev/null
@@ -1,5 +0,0 @@
-AAAABwYFK4EEACcAAACRBASpPvOfQVqiMD+cBL/nulFit5pk/5beJ6/KpeIltg4s

-6/s7PPggJA59BP7RJwak6rgY3PsRqXVPjyM/1UkUfRUR2BJgOfNTkQe9WF7Y5zXy

-TM76cWhOP+sLSoUcscy/HTLCpHqRLLvWZPDzgjrfJqSlydMEDZjWsJRVPk9IfeQ/

-amGiWOhJIQd/bSrAazZn6AAAAEgFz1qZzjHuhuP1boJ7gzndJhQslx1efbESxHSc

-wbOpeBpw2MsCAwjtgo3Y8pviFIC8+5MStkFjE8uHQ0ngXc02wm3G0xj8XGQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key2 b/security/nss/cmd/bltest/tests/ecdsa/key2
deleted file mode 100644
index f4ba6f2f2..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key2
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAB4AAAApBGouC+vgvmItzsLO4hXn+AXi3skEE+M19o/QHLfjibbA

-p7av8F4tcGgAAAAUmpQDUgnIkiXPBs0moD4jEmJHato=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key20 b/security/nss/cmd/bltest/tests/ecdsa/key20
deleted file mode 100644
index c4da3486d..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key20
+++ /dev/null
@@ -1,5 +0,0 @@
-AAAABwYFK4EEACMAAACFBAHLMSpMFVyG6mXE7SZ5O5Bwv4d8/QiAB3BzpXkyrU1W

-jJ9O9uOYTXM+cFtF5v56+LsI4yGkaAl9+RF6lFPjrhpIswCmBmEqMBgZpjoz38my

-nLHBI9MaFF8AHkRQwD3LJLo4eSZHOVkdIvDYLwicdlgr0zD3Nf76/HB1+0DkBGqE

-MyG22gAAAEIAFah7z179UbqqdH68pzdZsP1ChXjtYZ11rBM0+HP7yLirxH3ahKTt

-DjsY19GEjz4gKsaLfLiQ1/Dp+VKVLcBKpk0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key3 b/security/nss/cmd/bltest/tests/ecdsa/key3
deleted file mode 100644
index 689e06bda..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key3
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAAEAAAArBAe4qW9DTVGRVIYYznwJZbn8mWXLugA2A+Mv112Bu+y7

-gxI8E4/fEdLTsQAAABUGEQDNcbxi0JhwALA8FCCxvmWYM3E=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key4 b/security/nss/cmd/bltest/tests/ecdsa/key4
deleted file mode 100644
index 90ecb72c6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key4
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAAIAAAArBAXw45Pc59l1QWmAB1W6M30lyFzQmAH/0FIFKYgEOYIa

-dnEXMwKNwaRdsQAAABUCErj052f+Rth5OxAm376LOAQyvBY=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key5 b/security/nss/cmd/bltest/tests/ecdsa/key5
deleted file mode 100644
index b9d221f8e..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key5
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAA8AAAArBAFhm71N2wsUOYCwDNr/6rFvNX1okAbki1SNlHq2TQDO

-Bktd1M0jlApWVQAAABUCILsraWg3Qi5nBsXQ1pGmZk0YuSA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key6 b/security/nss/cmd/bltest/tests/ecdsa/key6
deleted file mode 100644
index 92fb463dc..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key6
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAABwYFK4EEAB8AAAAxBHOYACoc9XsLk5n8NZZKV2U9CDoMj/VRDvqbf+myloR7

-uBfVNm+uVN33Sa65phAfXQAAABitxs6KZtkqU4tglcdQ1Rmk2U74vjYP0JM=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key7 b/security/nss/cmd/bltest/tests/ecdsa/key7
deleted file mode 100644
index 83fced184..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key7
+++ /dev/null
@@ -1,2 +0,0 @@
-AAAACgYIKoZIzj0DAQEAAAAxBOyOI+rIs3x+jsChxQqSVblnoZGqhIM1WX0FMfw+

-D8Dz6Y25iPcAQFpIAWh29FxnrgAAABh+uEQYXwMB783sULxE6PEd1t/MNZ9HSHI=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key8 b/security/nss/cmd/bltest/tests/ecdsa/key8
deleted file mode 100644
index cc7c6103b..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key8
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEACAAAAA5BKQnZoj4VtlPqrJ5dekM4haG+7PjfgO4wNNIqD7JnrKI

-gTUd+oUQ41d517xCObyBaHNzdVPty9DvAAAAHIrG9+FE+OJV5UV2l/op7PCDPI4G

-qkpgzPIwe7U=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/key9 b/security/nss/cmd/bltest/tests/ecdsa/key9
deleted file mode 100644
index ab8f43bae..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/key9
+++ /dev/null
@@ -1,3 +0,0 @@
-AAAABwYFK4EEACEAAAA5BGCNDWldzQCbI83PMR96tqR6JnIUpvfIO8l6hIf/QfMc

-rx2BbrSLoy6EJmP++Jyw5yNyaoVaNYl6AAAAHDnjgcUSIshTSLuejnSsvtvU363b

-1NJv4ULUbIs=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/numtests b/security/nss/cmd/bltest/tests/ecdsa/numtests
deleted file mode 100644
index aabe6ec39..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/numtests
+++ /dev/null
@@ -1 +0,0 @@
-21
diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext0 b/security/nss/cmd/bltest/tests/ecdsa/plaintext0
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext1 b/security/nss/cmd/bltest/tests/ecdsa/plaintext1
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext1
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext10 b/security/nss/cmd/bltest/tests/ecdsa/plaintext10
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext10
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext11 b/security/nss/cmd/bltest/tests/ecdsa/plaintext11
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext11
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext12 b/security/nss/cmd/bltest/tests/ecdsa/plaintext12
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext12
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext13 b/security/nss/cmd/bltest/tests/ecdsa/plaintext13
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext13
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext14 b/security/nss/cmd/bltest/tests/ecdsa/plaintext14
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext14
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext15 b/security/nss/cmd/bltest/tests/ecdsa/plaintext15
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext15
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext16 b/security/nss/cmd/bltest/tests/ecdsa/plaintext16
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext16
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext17 b/security/nss/cmd/bltest/tests/ecdsa/plaintext17
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext17
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext18 b/security/nss/cmd/bltest/tests/ecdsa/plaintext18
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext18
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext19 b/security/nss/cmd/bltest/tests/ecdsa/plaintext19
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext19
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext2 b/security/nss/cmd/bltest/tests/ecdsa/plaintext2
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext2
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext20 b/security/nss/cmd/bltest/tests/ecdsa/plaintext20
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext20
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext3 b/security/nss/cmd/bltest/tests/ecdsa/plaintext3
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext3
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext4 b/security/nss/cmd/bltest/tests/ecdsa/plaintext4
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext4
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext5 b/security/nss/cmd/bltest/tests/ecdsa/plaintext5
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext5
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext6 b/security/nss/cmd/bltest/tests/ecdsa/plaintext6
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext6
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext7 b/security/nss/cmd/bltest/tests/ecdsa/plaintext7
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext7
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext8 b/security/nss/cmd/bltest/tests/ecdsa/plaintext8
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext8
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/plaintext9 b/security/nss/cmd/bltest/tests/ecdsa/plaintext9
deleted file mode 100644
index 48fbdb6fd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/plaintext9
+++ /dev/null
@@ -1 +0,0 @@
-qZk+NkcGgWq6PiVxeFDCbJzQ2J0=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed0 b/security/nss/cmd/bltest/tests/ecdsa/sigseed0
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed0
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed1 b/security/nss/cmd/bltest/tests/ecdsa/sigseed1
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed1
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed10 b/security/nss/cmd/bltest/tests/ecdsa/sigseed10
deleted file mode 100644
index 6983e5f7d..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed10
+++ /dev/null
@@ -1 +0,0 @@
-fjIzMWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed11 b/security/nss/cmd/bltest/tests/ecdsa/sigseed11
deleted file mode 100644
index 6983e5f7d..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed11
+++ /dev/null
@@ -1 +0,0 @@
-fjIzMWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed12 b/security/nss/cmd/bltest/tests/ecdsa/sigseed12
deleted file mode 100644
index 92aa40c82..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed12
+++ /dev/null
@@ -1 +0,0 @@
-/jI1NmJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDk=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed13 b/security/nss/cmd/bltest/tests/ecdsa/sigseed13
deleted file mode 100644
index 4ac076584..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed13
+++ /dev/null
@@ -1 +0,0 @@
-ATI4MWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBi

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed14 b/security/nss/cmd/bltest/tests/ecdsa/sigseed14
deleted file mode 100644
index 4ac076584..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed14
+++ /dev/null
@@ -1 +0,0 @@
-ATI4MWJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBi

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed15 b/security/nss/cmd/bltest/tests/ecdsa/sigseed15
deleted file mode 100644
index 097523032..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed15
+++ /dev/null
@@ -1 +0,0 @@
-/jM4NGJpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDEx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed16 b/security/nss/cmd/bltest/tests/ecdsa/sigseed16
deleted file mode 100644
index 36fbf0951..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed16
+++ /dev/null
@@ -1 +0,0 @@
-fjQwN2JpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDExMTIx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed17 b/security/nss/cmd/bltest/tests/ecdsa/sigseed17
deleted file mode 100644
index 36fbf0951..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed17
+++ /dev/null
@@ -1 +0,0 @@
-fjQwN2JpdHNPZlRleHQwMTAyMDMwNDA1MDYwNzA4MDkwYTBiMGMwZDBlMGYxMDExMTIx

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed18 b/security/nss/cmd/bltest/tests/ecdsa/sigseed18
deleted file mode 100644
index 7be8ce6dd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed18
+++ /dev/null
@@ -1,2 +0,0 @@
-PjU2NmJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

-MTQxNTE2MTcxODE5MWExYjE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed19 b/security/nss/cmd/bltest/tests/ecdsa/sigseed19
deleted file mode 100644
index 7be8ce6dd..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed19
+++ /dev/null
@@ -1,2 +0,0 @@
-PjU2NmJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

-MTQxNTE2MTcxODE5MWExYjE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed2 b/security/nss/cmd/bltest/tests/ecdsa/sigseed2
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed2
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed20 b/security/nss/cmd/bltest/tests/ecdsa/sigseed20
deleted file mode 100644
index f0dddb66c..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed20
+++ /dev/null
@@ -1,2 +0,0 @@
-/jUyMGJpdHNPZlRleHQwMDAxMDIwMzA0MDUwNjA3MDgwOTBhMGIwYzBkMGUwZjEwMTExMjEz

-MTQxNTE2MTcxODE=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed3 b/security/nss/cmd/bltest/tests/ecdsa/sigseed3
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed3
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed4 b/security/nss/cmd/bltest/tests/ecdsa/sigseed4
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed4
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed5 b/security/nss/cmd/bltest/tests/ecdsa/sigseed5
deleted file mode 100644
index 05d7fd2d6..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed5
+++ /dev/null
@@ -1 +0,0 @@
-aHpm2QZI+ZOGfhIfTd+d2wEgVYQ=

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed6 b/security/nss/cmd/bltest/tests/ecdsa/sigseed6
deleted file mode 100644
index a0687196c..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed6
+++ /dev/null
@@ -1 +0,0 @@
-/jE5MmJpdHNPZlRleHQwMDAwMDAwMDAw

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed7 b/security/nss/cmd/bltest/tests/ecdsa/sigseed7
deleted file mode 100644
index a0687196c..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed7
+++ /dev/null
@@ -1 +0,0 @@
-/jE5MmJpdHNPZlRleHQwMDAwMDAwMDAw

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed8 b/security/nss/cmd/bltest/tests/ecdsa/sigseed8
deleted file mode 100644
index 01ae26574..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed8
+++ /dev/null
@@ -1 +0,0 @@
-/jIyNGJpdHNPZlRleHQwMDAwMDAwMDAwMDAwMA==

diff --git a/security/nss/cmd/bltest/tests/ecdsa/sigseed9 b/security/nss/cmd/bltest/tests/ecdsa/sigseed9
deleted file mode 100644
index 01ae26574..000000000
--- a/security/nss/cmd/bltest/tests/ecdsa/sigseed9
+++ /dev/null
@@ -1 +0,0 @@
-/jIyNGJpdHNPZlRleHQwMDAwMDAwMDAwMDAwMA==

diff --git a/security/nss/cmd/bltest/tests/md2/ciphertext0 b/security/nss/cmd/bltest/tests/md2/ciphertext0
deleted file mode 100644
index 22e1fc496..000000000
--- a/security/nss/cmd/bltest/tests/md2/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-CS/UNcrWhB5Knt7Gf8Tz3Q==
diff --git a/security/nss/cmd/bltest/tests/md2/numtests b/security/nss/cmd/bltest/tests/md2/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/md2/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/md2/plaintext0 b/security/nss/cmd/bltest/tests/md2/plaintext0
deleted file mode 100644
index dce2994ba..000000000
--- a/security/nss/cmd/bltest/tests/md2/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-16-bytes to MD2.
diff --git a/security/nss/cmd/bltest/tests/md5/ciphertext0 b/security/nss/cmd/bltest/tests/md5/ciphertext0
deleted file mode 100644
index ea11ee523..000000000
--- a/security/nss/cmd/bltest/tests/md5/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-XN8lnQuWAiMqmSGfvd8Hdw==
diff --git a/security/nss/cmd/bltest/tests/md5/numtests b/security/nss/cmd/bltest/tests/md5/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/md5/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/md5/plaintext0 b/security/nss/cmd/bltest/tests/md5/plaintext0
deleted file mode 100644
index 5ae3875e2..000000000
--- a/security/nss/cmd/bltest/tests/md5/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-63-byte input to MD5 can be a bit tricky, but no problems here.
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0
deleted file mode 100644
index d964ef864..000000000
--- a/security/nss/cmd/bltest/tests/rc2_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-3ki6eVsWpY8=
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/iv0 b/security/nss/cmd/bltest/tests/rc2_cbc/iv0
deleted file mode 100644
index 97b5955f7..000000000
--- a/security/nss/cmd/bltest/tests/rc2_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-12345678
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/key0 b/security/nss/cmd/bltest/tests/rc2_cbc/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc2_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/numtests b/security/nss/cmd/bltest/tests/rc2_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/rc2_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0 b/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/rc2_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0
deleted file mode 100644
index 337d30765..000000000
--- a/security/nss/cmd/bltest/tests/rc2_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-WT+tc4fANhQ=
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/key0 b/security/nss/cmd/bltest/tests/rc2_ecb/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc2_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/numtests b/security/nss/cmd/bltest/tests/rc2_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/rc2_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0 b/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/rc2_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc4/ciphertext0 b/security/nss/cmd/bltest/tests/rc4/ciphertext0
deleted file mode 100644
index 004f13472..000000000
--- a/security/nss/cmd/bltest/tests/rc4/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-34sTZJtr20k=
diff --git a/security/nss/cmd/bltest/tests/rc4/ciphertext1 b/security/nss/cmd/bltest/tests/rc4/ciphertext1
deleted file mode 100644
index 6050da4c6..000000000
--- a/security/nss/cmd/bltest/tests/rc4/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-34sTZJtr20nGP6VxS3BIBxxIYm6QGIa1rehFHn51z9M=
diff --git a/security/nss/cmd/bltest/tests/rc4/key0 b/security/nss/cmd/bltest/tests/rc4/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc4/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc4/key1 b/security/nss/cmd/bltest/tests/rc4/key1
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc4/key1
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc4/numtests b/security/nss/cmd/bltest/tests/rc4/numtests
deleted file mode 100644
index 0cfbf0888..000000000
--- a/security/nss/cmd/bltest/tests/rc4/numtests
+++ /dev/null
@@ -1 +0,0 @@
-2
diff --git a/security/nss/cmd/bltest/tests/rc4/plaintext0 b/security/nss/cmd/bltest/tests/rc4/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/rc4/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc4/plaintext1 b/security/nss/cmd/bltest/tests/rc4/plaintext1
deleted file mode 100644
index d41abc7b8..000000000
--- a/security/nss/cmd/bltest/tests/rc4/plaintext1
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!Mozilla!Mozilla!Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0
deleted file mode 100644
index 544713b33..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-qsv4Fn2J6d0=
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/iv0 b/security/nss/cmd/bltest/tests/rc5_cbc/iv0
deleted file mode 100644
index 97b5955f7..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-12345678
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/key0 b/security/nss/cmd/bltest/tests/rc5_cbc/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/numtests b/security/nss/cmd/bltest/tests/rc5_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/params0 b/security/nss/cmd/bltest/tests/rc5_cbc/params0
deleted file mode 100644
index d68e0362d..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/params0
+++ /dev/null
@@ -1,2 +0,0 @@
-rounds=10
-wordsize=4
diff --git a/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0 b/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/rc5_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0
deleted file mode 100644
index 133777dd0..000000000
--- a/security/nss/cmd/bltest/tests/rc5_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-4ZKK/1v5Ohc=
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/key0 b/security/nss/cmd/bltest/tests/rc5_ecb/key0
deleted file mode 100644
index 65513c116..000000000
--- a/security/nss/cmd/bltest/tests/rc5_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-zyxwvuts
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/numtests b/security/nss/cmd/bltest/tests/rc5_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/rc5_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/params0 b/security/nss/cmd/bltest/tests/rc5_ecb/params0
deleted file mode 100644
index d68e0362d..000000000
--- a/security/nss/cmd/bltest/tests/rc5_ecb/params0
+++ /dev/null
@@ -1,2 +0,0 @@
-rounds=10
-wordsize=4
diff --git a/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0 b/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0
deleted file mode 100644
index 5513e438c..000000000
--- a/security/nss/cmd/bltest/tests/rc5_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-Mozilla!
diff --git a/security/nss/cmd/bltest/tests/rsa/ciphertext0 b/security/nss/cmd/bltest/tests/rsa/ciphertext0
deleted file mode 100644
index 943ea599a..000000000
--- a/security/nss/cmd/bltest/tests/rsa/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-qPVrXv0y3SC5rY44bIi6GE4Aec8uDpHH7/cCg0FU5as=
diff --git a/security/nss/cmd/bltest/tests/rsa/key0 b/security/nss/cmd/bltest/tests/rsa/key0
deleted file mode 100644
index 1352fe986..000000000
--- a/security/nss/cmd/bltest/tests/rsa/key0
+++ /dev/null
@@ -1,4 +0,0 @@
-AAAAAAAAACC5lyu2K2ro8YGnvOCKaL1sFX1HEIblIVbuMXsa8oeFSwAAAAERAAAA

-IBXVjKwFG6LvPG4WOIjBBzmxGNpkQwDs3W5qZcXVzqahAAAAEOEOH/WnhZCJyM39

-oNfhf18AAAAQ0xvmxqXXs3L62xxogUl9lQAAABAaeiHgqkvy4wiQtG1Gkv/tAAAA

-EMaw2TNu6SFdKFXAYluQdjEAAAAQi0u+IlgKCt/hatGAsTrfzQ==

diff --git a/security/nss/cmd/bltest/tests/rsa/numtests b/security/nss/cmd/bltest/tests/rsa/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/rsa/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/rsa/plaintext0 b/security/nss/cmd/bltest/tests/rsa/plaintext0
deleted file mode 100644
index d915bc88c..000000000
--- a/security/nss/cmd/bltest/tests/rsa/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-512bitsforRSAPublicKeyEncryption
diff --git a/security/nss/cmd/bltest/tests/seed_cbc/ciphertext0 b/security/nss/cmd/bltest/tests/seed_cbc/ciphertext0
deleted file mode 100644
index 97e970e1b..000000000
--- a/security/nss/cmd/bltest/tests/seed_cbc/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-JVdzim3if1YIcpGABasoCQ==
diff --git a/security/nss/cmd/bltest/tests/seed_cbc/iv0 b/security/nss/cmd/bltest/tests/seed_cbc/iv0
deleted file mode 100644
index 2b3b07661..000000000
--- a/security/nss/cmd/bltest/tests/seed_cbc/iv0
+++ /dev/null
@@ -1 +0,0 @@
-1234567890123456
diff --git a/security/nss/cmd/bltest/tests/seed_cbc/key0 b/security/nss/cmd/bltest/tests/seed_cbc/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/seed_cbc/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/seed_cbc/numtests b/security/nss/cmd/bltest/tests/seed_cbc/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/seed_cbc/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/seed_cbc/plaintext0 b/security/nss/cmd/bltest/tests/seed_cbc/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/seed_cbc/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/seed_ecb/ciphertext0 b/security/nss/cmd/bltest/tests/seed_ecb/ciphertext0
deleted file mode 100644
index 314ffbd8e..000000000
--- a/security/nss/cmd/bltest/tests/seed_ecb/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-GX8KY3uUhAQnL6XbQhXjEw==
diff --git a/security/nss/cmd/bltest/tests/seed_ecb/iv0 b/security/nss/cmd/bltest/tests/seed_ecb/iv0
deleted file mode 100644
index 2b3b07661..000000000
--- a/security/nss/cmd/bltest/tests/seed_ecb/iv0
+++ /dev/null
@@ -1 +0,0 @@
-1234567890123456
diff --git a/security/nss/cmd/bltest/tests/seed_ecb/key0 b/security/nss/cmd/bltest/tests/seed_ecb/key0
deleted file mode 100644
index 13911cc29..000000000
--- a/security/nss/cmd/bltest/tests/seed_ecb/key0
+++ /dev/null
@@ -1 +0,0 @@
-fedcba9876543210
diff --git a/security/nss/cmd/bltest/tests/seed_ecb/numtests b/security/nss/cmd/bltest/tests/seed_ecb/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/seed_ecb/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/seed_ecb/plaintext0 b/security/nss/cmd/bltest/tests/seed_ecb/plaintext0
deleted file mode 100644
index 8d6a8d555..000000000
--- a/security/nss/cmd/bltest/tests/seed_ecb/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-0123456789abcdef
diff --git a/security/nss/cmd/bltest/tests/sha1/ciphertext0 b/security/nss/cmd/bltest/tests/sha1/ciphertext0
deleted file mode 100644
index 1fe4bd2bd..000000000
--- a/security/nss/cmd/bltest/tests/sha1/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-cDSMAygXMPIJZC5bntZ4ZhecQ9g=
diff --git a/security/nss/cmd/bltest/tests/sha1/numtests b/security/nss/cmd/bltest/tests/sha1/numtests
deleted file mode 100644
index d00491fd7..000000000
--- a/security/nss/cmd/bltest/tests/sha1/numtests
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/security/nss/cmd/bltest/tests/sha1/plaintext0 b/security/nss/cmd/bltest/tests/sha1/plaintext0
deleted file mode 100644
index 863e79c65..000000000
--- a/security/nss/cmd/bltest/tests/sha1/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-A cage went in search of a bird.
diff --git a/security/nss/cmd/bltest/tests/sha256/ciphertext0 b/security/nss/cmd/bltest/tests/sha256/ciphertext0
deleted file mode 100644
index 07e2ff14f..000000000
--- a/security/nss/cmd/bltest/tests/sha256/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
diff --git a/security/nss/cmd/bltest/tests/sha256/ciphertext1 b/security/nss/cmd/bltest/tests/sha256/ciphertext1
deleted file mode 100644
index 2ab6e1da5..000000000
--- a/security/nss/cmd/bltest/tests/sha256/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-JI1qYdIGOLjlwCaTDD5gOaM85Flk/yFn9uzt1BnbBsE=
diff --git a/security/nss/cmd/bltest/tests/sha256/numtests b/security/nss/cmd/bltest/tests/sha256/numtests
deleted file mode 100644
index 0cfbf0888..000000000
--- a/security/nss/cmd/bltest/tests/sha256/numtests
+++ /dev/null
@@ -1 +0,0 @@
-2
diff --git a/security/nss/cmd/bltest/tests/sha256/plaintext0 b/security/nss/cmd/bltest/tests/sha256/plaintext0
deleted file mode 100644
index 8baef1b4a..000000000
--- a/security/nss/cmd/bltest/tests/sha256/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-abc
diff --git a/security/nss/cmd/bltest/tests/sha256/plaintext1 b/security/nss/cmd/bltest/tests/sha256/plaintext1
deleted file mode 100644
index afb5dce5d..000000000
--- a/security/nss/cmd/bltest/tests/sha256/plaintext1
+++ /dev/null
@@ -1 +0,0 @@
-abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
diff --git a/security/nss/cmd/bltest/tests/sha384/ciphertext0 b/security/nss/cmd/bltest/tests/sha384/ciphertext0
deleted file mode 100644
index c94f91e22..000000000
--- a/security/nss/cmd/bltest/tests/sha384/ciphertext0
+++ /dev/null
@@ -1 +0,0 @@
-ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn
diff --git a/security/nss/cmd/bltest/tests/sha384/ciphertext1 b/security/nss/cmd/bltest/tests/sha384/ciphertext1
deleted file mode 100644
index 833f06d84..000000000
--- a/security/nss/cmd/bltest/tests/sha384/ciphertext1
+++ /dev/null
@@ -1 +0,0 @@
-CTMMM/cRR+g9GS/Hgs0bR1MRGxc7OwXSL6CAhuOw9xL8x8caVX4tuWbD6fqRdGA5
diff --git a/security/nss/cmd/bltest/tests/sha384/numtests b/security/nss/cmd/bltest/tests/sha384/numtests
deleted file mode 100644
index 0cfbf0888..000000000
--- a/security/nss/cmd/bltest/tests/sha384/numtests
+++ /dev/null
@@ -1 +0,0 @@
-2
diff --git a/security/nss/cmd/bltest/tests/sha384/plaintext0 b/security/nss/cmd/bltest/tests/sha384/plaintext0
deleted file mode 100644
index 8baef1b4a..000000000
--- a/security/nss/cmd/bltest/tests/sha384/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-abc
diff --git a/security/nss/cmd/bltest/tests/sha384/plaintext1 b/security/nss/cmd/bltest/tests/sha384/plaintext1
deleted file mode 100644
index 94fcc2b29..000000000
--- a/security/nss/cmd/bltest/tests/sha384/plaintext1
+++ /dev/null
@@ -1 +0,0 @@
-abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu
diff --git a/security/nss/cmd/bltest/tests/sha512/ciphertext0 b/security/nss/cmd/bltest/tests/sha512/ciphertext0
deleted file mode 100644
index 8b626e237..000000000
--- a/security/nss/cmd/bltest/tests/sha512/ciphertext0
+++ /dev/null
@@ -1,2 +0,0 @@
-3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9
-RU1EI2Q86A4qmslPpUyknw==
diff --git a/security/nss/cmd/bltest/tests/sha512/ciphertext1 b/security/nss/cmd/bltest/tests/sha512/ciphertext1
deleted file mode 100644
index c02d1752d..000000000
--- a/security/nss/cmd/bltest/tests/sha512/ciphertext1
+++ /dev/null
@@ -1,2 +0,0 @@
-jpWbddrjE9qM9PcoFPwUP493ecbrn3+hcpmurbaIkBhQHSieSQD35DMbmd7EtUM6
-x9Mp7rbdJlReluVbh0vpCQ==
diff --git a/security/nss/cmd/bltest/tests/sha512/numtests b/security/nss/cmd/bltest/tests/sha512/numtests
deleted file mode 100644
index 0cfbf0888..000000000
--- a/security/nss/cmd/bltest/tests/sha512/numtests
+++ /dev/null
@@ -1 +0,0 @@
-2
diff --git a/security/nss/cmd/bltest/tests/sha512/plaintext0 b/security/nss/cmd/bltest/tests/sha512/plaintext0
deleted file mode 100644
index 8baef1b4a..000000000
--- a/security/nss/cmd/bltest/tests/sha512/plaintext0
+++ /dev/null
@@ -1 +0,0 @@
-abc
diff --git a/security/nss/cmd/bltest/tests/sha512/plaintext1 b/security/nss/cmd/bltest/tests/sha512/plaintext1
deleted file mode 100644
index 94fcc2b29..000000000
--- a/security/nss/cmd/bltest/tests/sha512/plaintext1
+++ /dev/null
@@ -1 +0,0 @@
-abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu
diff --git a/security/nss/cmd/btoa/Makefile b/security/nss/cmd/btoa/Makefile
deleted file mode 100644
index 6eb6e71da..000000000
--- a/security/nss/cmd/btoa/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/btoa/btoa.c b/security/nss/cmd/btoa/btoa.c
deleted file mode 100644
index f140bddf8..000000000
--- a/security/nss/cmd/btoa/btoa.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plgetopt.h"
-#include "secutil.h"
-#include "nssb64.h"
-#include <errno.h>
-
-#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
-#if !defined(WIN32)
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-#endif
-
-#if defined(WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-static PRInt32 
-output_ascii (void *arg, const char *obuf, PRInt32 size)
-{
-    FILE *outFile = arg;
-    int nb;
-
-    nb = fwrite(obuf, 1, size, outFile);
-    if (nb != size) {
-	PORT_SetError(SEC_ERROR_IO);
-	return -1;
-    }
-
-    return nb;
-}
-
-static SECStatus
-encode_file(FILE *outFile, FILE *inFile)
-{
-    NSSBase64Encoder *cx;
-    int nb;
-    SECStatus status = SECFailure;
-    unsigned char ibuf[4096];
-
-    cx = NSSBase64Encoder_Create(output_ascii, outFile);
-    if (!cx) {
-	return -1;
-    }
-
-    for (;;) {
-	if (feof(inFile)) break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb != sizeof(ibuf)) {
-	    if (nb == 0) {
-		if (ferror(inFile)) {
-		    PORT_SetError(SEC_ERROR_IO);
-		    goto loser;
-		}
-		/* eof */
-		break;
-	    }
-	}
-
-	status = NSSBase64Encoder_Update(cx, ibuf, nb);
-	if (status != SECSuccess) goto loser;
-    }
-
-    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
-    if (status != SECSuccess)
-	return status;
-
-    /*
-     * Add a trailing CRLF.  Note this must be done *after* the call
-     * to Destroy above (because only then are we sure all data has
-     * been written out).
-     */
-    fwrite("\r\n", 1, 2, outFile);
-    return SECSuccess;
-
-  loser:
-    (void) NSSBase64Encoder_Destroy(cx, PR_TRUE);
-    return status;
-}
-
-static void Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage: %s [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-int main(int argc, char **argv)
-{
-    char *progName;
-    SECStatus rv;
-    FILE *inFile, *outFile;
-    PLOptState *optstate;
-    PLOptStatus status;
-
-    inFile = 0;
-    outFile = 0;
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    /* Parse command line arguments */
-    optstate = PL_CreateOptState(argc, argv, "i:o:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  default:
-	    Usage(progName);
-	    break;
-
-	  case 'i':
-	    inFile = fopen(optstate->value, "rb");
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "wb");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-	}
-    }
-    if (status == PL_OPT_BAD)
-	Usage(progName);
-    if (!inFile) {
-#if defined(WIN32)
-	/* If we're going to read binary data from stdin, we must put stdin
-	** into O_BINARY mode or else incoming \r\n's will become \n's.
-	*/
-
-	int smrv = _setmode(_fileno(stdin), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
-	            progName);
-	    return smrv;
-	}
-#endif
-    	inFile = stdin;
-    }
-    if (!outFile) {
-#if defined(WIN32)
-	/* We're going to write binary data to stdout. We must put stdout
-	** into O_BINARY mode or else outgoing \r\n's will become \r\r\n's.
-	*/
-
-	int smrv = _setmode(_fileno(stdout), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
-	            progName);
-	    return smrv;
-	}
-#endif
-    	outFile = stdout;
-    }
-    rv = encode_file(outFile, inFile);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
-		progName, PORT_GetError(), errno);
-	return -1;
-    }
-    return 0;
-}
diff --git a/security/nss/cmd/btoa/manifest.mn b/security/nss/cmd/btoa/manifest.mn
deleted file mode 100644
index 394c661be..000000000
--- a/security/nss/cmd/btoa/manifest.mn
+++ /dev/null
@@ -1,53 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# MODULE is implicitly REQUIRED, doesn't need to be listed below.
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = btoa.c
-
-PROGRAM	= btoa
-
diff --git a/security/nss/cmd/certcgi/HOWTO.txt b/security/nss/cmd/certcgi/HOWTO.txt
deleted file mode 100644
index f02ad32fd..000000000
--- a/security/nss/cmd/certcgi/HOWTO.txt
+++ /dev/null
@@ -1,168 +0,0 @@
-        How to setup your very own Cert-O-Matic Root CA server
-
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape Communications 
-Corporation.  Portions created by the Initial Developer are 
-Copyright (C) 2001 the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-        How to setup your very own Cert-O-Matic Root CA server
-
-The program certcgi is part of a small test CA that is used inside 
-Netscape by the NSS development team.  That CA is affectionately known
-as "Cert-O-Matic" or "Cert-O-Matic II".  It presently runs on a server
-named interzone.mcom.com inside Netscape's firewall.
-
-If you wish to setup your own Cert-O-Matic, here are directions.
-
-Disclaimer:  This program does not follow good practices for root CAs.
-It should be used only for playing/testing and never for production use.
-Remember, you've been warned!
-
-Cert-O-Matic consists of some html files, shell scripts, one executable
-program that uses NSS and NSPR, the usual set of NSS .db files, and a file
-in which to remember the serial number of the last cert issued.  The 
-html files and the source to the executable program are in this directory.
-Sample shell scripts are shown below.  
-
-The shell scripts and executable program run as CGI "scripts".  The
-entire thing runs on an ordinary http web server.  It would also run on
-an https web server.  The shell scripts and html files must be
-customized for the server on which they run.
-
-The package assumes you have a "document root" directory $DOCROOT, and a
-"cgi-bin" directory $CGIBIN.  In this example, the document root is
-assumed to be located in /var/www/htdocs, and the cgi-bin directory in
-/var/www/cgi-bin.
-
-The server is assumed to run all cgi scripts as the user "nobody".
-The names of the cgi scripts run directly by the server all end in .cgi
-because some servers like it that way.
-
-Instructions:
-
-- Create directory $DOCROOT/certomatic
-- Copy the following files from nss/cmd/certcgi to $DOCROOT/certomatic
-        ca.html index.html main.html nscp_ext_form.html stnd_ext_form.html
-- Edit the html files, substituting the name of your own server for the
-  server named in those files.
-- In some web page (e.g. your server's home page), provide an html link to
-  $DOCROOT/certomatic/index.html. This is where users start to get their
-  own certs from certomatic.
-- give these files and directories appropriate permissions.
-
-- Create directories $CGIBIN/certomatic and $CGIBIN/certomatic/bin
-  make sure that $CGIBIN/certomatic is writable by "nobody"
-
-- Create a new set of NSS db files there with the following command:
-
-        certutil -N -d $CGIBIN/certomatic
-
-- when certutil prompts you for the password, enter the word foo
-  because that is compiled into the certcgi program.
-
-- Create the new Root CA cert with this command
-
-        certutil -S -x -d $CGIBIN/certomatic -n "Cert-O-Matic II" \
-        -s "CN=Cert-O-Matic II, O=Cert-O-Matic II" -t TCu,cu,cu -k rsa \
-        -g 1024 -m 10001 -v 60
-
-  (adjust the -g, -m and -v parameters to taste.  -s and -x must be as
-shown.)
-
-- dump out the new root CA cert in base64 encoding:
-
-        certutil -d $CGIBIN/certomatic -L -n "Cert-O-Matic II" -a > \
-          $CGIBIN/certomatic/root.cacert
-
-- In $CGIBIN/certomatic/bin add two shell scripts - one to download the
-  root CA cert on demand, and one to run the certcgi program.
-
-download.cgi, the script to install the root CA cert into a browser on
-demand, is this:
-
-#!/bin/sh
-echo "Content-type: application/x-x509-ca-cert"
-echo
-cat $CGIBIN/certomatic/root.cacert
-
-You'll have to put the real path into that cat command because CGIBIN
-won't be defined when this script is run by the server.
-
-certcgi.cgi, the script to run the certcgi program is similar to this:
-
-#!/bin/sh
-cd $CGIBIN/certomatic/bin
-LD_LIBRARY_PATH=$PLATFORM/lib
-export LD_LIBRARY_PATH
-$PLATFORM/bin/certcgi $* 2>&1
-
-Where $PLATFORM/lib is where the NSPR nad NSS DSOs are located, and
-$PLATFORM/bin is where certcgi is located.  PLATFORM is not defined when 
-the server runs this script, so you'll have to substitute the right value 
-in your script.  certcgi requires that the working directory be one level 
-below the NSS DBs, that is, the DBs are accessed in the directory "..".
-
-You'll want to provide an html link somewhere to the script that downloads
-the root.cacert file.  You'll probably want to put that next to the link
-that loads the index.html page.  On interzone, this is done with the 
-following html:
-
-<a href="/certomatic/index.html">Cert-O-Matic II Root CA server</a>
-<p>
-<a href="/cgi-bin/certomatic/bin/download.cgi">Download and trust Root CA
-certificate</a>
-
-The index.html file in this directory invokes the certcgi.cgi script with 
-the form post method, so if you change the name of the certcgi.cgi script, 
-you'll also have to change the index.html file in $DOCROOT/certomatic
-
-The 4 files used by the certcgi program (the 3 NSS DBs, and the serial
-number file) are not required to live in $CGIBIN/certomatic, but they are
-required to live in $CWD/.. when certcgi starts.
-
-Known bugs:
-
-1. Because multiple of these CAs exist simultaneously, it would be best if 
-they didn't all have to be called "Cert-O-Matic II", but that string is 
-presently hard coded into certcgi.c.
-
-2. the html files in this directory contain numerous extraneous <FORM> tags
-which appear to use the post method and have action URLS that are never
-actually used.  burp.cgi and echoform.cgi are never actually used.  This
-should be cleaned up.
-
-3. The html files use <layer> tags which are supported only in Netscape 
-Navigator and Netscape Communication 4.x browsers.  The html files do 
-not work as intended with Netscape 6.x, Mozilla or Microsoft IE browsers.
-The html files should be fixed to work with all those named browsers.
-
diff --git a/security/nss/cmd/certcgi/Makefile b/security/nss/cmd/certcgi/Makefile
deleted file mode 100644
index 140b4191f..000000000
--- a/security/nss/cmd/certcgi/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/certcgi/ca.html b/security/nss/cmd/certcgi/ca.html
deleted file mode 100644
index 5525b382a..000000000
--- a/security/nss/cmd/certcgi/ca.html
+++ /dev/null
@@ -1,51 +0,0 @@
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-
-<form method="post" name="ca_form" action="mailto:jerdonek@netscape.com">
-<input type="radio" name="caChoiceradio" value="SignWithDefaultkey" 
-    onClick="{parent.choice_change(this.form)}"> 
-    Use the Cert-O-matic certificate to issue the cert</p>
-<input type="radio" name="caChoiceradio" value="SignWithRandomChain" 
-    onClick="{parent.choice_change(this.form)}"> Use a 
-    <input type="text" size="2" maxsize="2" name="autoCAs"> CA long 
-    automatically generated chain ending with the Cert-O-Matic Cert 
-    (18 maximum)</p>
-<input type="radio" name="caChoiceradio" value="SignWithSpecifiedChain" 
-    onClick="{parent.choice_change(this.form)}"> Use a 
-    <input type="text" size="1" maxlength="1" name="manCAs" 
-    onChange="{parent.ca_num_change(this.value,this.form)}"> CA long 
-    user input chain ending in the Cert-O-Matic Cert.</p>
-</form>
diff --git a/security/nss/cmd/certcgi/ca_form.html b/security/nss/cmd/certcgi/ca_form.html
deleted file mode 100644
index cb3e195ea..000000000
--- a/security/nss/cmd/certcgi/ca_form.html
+++ /dev/null
@@ -1,388 +0,0 @@
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
-    <table border=0 cellspacing=10 cellpadding=0>
-    <tr>
-    <td>
-    Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
-    </td>
-    <td></td><td></td><td>
-    Mail: </td><td><input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}"></p>
-    RFC 1274<input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">
-    e-mail<input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)"></td>
-    <tr>
-    <td>
-    Organization: </td><td>  <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
-    <td></td><td></td><td>
-    Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
-    <tr>
-    <td>
-    RFC 1274 UID: </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
-    <td></td><td></td><td>
-    Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
-    <tr>
-    <td>
-    State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
-    <td></td><td></td><td>
-    Country: </td><td><input type="text" size="2" maxsize="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}"></p></td>
-    </table>
-    <table border=0 cellspacing=10 cellpadding=0>
-    <tr>
-    <td>
-    Serial Number:</p>
-    <DD>
-    <input type="radio" name="serial" value="auto" checked> Auto Generate</P>
-    <DD>
-    <input type="radio" name="serial" value="input">
-    Use this value: <input type="text" name="serial_value" size="8" maxlength="8"></p>
-    </td>
-    <td></td><td></td><td></td><td></td>
-    <td>
-    X.509 version:</p>
-    <DD>
-    <input type="radio" name="ver" value="1" checked> Version 1</p>
-    <DD>
-    <input type="radio" name="ver" value="3"> Version 3</P></td>
-    <td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td>
-    <td>
-    Key Type:</p>
-    <DD>
-    <input type="radio" name="keyType" value="rsa" checked> RSA</p>
-    <DD>
-    <input type="radio" name="keyType" value="dsa"> DSA</P></td>
-    </table>
-    DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
-    <Select name="keysize">
-        <option>1024 (High Grade)
-        <option>768 (Medium Grade)
-        <option>512 (Low Grade)
-    </select> 
-    </p>
-  <hr>
-    </p>
-    <table  border=1 cellspacing=5 cellpadding=5>
-    <tr>
-    <td>
-    <b>Netscape Certificate Type: </b></p>
-    Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
-    Critical: <input type="checkbox" name="netscape-cert-type-crit">
-    <td>
-    <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
-    <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
-    <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
-    <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>    
-    <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
-    <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
-    <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
-    <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Base URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-base-url"></P>
-    Critical: <input type="checkbox" name="netscape-base-url-crit">
-    <td>
-    <input type="text" name="netscape-base-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Revocation URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
-    Critical: <input type="checkbox" name="netscape-revocation-url-crit">
-    <td>
-    <input type="text" name="netscape-revocation-url-text" size="50">
-    </tr>
-    <tr>
-    <td>    
-    <b>Netscape CA Revocation URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
-    Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
-    <td>
-    <input type="text" name="netscape-ca-revocation-url-text" size="50">
-    </tr>
-    <tr>
-    <td>    
-    <b>Netscape Certificate Renewal URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
-    Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
-    <td>
-    <input type="text" name="netscape-cert-renewal-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape CA Policy URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
-    Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
-    <td>
-    <input type="text" name="netscape-ca-policy-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape SSL Server Name:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
-    Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
-    <td>
-    <input type="text" name="netscape-ssl-server-name-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Comment:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-comment"></P>
-    Critical: <input type="checkbox" name="netscape-comment-crit">
-    <td>
-    <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
-    </tr>
-    </table>
-    </p>
-  <hr>
-    </p>
-    <table  border=1 cellspacing=5 cellpadding=5>
-    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
-    <tr>
-    <td>
-    <b>Key Usage: </b></p>
-    Activate extension: <input type="checkbox" name="keyUsage"></P>
-    Critical: <input type="checkbox" name="keyUsage-crit">
-    <td>
-    <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
-    <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>    
-    <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>    
-    <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
-    <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
-    <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
-    <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Extended Key Usage: </b></p>
-    Activate extension: <input type="checkbox" name="extKeyUsage"></P>
-    Critical: <input type="checkbox" name="extKeyUsage-crit">
-    <td>
-    <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
-    <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
-    <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
-    <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
-    <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
-    <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
-    <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Basic Constraints:</b></p>
-    Activate extension: <input type="checkbox" name="basicConstraints"></P>
-    Critical: <input type="checkbox" name="basicConstraints-crit">
-    <td>
-    CA:</p>
-    <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
-    <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
-    <input type="checkbox" name="basicConstraints-pathLengthConstraint">
-     Include Path length:  <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
-    </tr>
-    <tr>
-    <td>
-    <b>Authority Key Identifier:</b></p>
-    Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
-    <td>
-    <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
-    <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
-    </tr>
-    <tr>
-    <td>    
-    <b>Subject Key Identifier:</b></p>
-    Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
-    <td>
-    Key Identifier: 
-    <input type="text" name="subjectKeyIdentifier-text"></p>
-    This is an:<p>
-    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
-    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
-    </tr>
-    <tr>
-    <td>    
-    <b>Private Key Usage Period:</b></p>
-    Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
-    Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
-    <td>
-    Use:</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
-    <b>Not to be used to sign before:</b></p>
-    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
-    <dd><dd>(YYYY/MM/DD HH:MM:SS): 
-    <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
-    <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
-    <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2"> 
-    <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
-    <b>Not to be used to sign after:</b></p>
-    <dd>(YYYY/MM/DD HH:MM:SS): 
-    <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
-    <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
-    <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2"> 
-    <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
-    </tr>
-    <tr>
-    <td>
-    <b>Subject Alternative Name:</b></p>
-    Activate extension: <input type="checkbox" name="SubAltName"></P>
-    Critical: <input type="checkbox" name="SubAltName-crit">
-    <td>
-      <table>
-      <tr>
-      <td>
-      General Names:</p>
-      <select name="SubAltNameSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
-      <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name, 
-        OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
-        <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
-	<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
-        </table>
-      Name: <input type="text" name="SubAltNameText">
-        Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
-      </tr>
-      </table>
-    </tr>
-
-
-    <tr>
-    <td>
-    <b>Issuer Alternative Name:</b></p>
-    Activate extension: <input type="checkbox" name="IssuerAltName"></P>
-    Critical: <input type="checkbox" name="IssuerAltName-crit">
-    <td>
-      <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
-      <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
-      <table>
-      <tr>
-      <td>
-      General Names:</p>
-      <select name="IssuerAltNameSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
-      <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name, 
-        OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
-        </table>
-      Name: <input type="text" name="IssuerAltNameText"> 
-        Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
-      </tr>
-      </table>
-    </tr>
-
-    <tr>
-    <td>
-    <b>Name Constraints:</b></p>
-    Activate extension: <input type="checkbox" name="NameConstraints"></P>
-    <td>
-      <table>
-      <tr>
-      <td>
-      Name Constraints:</p>
-
-
-      <select name="NameConstraintSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
-      <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
-        OID: <input type="text" name="NameConstraintOtherNameOID" size="6">  </td><td>
-        <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
-        </table>
-      Name: <input type="text" name="NameConstraintText">
-        Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
-      Constraint type:<p>
-      <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
-      <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
-      Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
-      Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
-
-
-
-      </tr>
-      </table>
-    </tr>
-    </table>
-    </form>
-
-
-
-
-
-
-
-
-
-
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
deleted file mode 100644
index 038b55f98..000000000
--- a/security/nss/cmd/certcgi/certcgi.c
+++ /dev/null
@@ -1,2408 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Cert-O-Matic CGI */
-
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "secder.h"
-#include "genname.h"
-#include "xconst.h"
-#include "secutil.h"
-#include "pk11pqg.h"
-#include "certxutl.h"
-#include "nss.h"
-
-
-/* #define TEST           1 */
-/* #define FILEOUT        1 */
-/* #define OFFLINE        1 */
-#define START_FIELDS   100
-#define PREFIX_LEN     6
-#define SERIAL_FILE    "../serial"
-#define DB_DIRECTORY   ".."
-
-static char *progName;
-
-typedef struct PairStr Pair;
-
-struct PairStr {
-    char *name;
-    char *data;
-};
-
-
-char prefix[PREFIX_LEN];
-
-
-const SEC_ASN1Template CERTIA5TypeTemplate[] = {
-    { SEC_ASN1_IA5_STRING }
-};
-
-
-
-SECKEYPrivateKey *privkeys[9] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-				 NULL, NULL};
-
-
-#ifdef notdef
-const SEC_ASN1Template CERT_GeneralNameTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-#endif
-
-
-static void
-error_out(char  *error_string)
-{
-    printf("Content-type: text/plain\n\n");
-    printf(error_string);
-    fflush(stderr);
-    fflush(stdout);
-    exit(1);
-}
-
-static void
-error_allocate(void)
-{
-    error_out("ERROR: Unable to allocate memory");
-}
-
-
-static char *
-make_copy_string(char  *read_pos, 
-		 int   length, 
-		 char  sentinal_value)
-    /* copys string from to a new string it creates and 
-       returns a pointer to the new string */
-{
-    int                remaining = length;
-    char               *write_pos;
-    char               *new;
-
-    new = write_pos = (char *) PORT_Alloc (length);
-    if (new == NULL) {
-	error_allocate();
-    }
-    while (*read_pos != sentinal_value) {
-	if (remaining == 1) {
-	    remaining += length;
-	    length = length * 2;
-	    new = PORT_Realloc(new,length);
-	    if (new == NULL) {
-		error_allocate();
-	    }
-	    write_pos = new + length - remaining;
-	}
-	*write_pos = *read_pos;
-	++write_pos;
-	++read_pos;
-	remaining = remaining - 1;
-    }
-    *write_pos = '\0';
-    return new;
-}
-
-
-static SECStatus
-clean_input(Pair *data)
-    /* converts the non-alphanumeric characters in a form post 
-       from hex codes back to characters */
-{
-    int           length;
-    int           hi_digit;
-    int           low_digit;
-    char          character;
-    char          *begin_pos;
-    char          *read_pos;
-    char          *write_pos;
-    PRBool        name = PR_TRUE;
-
-    begin_pos = data->name;
-    while (begin_pos != NULL) {
-	length = strlen(begin_pos);
-	read_pos = write_pos = begin_pos;
-	while ((read_pos - begin_pos) < length) {
-	    if (*read_pos == '+') {
-		*read_pos = ' ';
-	    }
-	    if (*read_pos == '%') {
-		hi_digit = *(read_pos + 1);
-		low_digit = *(read_pos +2);
-		read_pos += 3;
-		if (isdigit(hi_digit)){
-		    hi_digit = hi_digit - '0';
-		} else {
-		    hi_digit = toupper(hi_digit);
-		    if (isxdigit(hi_digit)) {
-			hi_digit = (hi_digit - 'A') + 10;
-		    } else {
-			error_out("ERROR: Form data incorrectly formated");
-		    }
-		}
-		if (isdigit(low_digit)){
-		    low_digit = low_digit - '0';
-		} else {
-		    low_digit = toupper(low_digit);
-		    if ((low_digit >='A') && (low_digit <= 'F')) {
-			low_digit = (low_digit - 'A') + 10;
-		    } else {
-			error_out("ERROR: Form data incorrectly formated");
-		    }
-		}
-		character = (hi_digit << 4) | low_digit;
-		if (character != 10) {
-		    *write_pos = character;
-		    ++write_pos;
-		}
-	    } else {
-		*write_pos = *read_pos;
-		++write_pos;
-		++read_pos;
-	    }
-	}
-	*write_pos = '\0';
-	if (name == PR_TRUE) {
-	    begin_pos = data->data;
-	    name = PR_FALSE;
-	} else {
-	    data++;
-	    begin_pos = data->name;
-	    name = PR_TRUE;
-	}
-    }
-    return SECSuccess;
-}
-
-static char *
-make_name(char  *new_data)
-    /* gets the next field name in the input string and returns
-       a pointer to a string containing a copy of it */
-{
-    int         length = 20;
-    char        *name;
-
-    name = make_copy_string(new_data, length, '=');
-    return name;
-}
-	
-static char *
-make_data(char  *new_data)
-    /* gets the data for the next field in the input string 
-       and returns a pointer to a string containing it */
-{
-    int         length = 100;
-    char        *data;
-    char        *read_pos;
-
-    read_pos = new_data;
-    while (*(read_pos - 1) != '=') {
-	++read_pos;
-    }
-    data = make_copy_string(read_pos, length, '&');
-    return data;
-}
-
-
-static Pair
-make_pair(char  *new_data)
-    /* makes a pair name/data pair from the input string */
-{
-    Pair        temp;
-
-    temp.name = make_name(new_data);
-    temp.data = make_data(new_data);
-    return temp;
-}
-
-
-
-static Pair *
-make_datastruct(char  *data, int len)
-    /* parses the input from the form post into a data 
-       structure of field name/data pairs */
-{
-    Pair              *datastruct;
-    Pair              *current;
-    char              *curr_pos;
-    int               fields = START_FIELDS;
-    int               remaining = START_FIELDS;
-
-    curr_pos = data;
-    datastruct = current = (Pair *) PORT_Alloc(fields * sizeof(Pair));
-    if (datastruct == NULL) {
-	error_allocate();
-    }
-    while (curr_pos - data < len) {
-	if (remaining == 1) {
-	    remaining += fields;
-	    fields = fields * 2;
-	    datastruct = (Pair *) PORT_Realloc
-		(datastruct, fields * sizeof(Pair));
-	    if (datastruct == NULL) {
-		error_allocate();
-	    }
-	    current = datastruct + (fields - remaining);
-	}
-	*current = make_pair(curr_pos);
-	while (*curr_pos != '&') {
-	    ++curr_pos;
-	}
-	++curr_pos;
-	++current;
-	remaining = remaining - 1;
-    }
-    current->name = NULL;
-    return datastruct;
-}
-
-static char *
-return_name(Pair  *data_struct,
-	    int   n)
-    /* returns a pointer to the name of the nth 
-       (starting from 0) item in the data structure */
-{
-    char          *name;
-
-    if ((data_struct + n)->name != NULL) {
-	name = (data_struct + n)->name;
-	return name;
-    } else {
-	return NULL;
-    }
-}
-
-static char *
-return_data(Pair  *data_struct,int n)
-    /* returns a pointer to the data of the nth (starting from 0) 
-       itme in the data structure */
-{
-    char          *data;
-
-    data = (data_struct + n)->data;
-    return data;
-}
-
-
-static char *
-add_prefix(char  *field_name)
-{
-    extern char  prefix[PREFIX_LEN];
-    int          i = 0;
-    char         *rv;
-    char         *write;
-
-    rv = write = PORT_Alloc(PORT_Strlen(prefix) + PORT_Strlen(field_name) + 1);
-    for(i = 0; i < PORT_Strlen(prefix); i++) {
-	*write = prefix[i];
-	write++;
-    }
-    *write = '\0';
-    rv = PORT_Strcat(rv,field_name);
-    return rv;
-}
-
-
-static char *
-find_field(Pair    *data, 
-	   char    *field_name, 
-	   PRBool  add_pre)
-    /* returns a pointer to the data of the first pair 
-       thats name matches the string it is passed */
-{
-    int            i = 0;
-    char           *retrieved;
-    int            found = 0;
-
-    if (add_pre) {
-	field_name = add_prefix(field_name);
-    }
-    while(return_name(data, i) != NULL) {
-	if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
-	    retrieved = return_data(data, i);
-	    found = 1;
-	    break;
-	}
-	i++;
-    }
-    if (!found) {
-	retrieved = NULL;
-    }
-    return retrieved;
-}
-
-static PRBool
-find_field_bool(Pair    *data, 
-		char    *fieldname, 
-		PRBool  add_pre)
-{
-    char                *rv;
-
-    rv = find_field(data, fieldname, add_pre);
-	
-    if  ((rv != NULL) && (PORT_Strcmp(rv, "true")) == 0) {
-	return PR_TRUE;
-    } else {
-	return PR_FALSE;
-    }
-}
-
-static char *
-update_data_by_name(Pair  *data, 
-		    char  *field_name,
-                    char  *new_data)
-    /* replaces the data in the data structure associated with 
-       a name with new data, returns null if not found */
-{
-    int                   i = 0;
-    int                   found = 0;
-    int                   length = 100;
-    char                  *new;
-
-    while (return_name(data, i) != NULL) {
-	if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
-	    new = make_copy_string( new_data, length, '\0');
-	    PORT_Free(return_data(data, i));
-	    found = 1;
-	    (*(data + i)).data = new;
-	    break;
-	}
-	i++;
-    }
-    if (!found) {
-	new = NULL;
-    }
-    return new;
-}
-
-static char *
-update_data_by_index(Pair  *data, 
-		     int   n, 
-		     char  *new_data)
-    /* replaces the data of a particular index in the data structure */
-{
-    int                    length = 100;
-    char                   *new;
-
-    new = make_copy_string(new_data, length, '\0');
-    PORT_Free(return_data(data, n));
-    (*(data + n)).data = new;
-    return new;
-}
-
-
-static Pair *
-add_field(Pair   *data, 
-	  char*  field_name, 
-	  char*  field_data)
-    /* adds a new name/data pair to the data structure */
-{
-    int          i = 0;
-    int          j;
-    int          name_length = 100;
-    int          data_length = 100;
-
-    while(return_name(data, i) != NULL) {
-	i++;
-    }
-    j = START_FIELDS;
-    while ( j < (i + 1) ) {
-	j = j * 2;
-    }
-    if (j == (i + 1)) {
-	data = (Pair *) PORT_Realloc(data, (j * 2) * sizeof(Pair));
-	if (data == NULL) {
-	    error_allocate();
-	}
-    }
-    (*(data + i)).name = make_copy_string(field_name, name_length, '\0');
-    (*(data + i)).data = make_copy_string(field_data, data_length, '\0');
-    (data + i + 1)->name = NULL;
-    return data;
-}
-
-
-static CERTCertificateRequest *
-makeCertReq(Pair             *form_data,
-	    int              which_priv_key)
-    /* makes and encodes a certrequest */
-{
-
-    PK11SlotInfo             *slot;
-    CERTCertificateRequest   *certReq = NULL;
-    CERTSubjectPublicKeyInfo *spki;
-    SECKEYPrivateKey         *privkey = NULL;
-    SECKEYPublicKey          *pubkey = NULL;
-    CERTName                 *name;
-    char                     *key;
-    extern SECKEYPrivateKey  *privkeys[9];
-    int                      keySizeInBits;
-    char                     *challenge = "foo";
-    SECStatus                rv = SECSuccess;
-    PQGParams                *pqgParams = NULL;
-    PQGVerify                *pqgVfy = NULL;
-
-    name = CERT_AsciiToName(find_field(form_data, "subject", PR_TRUE));
-    if (name == NULL) {
-	error_out("ERROR: Unable to create Subject Name");
-    }
-    key = find_field(form_data, "key", PR_TRUE);
-    if (key == NULL) {
-	switch (*find_field(form_data, "keysize", PR_TRUE)) {
-	  case '0':
-	    keySizeInBits = 2048;
-	    break;
-	  case '1':
-	    keySizeInBits = 1024;
-	    break;
-	  case '2':
-	    keySizeInBits = 512;
-	    break;
-	  default:
-	    error_out("ERROR: Unsupported Key length selected");
-	}
-	if (find_field_bool(form_data, "keyType-dsa", PR_TRUE)) {
-	    rv = PK11_PQG_ParamGen(keySizeInBits, &pqgParams, &pqgVfy);
-	    if (rv != SECSuccess) {
-		error_out("ERROR: Unable to generate PQG parameters");
-	    }
-	    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
-	    privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, 
-					   pqgParams,&pubkey, PR_FALSE, 
-					   PR_TRUE, NULL);
-	} else {
-	    privkey = SECKEY_CreateRSAPrivateKey(keySizeInBits, &pubkey, NULL);
-	}
-	privkeys[which_priv_key] = privkey;
-	spki = SECKEY_CreateSubjectPublicKeyInfo(pubkey);
-    } else {
-	spki = SECKEY_ConvertAndDecodePublicKeyAndChallenge(key, challenge, 
-							    NULL);
-	if (spki == NULL) {
-	    error_out("ERROR: Unable to decode Public Key and Challenge String");
-	}
-    }
-    certReq = CERT_CreateCertificateRequest(name, spki, NULL);
-    if (certReq == NULL) {
-	error_out("ERROR: Unable to create Certificate Request");
-    }
-    if (pubkey != NULL) {
-	SECKEY_DestroyPublicKey(pubkey);
-    }
-    if (spki != NULL) {
-	SECKEY_DestroySubjectPublicKeyInfo(spki);
-    }
-    if (pqgParams != NULL) {
-	PK11_PQG_DestroyParams(pqgParams);
-    }
-    if (pqgVfy != NULL) {
-	PK11_PQG_DestroyVerify(pqgVfy);
-    }
-    return certReq;
-}
-
-
-
-static CERTCertificate *
-MakeV1Cert(CERTCertDBHandle        *handle, 
-	   CERTCertificateRequest  *req,
-	   char                    *issuerNameStr, 
-	   PRBool                  selfsign, 
-	   int                     serialNumber,
-	   int                     warpmonths,
-	   Pair                    *data)
-{
-    CERTCertificate                 *issuerCert = NULL;
-    CERTValidity                    *validity;
-    CERTCertificate                 *cert = NULL;
-    PRExplodedTime                  printableTime;
-    PRTime                          now, 
-	                            after;
-    SECStatus rv;
-   
-    
-
-    if ( !selfsign ) {
-	issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
-	if (!issuerCert) {
-	    error_out("ERROR: Could not find issuer's certificate");
-	    return NULL;
-	}
-    }
-    if (find_field_bool(data, "manValidity", PR_TRUE)) {
-	rv = DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
-    } else {
-	now = PR_Now();
-    }
-    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
-    if ( warpmonths ) {
-	printableTime.tm_month += warpmonths;
-	now = PR_ImplodeTime (&printableTime);
-	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
-    }
-    if (find_field_bool(data, "manValidity", PR_TRUE)) {
-	rv = DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
-	PR_ExplodeTime (after, PR_GMTParameters, &printableTime);
-    } else {
-	printableTime.tm_month += 3;
-	after = PR_ImplodeTime (&printableTime);
-    }
-    /* note that the time is now in micro-second unit */
-    validity = CERT_CreateValidity (now, after);
-
-    if ( selfsign ) {
-	cert = CERT_CreateCertificate
-	    (serialNumber,&(req->subject), validity, req);
-    } else {
-	cert = CERT_CreateCertificate
-	    (serialNumber,&(issuerCert->subject), validity, req);
-    }
-    
-    CERT_DestroyValidity(validity);
-    if ( issuerCert ) {
-	CERT_DestroyCertificate (issuerCert);
-    }
-    return(cert);
-}
-
-static int
-get_serial_number(Pair  *data)
-{
-    int                 serial = 0;
-    int                 error;
-    char                *filename = SERIAL_FILE;
-    char                *SN;
-    FILE                *serialFile;
-
-
-    if (find_field_bool(data, "serial-auto", PR_TRUE)) {
-	serialFile = fopen(filename, "r");
-	if (serialFile != NULL) {
-	    fread(&serial, sizeof(int), 1, serialFile);
-	    if (ferror(serialFile) != 0) {
-		error_out("Error: Unable to read serial number file");
-	    }
-	    if (serial == 4294967295) {
-		serial = 21;
-	    }
-	    fclose(serialFile);
-	    ++serial;
-	    serialFile = fopen(filename,"w");
-	    if (serialFile == NULL) {
-	        error_out("ERROR: Unable to open serial number file for writing");
-	    }
-	    fwrite(&serial, sizeof(int), 1, serialFile);
-	    if (ferror(serialFile) != 0) {
-		error_out("Error: Unable to write to serial number file");
-	    }
-	} else {
-	    fclose(serialFile);
-	    serialFile = fopen(filename,"w");
-	    if (serialFile == NULL) {
-		error_out("ERROR: Unable to open serial number file");
-	    }
-	    serial = 21;
-	    fwrite(&serial, sizeof(int), 1, serialFile);
-	    if (ferror(serialFile) != 0) {
-		error_out("Error: Unable to write to serial number file");
-	    }
-	    error = ferror(serialFile);
-	    if (error != 0) {
-		error_out("ERROR: Unable to write to serial file");
-	    }
-	}
-	fclose(serialFile);
-    } else {
-	SN = find_field(data, "serial_value", PR_TRUE);
-	while (*SN != '\0') {
-	    serial = serial * 16;
-	    if ((*SN >= 'A') && (*SN <='F')) {
-		serial += *SN - 'A' + 10; 
-	    } else {
-		if ((*SN >= 'a') && (*SN <='f')) {
-		    serial += *SN - 'a' + 10;
-		} else {
-		    serial += *SN - '0';
-		}
-	    }
-	    ++SN;
-	}
-    }
-    return serial;
-}
-	
-
-
-typedef SECStatus (* EXTEN_VALUE_ENCODER)
-		(PRArenaPool *extHandle, void *value, SECItem *encodedValue);
-
-static SECStatus 
-EncodeAndAddExtensionValue(
-	PRArenaPool          *arena, 
-	void                 *extHandle, 
-	void                 *value, 
-	PRBool 		     criticality,
-	int 		     extenType, 
-	EXTEN_VALUE_ENCODER  EncodeValueFn)
-{
-    SECItem                  encodedValue;
-    SECStatus                rv;
-	
-
-    encodedValue.data = NULL;
-    encodedValue.len = 0;
-    rv = (*EncodeValueFn)(arena, value, &encodedValue);
-    if (rv != SECSuccess) {
-	error_out("ERROR: Unable to encode extension value");
-    }
-    rv = CERT_AddExtension
-	(extHandle, extenType, &encodedValue, criticality, PR_TRUE);
-    return (rv);
-}
-
-
-
-static SECStatus 
-AddKeyUsage (void  *extHandle, 
-	     Pair  *data)
-{
-    SECItem        bitStringValue;
-    unsigned char  keyUsage = 0x0;
-
-    if (find_field_bool(data,"keyUsage-digitalSignature", PR_TRUE)){
-	keyUsage |= (0x80 >> 0);
-    }
-    if (find_field_bool(data,"keyUsage-nonRepudiation", PR_TRUE)){
-	keyUsage |= (0x80 >> 1);
-    }
-    if (find_field_bool(data,"keyUsage-keyEncipherment", PR_TRUE)){
-	keyUsage |= (0x80 >> 2);
-    }
-    if (find_field_bool(data,"keyUsage-dataEncipherment", PR_TRUE)){
-	keyUsage |= (0x80 >> 3);
-    }
-    if (find_field_bool(data,"keyUsage-keyAgreement", PR_TRUE)){
-	keyUsage |= (0x80 >> 4);
-    }
-    if (find_field_bool(data,"keyUsage-keyCertSign", PR_TRUE)) {
-	keyUsage |= (0x80 >> 5);
-    }
-    if (find_field_bool(data,"keyUsage-cRLSign", PR_TRUE)) {
-	keyUsage |= (0x80 >> 6);
-    }
-
-    bitStringValue.data = &keyUsage;
-    bitStringValue.len = 1;
-
-    return (CERT_EncodeAndAddBitStrExtension
-	    (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
-	     (find_field_bool(data, "keyUsage-crit", PR_TRUE))));
-
-}
-
-static CERTOidSequence *
-CreateOidSequence(void)
-{
-  CERTOidSequence *rv = (CERTOidSequence *)NULL;
-  PRArenaPool *arena = (PRArenaPool *)NULL;
-
-  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  if( (PRArenaPool *)NULL == arena ) {
-    goto loser;
-  }
-
-  rv = (CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));
-  if( (CERTOidSequence *)NULL == rv ) {
-    goto loser;
-  }
-
-  rv->oids = (SECItem **)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
-  if( (SECItem **)NULL == rv->oids ) {
-    goto loser;
-  }
-
-  rv->arena = arena;
-  return rv;
-
- loser:
-  if( (PRArenaPool *)NULL != arena ) {
-    PORT_FreeArena(arena, PR_FALSE);
-  }
-
-  return (CERTOidSequence *)NULL;
-}
-
-static SECStatus
-AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
-{
-  SECItem **oids;
-  PRUint32 count = 0;
-  SECOidData *od;
-
-  od = SECOID_FindOIDByTag(oidTag);
-  if( (SECOidData *)NULL == od ) {
-    return SECFailure;
-  }
-
-  for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
-    count++;
-  }
-
-  /* ArenaZRealloc */
-
-  {
-    PRUint32 i;
-
-    oids = (SECItem **)PORT_ArenaZAlloc(os->arena, sizeof(SECItem *) * (count+2));
-    if( (SECItem **)NULL == oids ) {
-      return SECFailure;
-    }
-    
-    for( i = 0; i < count; i++ ) {
-      oids[i] = os->oids[i];
-    }
-
-    /* ArenaZFree(os->oids); */
-  }
-
-  os->oids = oids;
-  os->oids[count] = &od->oid;
-
-  return SECSuccess;
-}
-
-static SECItem *
-EncodeOidSequence(CERTOidSequence *os)
-{
-  SECItem *rv;
-  extern const SEC_ASN1Template CERT_OidSeqTemplate[];
-
-  rv = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem));
-  if( (SECItem *)NULL == rv ) {
-    goto loser;
-  }
-
-  if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
-    goto loser;
-  }
-
-  return rv;
-
- loser:
-  return (SECItem *)NULL;
-}
-
-static SECStatus
-AddExtKeyUsage(void *extHandle, Pair *data)
-{
-  SECStatus rv;
-  CERTOidSequence *os;
-  SECItem *value;
-  PRBool crit;
-
-  os = CreateOidSequence();
-  if( (CERTOidSequence *)NULL == os ) {
-    return SECFailure;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-serverAuth", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-codeSign", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-emailProtect", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-timeStamp", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-ocspResponder", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  if( find_field_bool(data, "extKeyUsage-NS-govtApproved", PR_TRUE) ) {
-    rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
-    if( SECSuccess != rv ) goto loser;
-  }
-
-  value = EncodeOidSequence(os);
-
-  crit = find_field_bool(data, "extKeyUsage-crit", PR_TRUE);
-
-  rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, value,
-                         crit, PR_TRUE);
-  /*FALLTHROUGH*/
- loser:
-  CERT_DestroyOidSequence(os);
-  return rv;
-}
-
-static SECStatus
-AddSubKeyID(void             *extHandle, 
-	    Pair             *data, 
-	    CERTCertificate  *subjectCert)
-{
-    SECItem                  encodedValue;
-    SECStatus                rv;
-    char                     *read;
-    char                     *write;
-    char                     *first;
-    char                     character;
-    int                      high_digit = 0,
-	                     low_digit = 0;
-    int                      len;
-    PRBool                   odd = PR_FALSE;
-
-
-    encodedValue.data = NULL;
-    encodedValue.len = 0;
-    first = read = write = find_field(data,"subjectKeyIdentifier-text", 
-				      PR_TRUE);
-    len = PORT_Strlen(first);
-    odd = ((len % 2) != 0 ) ? PR_TRUE : PR_FALSE;
-    if (find_field_bool(data, "subjectKeyIdentifier-radio-hex", PR_TRUE)) {
-	if (odd) {
-	    error_out("ERROR: Improperly formated subject key identifier, hex values must be expressed as an octet string");
-	}
-	while (*read != '\0') {
-	    if (!isxdigit(*read)) {
-		error_out("ERROR: Improperly formated subject key identifier");
-	    }
-	    *read = toupper(*read);
-	    if ((*read >= 'A') && (*read <= 'F')) {
-		high_digit = *read - 'A' + 10;
-	    }  else {
-		high_digit = *read - '0';
-	    }
-	    ++read;
-	    if (!isxdigit(*read)) {
-		error_out("ERROR: Improperly formated subject key identifier");
-	    }
-	    *read = toupper(*read);
-	    if ((*read >= 'A') && (*read <= 'F')) {
-		low_digit = *(read) - 'A' + 10;
-	    } else {
-		low_digit = *(read) - '0';
-	    }
-	    character = (high_digit << 4) | low_digit;
-	    *write = character;
-	    ++write;
-	    ++read;
-	}
-	*write = '\0';
-	len = write - first;
-    }
-    subjectCert->subjectKeyID.data = (unsigned char *) find_field
-	(data,"subjectKeyIdentifier-text", PR_TRUE);
-    subjectCert->subjectKeyID.len = len;
-    rv = CERT_EncodeSubjectKeyID
-	(NULL, &subjectCert->subjectKeyID, &encodedValue);
-    if (rv) {
-	return (rv);
-    }
-    return (CERT_AddExtension(extHandle,  SEC_OID_X509_SUBJECT_KEY_ID, 
-			      &encodedValue, PR_FALSE, PR_TRUE));
-}
-
-
-static SECStatus 
-AddAuthKeyID (void              *extHandle,
-	      Pair              *data, 
-	      char              *issuerNameStr, 
-	      CERTCertDBHandle  *handle)
-{
-    CERTAuthKeyID               *authKeyID = NULL;    
-    PRArenaPool                 *arena = NULL;
-    SECStatus                   rv = SECSuccess;
-    CERTCertificate             *issuerCert = NULL;
-    CERTGeneralName             *genNames;
-    CERTName                    *directoryName = NULL;
-
-
-    issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	error_allocate();
-    }
-
-    authKeyID = PORT_ArenaZAlloc (arena, sizeof (CERTAuthKeyID));
-    if (authKeyID == NULL) {
-	error_allocate();
-    }
-    if (find_field_bool(data, "authorityKeyIdentifier-radio-keyIdentifier", 
-			PR_TRUE)) {
-	authKeyID->keyID.data = PORT_ArenaAlloc (arena, PORT_Strlen 
-				       ((char *)issuerCert->subjectKeyID.data));
-	if (authKeyID->keyID.data == NULL) {
-	    error_allocate();
-	}
-	PORT_Memcpy (authKeyID->keyID.data, issuerCert->subjectKeyID.data, 
-		     authKeyID->keyID.len = 
-		        PORT_Strlen((char *)issuerCert->subjectKeyID.data));
-    } else {
-	
-	PORT_Assert (arena);
-	genNames = (CERTGeneralName *) PORT_ArenaZAlloc (arena, (sizeof(CERTGeneralName)));
-	if (genNames == NULL){
-	    error_allocate();
-	}
-	genNames->l.next = genNames->l.prev = &(genNames->l);
-	genNames->type = certDirectoryName;
-
-	directoryName = CERT_AsciiToName(issuerCert->subjectName);
-	if (!directoryName) {
-	    error_out("ERROR: Unable to create Directory Name");
-	}
-	rv = CERT_CopyName (arena, &genNames->name.directoryName, 
-			    directoryName);
-        CERT_DestroyName (directoryName);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to copy Directory Name");
-	}
-	authKeyID->authCertIssuer = genNames;
-	if (authKeyID->authCertIssuer == NULL && SECFailure == 
-	                                            PORT_GetError ()) {
-	    error_out("ERROR: Unable to get Issuer General Name for Authority Key ID Extension");
-	}
-	authKeyID->authCertSerialNumber = issuerCert->serialNumber;
-    }
-    rv = EncodeAndAddExtensionValue(arena, extHandle, authKeyID, PR_FALSE, 
-				    SEC_OID_X509_AUTH_KEY_ID, 
-				    (EXTEN_VALUE_ENCODER)
-				    CERT_EncodeAuthKeyID);
-    if (arena) {
-	PORT_FreeArena (arena, PR_FALSE);
-    }
-    return (rv);
-}
-
-
-static SECStatus 
-AddPrivKeyUsagePeriod(void             *extHandle, 
-		      Pair             *data, 
-		      CERTCertificate  *cert)
-{
-    char *notBeforeStr;
-    char *notAfterStr;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    CERTPrivKeyUsagePeriod *pkup;
-
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	error_allocate();
-    }
-    pkup = PORT_ArenaZNew (arena, CERTPrivKeyUsagePeriod);
-    if (pkup == NULL) {
-	error_allocate();
-    }
-    notBeforeStr = (char *) PORT_Alloc(16 );
-    notAfterStr = (char *) PORT_Alloc(16 );
-    *notBeforeStr = '\0';
-    *notAfterStr = '\0';
-    pkup->arena = arena;
-    pkup->notBefore.len = 0;
-    pkup->notBefore.data = NULL;
-    pkup->notAfter.len = 0;
-    pkup->notAfter.data = NULL;
-    if (find_field_bool(data, "privKeyUsagePeriod-radio-notBefore", PR_TRUE) ||
-	find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
-	pkup->notBefore.len = 15;
-	pkup->notBefore.data = (unsigned char *)notBeforeStr;
-	if (find_field_bool(data, "privKeyUsagePeriod-notBefore-radio-manual", 
-			    PR_TRUE)) {
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					   "privKeyUsagePeriod-notBefore-year",
-					   PR_TRUE));
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					   "privKeyUsagePeriod-notBefore-month",
-					   PR_TRUE));
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					   "privKeyUsagePeriod-notBefore-day",
-					   PR_TRUE));
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					   "privKeyUsagePeriod-notBefore-hour",
-					   PR_TRUE));
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					  "privKeyUsagePeriod-notBefore-minute",
-					   PR_TRUE));
-	    PORT_Strcat(notBeforeStr,find_field(data,
-					  "privKeyUsagePeriod-notBefore-second",
-					   PR_TRUE));
-	    if ((*(notBeforeStr + 14) != '\0') ||
-		(!isdigit(*(notBeforeStr + 13))) ||
-		(*(notBeforeStr + 12) >= '5' && *(notBeforeStr + 12) <= '0') ||
-		(!isdigit(*(notBeforeStr + 11))) ||
-		(*(notBeforeStr + 10) >= '5' && *(notBeforeStr + 10) <= '0') ||
-		(!isdigit(*(notBeforeStr + 9))) ||
-		(*(notBeforeStr + 8) >= '2' && *(notBeforeStr + 8) <= '0') ||
-		(!isdigit(*(notBeforeStr + 7))) ||
-		(*(notBeforeStr + 6) >= '3' && *(notBeforeStr + 6) <= '0') ||
-		(!isdigit(*(notBeforeStr + 5))) ||
-		(*(notBeforeStr + 4) >= '1' && *(notBeforeStr + 4) <= '0') ||
-		(!isdigit(*(notBeforeStr + 3))) ||
-		(!isdigit(*(notBeforeStr + 2))) ||
-		(!isdigit(*(notBeforeStr + 1))) ||
-		(!isdigit(*(notBeforeStr + 0))) ||
-		(*(notBeforeStr + 8) == '2' && *(notBeforeStr + 9) >= '4') ||
-		(*(notBeforeStr + 6) == '3' && *(notBeforeStr + 7) >= '1') ||
-		(*(notBeforeStr + 4) == '1' && *(notBeforeStr + 5) >= '2')) {
-		error_out("ERROR: Improperly formated private key usage period");
-	    }
-	    *(notBeforeStr + 14) = 'Z';
-	    *(notBeforeStr + 15) = '\0';
-	} else {
-	    if ((*(cert->validity.notBefore.data) > '5') || 
-		((*(cert->validity.notBefore.data) == '5') &&
-		 (*(cert->validity.notBefore.data + 1) != '0'))) {
-		PORT_Strcat(notBeforeStr, "19");
-	    } else {
-		PORT_Strcat(notBeforeStr, "20");
-	    }
-	    PORT_Strcat(notBeforeStr, (char *)cert->validity.notBefore.data);
-	}
-    }
-    if (find_field_bool(data, "privKeyUsagePeriod-radio-notAfter", PR_TRUE) ||
-	find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
-	pkup->notAfter.len = 15;
-	pkup->notAfter.data = (unsigned char *)notAfterStr;
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-year", 
-				      PR_TRUE));
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-month",
-				      PR_TRUE));
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-day", 
-				      PR_TRUE));
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-hour", 
-				      PR_TRUE));
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-minute",
-				      PR_TRUE));
-	PORT_Strcat(notAfterStr,find_field(data,"privKeyUsagePeriod-notAfter-second",
-				      PR_TRUE));
-	if ((*(notAfterStr + 14) != '\0') ||
-	    (!isdigit(*(notAfterStr + 13))) ||
-	    (*(notAfterStr + 12) >= '5' && *(notAfterStr + 12) <= '0') ||
-	    (!isdigit(*(notAfterStr + 11))) ||
-	    (*(notAfterStr + 10) >= '5' && *(notAfterStr + 10) <= '0') ||
-	    (!isdigit(*(notAfterStr + 9))) ||
-	    (*(notAfterStr + 8) >= '2' && *(notAfterStr + 8) <= '0') ||
-	    (!isdigit(*(notAfterStr + 7))) ||
-	    (*(notAfterStr + 6) >= '3' && *(notAfterStr + 6) <= '0') ||
-	    (!isdigit(*(notAfterStr + 5))) ||
-	    (*(notAfterStr + 4) >= '1' && *(notAfterStr + 4) <= '0') ||
-	    (!isdigit(*(notAfterStr + 3))) ||
-	    (!isdigit(*(notAfterStr + 2))) ||
-	    (!isdigit(*(notAfterStr + 1))) ||
-	    (!isdigit(*(notAfterStr + 0))) ||
-	    (*(notAfterStr + 8) == '2' && *(notAfterStr + 9) >= '4') ||
-	    (*(notAfterStr + 6) == '3' && *(notAfterStr + 7) >= '1') ||
-	    (*(notAfterStr + 4) == '1' && *(notAfterStr + 5) >= '2')) {
-	    error_out("ERROR: Improperly formated private key usage period");
-	}
-	*(notAfterStr + 14) = 'Z';
-	*(notAfterStr + 15) = '\0';
-    }
-	
-    PORT_Assert (arena);
-
-    rv = EncodeAndAddExtensionValue(arena, extHandle, pkup, 
-				    find_field_bool(data,
-						    "privKeyUsagePeriod-crit", 
-						    PR_TRUE), 
-				    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD, 
-				    (EXTEN_VALUE_ENCODER)
-				    CERT_EncodePrivateKeyUsagePeriod);
-    if (arena) {
-	PORT_FreeArena (arena, PR_FALSE);
-    }
-    if (notBeforeStr != NULL) {
-	PORT_Free(notBeforeStr);
-    }
-    if (notAfterStr != NULL) {
-	PORT_Free(notAfterStr);
-    }
-    return (rv);
-}    
-
-static SECStatus 
-AddBasicConstraint(void   *extHandle, 
-		   Pair   *data)
-{
-    CERTBasicConstraints  basicConstraint;
-    SECItem               encodedValue;
-    SECStatus             rv;
-
-    encodedValue.data = NULL;
-    encodedValue.len = 0;
-    basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-    basicConstraint.isCA = (find_field_bool(data,"basicConstraints-cA-radio-CA",
-					    PR_TRUE));
-    if (find_field_bool(data,"basicConstraints-pathLengthConstraint", PR_TRUE)){
-	basicConstraint.pathLenConstraint = atoi 
-	    (find_field(data,"basicConstraints-pathLengthConstraint-text", 
-			PR_TRUE));
-    }
-    
-    rv = CERT_EncodeBasicConstraintValue (NULL, &basicConstraint, 
-					  &encodedValue);
-    if (rv)
-	return (rv);
-    rv = CERT_AddExtension(extHandle, SEC_OID_X509_BASIC_CONSTRAINTS, 
-			   &encodedValue, 
-			   (find_field_bool(data,"basicConstraints-crit", 
-					    PR_TRUE)), PR_TRUE);
-
-    PORT_Free (encodedValue.data);
-    return (rv);
-}
-
-
-
-static SECStatus 
-AddNscpCertType (void  *extHandle, 
-		 Pair  *data)
-{
-    SECItem            bitStringValue;
-    unsigned char      CertType = 0x0;
-
-    if (find_field_bool(data,"netscape-cert-type-ssl-client", PR_TRUE)){
-	CertType |= (0x80 >> 0);
-    }
-    if (find_field_bool(data,"netscape-cert-type-ssl-server", PR_TRUE)){
-	CertType |= (0x80 >> 1);
-    }
-    if (find_field_bool(data,"netscape-cert-type-smime", PR_TRUE)){
-	CertType |= (0x80 >> 2);
-    }
-    if (find_field_bool(data,"netscape-cert-type-object-signing", PR_TRUE)){
-	CertType |= (0x80 >> 3);
-    }
-    if (find_field_bool(data,"netscape-cert-type-reserved", PR_TRUE)){
-	CertType |= (0x80 >> 4);
-    }
-    if (find_field_bool(data,"netscape-cert-type-ssl-ca", PR_TRUE)) {
-	CertType |= (0x80 >> 5);
-    }
-    if (find_field_bool(data,"netscape-cert-type-smime-ca", PR_TRUE)) {
-	CertType |= (0x80 >> 6);
-    }
-    if (find_field_bool(data,"netscape-cert-type-object-signing-ca", PR_TRUE)) {
-	CertType |= (0x80 >> 7);
-    }
-
-    bitStringValue.data = &CertType;
-    bitStringValue.len = 1;
-
-    return (CERT_EncodeAndAddBitStrExtension
-	    (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
-	     (find_field_bool(data, "netscape-cert-type-crit", PR_TRUE))));
-}
-
-
-static SECStatus
-add_IA5StringExtension(void    *extHandle, 
-		       char    *string, 
-		       PRBool  crit, 
-		       int     idtag)
-{
-    SECItem                    encodedValue;
-    SECStatus                  rv;
-
-    encodedValue.data = NULL;
-    encodedValue.len = 0;
-
-    rv = CERT_EncodeIA5TypeExtension(NULL, string, &encodedValue);
-    if (rv) {
-	return (rv);
-    }
-    return (CERT_AddExtension(extHandle, idtag, &encodedValue, crit, PR_TRUE));
-}
-
-static SECItem *
-string_to_oid(char  *string)
-{
-    int             i;
-    int             length = 20;
-    int             remaining;
-    int             first_value;
-    int             second_value;
-    int             value;
-    int             oidLength;
-    unsigned char   *oidString;
-    unsigned char   *write;
-    unsigned char   *read;
-    unsigned char   *temp;
-    SECItem         *oid;
-    
-    
-    remaining = length;
-    i = 0;
-    while (*string == ' ') {
-	string++;
-    }
-    while (isdigit(*(string + i))) {
-	i++;
-    }
-    if (*(string + i) == '.') {
-	*(string + i) = '\0';
-    } else {
-	error_out("ERROR: Improperly formated OID");
-    }
-    first_value = atoi(string);
-    if (first_value < 0 || first_value > 2) {
-	error_out("ERROR: Improperly formated OID");
-    }
-    string += i + 1;
-    i = 0;
-    while (isdigit(*(string + i))) {
-	i++;
-    }
-    if (*(string + i) == '.') {
-	*(string + i) = '\0';
-    } else {
-	error_out("ERROR: Improperly formated OID");
-    }
-    second_value = atoi(string);
-    if (second_value < 0 || second_value > 39) {
-	error_out("ERROR: Improperly formated OID");
-    }
-    oidString = PORT_ZAlloc(2);
-    *oidString = (first_value * 40) + second_value;
-    *(oidString + 1) = '\0';
-    oidLength = 1;
-    string += i + 1;
-    i = 0;
-    temp = write = PORT_ZAlloc(length);
-    while (*string != '\0') {
-	value = 0;
-	while(isdigit(*(string + i))) {
-	    i++;
-	}
-	if (*(string + i) == '\0') {
-	    value = atoi(string);
-	    string += i;
-	} else {
-	    if (*(string + i) == '.') {
-		*(string + i) = '\0';
-		value = atoi(string);
-		string += i + 1;
-	    } else {
-		*(string + i) = '\0';
-		i++;
-		value = atoi(string);
-		while (*(string + i) == ' ')
-		    i++;
-		if (*(string + i) != '\0') {
-		    error_out("ERROR: Improperly formated OID");
-		}
-	    }
-	}
-	i = 0;
-	while (value != 0) {
-	    if (remaining < 1) {
-		remaining += length;
-		length = length * 2;
-		temp = PORT_Realloc(temp, length);
-		write = temp + length - remaining;
-	    }
-	    *write = (value & 0x7f) | (0x80);
-	    write++;
-	    remaining--;
-	    value = value >> 7;
-	}
-	*temp = *temp & (0x7f);
-	oidLength += write - temp;
-	oidString = PORT_Realloc(oidString, (oidLength + 1));
-	read = write - 1;
-	write = oidLength + oidString - 1;
-	for (i = 0; i < (length - remaining); i++) {
-	    *write = *read;
-	    write--;
-	    read++;
-	}
-	write = temp;
-	remaining = length;
-    }
-    *(oidString + oidLength) = '\0';
-    oid = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
-    oid->data = oidString;
-    oid->len  = oidLength;
-    PORT_Free(temp);
-    return oid;
-}
-
-static SECItem *
-string_to_ipaddress(char *string)
-{
-    int      i = 0;
-    int      value;
-    int      j = 0;
-    SECItem  *ipaddress;
-    
-
-    while (*string == ' ') {
-	string++;
-    }
-    ipaddress = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
-    ipaddress->data = PORT_ZAlloc(9);
-    while (*string != '\0' && j < 8) {
-	while (isdigit(*(string + i))) {
-	    i++;
-	}
-	if (*(string + i) == '.') {
-	    *(string + i) = '\0';
-	    value = atoi(string);
-	    string = string + i + 1;
-	    i = 0;
-	} else {
-	    if (*(string + i) == '\0') {
-		value = atoi(string);
-		string = string + i;
-		i = 0;
-	    } else {
-		*(string + i) = '\0';
-		while (*(string + i) == ' ') {
-		    i++;
-		}
-		if (*(string + i) == '\0') {
-		    value = atoi(string);
-		    string = string + i;
-		    i = 0;
-		} else {
-		    error_out("ERROR: Improperly formated IP Address");
-		}
-	    }
-	}
-	if (value >= 0 || value < 256) {
-	    *(ipaddress->data + j) = value;
-	} else {
-	    error_out("ERROR: Improperly formated IP Address");
-	}
-	j++;
-    }
-    *(ipaddress->data + j) = '\0';
-    if (j != 4 && j != 8) {
-	error_out("ERROR: Improperly formated IP Address");
-    }
-    ipaddress->len = j;
-    return ipaddress;
-}
-
-static SECItem *
-string_to_binary(char  *string)
-{
-    SECItem            *rv;
-    int                high_digit;
-    int                low_digit;
-
-    rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
-    if (rv == NULL) {
-	error_allocate();
-    }
-    rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2);
-    while (!isxdigit(*string)) {
-	string++;
-    }
-    rv->len = 0;
-    while (*string != '\0') {
-	if (isxdigit(*string)) {
-	    if (*string >= '0' && *string <= '9') {
-		high_digit = *string - '0';
-	    } else {
-		*string = toupper(*string);
-		high_digit = *string - 'A';
-	    }
-	    string++;
-	    if (*string >= '0' && *string <= '9') {
-		low_digit = *string - '0';
-	    } else {
-		*string = toupper(*string);
-		low_digit = *string = 'A';
-	    }
-	    (rv->len)++;
-	} else {
-	    if (*string == ':') {
-		string++;
-	    } else {
-		if (*string == ' ') {
-		    while (*string == ' ') {
-			string++;
-		    }
-		}
-		if (*string != '\0') {
-		    error_out("ERROR: Improperly formated binary encoding");
-		}
-	    }
-	} 
-    }
-
-    return rv;
-}
-
-static SECStatus
-MakeGeneralName(char             *name, 
-		CERTGeneralName  *genName,
-		PRArenaPool      *arena)
-{
-    SECItem                      *oid;
-    SECOidData                   *oidData;
-    SECItem                      *ipaddress;
-    SECItem                      *temp = NULL;
-    int                          i;
-    int                          nameType;
-    PRBool                       binary = PR_FALSE;
-    SECStatus                    rv = SECSuccess;
-    PRBool                       nickname = PR_FALSE;
-
-    PORT_Assert(genName);
-    PORT_Assert(arena);
-    nameType = *(name + PORT_Strlen(name) - 1) - '0';
-    if (nameType == 0  && *(name +PORT_Strlen(name) - 2) == '1') {
-	nickname = PR_TRUE;
-	nameType = certOtherName;
-    }
-    if (nameType < 1 || nameType > 9) {
-	error_out("ERROR: Unknown General Name Type");
-    }
-    *(name + PORT_Strlen(name) - 4) = '\0';
-    genName->type = nameType;
-    
-    switch (genName->type) {
-      case certURI:
-      case certRFC822Name:
-      case certDNSName: {
-	  genName->name.other.data = (unsigned char *)name;
-	  genName->name.other.len = PORT_Strlen(name);
-	  break;
-      }
-      
-      case certIPAddress: {
-	  ipaddress = string_to_ipaddress(name);
-	  genName->name.other.data = ipaddress->data;
-	  genName->name.other.len = ipaddress->len;
-	  break;
-      }
-      
-      case certRegisterID: {
-	  oid = string_to_oid(name);
-	  genName->name.other.data = oid->data;
-	  genName->name.other.len = oid->len;
-	  break;
-      }
-      
-      case certEDIPartyName:
-      case certX400Address: {
-	  
-	  genName->name.other.data = PORT_ArenaAlloc (arena, 
-						      PORT_Strlen (name) + 2);
-	  if (genName->name.other.data == NULL) {
-	      error_allocate();
-	  }
-	  
-	  PORT_Memcpy (genName->name.other.data + 2, name, PORT_Strlen (name));
-	  /* This may not be accurate for all cases.  
-	     For now, use this tag type */
-	  genName->name.other.data[0] = (char)(((genName->type - 1) & 
-						0x1f)| 0x80);
-	  genName->name.other.data[1] = (char)PORT_Strlen (name);
-	  genName->name.other.len = PORT_Strlen (name) + 2;
-	  break;
-      }
-      
-      case certOtherName: {
-	  i = 0;
-	  if (!nickname) {
-	      while (!isdigit(*(name + PORT_Strlen(name) - i))) {
-		  i++;
-	      }
-	      if (*(name + PORT_Strlen(name) - i) == '1') {
-		  binary = PR_TRUE;
-	      } else {
-		  binary = PR_FALSE;
-	      }  
-	      while (*(name + PORT_Strlen(name) - i) != '-') {
-		  i++;
-	      }
-	      *(name + PORT_Strlen(name) - i - 1) = '\0';
-	      i = 0;
-	      while (*(name + i) != '-') {
-		  i++;
-	      }
-	      *(name + i - 1) = '\0';
-	      oid = string_to_oid(name + i + 2);
-	  } else {
-	      oidData = SECOID_FindOIDByTag(SEC_OID_NETSCAPE_NICKNAME);
-	      oid = &oidData->oid;
-	      while (*(name + PORT_Strlen(name) - i) != '-') {
-		  i++;
-	      }
-	      *(name + PORT_Strlen(name) - i) = '\0';
-	  }
-	  genName->name.OthName.oid.data = oid->data;
-	  genName->name.OthName.oid.len  = oid->len;
-	  if (binary) {
-	      temp = string_to_binary(name);
-	      genName->name.OthName.name.data = temp->data;
-	      genName->name.OthName.name.len = temp->len;
-	  } else {
-	      temp = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
-	      if (temp == NULL) {
-		  error_allocate();
-	      }
-	      temp->data = (unsigned char *)name;
-	      temp->len = PORT_Strlen(name);
-	      SEC_ASN1EncodeItem (arena, &(genName->name.OthName.name), temp,
-				  CERTIA5TypeTemplate);
-	  }
-	  PORT_Free(temp);
-	  break;
-      }
-      
-      case certDirectoryName: {
-	  CERTName *directoryName = NULL;
-	  
-	  directoryName = CERT_AsciiToName (name);
-	  if (!directoryName) {
-	      error_out("ERROR: Improperly formated alternative name");
-	      break;
-	  }
-	  rv = CERT_CopyName (arena, &genName->name.directoryName, 
-			      directoryName);
-	  CERT_DestroyName (directoryName);
-	  
-	  break;
-      }
-    }
-    genName->l.next = &(genName->l);
-    genName->l.prev = &(genName->l);
-    return rv;
-}
-
-
-static CERTGeneralName *
-MakeAltName(Pair             *data, 
-	    char             *which, 
-	    PRArenaPool      *arena)
-{
-    CERTGeneralName          *SubAltName;
-    CERTGeneralName          *current;
-    CERTGeneralName          *newname;
-    char                     *name = NULL;
-    SECStatus                rv = SECSuccess;
-    int                      len;
-    
-
-    len = PORT_Strlen(which);
-    name = find_field(data, which, PR_TRUE);
-    SubAltName = current = (CERTGeneralName *) PORT_ZAlloc
-	                                        (sizeof(CERTGeneralName));
-    if (current == NULL) {
-	error_allocate();
-    }
-    while (name != NULL) {
-
-	rv = MakeGeneralName(name, current, arena);
-
-	if (rv != SECSuccess) {
-	    break;
-	}
-	if (*(which + len -1) < '9') {
-	    *(which + len - 1) = *(which + len - 1) + 1;
-	} else {
-	    if (isdigit(*(which + len - 2) )) {
-		*(which + len - 2) = *(which + len - 2) + 1;
-		*(which + len - 1) = '0';
-	    } else {
-		*(which + len - 1) = '1';
-		*(which + len) = '0';
-		*(which + len + 1) = '\0';
-		len++;
-	    }
-	}
-	len = PORT_Strlen(which);
-	name = find_field(data, which, PR_TRUE);
-	if (name != NULL) {
-	    newname = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
-	    if (newname == NULL) {
-		error_allocate();
-	    }
-	    current->l.next = &(newname->l);
-	    newname->l.prev = &(current->l);
-	    current = newname;
-            newname = NULL;
-	} else {
-	    current->l.next = &(SubAltName->l);
-	    SubAltName->l.prev = &(current->l);
-	}
-    }
-    if (rv == SECFailure) {
-	return NULL;
-    }
-    return SubAltName;
-}
-
-static CERTNameConstraints *
-MakeNameConstraints(Pair             *data, 
-		    PRArenaPool      *arena)
-{
-    CERTNameConstraints      *NameConstraints;
-    CERTNameConstraint       *current = NULL;
-    CERTNameConstraint       *last_permited = NULL;
-    CERTNameConstraint       *last_excluded = NULL;
-    char                     *constraint = NULL;
-    char                     *which;
-    SECStatus                rv = SECSuccess;
-    int                      len;
-    int                      i;
-    long                     max;
-    long                     min;
-    PRBool                   permited;
-    
-
-    NameConstraints = (CERTNameConstraints *) PORT_ZAlloc
-	                            (sizeof(CERTNameConstraints));
-    which = make_copy_string("NameConstraintSelect0", 25,'\0');
-    len = PORT_Strlen(which);
-    constraint = find_field(data, which, PR_TRUE);
-    NameConstraints->permited = NameConstraints->excluded = NULL;
-    while (constraint != NULL) {
-	current = (CERTNameConstraint *) PORT_ZAlloc
-	                       (sizeof(CERTNameConstraint));
-	if (current == NULL) {
-	    error_allocate();
-	}
-	i = 0;
-	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
-	    i++;
-	}
-        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0'; 
-	max = (long) atoi(constraint + PORT_Strlen(constraint) + 3);
-	if (max > 0) {
-	    (void) SEC_ASN1EncodeInteger(arena, &current->max, max);
-	}
-	i = 0;
-	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
-	    i++;
-	}
-        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
-	min = (long) atoi(constraint + PORT_Strlen(constraint) + 3);
-	(void) SEC_ASN1EncodeInteger(arena, &current->min, min);
-	while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
-	    i++;
-	}
-        *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
-	if (*(constraint + PORT_Strlen(constraint) + 3) == 'p') {
-	    permited = PR_TRUE;
-	} else {
-	    permited = PR_FALSE;
-	}
-	rv = MakeGeneralName(constraint, &(current->name), arena);
-
-	if (rv != SECSuccess) {
-	    break;
-	}
-	if (*(which + len - 1) < '9') {
-	    *(which + len - 1) = *(which + len - 1) + 1;
-	} else {
-	    if (isdigit(*(which + len - 2) )) {
-		*(which + len - 2) = *(which + len - 2) + 1;
-		*(which + len - 1) = '0';
-	    } else {
-		*(which + len - 1) = '1';
-		*(which + len) = '0';
-		*(which + len + 1) = '\0';
-		len++;
-	    }
-	}
-	len = PORT_Strlen(which);
-	if (permited) {
-	    if (NameConstraints->permited == NULL) {
-		NameConstraints->permited = last_permited = current;
-	    }
-	    last_permited->l.next = &(current->l);
-	    current->l.prev = &(last_permited->l);
-	    last_permited = current;
-	} else {
-	    if (NameConstraints->excluded == NULL) {
-		NameConstraints->excluded = last_excluded = current;
-	    }
-	    last_excluded->l.next = &(current->l);
-	    current->l.prev = &(last_excluded->l);
-	    last_excluded = current;
-	}
-	constraint = find_field(data, which, PR_TRUE);
-	if (constraint != NULL) {
-	    current = (CERTNameConstraint *) PORT_ZAlloc(sizeof(CERTNameConstraint));
-	    if (current == NULL) {
-		error_allocate();
-	    }
-	}
-    }
-    if (NameConstraints->permited != NULL) {
-	last_permited->l.next = &(NameConstraints->permited->l);
-	NameConstraints->permited->l.prev = &(last_permited->l);
-    }
-    if (NameConstraints->excluded != NULL) {
-	last_excluded->l.next = &(NameConstraints->excluded->l);
-	NameConstraints->excluded->l.prev = &(last_excluded->l);
-    }
-    if (which != NULL) {
-	PORT_Free(which);
-    }
-    if (rv == SECFailure) {
-	return NULL;
-    }
-    return NameConstraints;
-}
-
-
-
-static SECStatus
-AddAltName(void              *extHandle,
-	   Pair              *data,
-	   char              *issuerNameStr, 
-	   CERTCertDBHandle  *handle,
-	   int               type)
-{
-    PRBool             autoIssuer = PR_FALSE;
-    PRArenaPool        *arena = NULL;
-    CERTGeneralName    *genName = NULL;
-    char               *which = NULL;
-    char               *name = NULL;
-    SECStatus          rv = SECSuccess;
-    SECItem            *issuersAltName = NULL;
-    CERTCertificate    *issuerCert = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	error_allocate();
-    }
-    if (type == 0) {
-	which = make_copy_string("SubAltNameSelect0", 20,'\0');
-	genName = MakeAltName(data, which, arena);
-    } else {
-	if (autoIssuer) {
-	    autoIssuer = find_field_bool(data,"IssuerAltNameSourceRadio-auto",
-					 PR_TRUE);
-	    issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
-	    rv = cert_FindExtension((*issuerCert).extensions, 
-				    SEC_OID_X509_SUBJECT_ALT_NAME, 
-				    issuersAltName);
-	    if (issuersAltName == NULL) {
-		name = PORT_Alloc(PORT_Strlen((*issuerCert).subjectName) + 4);
-		PORT_Strcpy(name, (*issuerCert).subjectName);
-		PORT_Strcat(name, " - 5");
-	    }
-	} else {
-	    which = make_copy_string("IssuerAltNameSelect0", 20,'\0');
-	    genName = MakeAltName(data, which, arena);
-	}
-    }
-    if (type == 0) {
-	EncodeAndAddExtensionValue(arena, extHandle, genName, 
-				   find_field_bool(data, "SubAltName-crit", 
-						   PR_TRUE), 
-				   SEC_OID_X509_SUBJECT_ALT_NAME, 
-				   (EXTEN_VALUE_ENCODER)
-				   CERT_EncodeAltNameExtension);
-
-    } else {
-	if (autoIssuer && (name == NULL)) {
-	    rv = CERT_AddExtension
-		(extHandle, SEC_OID_X509_ISSUER_ALT_NAME, issuersAltName,
-		 find_field_bool(data, "IssuerAltName-crit", PR_TRUE), PR_TRUE);
-	} else {
-	    EncodeAndAddExtensionValue(arena, extHandle, genName, 
-				       find_field_bool(data, 
-						       "IssuerAltName-crit", 
-						       PR_TRUE), 
-				       SEC_OID_X509_ISSUER_ALT_NAME, 
-				       (EXTEN_VALUE_ENCODER)
-				       CERT_EncodeAltNameExtension);
-	}
-    }
-    if (which != NULL) {
-	PORT_Free(which);
-    }
-    if (issuerCert != NULL) {
-	CERT_DestroyCertificate(issuerCert);
-    }
-    return rv;
-}
-
-
-static SECStatus
-AddNameConstraints(void  *extHandle,
-		   Pair  *data)
-{
-    PRArenaPool         *arena = NULL;
-    CERTNameConstraints *constraints = NULL;
-    SECStatus           rv = SECSuccess;
-
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	error_allocate();
-    }
-    constraints = MakeNameConstraints(data, arena);
-    if (constraints != NULL) {
-	EncodeAndAddExtensionValue(arena, extHandle, constraints, PR_TRUE, 
-				   SEC_OID_X509_NAME_CONSTRAINTS, 
-				   (EXTEN_VALUE_ENCODER)
-				   CERT_EncodeNameConstraintsExtension);
-    }
-    if (arena != NULL) {
-	PORT_ArenaRelease (arena, NULL);
-    }
-    return rv;
-}
-
-
-static SECStatus
-add_extensions(CERTCertificate   *subjectCert, 
-	       Pair              *data, 
-	       char              *issuerNameStr, 
-	       CERTCertDBHandle  *handle)
-{
-    void                         *extHandle;
-    SECStatus                    rv = SECSuccess;
-
-
-    extHandle = CERT_StartCertExtensions (subjectCert);
-    if (extHandle == NULL) {
-	error_out("ERROR: Unable to get certificates extension handle");
-    }
-    if (find_field_bool(data, "keyUsage", PR_TRUE)) {
-	rv = AddKeyUsage(extHandle, data);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Key Usage extension");
-	}
-    }
-
-    if( find_field_bool(data, "extKeyUsage", PR_TRUE) ) {
-      rv = AddExtKeyUsage(extHandle, data);
-      if( SECSuccess != rv ) {
-        error_out("ERROR: Unable to add Extended Key Usage extension");
-      }
-    }
-
-    if (find_field_bool(data, "basicConstraints", PR_TRUE)) {
-	rv = AddBasicConstraint(extHandle, data);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Basic Constraint extension");
-	}
-    }
-    if (find_field_bool(data, "subjectKeyIdentifier", PR_TRUE)) {
-	rv = AddSubKeyID(extHandle, data, subjectCert);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Subject Key Identifier Extension");
-	}
-    }
-    if (find_field_bool(data, "authorityKeyIdentifier", PR_TRUE)) {
-	rv = AddAuthKeyID (extHandle, data, issuerNameStr, handle);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Authority Key Identifier extension");
-	}
-    }
-    if (find_field_bool(data, "privKeyUsagePeriod", PR_TRUE)) {
-	rv = AddPrivKeyUsagePeriod (extHandle, data, subjectCert);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Private Key Usage Period extension");
-	}
-    }
-    if (find_field_bool(data, "SubAltName", PR_TRUE)) {
-	rv = AddAltName (extHandle, data, NULL, NULL, 0);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Subject Alternative Name extension");
-	}
-    }
-    if (find_field_bool(data, "IssuerAltName", PR_TRUE)) {
-	rv = AddAltName (extHandle, data, issuerNameStr, handle, 1);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Issuer Alternative Name Extension");
-	}
-    }
-    if (find_field_bool(data, "NameConstraints", PR_TRUE)) {
-	rv = AddNameConstraints(extHandle, data);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Name Constraints Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-cert-type", PR_TRUE)) {
-	rv = AddNscpCertType(extHandle, data);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape Certificate Type Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-base-url", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, "netscape-base-url-text", 
-					       PR_TRUE), 
-				    find_field_bool(data, 
-						    "netscape-base-url-crit", 
-						    PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_BASE_URL);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape Base URL Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-revocation-url", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, 
-					       "netscape-revocation-url-text", 
-					       PR_TRUE), 
-				    find_field_bool
-				       (data, "netscape-revocation-url-crit", 
-					PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_REVOCATION_URL);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape Revocation URL Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-ca-revocation-url", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, 
-					      "netscape-ca-revocation-url-text",
-					       PR_TRUE), 
-				    find_field_bool
-				        (data, "netscape-ca-revocation-url-crit"
-					 , PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape CA Revocation URL Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-cert-renewal-url", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, 
-					       "netscape-cert-renewal-url-text",
-					       PR_TRUE), 
-				    find_field_bool
-				        (data, "netscape-cert-renewal-url-crit",
-					 PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape Certificate Renewal URL Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-ca-policy-url", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, 
-					       "netscape-ca-policy-url-text", 
-					       PR_TRUE), 
-				    find_field_bool
-				         (data, "netscape-ca-policy-url-crit", 
-					  PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_CA_POLICY_URL);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape CA Policy URL Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-ssl-server-name", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, 
-					       "netscape-ssl-server-name-text", 
-					       PR_TRUE), 
-				    find_field_bool
-				         (data, "netscape-ssl-server-name-crit",
-					  PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape SSL Server Name Extension");
-	}
-    }
-    if (find_field_bool(data, "netscape-comment", PR_TRUE)) {
-	rv = add_IA5StringExtension(extHandle, 
-				    find_field(data, "netscape-comment-text", 
-					       PR_TRUE), 
-				    find_field_bool(data, 
-						    "netscape-comment-crit", 
-						    PR_TRUE),
-				    SEC_OID_NS_CERT_EXT_COMMENT);
-	if (rv != SECSuccess) {
-	    error_out("ERROR: Unable to add Netscape Comment Extension");
-	}
-    }
-    CERT_FinishExtensions(extHandle);
-    return (rv);
-}
-
-
-
-char *
-return_dbpasswd(PK11SlotInfo *slot, PRBool retry, void *data)
-{
-    char *rv;
-
-    /* don't clobber our poor smart card */
-    if (retry == PR_TRUE) {
-	return NULL;
-    }
-    rv = PORT_Alloc(4);
-    PORT_Strcpy(rv, "foo");
-    return rv;
-}
-
-
-SECKEYPrivateKey *
-FindPrivateKeyFromNameStr(char              *name, 
-			  CERTCertDBHandle  *certHandle)
-{
-    SECKEYPrivateKey                        *key;
-    CERTCertificate                         *cert;
-    CERTCertificate                         *p11Cert;
-
-
-    /* We don't presently have a PK11 function to find a cert by 
-    ** subject name.  
-    ** We do have a function to find a cert in the internal slot's
-    ** cert db by subject name, but it doesn't setup the slot info.
-    ** So, this HACK works, but should be replaced as soon as we 
-    ** have a function to search for certs accross slots by subject name.
-    */
-    cert = CERT_FindCertByNameString(certHandle, name);
-    if (cert == NULL || cert->nickname == NULL) {
-	error_out("ERROR: Unable to retrieve issuers certificate");
-    }
-    p11Cert = PK11_FindCertFromNickname(cert->nickname, NULL);
-    if (p11Cert == NULL) {
-	error_out("ERROR: Unable to retrieve issuers certificate");
-    }
-    key = PK11_FindKeyByAnyCert(p11Cert, NULL);
-    return key;
-}
-
-static SECItem *
-SignCert(CERTCertificate   *cert,
-	 char              *issuerNameStr,
-	 Pair              *data,
-	 CERTCertDBHandle  *handle,
-         int               which_key)
-{
-    SECItem                der;
-    SECKEYPrivateKey       *caPrivateKey = NULL;
-    SECStatus              rv;
-    PRArenaPool            *arena;
-    SECOidTag              algID;
-
-    if (which_key == 0) {
-	caPrivateKey = FindPrivateKeyFromNameStr(issuerNameStr, handle); 
-    } else {
-	caPrivateKey = privkeys[which_key - 1];
-    }
-    if (caPrivateKey == NULL) {
-	error_out("ERROR: unable to retrieve issuers key");
-    }
-	
-    arena = cert->arena;
-
-    algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType,
-					    SEC_OID_UNKNOWN);
-    if (algID == SEC_OID_UNKNOWN) {
-	error_out("ERROR: Unknown key type for issuer.");
-	goto done;
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
-    if (rv != SECSuccess) {
-	error_out("ERROR: Could not set signature algorithm id.");
-    }
-
-    if (find_field_bool(data,"ver-1", PR_TRUE)) {
-	*(cert->version.data) = 0;
-	cert->version.len = 1;
-    } else {
-	*(cert->version.data) = 2;
-	cert->version.len = 1;
-    }
-    der.data = NULL;
-    der.len = 0;
-    (void) SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate);
-    if (der.data == NULL) {
-	error_out("ERROR: Could not encode certificate.\n");
-    }
-    rv = SEC_DerSignData (arena, &(cert->derCert), der.data, der.len, caPrivateKey,
-			  algID);
-    if (rv != SECSuccess) {
-	error_out("ERROR: Could not sign encoded certificate data.\n");
-    }
-done:
-    SECKEY_DestroyPrivateKey(caPrivateKey);
-    return &(cert->derCert);
-}
-
-
-int
-main(int argc, char **argv)
-{
-    int                    length = 500;
-    int                    remaining = 500;
-    int                    n;
-    int                    i;
-    int                    serial;
-    int                    chainLen;
-    int                    which_key;
-    char                   *pos;
-#ifdef OFFLINE
-    char                   *form_output = "key=MIIBPTCBpzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iydzPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXcsAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZaOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dtrue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoiceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
-#else
-    char                   *form_output;
-#endif
-    char                   *issuerNameStr;
-    char                   *certName;
-    char                   *DBdir = DB_DIRECTORY;
-    char                   *prefixs[10] = {"CA#1-", "CA#2-", "CA#3-", 
-					   "CA#4-", "CA#5-", "CA#6-", 
-					   "CA#7-", "CA#8-", "CA#9-", ""};
-    Pair                   *form_data;
-    CERTCertificate        *cert;
-    CERTCertDBHandle       *handle;
-    CERTCertificateRequest *certReq = NULL;
-    int                    warpmonths = 0;
-    SECItem                *certDER;
-#ifdef FILEOUT
-    FILE                   *outfile;
-#endif
-    SECStatus              status = SECSuccess;
-    extern                 char prefix[PREFIX_LEN];
-    SEC_PKCS7ContentInfo   *certChain;
-    SECItem                *encodedCertChain;
-    PRBool                 UChain = PR_FALSE;
-
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-
-#ifdef TEST
-    sleep(20);
-#endif
-    SECU_ConfigDirectory(DBdir);
-
-    PK11_SetPasswordFunc(return_dbpasswd);
-    status = NSS_InitReadWrite(DBdir);
-    if (status != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-    handle = CERT_GetDefaultCertDB();
-
-    prefix[0]= '\0';
-#if !defined(OFFLINE)
-    form_output = (char*) PORT_Alloc(length);
-    if (form_output == NULL) {
-	error_allocate();
-    }
-    pos = form_output;
-    while (feof(stdin) == 0 ) {
-	if (remaining <= 1) {
-	    remaining += length;
-	    length = length * 2;
-	    form_output = PORT_Realloc(form_output, (length));
-	    if (form_output == NULL) {
-		error_allocate();
-	    }
-	    pos = form_output + length - remaining;
-	}
-	n = fread(pos, 1, (size_t) (remaining - 1), stdin);
-	pos += n;
-	remaining -= n;
-    }
-    *pos = '&';
-    pos++;
-    length = pos - form_output;
-#else
-    length = PORT_Strlen(form_output);
-#endif
-#ifdef FILEOUT
-    printf("Content-type: text/plain\n\n");
-    fwrite(form_output, 1, (size_t)length, stdout);
-    printf("\n");
-#endif
-#ifdef FILEOUT
-    fwrite(form_output, 1, (size_t)length, stdout);
-    printf("\n");
-    fflush(stdout);
-#endif
-    form_data = make_datastruct(form_output, length);
-    status = clean_input(form_data);
-#if !defined(OFFLINE)
-    PORT_Free(form_output);
-#endif
-#ifdef FILEOUT
-    i = 0;
-    while(return_name(form_data, i) != NULL) {
-        printf("%s",return_name(form_data,i));
-        printf("=\n");
-        printf("%s",return_data(form_data,i));
-        printf("\n");
-	i++;
-    }
-    printf("I got that done, woo hoo\n");
-    fflush(stdout);
-#endif
-    issuerNameStr = PORT_Alloc(200);
-    if (find_field_bool(form_data, "caChoiceradio-SignWithSpecifiedChain",
-			PR_FALSE)) {
-	UChain = PR_TRUE;
-	chainLen = atoi(find_field(form_data, "manCAs", PR_FALSE));
-	PORT_Strcpy(prefix, prefixs[0]);
-	issuerNameStr = PORT_Strcpy(issuerNameStr,
-			       "CN=Cert-O-Matic II, O=Cert-O-Matic II");
-	if (chainLen == 0) {
-	    UChain =  PR_FALSE;
-	}
-    } else {
-	if (find_field_bool(form_data, "caChoiceradio-SignWithRandomChain", 
-			    PR_FALSE)) {
-	    PORT_Strcpy(prefix,prefixs[9]);
-	    chainLen = atoi(find_field(form_data, "autoCAs", PR_FALSE));
-	    if (chainLen < 1 || chainLen > 18) {
-		issuerNameStr = PORT_Strcpy(issuerNameStr, 
-				       "CN=CA18, O=Cert-O-Matic II");
-	    }
-	    issuerNameStr = PORT_Strcpy(issuerNameStr, "CN=CA");
-	    issuerNameStr = PORT_Strcat(issuerNameStr, 
-				   find_field(form_data,"autoCAs", PR_FALSE));
-	    issuerNameStr = PORT_Strcat(issuerNameStr,", O=Cert-O-Matic II");
-	} else {
-	    issuerNameStr = PORT_Strcpy(issuerNameStr, 
-				   "CN=Cert-O-Matic II, O=Cert-O-Matic II");
-	}
-	chainLen = 0;
-    }
-
-    i = -1;
-    which_key = 0;
-    do {
-    	extern SECStatus cert_GetKeyID(CERTCertificate *cert);
-	i++;
-	if (i != 0 && UChain) {
-	    PORT_Strcpy(prefix, prefixs[i]);
-	}
-	/*        find_field(form_data,"subject", PR_TRUE); */
-	certReq = makeCertReq(form_data, which_key);
-#ifdef OFFLINE
-	serial = 900;
-#else
-	serial = get_serial_number(form_data);
-#endif
-	cert = MakeV1Cert(handle, certReq, issuerNameStr, PR_FALSE, 
-			  serial, warpmonths, form_data);
-	if (certReq != NULL) {
-	    CERT_DestroyCertificateRequest(certReq);
-	}
-	if (find_field_bool(form_data,"ver-3", PR_TRUE)) {
-	    status = add_extensions(cert, form_data, issuerNameStr, handle);
-	    if (status != SECSuccess) {
-		error_out("ERROR: Unable to add extensions");
-	    }
-	}
-	status = cert_GetKeyID(cert);
-	if (status == SECFailure) {
-	    error_out("ERROR: Unable to get Key ID.");
-	}
-	certDER = SignCert(cert, issuerNameStr, form_data, handle, which_key);
-	CERT_NewTempCertificate(handle, certDER, NULL, PR_FALSE, PR_TRUE);
-	issuerNameStr = find_field(form_data, "subject", PR_TRUE);
-	/*        SECITEM_FreeItem(certDER, PR_TRUE); */
-	CERT_DestroyCertificate(cert);
-	if (i == (chainLen - 1)) {
-	    i = 8;
-	}
-	++which_key;
-    } while (i < 9 && UChain);
-
-
-
-#ifdef FILEOUT
-    outfile = fopen("../certout", "wb");
-#endif
-    certName = find_field(form_data, "subject", PR_FALSE);
-    cert = CERT_FindCertByNameString(handle, certName);
-    certChain = SEC_PKCS7CreateCertsOnly (cert, PR_TRUE, handle);
-    if (certChain == NULL) {
-	error_out("ERROR: No certificates in cert chain");
-    }
-    encodedCertChain = SEC_PKCS7EncodeItem (NULL, NULL, certChain, NULL, NULL, 
-					    NULL);
-    if (encodedCertChain) {
-#if !defined(FILEOUT)
-	printf("Content-type: application/x-x509-user-cert\r\n");
-	printf("Content-length: %d\r\n\r\n", encodedCertChain->len);
-	fwrite (encodedCertChain->data, 1, encodedCertChain->len, stdout);
-#else
-	fwrite (encodedCertChain->data, 1, encodedCertChain->len, outfile);
-#endif
-
-    } else {
-	error_out("Error: Unable to DER encode certificate");
-    }
-#ifdef FILEOUT
-    printf("\nI got here!\n");
-    fflush(outfile);
-    fclose(outfile);
-#endif
-    fflush(stdout);
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-    return 0;
-}
-
diff --git a/security/nss/cmd/certcgi/index.html b/security/nss/cmd/certcgi/index.html
deleted file mode 100644
index 2909dd0cf..000000000
--- a/security/nss/cmd/certcgi/index.html
+++ /dev/null
@@ -1,821 +0,0 @@
-<HTML>	<!-- -*- Mode: Java; tab-width: 8 -*- -->
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<HEAD>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
-<SCRIPT LANGUAGE="JavaScript1.2">
-
-script_url = 'http://interzone.mcom.com/cgi-bin/certomatic/bin/certcgi.cgi'
-
-ext_page_ver1 =
-  make_page_intro('Version 1 extensions', "#FFFFFF") +
-  '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext1">' +
-  'Version 1 X.509 certs do not support extensions' +
-  '</IFRAME>' +
-  '</body></html>';
-
-num_ca = 0;
-
-your_certificate_index_label       = 'Your Certificate';
-netscape_extensions_index_label    = 'Netscape X.509 Extensions';
-standard_extensions_index_label    = 'Standard X.509 Extensions';
-certifying_authorities_index_label = 'Certifying Authorities';
-add_sub_alt_name_index_label       = 'Add Subject Alternative Name';
-
-index_list = 
-  '0, your_certificate_index_label,' +
-  '0, netscape_extensions_index_label,' +
-  '0, standard_extensions_index_label,' +
-  '0, certifying_authorities_index_label';
-
-add_index_list = '';
-
-ver = 3
-
-max_pages = 13;
-cur_page = 1;
-
-ext_page_array = new Array(max_pages);
-
-index_label = 'Options';
-
-var main_page = 
-  make_page_intro('Your Key', "#FFFFFF") +
-  '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="main" SRC="main.html">' +
-  '</IFRAME>' +
-  '</body></html>' ;
-
-function setSubAltNameType(form)
-{
-  with(form) {
-    if (SubAltNameRadio[0].checked) {
-      return true;
-    }
-    if (SubAltNameRadio[3].checked || SubAltNameRadio[5].checked) {
-      SubAltNameDataType.checked = true;
-      return true;
-    }
-    if (SubAltNameRadio[1].checked || SubAltNameRadio[2].checked ||
-	SubAltNameRadio[4].checked || SubAltNameRadio[6].checked ||
-	SubAltNameRadio[7].checked || SubAltNameRadio[8].checked) {
-      SubAltNameDataType.checked = false;
-      return true;
-    }
-  }
-  return true;
-}
-
-function setIssuerAltNameType(form)
-{
-  with(form) {
-    if (IssuerAltNameRadio[0].checked) {
-      return true;
-    }
-    if (IssuerAltNameRadio[3].checked || IssuerAltNameRadio[5].checked) {
-      IssuerAltNameDataType.checked = true;
-      return true;
-    }
-    if (IssuerAltNameRadio[1].checked || IssuerAltNameRadio[2].checked ||
-	IssuerAltNameRadio[4].checked || IssuerAltNameRadio[6].checked ||
-	IssuerAltNameRadio[7].checked || IssuerAltNameRadio[8].checked) {
-      IssuerAltNameDataType.checked = false;
-      return true;
-    }
-  }
-  return true;
-}
-
-
-function setNameConstraintNameType(form)
-{
-  with(form) {
-    if (NameConstraintRadio[0].checked) {
-      return true;
-    }
-    if (NameConstraintRadio[3].checked || NameConstraintRadio[5].checked) {
-      NameConstraintNameDataType.checked = true;
-      return true;
-    }
-    if (NameConstraintRadio[1].checked || NameConstraintRadio[2].checked ||
-	NameConstraintRadio[4].checked || NameConstraintRadio[6].checked ||
-	NameConstraintRadio[7].checked || NameConstraintRadio[8].checked) {
-      NameConstraintNameDataType.checked = false;
-      return true;
-    }
-  }
-  return true;
-}
-
-
-function addSubAltName(form)
-{
-  with(form) {
-    var len = SubAltNameSelect.length;
-    var value;
-    var i = 0;
-    while(!(i == (SubAltNameRadio.length - 1)) & 
-          !(SubAltNameRadio[i].checked == true)) {
-      i++;
-    }
-    if (i != 0) {
-      value = SubAltNameText.value + " - " + (i + 1);
-    } else {
-      value = SubAltNameText.value + " - " + 
-              SubAltNameOtherNameOID.value + " - ";
-      if (SubAltNameDataType.checked) {
-	value += "1 - ";
-      } else {
-	value += "0 - ";
-      }
-      value += (i + 1);
-      if (SubAltNameOtherNameOID.value == "") {
-	alert("Other names must include an OID");
-	return false;
-      }
-    }
-
-    if ((SubAltNameText.value == "") | (SubAltNameRadio[i].checked != true)) {
-      alert("Alternative Names must include values for name and name type.");
-    } else {
-      SubAltNameSelect.options[len] = new Option(value, value);
-    }
-  }
-  return true;
-}
-
-function deleteSubAltName(form)
-{
-  with(form) {
-    while (SubAltNameSelect.selectedIndex >= 0) {
-      SubAltNameSelect[SubAltNameSelect.selectedIndex] = null;
-    }
-  }
-}
-  
-function addIssuerAltName(form)
-{
-  with(form)
-  {
-    var len = IssuerAltNameSelect.length;
-    var value;
-    var i = 0;
-
-    while(!(i == (IssuerAltNameRadio.length -1)) & 
-          !(IssuerAltNameRadio[i].checked == true)) {
-      i++;
-    }
-    if (i != 0) {
-      value = IssuerAltNameText.value + " - " + (i + 1);
-    } else {
-      value = IssuerAltNameText.value + " - " + 
-              IssuerAltNameOtherNameOID.value + " - ";
-      if (IssuerAltNameDataType.checked) {
-	value += "1 - ";
-      } else {
-	value += "0 - ";
-      }
-      value += (i + 1);
-      if (IssuerAltNameOtherNameOID.value == "") {
-	  alert("Other names must include an OID");
-	  return false;
-      }
-    }
-    if ((IssuerAltNameText.value == "") | 
-        (IssuerAltNameRadio[i].checked != true)) {
-      alert("Alternative Names must include values for name and name type.")
-    } else {
-      IssuerAltNameSelect.options[len] = new Option(value, value);
-    }
-  }
-  return true;
-}
-
-function deleteIssuerAltName(form)
-{
-  with(form) {
-    while (IssuerAltNameSelect.selectedIndex >= 0) {
-      IssuerAltNameSelect[IssuerAltNameSelect.selectedIndex] = null;
-    }
-  }
-}
-
-
-
-function addNameConstraint(form)
-{
-  with(form) {
-    var len = NameConstraintSelect.length;
-    var value;
-    var i = 0;
-    var min = NameConstraintMin.value;
-    var max = NameConstraintMax.value;
-
-    while(!(i == (NameConstraintRadio.length - 1) ) & 
-          !(NameConstraintRadio[i].checked == true)) {
-      i++;
-    }
-    value = NameConstraintText.value + " - ";
-    if (i == 0) {
-      value += NameConstraintOtherNameOID.value + " - ";
-      if (NameConstraintNameDataType.checked) {
-	value += "1 - ";
-      } else {
-	value += "0 - ";
-      }
-      if (NameConstraintOtherNameOID.value == "") {
-	alert("Other names must include an OID");
-	return false;
-      }
-    }
-    value += (i + 1) + " - ";
-    if (NameConstraintTypeRadio[0].checked == true) {
-      value += "p - ";
-    } else {
-      value += "e - ";
-    }
-    value += min + " - " + max;
-    if ((min == "") | (NameConstraintText.value == "") | 
-        (NameConstraintRadio[i].checked != true)) {
-      alert("Name Constraints must include values for minimum, name, and name type.")
-    } else {
-      NameConstraintSelect.options[len] = new Option(value, value);
-    }
-  }
-  return true;
-}
-
-function deleteNameConstraint(form)
-{
-  with(form) {
-    while (NameConstraintSelect.selectedIndex >= 0) {
-      NameConstraintSelect[NameConstraintSelect.selectedIndex] = null;
-    }
-  }
-}
-
-
-function submit_it()
-{
-  save_cur_page(cur_page);
-
-  var ver1 = (ver == 1);
-  var ver3 = (ver == 3);
-  var array_string;
-  var serial        = ext_page_array[0][10][0];
-  var serial_number = ext_page_array[0][12][0];
-  var manValidity   = ext_page_array[0][19][0];
-  var notBefore     = ext_page_array[0][20][0];
-  var notAfter      = ext_page_array[0][21][0];
-  var subject       = ext_page_array[0][22][0];
-
-  if (subject == "") {
-    alert("The DN field must contain some data");
-    return false;
-  }
-  if (!serial & serial_number == "") {
-    alert("No serial number specified");
-    return false;
-  }
-  if (ext_page_array[0][15][0]) {
-    var keygen = "<keygen name=\"key\" challenge=\"foo\">";
-  } else {
-    switch (ext_page_array[0][17][0]) {
-      case 2:
-        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIGdAkEAjfKklEkidqo9JXWbsGhpy+rA2Dr7jQz3y7gyTw14guXQdi/FtyEOr8Lprawyq3qsSWk9+/g3JMLsBzbuMcgCkQIVAMdzIYxzfsjumTtPLe0w9I7azpFfAkEAYm0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5UhklycxC6fb0ZLCIzFcq9T5teIAg==\" name=\"key\" challenge=\"foo\">";
-	break;
-      case 1:
-        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIHaAmDCboVgX0+6pEeMlbwsasWDVBcJNHPKMzkq9kbCRK2U3k+tE15n+Dc2g3ZjDYr1um51e2iLC34/BwAAAAAAAAAAAAAAAAAAAAAAAAABbBhnlFN5Djmt0Mk8cdEBY5H8iPMCFMhUnFtbpjn3EyfH2DjVg3ALh7FtAmA2zWzhpeCwvOTjYnQorlXiv0WcnSiWmaC79CRYkFt5i+UEfRxwP1eNGJBVB1T+CPW6JGd4WhgsqtSf53pn5DEtv++O7lNfXyOhWhb3KaWHYIx8fuAXtioIWkWmpfEIVZA=\" name=\"key\" challenge=\"foo\">";
-	break;
-      case 0:
-        var keygen = "<keygen keytype=\"dsa\" pqg=\"MIIBHAKBgId8SiiWrcdua5zbsBhPkKfFcnHBG7T/bQla7c6OixGjjmSSuq2fJLvMKa579CaxHxLZzZZXIHmAk9poRgWl2GUUkCJ68XSum8OQzDPXPsofcEdeANjw3mIAAAAAAAAAAAAAAAAAAAAAAAAIE+MkW5hguLIQqWvEVi9dMpbNu6OZAhTIA+y3TgyiwA0D8pt686ofaL1IOQKBgAiZQC6UCXztr2iXxJrAC+51gN5oX/R9Thilln9RGegsWnHrdxUOpcm5vAWp1LU8TOXtujE8kqkm3UxIRhUWQORe9IxLANAXmZJqkw9FEVHkxj6Cy9detwT2MyBzSwS6avsf7aLisgHmI/IHSeapJsQ3NQa3rikb6zRiqIV+TVa6\" name=\"key\" challenge=\"foo\">";
-        break;
-    }
-  }
-  array_string =  build_array_string();
-  hiddens = "<input type=\"hidden\" name=\"subject\" value=\'" + subject + "\'> \n" +
-            "<input type=\"hidden\" name=\"serial-auto\" value=\"" + serial + "\"> \n" +
-            "<input type=\"hidden\" name=\"serial_value\" value=\"" + serial_number + "\"> \n" +
-            "<input type=\"hidden\" name=\"ver-1\" value=\"" + ver1 + "\"> \n" +
-            "<input type=\"hidden\" name=\"ver-3\" value=\"" + ver3 + "\"> \n" +
-            "<input type=\"hidden\" name=\"notBefore\" value=\"" + notBefore + "\"> \n" +
-            "<input type=\"hidden\" name=\"notAfter\" value=\"" + notAfter + "\"> \n" +
-            "<input type=\"hidden\" name=\"manValidity\" value=\"" + manValidity + "\"> \n" +
-            array_string;
-
-  var good_submit_page =
-    '<html>' +
-    '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" BGCOLOR="#FFFFFF">' +
-    '<form method="post" action="' + script_url + '">' +
-    'Select size for your key:' + keygen + '</p>' +
-    '<input type="submit"></p>' +
-    hiddens +
-    '</form>\n' +
-    '</body>\n' +
-    '</html>\n';
-
-  window.frames['right'].document.write(good_submit_page);
-  window.frames['right'].document.close();
-  cur_page = max_pages + 1;
-  make_left_frame(window);
-  return false;
-}
-
-
-
-function build_array_string()
-{
-  var pg;
-  var array_string = '';
-  var pages;
-
-  if ((ext_page_array[3][4][0] > 0) && ext_page_array[3][3][0]) {
-    pages = 4 + parseInt(ext_page_array[3][4][0]);
-  } else {
-    pages = 4;
-  }
-  for (pg = 1; pg < pages; pg++) {
-    if ((pg > 1 || (ver == 3)) && (ext_page_array[pg].length > 1)) {
-      if (pg < 4) {
-	for (i = 0; i < ext_page_array[pg].length; i++) {
-	  if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
-	    if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
-	      array_string +=  '<input type=\"hidden\" name=\"' + 
-                               ext_page_array[pg][i][1] + '\" value=\'' + 
-                               ext_page_array[pg][i][0] + '\'> \n';
-	    } else {
-	      for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
-		array_string += '<input type=\"hidden\" name=\"' + 
-                                ext_page_array[pg][i][1] + k + '\" value=\'' + 
-                                ext_page_array[pg][i][0][k] + '\'> \n';
-	      }
-	    }
-	  } else {
-	    array_string += '<input type=\"hidden\" name=\"' + 
-                            ext_page_array[pg][i][1] + '-' + 
-			    ext_page_array[pg][i][2] + '\" value=\'' + 
-			    ext_page_array[pg][i][0] + '\'> \n';
-	  }
-	}
-      } else {
-	for (i = 0; i < ext_page_array[pg].length; i++) {
-	  if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
-	    if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
-	      array_string += '<input type=\"hidden\" name=\"' + 
-	                      'CA#' + (pg - 3) + '-' + 
-			      ext_page_array[pg][i][1] + '\" value=\'' + 
-			      ext_page_array[pg][i][0] +'\'> \n';
-	    } else {
-	      for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
-		array_string += '<input type=\"hidden\" name=\"' + 
-		                'CA#' + (pg - 3) + '-' + 
-				ext_page_array[pg][i][1] + k + '\" value=\'' + 
-				ext_page_array[pg][i][0][k] + '\'> \n';
-	      }
-	    }
-	  } else {
-	    array_string += '<input type=\"hidden\" name=\"' + 
-	                    'CA#' + (pg - 3) + '-' + 
-			    ext_page_array[pg][i][1] + '-' + 
-			    ext_page_array[pg][i][2] + '\" value=\'' + 
-			    ext_page_array[pg][i][0] + '\'> \n';
-	  }
-	}
-      }
-    }
-  }
-  return array_string;
-}
-
-
-
-function init_ext_page_array()
-{
-  for (i = 0; i < max_pages; i++) {
-    ext_page_array[i] = '';
-  }
-}
-
-function ca_num_change(n,ca_form)
-{
-  with(ca_form) {
-    n = parseInt(n,10);
-    if (caChoiceradio[2].checked) {
-      if (n) {
-	update_left_frame(n);
-      } else {
-	update_left_frame(0);
-      }
-    }
-  }
-}
-
-function choice_change(ca_form)
-{
-  with(ca_form) {
-    if (caChoiceradio[2].checked) {
-      ca_num_change(manCAs.value,ca_form);
-    } else {
-      update_left_frame(0);
-    }
-  }
-}
-
-function update_left_frame(n)
-{
-  var add_string = '';
-  for (var i = 0; i < n; i++) {
-    var j = i + 1;
-    add_string = add_string + ',1, \'CA #' + j + '\'';
-  }
-  top.add_index_list = add_string;
-  num_ca = n;
-  make_left_frame(window);
-}
-
-function set_ver1()
-// redraws the extensions page for version 1 certificates
-{
-  ver = 1
-  if (cur_page == 2 || cur_page == 3) {
-    switch_right_frame(window, cur_page, cur_page);
-  }
-}
-
-
-function set_ver3()
-// redraws the extensions page for version 3 certificates
-{
-  ver = 3
-  if (cur_page == 2) {
-    switch_right_frame(window, 0, 2);
-  } else if (cur_page == 3) {
-    switch_right_frame(window, 0, 3);
-  }
-}
-
-function reset_subject(marker, value, form)
-// Updates the subject field from a subordinate field
-{
-  with(form) {
-    var field_sep = '", ';
-    var begin_index = subject.value.indexOf(marker);
-    if (begin_index != 0 && subject.value[begin_index - 1] != ' ') {
-      begin_index = subject.value.indexOf(marker, begin_index +1);
-    }
-    var end_index = subject.value.indexOf(field_sep, begin_index);
-    if (begin_index > -1) {       // is it a delete/change?
-      if (end_index == -1) {      // is it the last one (includes only one)?
-        if (value.length > 0) {   // do I have to change it?
-          if (begin_index == 0) { // is is the only one?
-            subject.value = marker + '"' + value + '"';
-          } else {                // it is the last of many
-            subject.value = subject.value.substring(0,begin_index) + 
-	                    marker + '"' + value + '"';
-          }
-        } else {                  //  must be a delete
-          if (begin_index == 0) { // is it the only one?
-            begin_index += 2;
-          }
-          subject.value = subject.value.substring(0,(begin_index - 2));
-        }
-      } else {                    // it is the first of many or a middle one
-        if (value.length >0) {    // do I have to change it?
-          subject.value = 
-	  	subject.value.substring(0,(begin_index + marker.length + 1)) + 
-		value + subject.value.substring(end_index,subject.length);
-        } else {                  // it is a delete
-          subject.value = subject.value.substring(0,begin_index) + 
-	        subject.value.substring((end_index + 3),subject.length);
-        }
-      }
-    } else {                      // It is either an insert or a do nothing
-      if (value.length > 0) {     // is it an insert?
-        if (subject.value.length == 0) {  // is subject currently empty?
-          subject.value = marker + '"' + value + '"';
-        } else {
-          subject.value = subject.value + ', ' + marker + '"' + value + '"';
-        }
-      }
-    }
-  }
-}
-
-
-
-function reset_subjectFields(form)
-// updates all the subordinate fields from the subject field of a form
-// **** move the strings to global variables, to make maintentance easier ****
-{
-
-  update_subject_Field(form, 'CN=\"', form.name);
-  update_subject_Field(form, 'MAIL=\"', form.email);
-  update_subject_Field(form, 'O=\"', form.org);
-  update_subject_Field(form, 'C=\"', form.country);
-  update_subject_Field(form, ' L=\"', form.loc);
-  update_subject_Field(form, 'ST=\"', form.state);
-  update_subject_Field(form, 'E=\"', form.email);
-  update_subject_Field(form, 'OU=\"', form.org_unit);
-  update_subject_Field(form, 'UID=\"', form.uid);
-}
-
-function update_subject_Field(form, marker, update_field)
-//updates a single subordinate field from the subject field of a form
-// *** need to deal with the two types of e-mail addresses **************
-{
-  with(form) {
-    var field_sep = '", ';
-    var begin_index = subject.value.indexOf(marker) + marker.length;
-    var end_index = subject.value.indexOf(field_sep, begin_index);
-    if (end_index == -1) {
-      end_index = subject.value.indexOf('"',begin_index);
-    }
-    if (begin_index != (-1 + marker.length) ) {
-      update_field.value = subject.value.substring(begin_index, end_index);
-    } else {
-      update_field.value = '';
-    }
-  }
-}
-
-
-function switch_mail(form)
-// **** Do I want to delete the other type of e-mail address ? ************
-{
-  if (form.email_type[0].checked) {
-    var del = 'E=';
-    var ins = 'MAIL=';
-  } else {
-    var del = 'MAIL=';
-    var ins = 'E=';
-  }
-  reset_subject(del, '', form);
-  reset_subject(ins, form.email.value, form);
-}
-
-function make_page_intro(title, bgcolor)
-{
-  var style = '<STYLE TYPE="text/css">BODY{' +
-    'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
-    'font-size: 10pt;' +
-    '}' +
-    'TD{' +
-    'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
-    'font-size: 10pt;}' +
-    '</STYLE>';
-
-  if (bgcolor == null) { bgcolor = "#C0C0C0"; }
-  return '<HTML><HEAD>' +
-    '<TITLE>' + title + '</TITLE>' +
-    '</HEAD>' +
-    '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" ' +
-          'BGCOLOR="' + bgcolor + '">';
-}
-
-
-function make_left_frame(window)
-{
-  with (window.frames['index']) {
-    eval ('index_string = make_left_frame_page(cur_page, ' 
-           + index_list + add_index_list + ' )');
-    fool1 = make_page_intro(index_label, "#FFFFFF") +
-      index_string + '</BODY></HTML>';
-    document.write(fool1);
-    document.close();
-  }
-}
-
-
-function save_cur_page(page_number)
-{
-  var len;
-  var pg = page_number - 1;
-  if (window.frames['right'].document.forms.length != 0) {
-    with (window.frames['right'].document) {
-      if ((page_number != 2 && page_number != 3 && page_number <= max_pages) || 
-	  ver == 3) {
-        ext_page_array[pg] = new Array(forms[0].elements.length);
-        for (i = 0; i < forms[0].elements.length; i++) {
-	  ext_page_array[pg][i] = new Array(4);
-	  switch (forms[0].elements[i].type) {
-	  case 'radio': 
-          case 'checkbox':
-	    ext_page_array[pg][i][0] = forms[0].elements[i].checked;
-	    break;
-	  case 'select-one':
-	    ext_page_array[pg][i][0] = forms[0].elements[i].selectedIndex;
-	    break;
-	  case 'select-multiple':
-	    len = forms[0].elements[i].options.length;
-	    ext_page_array[pg][i][0] = new Array(len);
-	    for(k = 0; k < len; k++) {
-	      ext_page_array[pg][i][0][k] = forms[0].elements[i].options[k].value;
-	    }
-	    break;
-	  default:
-	    ext_page_array[pg][i][0] = forms[0].elements[i].value;
-	  }
-	  ext_page_array[pg][i][1] = forms[0].elements[i].name;
-	  ext_page_array[pg][i][2] = forms[0].elements[i].value;
-	  ext_page_array[pg][i][3] = forms[0].elements[i].type;
-        }
-      }
-    }
-  }
-}
-
-function reload_form(page_number)
-{
-  var j = page_number - 1;
-  with (window.frames['right'].document) {
-    if (((page_number < 2 || page_number > 3) || ver == 3) 
-	&& page_number != 0 && (ext_page_array[j].length > 1)) {
-      for (i = 0; i < ext_page_array[j].length; i++) {
-	switch (forms[0].elements[i].type) {
-	case 'radio': case 'checkbox':
-	  forms[0].elements[i].checked = ext_page_array[j][i][0];
-	  break;
-	case 'select-one':
-	  forms[0].elements[i].selectedIndex = ext_page_array[j][i][0];
-	  break;
-	case 'select-multiple':
-	  for (k = 0; k < ext_page_array[j][i][0].length; k++) {
-	    forms[0].elements[i].options[k] = 
-	        new Option(ext_page_array[j][i][0][k], 
-			   ext_page_array[j][i][0][k]);
-	  }
-	  break;
-	default:
-	  forms[0].elements[i].value = ext_page_array[j][i][0];
-	}
-      }
-    }
-  }
-}
-
-function switch_right_frame(top_window, old_pane, new_pane)
-{
-  var ext_page_stnd =
-    make_page_intro(standard_extensions_index_label, "#FFFFFF") +
-    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
-    'SRC="stnd_ext_form.html">' +
-    '</IFRAME></body></html>';
-
-  var ext_page_nscp = 
-    make_page_intro(netscape_extensions_index_label, "#FFFFFF") +
-    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
-    'SRC="nscp_ext_form.html">' +
-    '</IFRAME></body></html>';
-
-  var ext_page_ca =
-    make_page_intro(certifying_authorities_index_label, "#FFFFFF") +
-    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
-    'SRC="ca.html">' +
-    '</IFRAME></body</html>';
-
-  var ext_page_ca_exp =
-    make_page_intro('Certifying Authority Details', "#FFFFFF") +
-    '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
-    'SRC="ca_form.html">' +
-    '</IFRAME></body></html>';
-
-
-  if (old_pane > 0 && cur_page <= max_pages) {
-    save_cur_page(old_pane);
-  }
-  cur_page = new_pane;
-  make_left_frame(top_window);
-  if (new_pane == 2 || new_pane == 3) {
-    if (ver == 1) {
-      frames['right'].document.write(ext_page_ver1);
-      frames['right'].document.close();
-    } else if (new_pane == 2) {
-      frames['right'].document.write(ext_page_nscp);
-      frames['right'].document.close();
-      reload_form(new_pane);
-    } else {
-      frames['right'].document.write(ext_page_stnd);
-      frames['right'].document.close();
-      reload_form(new_pane);
-    }
-  } else if (new_pane == 4) {
-    frames['right'].document.write(ext_page_ca);
-    frames['right'].document.close();
-    reload_form(new_pane);
-  } else if (new_pane == 1) {
-    frames['right'].document.write(main_page);
-    frames['right'].document.close();
-    reload_form(new_pane);
-  } else {
-    frames['right'].document.write(ext_page_ca_exp);
-    frames['right'].document.close();
-    reload_form(new_pane);
-  }
-}
-
-function make_left_frame_page(selected)
-{
-  var n_strings = ( make_left_frame_page.arguments.length - 1 ) / 2;
-  var table_background;
-  var command;
-  var indent;
-  var label;
-  var ret_string = "";
-    
-  ret_string += '<TABLE CELLSPACING=4>';
-  for ( var i = 1; i <= n_strings; i++ ) {
-    if ( i == selected ) {
-      table_background = 'BGCOLOR=#BBCCBB';
-    } else {
-      table_background = '';
-    }
-	
-    indent = make_left_frame_page.arguments[(i*2) - 1];
-    label =  make_left_frame_page.arguments[(i*2)];
-
-    if ( indent == 0 ) {
-      ret_string += ('<TR><TD COLSPAN=2 ' + table_background + '>');
-    } else {
-      ret_string += ('<TR><TD>&nbsp;&nbsp;</TD><TD ' + table_background + '>');
-    }
-
-    command = "'parent.switch_right_frame(parent," + selected + "," + i + ")'";
-    ret_string += ('<A HREF="javascript:void setTimeout(' + command + ',0)">');
-    if ( indent == 0 ) { ret_string += "<B>"; }
-    ret_string += label;
-    if ( indent == 0 ) { ret_string += "</B>"; }
-    ret_string += '</A></TD></TR>';
-  }
-  if (selected == (max_pages + 1)) {
-    table_background = 'BGCOLOR=#BBCCBB';
-  } else {
-    table_background = '';
-  }
-  ret_string +=
-    '<TR><TD COLSPAN=2 ' + table_background + 
-    '><b><A HREF="javascript:void setTimeout(\'top.submit_it()\', 0)">Finish</A></b>' +
-    '</TD></TR>' +
-    '<input type="submit"></form>' + 
-    '</TABLE>';
-  return(ret_string);
-}
-
-
-function make_page(window)
-// Draws the initial page setup
-{
-  selected = cur_page
-  init_ext_page_array()
-
-  with (window.frames['right']) {
-    location="main.html";
-//  document.write(main_page);
-//  document.close();
-  }
-
-  make_left_frame(window);
-
-}
-</script>
-
-</HEAD>
-<title>Cert-O-Matic</title>
-  <FRAMESET cols="150,*" BORDER=3 ONLOAD="make_page(window)">
-      <FRAME SRC="about:blank" ID="index" NAME="index"
-           MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
-      <FRAME SRC="about:blank" ID="right" NAME="right"
-           MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
-  </FRAMESET>
-</HTML>
diff --git a/security/nss/cmd/certcgi/main.html b/security/nss/cmd/certcgi/main.html
deleted file mode 100644
index 8a04ef9d6..000000000
--- a/security/nss/cmd/certcgi/main.html
+++ /dev/null
@@ -1,108 +0,0 @@
-<HTML>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<HEAD>
-    <TITLE>Main Layer for CertOMatic</TITLE>
-</HEAD>
-
-    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
-    <table border=0 cellspacing=10 cellpadding=0>
-    <tr>
-    <td>
-    Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
-    </td>
-    <td></td><td></td>
-    <td>
-    Organization: </td><td>  <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
-    <tr>
-    <td>
-    <input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">MAIL=
-
-    <input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)">E=
-    </td>
-    <td>
-    <input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}">
-    </td>
-    <td></td><td></td><td>
-    Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
-    <tr>
-    <td>
-    UID= </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
-    <td></td><td></td><td>
-    Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
-    <tr>
-    <td>
-    State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
-    <td></td><td></td><td>
-    Country: </td><td><input type="text" size="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}" maxlength="2"></p></td>
-    <tr>
-    <td COLSPAN=2>
-    Serial Number:
-    <DD><input type="radio" name="serial" value="auto" checked> Auto Generate
-    <DD><input type="radio" name="serial" value="input">
-    Use this hex value:&nbsp; <input type="text" name="serial_value" size="8" maxlength="8"></p>
-    </td>
-    <td></td> <td></td>
-    <td COLSPAN=2>
-    X.509 version:
-    <DD><input type="radio" name="ver" value="1" onClick="if (this.checked) {window.top.set_ver1();}"> Version 1
-    <DD><input type="radio" name="ver" value="3" checked onClick="if (this.checked) {window.top.set_ver3();}"> Version 3</P></td>
-    <tr>
-    <td COLSPAN=2>
-    Key Type:
-    <DD><input type="radio" name="keyType" value="rsa" checked> RSA
-    <DD><input type="radio" name="keyType" value="dsa"> DSA</p>
-    Intermediate CA Key Sizes:
-    <DD><select name="keysize">
-        <option>2048 (Very High Grade)
-        <option>1024 (High Grade)
-        <option>512  (Low Grade)
-        </select>
-    </td>
-    <td></td> <td></td>
-    <td COLSPAN=2>
-    Validity:
-    <DD><input type="radio" name="validity" value="auto" checked> 
-       Generate Automatically
-    <DD><input type="radio" name="validity" value="man"> Use these values:
-    <DD>Not Before:&nbsp; <input type="text" size="15" maxlength="17" name="notBefore">
-    <DD>Not After:&nbsp;&nbsp;&nbsp; <input type="text" size="15" maxlength="17" name="notAfter">
-    <DD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
-    <FONT SIZE=-1><TT>YYMMDDhhmm[ss]{Z|+hhmm|-hhmm} </TT></FONT>
-    </table>
-    DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>  	      
-    </form>
-</HTML>
diff --git a/security/nss/cmd/certcgi/manifest.mn b/security/nss/cmd/certcgi/manifest.mn
deleted file mode 100644
index 057f2596d..000000000
--- a/security/nss/cmd/certcgi/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header directories are implicitly REQUIREd.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = certcgi.c
-
-PROGRAM	= certcgi
-
-USE_STATIC_LIBS = 1
-
diff --git a/security/nss/cmd/certcgi/nscp_ext_form.html b/security/nss/cmd/certcgi/nscp_ext_form.html
deleted file mode 100644
index bc94ab3a2..000000000
--- a/security/nss/cmd/certcgi/nscp_ext_form.html
+++ /dev/null
@@ -1,116 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html> 
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-
-  <body>
-    <table  border=1 cellspacing=5 cellpadding=5>
-    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
-    <tr>
-    <td>
-    <b>Netscape Certificate Type: </b></p>
-    Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
-    Critical: <input type="checkbox" name="netscape-cert-type-crit">
-    <td>
-    <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
-    <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
-    <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
-    <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>    
-    <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
-    <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
-    <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
-    <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Base URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-base-url"></P>
-    Critical: <input type="checkbox" name="netscape-base-url-crit">
-    <td>
-    <input type="text" name="netscape-base-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Revocation URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
-    Critical: <input type="checkbox" name="netscape-revocation-url-crit">
-    <td>
-    <input type="text" name="netscape-revocation-url-text" size="50">
-    </tr>
-    <tr>
-    <td>    
-    <b>Netscape CA Revocation URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
-    Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
-    <td>
-    <input type="text" name="netscape-ca-revocation-url-text" size="50">
-    </tr>
-    <tr>
-    <td>    
-    <b>Netscape Certificate Renewal URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
-    Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
-    <td>
-    <input type="text" name="netscape-cert-renewal-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape CA Policy URL:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
-    Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
-    <td>
-    <input type="text" name="netscape-ca-policy-url-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape SSL Server Name:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
-    Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
-    <td>
-    <input type="text" name="netscape-ssl-server-name-text" size="50">
-    </tr>
-    <tr>
-    <td>
-    <b>Netscape Comment:</b></p>
-    Activate extension: <input type="checkbox" name="netscape-comment"></P>
-    Critical: <input type="checkbox" name="netscape-comment-crit">
-    <td>
-    <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
-    </tr>
-        
-    </table>
-  </body>
-</html>
diff --git a/security/nss/cmd/certcgi/stnd_ext_form.html b/security/nss/cmd/certcgi/stnd_ext_form.html
deleted file mode 100644
index de5d795ba..000000000
--- a/security/nss/cmd/certcgi/stnd_ext_form.html
+++ /dev/null
@@ -1,250 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-
-  <body>
-    <table  border=1 cellspacing=5 cellpadding=5>
-    <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
-    <tr>
-    <td>
-    <b>Key Usage: </b></p>
-    Activate extension: <input type="checkbox" name="keyUsage"></P>
-    Critical: <input type="checkbox" name="keyUsage-crit">
-    <td>
-    <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
-    <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>    
-    <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>    
-    <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
-    <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
-    <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
-    <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Extended Key Usage: </b></p>
-    Activate extension: <input type="checkbox" name="extKeyUsage"></P>
-    Critical: <input type="checkbox" name="extKeyUsage-crit">
-    <td>
-    <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
-    <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
-    <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
-    <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
-    <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
-    <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
-    <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
-    </tr>
-    <tr>
-    <td>
-    <b>Basic Constraints:</b></p>
-    Activate extension: <input type="checkbox" name="basicConstraints"></P>
-    Critical: <input type="checkbox" name="basicConstraints-crit">
-    <td>
-    CA:</p>
-    <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
-    <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
-    <input type="checkbox" name="basicConstraints-pathLengthConstraint">
-     Include Path length:  <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
-    </tr>
-    <tr>
-    <td>
-    <b>Authority Key Identifier:</b></p>
-    Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
-    <td>
-    <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
-    <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
-    </tr>
-    <tr>
-    <td>    
-    <b>Subject Key Identifier:</b></p>
-    Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
-    <td>
-    Key Identifier: 
-    <input type="text" name="subjectKeyIdentifier-text"></p>
-    This is an:<p>
-    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
-    <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
-    </tr>
-    <tr>
-    <td>    
-    <b>Private Key Usage Period:</b></p>
-    Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
-    Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
-    <td>
-    Use:</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
-    <b>Not to be used to sign before:</b></p>
-    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
-    <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
-    <dd><dd>(YYYY/MM/DD HH:MM:SS): 
-    <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
-    <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
-    <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2"> 
-    <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
-    <b>Not to be used to sign after:</b></p>
-    <dd>(YYYY/MM/DD HH:MM:SS): 
-    <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
-    <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
-    <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2"> 
-    <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
-    <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
-    </tr>
-    <tr>
-    <td>
-    <b>Subject Alternative Name:</b></p>
-    Activate extension: <input type="checkbox" name="SubAltName"></P>
-    Critical: <input type="checkbox" name="SubAltName-crit">
-    <td>
-      <table>
-      <tr>
-      <td>
-      General Names:</p>
-      <select name="SubAltNameSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
-      <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name, 
-        OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
-        <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
-	<input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
-        </table>
-      Name: <input type="text" name="SubAltNameText">
-        Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
-      </tr>
-      </table>
-    </tr>
-
-
-    <tr>
-    <td>
-    <b>Issuer Alternative Name:</b></p>
-    Activate extension: <input type="checkbox" name="IssuerAltName"></P>
-    Critical: <input type="checkbox" name="IssuerAltName-crit">
-    <td>
-      <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
-      <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
-      <table>
-      <tr>
-      <td>
-      General Names:</p>
-      <select name="IssuerAltNameSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
-      <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name, 
-        OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
-        </table>
-      Name: <input type="text" name="IssuerAltNameText"> 
-        Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
-      </tr>
-      </table>
-    </tr>
-
-    <tr>
-    <td>
-    <b>Name Constraints:</b></p>
-    Activate extension: <input type="checkbox" name="NameConstraints"></P>
-    <td>
-      <table>
-      <tr>
-      <td>
-      Name Constraints:</p>
-      <select name="NameConstraintSelect" multiple size="10">
-      </select></p></p>
-      <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
-      <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
-      </td><td>
-        <table><tr><td>
-        Name Type: </td></tr><tr><td>
-        <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
-        OID: <input type="text" name="NameConstraintOtherNameOID" size="6">  </td><td>
-        <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
-        <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
-        <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
-        <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
-        <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
-        </table>
-      Name: <input type="text" name="NameConstraintText">
-        Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
-      Constraint type:<p>
-      <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
-      <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
-      Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
-      Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
-      </tr>
-      </table>
-    </tr>
-
-    </table>
-  </body>
-</html>
-
-
-
-
-
-
-
-
diff --git a/security/nss/cmd/certutil/Makefile b/security/nss/cmd/certutil/Makefile
deleted file mode 100644
index fe7991878..000000000
--- a/security/nss/cmd/certutil/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
deleted file mode 100644
index ee7b00ddc..000000000
--- a/security/nss/cmd/certutil/certext.c
+++ /dev/null
@@ -1,1817 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** certext.c
-**
-** part of certutil for managing certificates extensions
-**
-*/
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#if defined(WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "cert.h"
-#include "xconst.h"
-#include "prprf.h"
-#include "certutil.h"
-
-#define GEN_BREAK(e) rv=e; break;
-
-static char *
-Gets_s(char *buff, size_t size) {
-    char *str;
-    
-    if (buff == NULL || size < 1) {
-        PORT_Assert(0);
-        return NULL;
-    }
-    if ((str = fgets(buff, size, stdin)) != NULL) {
-        int len = PORT_Strlen(str);
-        /*
-         * fgets() automatically converts native text file
-         * line endings to '\n'.  As defensive programming
-         * (just in case fgets has a bug or we put stdin in
-         * binary mode by mistake), we handle three native 
-         * text file line endings here:
-         *   '\n'      Unix (including Linux and Mac OS X)
-         *   '\r''\n'  DOS/Windows & OS/2
-         *   '\r'      Mac OS Classic
-         * len can not be less then 1, since in case with
-         * empty string it has at least '\n' in the buffer
-         */
-        if (buff[len - 1] == '\n' || buff[len - 1] == '\r') {
-            buff[len - 1] = '\0';
-            if (len > 1 && buff[len - 2] == '\r')
-                buff[len - 2] = '\0';
-        }
-    } else {
-        buff[0] = '\0';
-    }
-    return str;
-}
-
-
-static SECStatus
-PrintChoicesAndGetAnswer(char* str, char* rBuff, int rSize)
-{
-    fprintf(stdout, str);
-    fprintf(stdout, " > ");
-    fflush (stdout);
-    if (Gets_s(rBuff, rSize) == NULL) {
-        PORT_SetError(SEC_ERROR_INPUT_LEN);
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static CERTGeneralName *
-GetGeneralName (PRArenaPool *arena)
-{
-    CERTGeneralName *namesList = NULL;
-    CERTGeneralName *current;
-    CERTGeneralName *tail = NULL;
-    SECStatus rv = SECSuccess;
-    int intValue;
-    char buffer[512];
-    void *mark;
-
-    PORT_Assert (arena);
-    mark = PORT_ArenaMark (arena);
-    do {
-        if (PrintChoicesAndGetAnswer(
-		"\nSelect one of the following general name type: \n"
-		"\t2 - rfc822Name\n"
-		"\t3 - dnsName\n"
-		"\t5 - directoryName\n"
-		"\t7 - uniformResourceidentifier\n"
-		"\t8 - ipAddress\n"
-		"\t9 - registerID\n"
-		"\tAny other number to finish\n"
-		"\t\tChoice:", buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-        intValue = PORT_Atoi (buffer);
-        /*
-         * Should use ZAlloc instead of Alloc to avoid problem with garbage
-         * initialized pointers in CERT_CopyName
-         */
-        switch (intValue) {
-        case certRFC822Name:
-        case certDNSName:
-        case certDirectoryName:
-        case certURI:
-        case certIPAddress:
-        case certRegisterID:
-	    break;
-	default:
-	    intValue = 0;   /* force a break for anything else */
-	}
-
-        if (intValue == 0)
-	    break;
-	
-	if (namesList == NULL) {
-	    namesList = current = tail =
-		PORT_ArenaZNew(arena, CERTGeneralName);
-	} else {
-	    current = PORT_ArenaZNew(arena, CERTGeneralName);
-	}
-	if (current == NULL) {
-	    GEN_BREAK (SECFailure);
-	}
-
-        current->type = intValue;
-        puts ("\nEnter data:");
-        fflush (stdout);
-        if (Gets_s (buffer, sizeof(buffer)) == NULL) {
-            PORT_SetError(SEC_ERROR_INPUT_LEN);
-            GEN_BREAK (SECFailure);
-        }
-        switch (current->type) {
-        case certURI:
-        case certDNSName:
-        case certRFC822Name:
-            current->name.other.data =
-                PORT_ArenaAlloc (arena, strlen (buffer));
-            if (current->name.other.data == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            PORT_Memcpy(current->name.other.data, buffer,
-                        current->name.other.len = strlen(buffer));
-            break;
-
-        case certEDIPartyName:
-        case certIPAddress:
-        case certOtherName:
-        case certRegisterID:
-        case certX400Address: {
-
-            current->name.other.data =
-                PORT_ArenaAlloc (arena, strlen (buffer) + 2);
-            if (current->name.other.data == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            
-            PORT_Memcpy (current->name.other.data + 2, buffer,
-                         strlen (buffer));
-            /* This may not be accurate for all cases.  For now,
-             * use this tag type */
-            current->name.other.data[0] =
-                (char)(((current->type - 1) & 0x1f)| 0x80);
-            current->name.other.data[1] = (char)strlen (buffer);
-            current->name.other.len = strlen (buffer) + 2;
-            break;
-        }
-
-        case certDirectoryName: {
-            CERTName *directoryName = NULL;
-            
-            directoryName = CERT_AsciiToName (buffer);
-            if (!directoryName) {
-                fprintf(stderr, "certutil: improperly formatted name: "
-                        "\"%s\"\n", buffer);
-                break;
-            }
-            
-            rv = CERT_CopyName (arena, &current->name.directoryName,
-                                directoryName);
-            CERT_DestroyName (directoryName);
-            
-            break;
-        }
-        }
-        if (rv != SECSuccess)
-            break;
-        current->l.next = &(namesList->l);
-        current->l.prev = &(tail->l);
-        tail->l.next = &(current->l);
-        tail = current;
-        
-    }while (1);
-
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease (arena, mark);
-        namesList = NULL;
-    }
-    return (namesList);
-}
-
-static SECStatus 
-GetString(PRArenaPool *arena, char *prompt, SECItem *value)
-{
-    char buffer[251];
-    char *buffPrt;
-
-    buffer[0] = '\0';
-    value->data = NULL;
-    value->len = 0;
-    
-    puts (prompt);
-    buffPrt = Gets_s (buffer, sizeof(buffer));
-    /* returned NULL here treated the same way as empty string */
-    if (buffPrt && strlen (buffer) > 0) {
-        value->data = PORT_ArenaAlloc (arena, strlen (buffer));
-        if (value->data == NULL) {
-            PORT_SetError (SEC_ERROR_NO_MEMORY);
-            return (SECFailure);
-        }
-        PORT_Memcpy (value->data, buffer, value->len = strlen(buffer));
-    }
-    return (SECSuccess);
-}
-
-static PRBool 
-GetYesNo(char *prompt) 
-{
-    char buf[3];
-    char *buffPrt;
-
-    buf[0] = 'n';
-    puts(prompt);
-    buffPrt = Gets_s(buf, sizeof(buf));
-    return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;
-}
-
-/* Parses comma separated values out of the string pointed by nextPos.
- * Parsed value is compared to an array of possible values(valueArray).
- * If match is found, a value index is returned, otherwise returns SECFailue.
- * nextPos is set to the token after found comma separator or to NULL.
- * NULL in nextPos should be used as indication of the last parsed token.
- * A special value "critical" can be parsed out from the supplied sting.*/
-
-static SECStatus
-parseNextCmdInput(const char * const *valueArray, int *value,  char **nextPos,
-                  PRBool *critical)
-{
-    char *thisPos = *nextPos;
-    int keyLen = 0;
-    int arrIndex = 0;
-
-    if (!valueArray || !value || !nextPos || !critical) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    while (1) {
-        if ((*nextPos = strchr(thisPos, ',')) == NULL) {
-            keyLen = strlen(thisPos);
-        } else {
-            keyLen = *nextPos - thisPos;
-            *nextPos += 1;
-        }
-        /* if critical keyword is found, go for another loop,
-         * but check, if it is the last keyword of
-         * the string.*/
-        if (!strncmp("critical", thisPos, keyLen)) {
-            *critical = PR_TRUE;
-            if (*nextPos == NULL) {
-                return SECSuccess;
-            }
-            thisPos = *nextPos;
-            continue;
-        }
-        break;
-    }
-    for (arrIndex = 0; valueArray[arrIndex]; arrIndex++) {
-        if (!strncmp(valueArray[arrIndex], thisPos, keyLen)) {
-            *value = arrIndex;
-            return SECSuccess;
-        }
-    }
-    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    return SECFailure;
-}
-
-static const char * const
-keyUsageKeyWordArray[] = { "digitalSignature",
-                           "nonRepudiation",
-                           "keyEncipherment",
-                           "dataEncipherment",
-                           "keyAgreement",
-                           "certSigning",
-                           "crlSigning",
-                           NULL};
-
-static SECStatus 
-AddKeyUsage (void *extHandle, const char *userSuppliedValue)
-{
-    SECItem bitStringValue;
-    unsigned char keyUsage = 0x0;
-    char buffer[5];
-    int value;
-    char *nextPos = (char*)userSuppliedValue;
-    PRBool isCriticalExt = PR_FALSE;
-
-    if (!userSuppliedValue) {
-        while (1) {
-            if (PrintChoicesAndGetAnswer(
-                    "\t\t0 - Digital Signature\n"
-                    "\t\t1 - Non-repudiation\n"
-                    "\t\t2 - Key encipherment\n"
-                    "\t\t3 - Data encipherment\n"   
-                    "\t\t4 - Key agreement\n"
-                    "\t\t5 - Cert signing key\n"   
-                    "\t\t6 - CRL signing key\n"
-                    "\t\tOther to finish\n",
-                    buffer, sizeof(buffer)) == SECFailure) {
-                return SECFailure;
-            }
-            value = PORT_Atoi (buffer);
-            if (value < 0 || value > 6)
-                break;
-            if (value == 0) {
-                /* Checking that zero value of variable 'value'
-                 * corresponds to '0' input made by user */
-                char *chPtr = strchr(buffer, '0');
-                if (chPtr == NULL) {
-                    continue;
-                }
-            }
-            keyUsage |= (0x80 >> value);
-        }
-        isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
-    } else {
-        while (1) {
-            if (parseNextCmdInput(keyUsageKeyWordArray, &value, &nextPos,
-                                  &isCriticalExt) == SECFailure) {
-                return SECFailure;
-            }
-            keyUsage |= (0x80 >> value);
-            if (!nextPos)
-                break;
-        }
-    }
-
-    bitStringValue.data = &keyUsage;
-    bitStringValue.len = 1;
-
-    return (CERT_EncodeAndAddBitStrExtension
-            (extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
-             isCriticalExt));
-
-}
-
-
-static CERTOidSequence *
-CreateOidSequence(void)
-{
-    CERTOidSequence *rv = (CERTOidSequence *)NULL;
-    PRArenaPool *arena = (PRArenaPool *)NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if( (PRArenaPool *)NULL == arena ) {
-        goto loser;
-    }
-
-    rv = (CERTOidSequence *)PORT_ArenaZNew(arena, CERTOidSequence);
-    if( (CERTOidSequence *)NULL == rv ) {
-        goto loser;
-    }
-
-    rv->oids = (SECItem **)PORT_ArenaZNew(arena, SECItem *);
-    if( (SECItem **)NULL == rv->oids ) {
-        goto loser;
-    }
-
-    rv->arena = arena;
-    return rv;
-
-loser:
-    if( (PRArenaPool *)NULL != arena ) {
-        PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    return (CERTOidSequence *)NULL;
-}
-
-static void
-DestroyOidSequence(CERTOidSequence *os)
-{
-    if (os->arena) {
-        PORT_FreeArena(os->arena, PR_FALSE);
-    }
-}
-
-static SECStatus
-AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
-{
-    SECItem **oids;
-    PRUint32 count = 0;
-    SECOidData *od;
-
-    od = SECOID_FindOIDByTag(oidTag);
-    if( (SECOidData *)NULL == od ) {
-        return SECFailure;
-    }
-
-    for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
-        if (*oids == &od->oid) {
-            /* We already have this oid */
-            return SECSuccess;
-        }
-        count++;
-    }
-
-    /* ArenaZRealloc */
-
-    {
-        PRUint32 i;
-
-        oids = (SECItem **)PORT_ArenaZNewArray(os->arena, SECItem *, count + 2);
-        if( (SECItem **)NULL == oids ) {
-            return SECFailure;
-        }
-    
-        for( i = 0; i < count; i++ ) {
-            oids[i] = os->oids[i];
-        }
-
-        /* ArenaZFree(os->oids); */
-    }
-
-    os->oids = oids;
-    os->oids[count] = &od->oid;
-
-    return SECSuccess;
-}
-
-SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
-
-const SEC_ASN1Template CERT_OidSeqTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, offsetof(CERTOidSequence, oids),
-      SEC_ASN1_SUB(SEC_ObjectIDTemplate) }
-};
-
-
-static SECItem *
-EncodeOidSequence(CERTOidSequence *os)
-{
-    SECItem *rv;
-
-    rv = (SECItem *)PORT_ArenaZNew(os->arena, SECItem);
-    if( (SECItem *)NULL == rv ) {
-        goto loser;
-    }
-
-    if( !SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate) ) {
-        goto loser;
-    }
-
-    return rv;
-
-loser:
-    return (SECItem *)NULL;
-}
-
-static const char * const 
-extKeyUsageKeyWordArray[] = { "serverAuth",
-                              "clientAuth",
-                              "codeSigning",
-                              "emailProtection",
-                              "timeStamp",
-                              "ocspResponder",
-                              "stepUp",
-                              NULL};
-
-static SECStatus 
-AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
-{
-    char buffer[5];
-    int value;
-    CERTOidSequence *os;
-    SECStatus rv;
-    SECItem *item;
-    PRBool isCriticalExt = PR_FALSE;
-    char *nextPos = (char*)userSuppliedValue;
-    
-    os = CreateOidSequence();
-    if( (CERTOidSequence *)NULL == os ) {
-        return SECFailure;
-    }
-
-    while (1) {
-        if (!userSuppliedValue) {
-            if (PrintChoicesAndGetAnswer(
-                    "\t\t0 - Server Auth\n"
-                    "\t\t1 - Client Auth\n"
-                    "\t\t2 - Code Signing\n"
-                    "\t\t3 - Email Protection\n"
-                    "\t\t4 - Timestamp\n"
-                    "\t\t5 - OCSP Responder\n"
-                    "\t\t6 - Step-up\n"
-                    "\t\tOther to finish\n",
-                    buffer, sizeof(buffer)) == SECFailure) {
-                GEN_BREAK(SECFailure);
-            }
-            value = PORT_Atoi(buffer);
-            
-            if (value == 0) {
-                /* Checking that zero value of variable 'value'
-                 * corresponds to '0' input made by user */
-                char *chPtr = strchr(buffer, '0');
-                if (chPtr == NULL) {
-                    continue;
-                }
-            }
-        } else {
-            if (parseNextCmdInput(extKeyUsageKeyWordArray, &value, &nextPos,
-                                  &isCriticalExt) == SECFailure) {
-                return SECFailure;
-            }
-        }
-
-        switch( value ) {
-        case 0:
-            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
-            break;
-        case 1:
-            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
-            break;
-        case 2:
-            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
-            break;
-        case 3:
-            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
-            break;
-        case 4:
-            rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
-            break;
-        case 5:
-            rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
-            break;
-        case 6:
-            rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
-            break;
-        default:
-            goto endloop;
-        }
-
-        if (userSuppliedValue && !nextPos)
-            break;
-        if( SECSuccess != rv )
-            goto loser;
-    }
-
-endloop:
-    item = EncodeOidSequence(os);
-
-    if (!userSuppliedValue) {
-        isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
-    }
-
-    rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
-                           isCriticalExt, PR_TRUE);
-    /*FALLTHROUGH*/
-loser:
-    DestroyOidSequence(os);
-    return rv;
-}
-
-static const char * const
-nsCertTypeKeyWordArray[] = { "sslClient",
-                             "sslServer",
-                             "smime",
-                             "objectSigning",
-                             "Not!Used",
-                             "sslCA",
-                             "smimeCA",
-                             "objectSigningCA",
-                            NULL };
-
-static SECStatus 
-AddNscpCertType (void *extHandle, const char *userSuppliedValue)
-{
-    SECItem bitStringValue;
-    unsigned char keyUsage = 0x0;
-    char buffer[5];
-    int value;
-    char *nextPos = (char*)userSuppliedValue;
-    PRBool isCriticalExt = PR_FALSE;
-
-    if (!userSuppliedValue) {
-        while (1) {
-            if (PrintChoicesAndGetAnswer(
-                    "\t\t0 - SSL Client\n"
-                    "\t\t1 - SSL Server\n"
-                    "\t\t2 - S/MIME\n"
-                    "\t\t3 - Object Signing\n"   
-                    "\t\t4 - Reserved for future use\n"
-                    "\t\t5 - SSL CA\n"   
-                    "\t\t6 - S/MIME CA\n"
-                    "\t\t7 - Object Signing CA\n"
-                    "\t\tOther to finish\n",
-                    buffer, sizeof(buffer)) == SECFailure) {
-                return SECFailure;
-            }
-            value = PORT_Atoi (buffer);
-            if (value < 0 || value > 7)
-                break;
-            if (value == 0) {
-                /* Checking that zero value of variable 'value'
-                 * corresponds to '0' input made by user */
-                char *chPtr = strchr(buffer, '0');
-                if (chPtr == NULL) {
-                    continue;
-                }
-            }
-            keyUsage |= (0x80 >> value);
-        }
-        isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
-    } else {
-        while (1) {
-            if (parseNextCmdInput(nsCertTypeKeyWordArray, &value, &nextPos,
-                                  &isCriticalExt) == SECFailure) {
-                return SECFailure;
-            }
-            keyUsage |= (0x80 >> value);
-            if (!nextPos)
-                break;
-        }
-    }
-
-    bitStringValue.data = &keyUsage;
-    bitStringValue.len = 1;
-
-    return (CERT_EncodeAndAddBitStrExtension
-            (extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
-             isCriticalExt));
-
-}
-
-static SECStatus 
-AddSubjectAltNames(PRArenaPool *arena, CERTGeneralName **existingListp,
-                   const char *names, CERTGeneralNameType type)
-{
-    CERTGeneralName *nameList = NULL;
-    CERTGeneralName *current = NULL;
-    PRCList *prev = NULL;
-    const char *cp;
-    char *tbuf;
-    SECStatus rv = SECSuccess;
-
-    /*
-     * walk down the comma separated list of names. NOTE: there is
-     * no sanity checks to see if the email address look like
-     * email addresses.
-     */
-    for (cp=names; cp; cp = PORT_Strchr(cp,',')) {
-        int len;
-        char *end;
-
-        if (*cp == ',') {
-            cp++;
-        }
-        end = PORT_Strchr(cp,',');
-        len = end ? end-cp : PORT_Strlen(cp);
-        if (len <= 0) {
-            continue;
-        }
-        tbuf = PORT_ArenaAlloc(arena,len+1);
-        PORT_Memcpy(tbuf,cp,len);
-        tbuf[len] = 0;
-        current = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName));
-        if (!current) {
-            rv = SECFailure;
-            break;
-        }
-        if (prev) {
-            current->l.prev = prev;
-            prev->next = &(current->l);
-        } else {
-            nameList = current;
-        }
-        current->type = type;
-        current->name.other.data = (unsigned char *)tbuf;
-        current->name.other.len = PORT_Strlen(tbuf);
-        prev = &(current->l);
-    }
-    /* at this point nameList points to the head of a doubly linked,
-     * but not yet circular, list and current points to its tail. */
-    if (rv == SECSuccess && nameList) {
-        if (*existingListp != NULL) {
-            PRCList *existingprev;
-            /* add nameList to the end of the existing list */
-            existingprev = (*existingListp)->l.prev;
-            (*existingListp)->l.prev = &(current->l);
-            nameList->l.prev = existingprev;
-            existingprev->next = &(nameList->l);
-            current->l.next = &((*existingListp)->l);
-        }
-        else {
-            /* make nameList circular and set it as the new existingList */
-            nameList->l.prev = prev;
-            current->l.next = &(nameList->l);
-            *existingListp = nameList;
-        }
-    }
-    return rv;
-}
-
-static SECStatus 
-AddEmailSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
-                   const char *emailAddrs)
-{
-    return AddSubjectAltNames(arena, existingListp, emailAddrs, 
-                              certRFC822Name);
-}
-
-static SECStatus 
-AddDNSSubjectAlt(PRArenaPool *arena, CERTGeneralName **existingListp,
-                 const char *dnsNames)
-{
-    return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName);
-}
-
-
-static SECStatus 
-AddBasicConstraint(void *extHandle)
-{
-    CERTBasicConstraints basicConstraint;    
-    SECStatus rv;
-    char buffer[10];
-    PRBool yesNoAns;
-
-    do {
-        basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-        basicConstraint.isCA = GetYesNo ("Is this a CA certificate [y/N]?");
-
-        buffer[0] = '\0';
-        if (PrintChoicesAndGetAnswer("Enter the path length constraint, "
-                                     "enter to skip [<0 for unlimited path]:",
-                                     buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK(SECFailure);
-        }
-        if (PORT_Strlen (buffer) > 0)
-            basicConstraint.pathLenConstraint = PORT_Atoi (buffer);
-
-        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
-
-        rv = SECU_EncodeAndAddExtensionValue(NULL, extHandle,
-		 &basicConstraint, yesNoAns, SEC_OID_X509_BASIC_CONSTRAINTS,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeBasicConstraintValue);
-    } while (0);
-
-    return (rv);
-}
-
-static SECStatus 
-AddAuthKeyID (void *extHandle)
-{
-    CERTAuthKeyID *authKeyID = NULL;    
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool yesNoAns;
-
-    do {
-        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-        if ( !arena ) {
-            SECU_PrintError(progName, "out of memory");
-            GEN_BREAK (SECFailure);
-        }
-
-        if (GetYesNo ("Enter value for the authKeyID extension [y/N]?") == 0)
-            break;
-
-        authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
-        if (authKeyID == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-
-        rv = GetString (arena, "Enter value for the key identifier fields,"
-                        "enter to omit:", &authKeyID->keyID);
-        if (rv != SECSuccess)
-            break;
-
-        SECU_SECItemHexStringToBinary(&authKeyID->keyID);
-
-        authKeyID->authCertIssuer = GetGeneralName (arena);
-        if (authKeyID->authCertIssuer == NULL && 
-            SECFailure == PORT_GetError ())
-            break;
-
-
-        rv = GetString (arena, "Enter value for the authCertSerial field, "
-                        "enter to omit:", &authKeyID->authCertSerialNumber);
-
-        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
-
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
-		     authKeyID, yesNoAns, SEC_OID_X509_AUTH_KEY_ID, 
-		     (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
-        if (rv)
-            break;
-
-    } while (0);
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return (rv);
-}   
-    
-static SECStatus 
-AddSubjKeyID (void *extHandle)
-{
-    SECItem keyID;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool yesNoAns;
-
-    do {
-        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-        if ( !arena ) {
-            SECU_PrintError(progName, "out of memory");
-            GEN_BREAK (SECFailure);
-        }
-        printf("Adding Subject Key ID extension.\n");
-
-        rv = GetString (arena, "Enter value for the key identifier fields,"
-                        "enter to omit:", &keyID);
-        if (rv != SECSuccess)
-            break;
-
-        SECU_SECItemHexStringToBinary(&keyID);
-
-        yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
-
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
-		     &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID, 
-		     (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
-        if (rv)
-            break;
-
-    } while (0);
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return (rv);
-}   
-
-static SECStatus 
-AddCrlDistPoint(void *extHandle)
-{
-    PRArenaPool *arena = NULL;
-    CERTCrlDistributionPoints *crlDistPoints = NULL;
-    CRLDistributionPoint *current;
-    SECStatus rv = SECSuccess;
-    int count = 0, intValue;
-    char buffer[512];
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena )
-        return (SECFailure);
-
-    do {
-        current = NULL;
-
-        current = PORT_ArenaZNew(arena, CRLDistributionPoint);
-        if (current == NULL) {
-            GEN_BREAK (SECFailure);
-        }   
-
-        /* Get the distributionPointName fields - this field is optional */
-        if (PrintChoicesAndGetAnswer(
-                "Enter the type of the distribution point name:\n"
-                "\t1 - Full Name\n\t2 - Relative Name\n\tAny other "
-                "number to finish\n\t\tChoice: ",
-                buffer, sizeof(buffer)) == SECFailure) {
-	    GEN_BREAK (SECFailure);
-	}
-        intValue = PORT_Atoi (buffer);
-        switch (intValue) {
-        case generalName:
-            current->distPointType = intValue;
-            current->distPoint.fullName = GetGeneralName (arena);
-            rv = PORT_GetError();
-            break;
-
-        case relativeDistinguishedName: {
-            CERTName *name;
-
-            current->distPointType = intValue;
-            puts ("Enter the relative name: ");
-            fflush (stdout);
-            if (Gets_s (buffer, sizeof(buffer)) == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            /* For simplicity, use CERT_AsciiToName to converse from a string
-               to NAME, but we only interest in the first RDN */
-            name = CERT_AsciiToName (buffer);
-            if (!name) {
-                GEN_BREAK (SECFailure);
-            }
-            rv = CERT_CopyRDN (arena, &current->distPoint.relativeName,
-                               name->rdns[0]);
-            CERT_DestroyName (name);
-            break;
-          }
-        }
-        if (rv != SECSuccess)
-            break;
-
-        /* Get the reason flags */
-        if (PrintChoicesAndGetAnswer(
-                "\nSelect one of the following for the reason flags\n"
-                "\t0 - unused\n\t1 - keyCompromise\n"
-                "\t2 - caCompromise\n\t3 - affiliationChanged\n"
-                "\t4 - superseded\n\t5 - cessationOfOperation\n"
-                "\t6 - certificateHold\n"
-                "\tAny other number to finish\t\tChoice: ",
-                buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK(SECFailure);
-        }
-        intValue = PORT_Atoi (buffer);
-        if (intValue == 0) {
-            /* Checking that zero value of variable 'value'
-             * corresponds to '0' input made by user */
-            char *chPtr = strchr(buffer, '0');
-            if (chPtr == NULL) {
-                intValue = -1;
-            }
-        }
-        if (intValue >= 0 && intValue <8) {
-            current->reasons.data = PORT_ArenaAlloc (arena, sizeof(char));
-            if (current->reasons.data == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            *current->reasons.data = (char)(0x80 >> intValue);
-            current->reasons.len = 1;
-        }
-        puts ("Enter value for the CRL Issuer name:\n");
-        current->crlIssuer = GetGeneralName (arena);
-        if (current->crlIssuer == NULL && (rv = PORT_GetError()) == SECFailure)
-            break;
-
-        if (crlDistPoints == NULL) {
-            crlDistPoints = PORT_ArenaZNew(arena, CERTCrlDistributionPoints);
-            if (crlDistPoints == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-        }
-
-        crlDistPoints->distPoints =
-            PORT_ArenaGrow (arena, crlDistPoints->distPoints,
-                            sizeof (*crlDistPoints->distPoints) * count,
-                            sizeof (*crlDistPoints->distPoints) *(count + 1));
-        if (crlDistPoints->distPoints == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-
-        crlDistPoints->distPoints[count] = current;
-        ++count;
-        if (GetYesNo("Enter another value for the CRLDistributionPoint "
-                      "extension [y/N]?") == 0) {
-            /* Add null to the end to mark end of data */
-            crlDistPoints->distPoints =
-                PORT_ArenaGrow(arena, crlDistPoints->distPoints,
-			   sizeof (*crlDistPoints->distPoints) * count,
-			   sizeof (*crlDistPoints->distPoints) *(count + 1));
-            crlDistPoints->distPoints[count] = NULL;    
-            break;
-        }
-
-
-    } while (1);
-    
-    if (rv == SECSuccess) {
-        PRBool yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
-
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
-		 crlDistPoints, yesNoAns, SEC_OID_X509_CRL_DIST_POINTS,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCRLDistributionPoints);
-    }
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return (rv);
-}
-
-
-
-static SECStatus 
-AddPolicyConstraints(void *extHandle)
-{
-    CERTCertificatePolicyConstraints *policyConstr;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    SECItem *item, *dummy;
-    char buffer[512];
-    int value;
-    PRBool yesNoAns;
-    PRBool skipExt = PR_TRUE;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-        SECU_PrintError(progName, "out of memory");
-        return SECFailure;
-    }
-
-    policyConstr = PORT_ArenaZNew(arena, CERTCertificatePolicyConstraints);
-    if (policyConstr == NULL) {
-        SECU_PrintError(progName, "out of memory");
-        goto loser;
-    }
-
-    if (PrintChoicesAndGetAnswer("for requireExplicitPolicy enter the number "
-               "of certs in path\nbefore explicit policy is required\n"
-               "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
-        goto loser;
-    }
-
-    if (PORT_Strlen(buffer)) {
-        value = PORT_Atoi(buffer);
-	if (value < 0) {
-            goto loser;
-        }
-        item = &policyConstr->explicitPolicySkipCerts;
-        dummy = SEC_ASN1EncodeInteger(arena, item, value);
-        if (!dummy) {
-            goto loser;
-        }
-        skipExt = PR_FALSE;
-    }
-
-    if (PrintChoicesAndGetAnswer("for inihibitPolicyMapping enter "
-               "the number of certs in path\n"
-	       "after which policy mapping is not allowed\n"
-               "(press Enter to omit)", buffer, sizeof(buffer)) == SECFailure) {
-        goto loser;
-    }
-
-    if (PORT_Strlen(buffer)) {
-        value = PORT_Atoi(buffer);
-	if (value < 0) {
-            goto loser;
-        }
-        item = &policyConstr->inhibitMappingSkipCerts;
-        dummy = SEC_ASN1EncodeInteger(arena, item, value);
-        if (!dummy) {
-            goto loser;
-        }
-        skipExt = PR_FALSE;
-    }
- 
-    
-    if (!skipExt) {
-        yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, policyConstr,
-	     yesNoAns, SEC_OID_X509_POLICY_CONSTRAINTS,
-	     (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyConstraintsExtension);
-    } else {
-	fprintf(stdout, "Policy Constraint extensions must contain "
-                        "at least one policy field\n");
-	rv = SECFailure;
-    }
-   
-loser:
-    if (arena) {
-        PORT_FreeArena (arena, PR_FALSE);
-    }
-    return (rv);
-}
-
-
-static SECStatus 
-AddInhibitAnyPolicy(void *extHandle)
-{
-    CERTCertificateInhibitAny certInhibitAny;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    SECItem *item, *dummy;
-    char buffer[10];
-    int value;
-    PRBool yesNoAns;
-    
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-        SECU_PrintError(progName, "out of memory");
-        return SECFailure;
-    }
-
-    if (PrintChoicesAndGetAnswer("Enter the number of certs in the path "
-                                 "permitted to use anyPolicy.\n"
-                                 "(press Enter for 0)",
-                                 buffer, sizeof(buffer)) == SECFailure) {
-        goto loser;
-    }
-
-    item = &certInhibitAny.inhibitAnySkipCerts;
-    value = PORT_Atoi(buffer);
-    if (value < 0) {
-        goto loser;
-    }
-    dummy = SEC_ASN1EncodeInteger(arena, item, value);
-    if (!dummy) {
-        goto loser;
-    }
-    
-    yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-    
-    rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &certInhibitAny,
-		 yesNoAns, SEC_OID_X509_INHIBIT_ANY_POLICY,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInhibitAnyExtension);
-loser:
-    if (arena) {
-        PORT_FreeArena (arena, PR_FALSE);
-    }
-    return (rv);
-}
-
-
-static SECStatus 
-AddPolicyMappings(void *extHandle)
-{
-    CERTPolicyMap **policyMapArr = NULL;
-    CERTPolicyMap *current;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    int count = 0;
-    char buffer[512];
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-        SECU_PrintError(progName, "out of memory");
-        return SECFailure;
-    }
-
-    do {
-        if (PrintChoicesAndGetAnswer("Enter an Object Identifier (dotted "
-                                     "decimal format) for Issuer Domain Policy",
-                                     buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-
-        current = PORT_ArenaZNew(arena, CERTPolicyMap);
-        if (current == NULL) {
-            GEN_BREAK(SECFailure);
-        }
-
-        rv = SEC_StringToOID(arena, &current->issuerDomainPolicy, buffer, 0);
-        if (rv == SECFailure) {
-            GEN_BREAK(SECFailure);
-        }
-
-        if (PrintChoicesAndGetAnswer("Enter an Object Identifier for "
-                                     "Subject Domain Policy",
-                                     buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-
-        rv = SEC_StringToOID(arena, &current->subjectDomainPolicy, buffer, 0);
-        if (rv == SECFailure) {
-            GEN_BREAK(SECFailure);
-        }
-
-        if (policyMapArr == NULL) {
-            policyMapArr = PORT_ArenaZNew(arena, CERTPolicyMap *);
-            if (policyMapArr == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-        }
-
-        policyMapArr = PORT_ArenaGrow(arena, policyMapArr,
-                                         sizeof (current) * count,
-                                         sizeof (current) *(count + 1));
-        if (policyMapArr == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-    
-        policyMapArr[count] = current;
-        ++count;
-        
-        if (!GetYesNo("Enter another Policy Mapping [y/N]")) {
-            /* Add null to the end to mark end of data */
-            policyMapArr = PORT_ArenaGrow (arena, policyMapArr,
-                                           sizeof (current) * count,
-                                           sizeof (current) *(count + 1));
-            if (policyMapArr == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            policyMapArr[count] = NULL;        
-            break;
-        }
-
-    } while (1);
-
-    if (rv == SECSuccess) {
-        CERTCertificatePolicyMappings mappings;
-        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-
-        mappings.arena = arena;
-        mappings.policyMaps = policyMapArr;
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &mappings,
-		 yesNoAns, SEC_OID_X509_POLICY_MAPPINGS,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodePolicyMappingExtension);
-    }
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return (rv);
-}
-
-enum PoliciQualifierEnum {
-    cpsPointer = 1,
-    userNotice = 2
-};
-
-
-static CERTPolicyQualifier **
-RequestPolicyQualifiers(PRArenaPool *arena, SECItem *policyID)
-{
-    CERTPolicyQualifier **policyQualifArr = NULL;
-    CERTPolicyQualifier *current;
-    SECStatus rv = SECSuccess;
-    int count = 0;
-    char buffer[512];
-    void *mark;
-    SECOidData *oid = NULL;
-    int intValue = 0;
-    int inCount = 0;
-
-    PORT_Assert(arena);
-    mark = PORT_ArenaMark(arena);
-    do {
-        current = PORT_ArenaZNew(arena, CERTPolicyQualifier);
-        if (current == NULL) {
-            GEN_BREAK(SECFailure);
-        }
-
-        /* Get the accessMethod fields */
-        SECU_PrintObjectID(stdout, policyID,
-                           "Choose the type of qualifier for policy" , 0);
-
-        if (PrintChoicesAndGetAnswer(
-                "\t1 - CPS Pointer qualifier\n"
-                "\t2 - User notice qualifier\n"
-                "\tAny other number to finish\n"
-                "\t\tChoice: ", buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-        intValue = PORT_Atoi(buffer);
-        switch (intValue) {
-        case cpsPointer: {
-            SECItem input;
-
-            oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CPS_POINTER_QUALIFIER);
-            if (PrintChoicesAndGetAnswer("Enter CPS pointer URI: ",
-				     buffer, sizeof(buffer)) == SECFailure) {
-                GEN_BREAK (SECFailure);
-            }
-            input.len = PORT_Strlen(buffer);
-            input.data = (void*)PORT_ArenaStrdup(arena, buffer);
-            if (input.data == NULL ||
-	        SEC_ASN1EncodeItem(arena, &current->qualifierValue, &input,
-			       SEC_ASN1_GET(SEC_IA5StringTemplate)) == NULL) {
-                GEN_BREAK (SECFailure);
-	    }
-            break;
-        }
-        case userNotice: {
-            SECItem **noticeNumArr;
-            CERTUserNotice *notice = PORT_ArenaZNew(arena, CERTUserNotice);
-            if (!notice) {
-                GEN_BREAK(SECFailure);
-            }
-            
-            oid = SECOID_FindOIDByTag(SEC_OID_PKIX_USER_NOTICE_QUALIFIER);
-
-            if (GetYesNo("\t add a User Notice reference? [y/N]")) {
-
-                if (PrintChoicesAndGetAnswer("Enter user organization string: ",
-				 buffer, sizeof(buffer)) == SECFailure) {
-                    GEN_BREAK (SECFailure);
-                }
-
-                notice->noticeReference.organization.type = siAsciiString;
-                notice->noticeReference.organization.len =
-                    PORT_Strlen(buffer);
-                notice->noticeReference.organization.data =
-                    (void*)PORT_ArenaStrdup(arena, buffer);
-
-
-                noticeNumArr = PORT_ArenaZNewArray(arena, SECItem *, 2);
-		if (!noticeNumArr) {
-                    GEN_BREAK (SECFailure);
-		}
-                
-                do {
-                    SECItem *noticeNum;
-                    
-                    noticeNum = PORT_ArenaZNew(arena, SECItem);
-                    
-                    if (PrintChoicesAndGetAnswer(
-				      "Enter User Notice reference number "
-				      "(or -1 to quit): ",
-                                      buffer, sizeof(buffer)) == SECFailure) {
-                        GEN_BREAK (SECFailure);
-                    }
-                    
-                    intValue = PORT_Atoi(buffer);
-		    if (noticeNum == NULL) {
-			if (intValue < 0) {
-			    fprintf(stdout, "a noticeReference must have at "
-                                    "least one reference number\n");
-                            GEN_BREAK (SECFailure);
-			}
-		    } else {
-			if (intValue >= 0) {
-                            noticeNumArr = PORT_ArenaGrow(arena, noticeNumArr,
-					      sizeof (current) * inCount,
-					      sizeof (current) *(inCount + 1));
-                            if (noticeNumArr == NULL) {
-                                GEN_BREAK (SECFailure);
-                            }
-			} else {
-			    break;
-			}
-                    }
-                    if (!SEC_ASN1EncodeInteger(arena, noticeNum, intValue)) {
-                        GEN_BREAK (SECFailure);
-		    }
-                    noticeNumArr[inCount++] = noticeNum;
-                    noticeNumArr[inCount] = NULL;
-                    
-                } while (1);
-                if (rv == SECFailure) {
-                    GEN_BREAK(SECFailure);
-                }
-                notice->noticeReference.noticeNumbers = noticeNumArr;
-                rv = CERT_EncodeNoticeReference(arena, &notice->noticeReference,
-                                                &notice->derNoticeReference);
-                if (rv == SECFailure) {
-                    GEN_BREAK(SECFailure);
-                }
-            }
-            if (GetYesNo("\t EnterUser Notice explicit text? [y/N]")) {
-                /* Getting only 200 bytes - RFC limitation */
-                if (PrintChoicesAndGetAnswer(
-                        "\t", buffer, 200) == SECFailure) {
-                        GEN_BREAK (SECFailure);
-                }
-                notice->displayText.type = siAsciiString;
-                notice->displayText.len = PORT_Strlen(buffer);
-                notice->displayText.data = 
-		                        (void*)PORT_ArenaStrdup(arena, buffer);
-		if (notice->displayText.data == NULL) {
-		    GEN_BREAK(SECFailure);
-		}
-            }
-
-            rv = CERT_EncodeUserNotice(arena, notice, &current->qualifierValue);
-            if (rv == SECFailure) {
-                GEN_BREAK(SECFailure);
-            }
-
-            break;
-        }
-        }
-        if (rv == SECFailure || oid == NULL ||
-            SECITEM_CopyItem(arena, &current->qualifierID, &oid->oid) 
-	    == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-
-        if (!policyQualifArr) {
-            policyQualifArr = PORT_ArenaZNew(arena, CERTPolicyQualifier *);
-        } else {
-	    policyQualifArr = PORT_ArenaGrow (arena, policyQualifArr,
-                                         sizeof (current) * count,
-                                         sizeof (current) *(count + 1));
-	}
-        if (policyQualifArr == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-    
-        policyQualifArr[count] = current;
-        ++count;
-
-        if (!GetYesNo ("Enter another policy qualifier [y/N]")) {
-            /* Add null to the end to mark end of data */
-            policyQualifArr = PORT_ArenaGrow(arena, policyQualifArr,
-                                              sizeof (current) * count,
-                                              sizeof (current) *(count + 1));
-            if (policyQualifArr == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            policyQualifArr[count] = NULL;        
-            break;
-        }
-
-    } while (1);
-
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease (arena, mark);
-        policyQualifArr = NULL;
-    }
-    return (policyQualifArr);
-}
-
-static SECStatus 
-AddCertPolicies(void *extHandle)
-{
-    CERTPolicyInfo **certPoliciesArr = NULL;
-    CERTPolicyInfo *current;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    int count = 0;
-    char buffer[512];
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-        SECU_PrintError(progName, "out of memory");
-        return SECFailure;
-    }
-
-    do {
-        current = PORT_ArenaZNew(arena, CERTPolicyInfo);
-        if (current == NULL) {
-            GEN_BREAK(SECFailure);
-        }
-
-        if (PrintChoicesAndGetAnswer("Enter a CertPolicy Object Identifier "
-                                     "(dotted decimal format)\n"
-				     "or \"any\" for AnyPolicy:",
-                                     buffer, sizeof(buffer)) == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-	
-	if (strncmp(buffer, "any", 3) == 0) {
-	    /* use string version of X509_CERTIFICATE_POLICIES.anyPolicy */
-	    strcpy(buffer, "OID.2.5.29.32.0");
-	}
-        rv = SEC_StringToOID(arena, &current->policyID, buffer, 0);
-
-        if (rv == SECFailure) {
-            GEN_BREAK(SECFailure);
-        }
-        
-        current->policyQualifiers = 
-            RequestPolicyQualifiers(arena, &current->policyID); 
-
-        if (!certPoliciesArr) {
-            certPoliciesArr = PORT_ArenaZNew(arena, CERTPolicyInfo *);
-        } else {
-	    certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
-                                         sizeof (current) * count,
-                                         sizeof (current) *(count + 1));
-	}
-        if (certPoliciesArr == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-    
-        certPoliciesArr[count] = current;
-        ++count;
-        
-        if (!GetYesNo ("Enter another PolicyInformation field [y/N]?")) {
-            /* Add null to the end to mark end of data */
-            certPoliciesArr = PORT_ArenaGrow(arena, certPoliciesArr,
-                                              sizeof (current) * count,
-                                              sizeof (current) *(count + 1));
-            if (certPoliciesArr == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            certPoliciesArr[count] = NULL;        
-            break;
-        }
-
-    } while (1);
-
-    if (rv == SECSuccess) {
-        CERTCertificatePolicies policies;
-        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-
-        policies.arena = arena;
-        policies.policyInfos = certPoliciesArr;
-        
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, &policies,
-		 yesNoAns, SEC_OID_X509_CERTIFICATE_POLICIES,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeCertPoliciesExtension);
-    }
-    if (arena)
-	PORT_FreeArena(arena, PR_FALSE);
-    return (rv);
-}
-
-enum AuthInfoAccessTypesEnum {
-    caIssuers = 1,
-    ocsp = 2
-};
-
-enum SubjInfoAccessTypesEnum {
-    caRepository = 1,
-    timeStamping = 2
-};
-    
-/* Encode and add an AIA or SIA extension */
-static SECStatus 
-AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
-{
-    CERTAuthInfoAccess **infoAccArr = NULL;
-    CERTAuthInfoAccess *current;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-    int count = 0;
-    char buffer[512];
-    SECOidData *oid = NULL;
-    int intValue = 0;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-        SECU_PrintError(progName, "out of memory");
-        return SECFailure;
-    }
-
-    do {
-        current = NULL;
-        current = PORT_ArenaZNew(arena, CERTAuthInfoAccess);
-        if (current == NULL) {
-            GEN_BREAK(SECFailure);
-        }
-
-        /* Get the accessMethod fields */
-        if (addSIAExt) {
-            if (isCACert) {
-                puts("Adding \"CA Repository\" access method type for "
-                    "Subject Information Access extension:\n");
-                intValue = caRepository;
-            } else {
-                puts("Adding \"Time Stamping Services\" access method type for "
-                    "Subject Information Access extension:\n");
-                intValue = timeStamping;
-            }
-        } else {
-            PrintChoicesAndGetAnswer("Enter access method type "
-                "for Authority Information Access extension:\n"
-                "\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
-                "other number to finish\n\tChoice",
-                buffer, sizeof(buffer));
-            intValue = PORT_Atoi(buffer);
-        }
-        if (addSIAExt) {
-            switch (intValue) {
-              case caRepository:
-                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_REPOSITORY);
-                  break;
-                  
-              case timeStamping:
-                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_TIMESTAMPING);
-                  break;
-            } 
-        } else {
-            switch (intValue) {
-              case caIssuers:
-                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_ISSUERS);
-                  break;
-                  
-              case ocsp:
-                  oid = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP);
-                  break;
-            } 
-        }
-        if (oid == NULL ||
-            SECITEM_CopyItem(arena, &current->method, &oid->oid) 
-	    == SECFailure) {
-            GEN_BREAK (SECFailure);
-        }
-
-        current->location = GetGeneralName(arena);
-        if (!current->location) {
-            GEN_BREAK(SECFailure);
-        }
-       
-        if (infoAccArr == NULL) {
-            infoAccArr = PORT_ArenaZNew(arena, CERTAuthInfoAccess *);
-        } else {
-	    infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
-                                     sizeof (current) * count,
-                                     sizeof (current) *(count + 1));
-	}
-        if (infoAccArr == NULL) {
-            GEN_BREAK (SECFailure);
-        }
-    
-        infoAccArr[count] = current;
-        ++count;
-        
-        PR_snprintf(buffer, sizeof(buffer), "Add another location to the %s"
-                    " Information Access extension [y/N]",
-                    (addSIAExt) ? "Subject" : "Authority");
-
-        if (GetYesNo (buffer) == 0) {
-            /* Add null to the end to mark end of data */
-            infoAccArr = PORT_ArenaGrow(arena, infoAccArr,
-                                         sizeof (current) * count,
-                                         sizeof (current) *(count + 1));
-            if (infoAccArr == NULL) {
-                GEN_BREAK (SECFailure);
-            }
-            infoAccArr[count] = NULL;        
-            break;
-        }
-
-    } while (1);
-
-    if (rv == SECSuccess) {
-        int oidIdent = SEC_OID_X509_AUTH_INFO_ACCESS;
-
-        PRBool yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
-        
-        if (addSIAExt) {
-            oidIdent = SEC_OID_X509_SUBJECT_INFO_ACCESS;
-        }
-        rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, infoAccArr,
-		 yesNoAns, oidIdent,
-		 (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeInfoAccessExtension);
-    }
-    if (arena)
-        PORT_FreeArena(arena, PR_FALSE);
-    return (rv);
-}
-
-SECStatus
-AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
-              certutilExtnList extList)
-{
-    SECStatus rv = SECSuccess;
-    char *errstring = NULL;
-    
-    do {
-        /* Add key usage extension */
-        if (extList[ext_keyUsage].activated) {
-            rv = AddKeyUsage(extHandle, extList[ext_keyUsage].arg);
-            if (rv) {
-		errstring = "KeyUsage";
-                break;
-	    }
-        }
-
-        /* Add extended key usage extension */
-        if (extList[ext_extKeyUsage].activated) {
-            rv = AddExtKeyUsage(extHandle, extList[ext_extKeyUsage].arg);
-            if (rv) {
-		errstring = "ExtendedKeyUsage";
-                break;
-	    }
-        }
-
-        /* Add basic constraint extension */
-        if (extList[ext_basicConstraint].activated) {
-            rv = AddBasicConstraint(extHandle);
-            if (rv) {
-		errstring = "BasicConstraint";
-                break;
-	    }
-        }
-
-        if (extList[ext_authorityKeyID].activated) {
-            rv = AddAuthKeyID(extHandle);
-            if (rv) {
-		errstring = "AuthorityKeyID";
-                break;
-	    }
-        }
-
-        if (extList[ext_subjectKeyID].activated) {
-            rv = AddSubjKeyID(extHandle);
-            if (rv) {
-		errstring = "SubjectKeyID";
-                break;
-	    }
-        }    
-
-        if (extList[ext_CRLDistPts].activated) {
-            rv = AddCrlDistPoint(extHandle);
-            if (rv) {
-		errstring = "CRLDistPoints";
-                break;
-	    }
-        }
-
-        if (extList[ext_NSCertType].activated) {
-            rv = AddNscpCertType(extHandle, extList[ext_extKeyUsage].arg);
-            if (rv) {
-		errstring = "NSCertType";
-                break;
-	    }
-        }
-
-        if (extList[ext_authInfoAcc].activated ||
-            extList[ext_subjInfoAcc].activated) {
-            rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc].activated,
-	                       extList[ext_basicConstraint].activated);
-            if (rv) {
-		errstring = "InformationAccess";
-                break;
-	    }
-        }
-
-        if (extList[ext_certPolicies].activated) {
-            rv = AddCertPolicies(extHandle);
-            if (rv) {
-		errstring = "Policies";
-                break;
-	    }
-        }
-
-        if (extList[ext_policyMappings].activated) {
-            rv = AddPolicyMappings(extHandle);
-            if (rv) {
-		errstring = "PolicyMappings";
-                break;
-	    }
-        }
-
-        if (extList[ext_policyConstr].activated) {
-            rv = AddPolicyConstraints(extHandle);
-            if (rv) {
-		errstring = "PolicyConstraints";
-                break;
-	    }
-        }
-
-        if (extList[ext_inhibitAnyPolicy].activated) {
-            rv = AddInhibitAnyPolicy(extHandle);
-            if (rv) {
-		errstring = "InhibitAnyPolicy";
-                break;
-	    }
-        }
-
-        if (emailAddrs || dnsNames) {
-            PRArenaPool *arena;
-            CERTGeneralName *namelist = NULL;
-            SECItem item = { 0, NULL, 0 };
-            
-            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-            if (arena == NULL) {
-                rv = SECFailure;
-                break;
-            }
-
-            rv = AddEmailSubjectAlt(arena, &namelist, emailAddrs);
-
-            rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames);
-
-            if (rv == SECSuccess) {
-		rv = CERT_EncodeAltNameExtension(arena, namelist, &item);
-	        if (rv == SECSuccess) {
-                    rv = CERT_AddExtension(extHandle,
-                                          SEC_OID_X509_SUBJECT_ALT_NAME,
-                                          &item, PR_FALSE, PR_TRUE);
-		}
-            }
-	    PORT_FreeArena(arena, PR_FALSE);
-	    if (rv) {
-                errstring = "SubjectAltName";
-                break;
-	    }
-        }
-    } while (0);
-    
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "Problem creating %s extension", errstring);
-    }
-    return rv;
-}
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
deleted file mode 100644
index ec1c0eaac..000000000
--- a/security/nss/cmd/certutil/certutil.c
+++ /dev/null
@@ -1,2985 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** certutil.c
-**
-** utility for managing certificates and the cert database
-**
-*/
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#if defined(WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "nss.h"
-#include "certutil.h"
-
-#define MIN_KEY_BITS		512
-/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
-#define MAX_KEY_BITS		8192
-#define DEFAULT_KEY_BITS	1024
-
-#define GEN_BREAK(e) rv=e; break;
-
-char *progName;
-
-static CERTCertificateRequest *
-GetCertRequest(PRFileDesc *inFile, PRBool ascii)
-{
-    CERTCertificateRequest *certReq = NULL;
-    CERTSignedData signedData;
-    PRArenaPool *arena = NULL;
-    SECItem reqDER;
-    SECStatus rv;
-
-    reqDER.data = NULL;
-    do {
-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (arena == NULL) {
-	    GEN_BREAK (SECFailure);
-	}
-	
- 	rv = SECU_ReadDERFromFile(&reqDER, inFile, ascii);
-	if (rv) {
-	    break;
-	}
-        certReq = (CERTCertificateRequest*) PORT_ArenaZAlloc
-		  (arena, sizeof(CERTCertificateRequest));
-        if (!certReq) { 
-	    GEN_BREAK(SECFailure);
-	}
-	certReq->arena = arena;
-
-	/* Since cert request is a signed data, must decode to get the inner
-	   data
-	 */
-	PORT_Memset(&signedData, 0, sizeof(signedData));
-	rv = SEC_ASN1DecodeItem(arena, &signedData, 
-		SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER);
-	if (rv) {
-	    break;
-	}
-	rv = SEC_ASN1DecodeItem(arena, certReq, 
-		SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);
-	if (rv) {
-	    break;
-	}
-   	rv = CERT_VerifySignedDataWithPublicKeyInfo(&signedData, 
-		&certReq->subjectPublicKeyInfo, NULL /* wincx */);
-   } while (0);
-
-   if (reqDER.data) {
-   	SECITEM_FreeItem(&reqDER, PR_FALSE);
-   }
-
-   if (rv) {
-   	SECU_PrintError(progName, "bad certificate request\n");
-   	if (arena) {
-   	    PORT_FreeArena(arena, PR_FALSE);
-   	}
-   	certReq = NULL;
-   }
-
-   return certReq;
-}
-
-static SECStatus
-AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts, 
-        PRFileDesc *inFile, PRBool ascii, PRBool emailcert, void *pwdata)
-{
-    CERTCertTrust *trust = NULL;
-    CERTCertificate *cert = NULL;
-    SECItem certDER;
-    SECStatus rv;
-
-    certDER.data = NULL;
-    do {
-	/* Read in the entire file specified with the -i argument */
-	rv = SECU_ReadDERFromFile(&certDER, inFile, ascii);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "unable to read input file");
-	    break;
-	}
-
-	/* Read in an ASCII cert and return a CERTCertificate */
-	cert = CERT_DecodeCertFromPackage((char *)certDER.data, certDER.len);
-	if (!cert) {
-	    SECU_PrintError(progName, "could not obtain certificate from file"); 
-	    GEN_BREAK(SECFailure);
-	}
-
-	/* Create a cert trust */
-	trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
-	if (!trust) {
-	    SECU_PrintError(progName, "unable to allocate cert trust");
-	    GEN_BREAK(SECFailure);
-	}
-
-	rv = CERT_DecodeTrustString(trust, trusts);
-	if (rv) {
-	    SECU_PrintError(progName, "unable to decode trust string");
-	    GEN_BREAK(SECFailure);
-	}
-
-	rv =  PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, name, PR_FALSE);
-	if (rv != SECSuccess) {
-	    /* sigh, PK11_Import Cert and CERT_ChangeCertTrust should have 
-	     * been coded to take a password arg. */
-	    if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
-		rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-		if (rv != SECSuccess) {
-                    SECU_PrintError(progName, 
-				"could not authenticate to token %s.",
-				PK11_GetTokenName(slot));
-		    GEN_BREAK(SECFailure);
-		}
-		rv = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, 
-				     name, PR_FALSE);
-	    }
-	    if (rv != SECSuccess) {
-		SECU_PrintError(progName, 
-			"could not add certificate to token or database");
-		GEN_BREAK(SECFailure);
-	    }
-	}
-
-	rv = CERT_ChangeCertTrust(handle, cert, trust);
-	if (rv != SECSuccess) {
-	    if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
-		rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-		if (rv != SECSuccess) {
-                    SECU_PrintError(progName, 
-				"could not authenticate to token %s.",
-				PK11_GetTokenName(slot));
-		    GEN_BREAK(SECFailure);
-		}
-		rv = CERT_ChangeCertTrust(handle, cert, trust);
-	    }
-	    if (rv != SECSuccess) {
-		SECU_PrintError(progName, 
-			"could not change trust on certificate");
-		GEN_BREAK(SECFailure);
-	    }
-	}
-
-	if ( emailcert ) {
-	    CERT_SaveSMimeProfile(cert, NULL, pwdata);
-	}
-
-    } while (0);
-
-    CERT_DestroyCertificate (cert);
-    PORT_Free(trust);
-    PORT_Free(certDER.data);
-
-    return rv;
-}
-
-static SECStatus
-CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
-        SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, 
-	const char *emailAddrs, const char *dnsNames,
-        certutilExtnList extnList,
-        PRFileDesc *outFile)
-{
-    CERTSubjectPublicKeyInfo *spki;
-    CERTCertificateRequest *cr;
-    SECItem *encoding;
-    SECOidTag signAlgTag;
-    SECItem result;
-    SECStatus rv;
-    PRArenaPool *arena;
-    PRInt32 numBytes;
-    void *extHandle;
-
-    /* Create info about public key */
-    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
-    if (!spki) {
-	SECU_PrintError(progName, "unable to create subject public key");
-	return SECFailure;
-    }
-    
-    /* Generate certificate request */
-    cr = CERT_CreateCertificateRequest(subject, spki, NULL);
-    if (!cr) {
-	SECU_PrintError(progName, "unable to make certificate request");
-	return SECFailure;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	SECU_PrintError(progName, "out of memory");
-	return SECFailure;
-    }
-    
-    extHandle = CERT_StartCertificateRequestAttributes(cr);
-    if (extHandle == NULL) {
-        PORT_FreeArena (arena, PR_FALSE);
-	return SECFailure;
-    }
-    if (AddExtensions(extHandle, emailAddrs, dnsNames, extnList)
-                  != SECSuccess) {
-        PORT_FreeArena (arena, PR_FALSE);
-        return SECFailure;
-    }
-    CERT_FinishExtensions(extHandle);
-    CERT_FinishCertificateRequestAttributes(cr);
-
-    /* Der encode the request */
-    encoding = SEC_ASN1EncodeItem(arena, NULL, cr,
-                                  SEC_ASN1_GET(CERT_CertificateRequestTemplate));
-    if (encoding == NULL) {
-	SECU_PrintError(progName, "der encoding of request failed");
-	return SECFailure;
-    }
-
-    /* Sign the request */
-    signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
-    if (signAlgTag == SEC_OID_UNKNOWN) {
-	SECU_PrintError(progName, "unknown Key or Hash type");
-	return SECFailure;
-    }
-    rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len, 
-			 privk, signAlgTag);
-    if (rv) {
-	SECU_PrintError(progName, "signing of data failed");
-	return SECFailure;
-    }
-
-    /* Encode request in specified format */
-    if (ascii) {
-	char *obuf;
-	char *name, *email, *org, *state, *country;
-	SECItem *it;
-	int total;
-
-	it = &result;
-
-	obuf = BTOA_ConvertItemToAscii(it);
-	total = PL_strlen(obuf);
-
-	name = CERT_GetCommonName(subject);
-	if (!name) {
-	    name = strdup("(not specified)");
-	}
-
-	if (!phone)
-	    phone = strdup("(not specified)");
-
-	email = CERT_GetCertEmailAddress(subject);
-	if (!email)
-	    email = strdup("(not specified)");
-
-	org = CERT_GetOrgName(subject);
-	if (!org)
-	    org = strdup("(not specified)");
-
-	state = CERT_GetStateName(subject);
-	if (!state)
-	    state = strdup("(not specified)");
-
-	country = CERT_GetCountryName(subject);
-	if (!country)
-	    country = strdup("(not specified)");
-
-	PR_fprintf(outFile, 
-	           "\nCertificate request generated by Netscape certutil\n");
-	PR_fprintf(outFile, "Phone: %s\n\n", phone);
-	PR_fprintf(outFile, "Common Name: %s\n", name);
-	PR_fprintf(outFile, "Email: %s\n", email);
-	PR_fprintf(outFile, "Organization: %s\n", org);
-	PR_fprintf(outFile, "State: %s\n", state);
-	PR_fprintf(outFile, "Country: %s\n\n", country);
-
-	PR_fprintf(outFile, "%s\n", NS_CERTREQ_HEADER);
-	numBytes = PR_Write(outFile, obuf, total);
-	if (numBytes != total) {
-	    SECU_PrintSystemError(progName, "write error");
-	    return SECFailure;
-	}
-	PR_fprintf(outFile, "\n%s\n", NS_CERTREQ_TRAILER);
-    } else {
-	numBytes = PR_Write(outFile, result.data, result.len);
-	if (numBytes != (int)result.len) {
-	    SECU_PrintSystemError(progName, "write error");
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-static SECStatus 
-ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
-			char *name, char *trusts, void *pwdata)
-{
-    SECStatus rv;
-    CERTCertificate *cert;
-    CERTCertTrust *trust;
-    
-    cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-    if (!cert) {
-	SECU_PrintError(progName, "could not find certificate named \"%s\"",
-			name);
-	return SECFailure;
-    }
-
-    trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust));
-    if (!trust) {
-	SECU_PrintError(progName, "unable to allocate cert trust");
-	return SECFailure;
-    }
-
-    /* This function only decodes these characters: pPwcTCu, */
-    rv = CERT_DecodeTrustString(trust, trusts);
-    if (rv) {
-	SECU_PrintError(progName, "unable to decode trust string");
-	return SECFailure;
-    }
-
-    /* CERT_ChangeCertTrust API does not have a way to pass in
-     * a context, so NSS can't prompt for the password if it needs to.
-     * check to see if the failure was token not logged in and 
-     * log in if need be. */
-    rv = CERT_ChangeCertTrust(handle, cert, trust);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
-	    rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-	    if (rv != SECSuccess) {
-		SECU_PrintError(progName, "could not authenticate to token %s.",
-                                PK11_GetTokenName(slot));
-		return SECFailure;
-	    }
-	    rv = CERT_ChangeCertTrust(handle, cert, trust);
-	}
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "unable to modify trust attributes");
-	    return SECFailure;
-	}
-    }
-    CERT_DestroyCertificate(cert);
-
-    return SECSuccess;
-}
-
-static SECStatus
-DumpChain(CERTCertDBHandle *handle, char *name)
-{
-    CERTCertificate *the_cert;
-    CERTCertificateList *chain;
-    int i, j;
-    the_cert = PK11_FindCertFromNickname(name, NULL);
-    if (!the_cert) {
-	SECU_PrintError(progName, "Could not find: %s\n", name);
-	return SECFailure;
-    }
-    chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
-    CERT_DestroyCertificate(the_cert);
-    if (!chain) {
-	SECU_PrintError(progName, "Could not obtain chain for: %s\n", name);
-	return SECFailure;
-    }
-    for (i=chain->len-1; i>=0; i--) {
-	CERTCertificate *c;
-	c = CERT_FindCertByDERCert(handle, &chain->certs[i]);
-	for (j=i; j<chain->len-1; j++) printf("  ");
-	printf("\"%s\" [%s]\n\n", c->nickname, c->subjectName);
-	CERT_DestroyCertificate(c);
-    }
-    CERT_DestroyCertificateList(chain);
-    return SECSuccess;
-}
-
-static SECStatus
-listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
-          PRBool raw, PRBool ascii, PRFileDesc *outfile, void *pwarg)
-{
-    SECItem data;
-    PRInt32 numBytes;
-    SECStatus rv = SECFailure;
-    CERTCertList *certs;
-    CERTCertListNode *node;
-
-    /* List certs on a non-internal slot. */
-    if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) {
-        SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, pwarg);
-        if (newrv != SECSuccess) {
-            SECU_PrintError(progName, "could not authenticate to token %s.",
-                            PK11_GetTokenName(slot));
-            return SECFailure;
-        }
-    }
-    if (name) {
-	CERTCertificate *the_cert;
-	the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-	if (!the_cert) {
-	    the_cert = PK11_FindCertFromNickname(name, NULL);
-	    if (!the_cert) {
-		SECU_PrintError(progName, "Could not find: %s\n", name);
-		return SECFailure;
-	    }
-	}
-	/* Here, we have one cert with the desired nickname or email 
-	 * address.  Now, we will attempt to get a list of ALL certs 
-	 * with the same subject name as the cert we have.  That list 
-	 * should contain, at a minimum, the one cert we have already found.
-	 * If the list of certs is empty (NULL), the libraries have failed.
-	 */
-	certs = CERT_CreateSubjectCertList(NULL, handle, &the_cert->derSubject,
-		PR_Now(), PR_FALSE);
-	CERT_DestroyCertificate(the_cert);
-	if (!certs) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    SECU_PrintError(progName, "problem printing certificates");
-	    return SECFailure;
-	}
-	for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
-						node = CERT_LIST_NEXT(node)) {
-	    the_cert = node->cert;
-	    /* now get the subjectList that matches this cert */
-	    data.data = the_cert->derCert.data;
-	    data.len = the_cert->derCert.len;
-	    if (ascii) {
-		PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
-		        BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
-		rv = SECSuccess;
-	    } else if (raw) {
-		numBytes = PR_Write(outfile, data.data, data.len);
-		if (numBytes != (PRInt32) data.len) {
-		   SECU_PrintSystemError(progName, "error writing raw cert");
-		    rv = SECFailure;
-		}
-		rv = SECSuccess;
-	    } else {
-		rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
-                                                  the_cert->trust);
-		if (rv != SECSuccess) {
-		    SECU_PrintError(progName, "problem printing certificate");
-		}
-
-	    }
-	    if (rv != SECSuccess) {
-		break;
-	    }
-	}
-    } else {
-
-	certs = PK11_ListCertsInSlot(slot);
-	if (certs) {
-	    for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
-						node = CERT_LIST_NEXT(node)) {
-		SECU_PrintCertNickname(node,stdout);
-	    }
-	    rv = SECSuccess;
-	}
-    }
-    if (certs) {
-        CERT_DestroyCertList(certs);
-    }
-    if (rv) {
-	SECU_PrintError(progName, "problem printing certificate nicknames");
-	return SECFailure;
-    }
-
-    return SECSuccess;	/* not rv ?? */
-}
-
-static SECStatus
-ListCerts(CERTCertDBHandle *handle, char *nickname, PK11SlotInfo *slot,
-          PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
-{
-    SECStatus rv;
-
-    if (!ascii && !raw && !nickname) {
-        PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n",
-                   "Certificate Nickname", "Trust Attributes", "",
-                   "SSL,S/MIME,JAR/XPI");
-    }
-    if (slot == NULL) {
-	CERTCertList *list;
-	CERTCertListNode *node;
-
-	list = PK11_ListCerts(PK11CertListAll, pwdata);
-	for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
-	     node = CERT_LIST_NEXT(node)) 
-	{
-	    SECU_PrintCertNickname(node, stdout);
-	}
-	CERT_DestroyCertList(list);
-	return SECSuccess;
-    } else {
-	rv = listCerts(handle,nickname,slot,raw,ascii,outfile,pwdata);
-    }
-    return rv;
-}
-
-static SECStatus 
-DeleteCert(CERTCertDBHandle *handle, char *name)
-{
-    SECStatus rv;
-    CERTCertificate *cert;
-
-    cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-    if (!cert) {
-	SECU_PrintError(progName, "could not find certificate named \"%s\"",
-			name);
-	return SECFailure;
-    }
-
-    rv = SEC_DeletePermCertificate(cert);
-    CERT_DestroyCertificate(cert);
-    if (rv) {
-	SECU_PrintError(progName, "unable to delete certificate");
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-static SECStatus
-ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
-	     char *certUsage, PRBool checkSig, PRBool logit, secuPWData *pwdata)
-{
-    SECStatus rv;
-    CERTCertificate *cert = NULL;
-    int64 timeBoundary;
-    SECCertificateUsage usage;
-    CERTVerifyLog reallog;
-    CERTVerifyLog *log = NULL;
-
-    if (!certUsage) {
-	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	    return (SECFailure);
-    }
-    
-    switch (*certUsage) {
-	case 'O':
-	    usage = certificateUsageStatusResponder;
-	    break;
-	case 'C':
-	    usage = certificateUsageSSLClient;
-	    break;
-	case 'V':
-	    usage = certificateUsageSSLServer;
-	    break;
-	case 'S':
-	    usage = certificateUsageEmailSigner;
-	    break;
-	case 'R':
-	    usage = certificateUsageEmailRecipient;
-	    break;
-	case 'J':
-	    usage = certificateUsageObjectSigner;
-	    break;
-	default:
-	    PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	    return (SECFailure);
-    }
-    do {
-	cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
-	if (!cert) {
-	    SECU_PrintError(progName, "could not find certificate named \"%s\"",
-			    name);
-	    GEN_BREAK (SECFailure)
-	}
-
-	if (date != NULL) {
-	    rv = DER_AsciiToTime(&timeBoundary, date);
-	    if (rv) {
-		SECU_PrintError(progName, "invalid input date");
-		GEN_BREAK (SECFailure)
-	    }
-	} else {
-	    timeBoundary = PR_Now();
-	}
-
-	if ( logit ) {
-	    log = &reallog;
-	    
-	    log->count = 0;
-	    log->head = NULL;
-	    log->tail = NULL;
-	    log->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	    if ( log->arena == NULL ) {
-		SECU_PrintError(progName, "out of memory");
-		GEN_BREAK (SECFailure)
-	    }
-	}
- 
-	rv = CERT_VerifyCertificate(handle, cert, checkSig, usage,
-			     timeBoundary, pwdata, log, &usage);
-	if ( log ) {
-	    if ( log->head == NULL ) {
-		fprintf(stdout, "%s: certificate is valid\n", progName);
-		GEN_BREAK (SECSuccess)
-	    } else {
-		char *name;
-		CERTVerifyLogNode *node;
-		
-		node = log->head;
-		while ( node ) {
-		    if ( node->cert->nickname != NULL ) {
-			name = node->cert->nickname;
-		    } else {
-			name = node->cert->subjectName;
-		    }
-		    fprintf(stderr, "%s : %s\n", name, 
-		    	SECU_Strerror(node->error));
-		    CERT_DestroyCertificate(node->cert);
-		    node = node->next;
-		}
-	    }
-	} else {
-	    if (rv != SECSuccess) {
-		PRErrorCode perr = PORT_GetError();
-		fprintf(stdout, "%s: certificate is invalid: %s\n",
-			progName, SECU_Strerror(perr));
-		GEN_BREAK (SECFailure)
-	    }
-	    fprintf(stdout, "%s: certificate is valid\n", progName);
-	    GEN_BREAK (SECSuccess)
-	}
-    } while (0);
-
-    if (cert) {
-        CERT_DestroyCertificate(cert);
-    }
-
-    return (rv);
-}
-
-static PRBool
-ItemIsPrintableASCII(const SECItem * item)
-{
-    unsigned char *src = item->data;
-    unsigned int   len = item->len;
-    while (len-- > 0) {
-        unsigned char uc = *src++;
-	if (uc < 0x20 || uc > 0x7e) 
-	    return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-/* Caller ensures that dst is at least item->len*2+1 bytes long */
-static void
-SECItemToHex(const SECItem * item, char * dst)
-{
-    if (dst && item && item->data) {
-	unsigned char * src = item->data;
-	unsigned int    len = item->len;
-	for (; len > 0; --len, dst += 2) {
-	    sprintf(dst, "%02x", *src++);
-	}
-	*dst = '\0';
-    }
-}
-
-static const char * const keyTypeName[] = {
-  "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec" };
-
-#define MAX_CKA_ID_BIN_LEN 20
-#define MAX_CKA_ID_STR_LEN 40
-
-/* print key number, key ID (in hex or ASCII), key label (nickname) */
-static SECStatus
-PrintKey(PRFileDesc *out, const char *nickName, int count, 
-         SECKEYPrivateKey *key, void *pwarg)
-{
-    SECItem * ckaID;
-    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
-
-    pwarg = NULL;
-    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
-    if (!ckaID) {
-	strcpy(ckaIDbuf, "(no CKA_ID)");
-    } else if (ItemIsPrintableASCII(ckaID)) {
-	int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
-	ckaIDbuf[0] = '"';
-	memcpy(ckaIDbuf + 1, ckaID->data, len);
-	ckaIDbuf[1 + len] = '"';
-	ckaIDbuf[2 + len] = '\0';
-    } else {
-    	/* print ckaid in hex */
-	SECItem idItem = *ckaID;
-	if (idItem.len > MAX_CKA_ID_BIN_LEN)
-	    idItem.len = MAX_CKA_ID_BIN_LEN;
-        SECItemToHex(&idItem, ckaIDbuf);
-    }
-
-    PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count, 
-               keyTypeName[key->keyType], ckaIDbuf, nickName);
-    SECITEM_ZfreeItem(ckaID, PR_TRUE);
-
-    return SECSuccess;
-}
-
-/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */
-static SECStatus
-ListKeysInSlot(PK11SlotInfo *slot, const char *nickName, KeyType keyType, 
-               void *pwarg)
-{
-    SECKEYPrivateKeyList *list;
-    SECKEYPrivateKeyListNode *node;
-    int count = 0;
-
-    if (PK11_NeedLogin(slot)) {
-        SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
-        if (rv != SECSuccess) {
-            SECU_PrintError(progName, "could not authenticate to token %s.",
-                            PK11_GetTokenName(slot));
-            return SECFailure;
-        }
-    }
-
-    if (nickName && nickName[0]) 
-	list = PK11_ListPrivKeysInSlot(slot, (char *)nickName, pwarg);
-    else
-	list = PK11_ListPrivateKeysInSlot(slot);
-    if (list == NULL) {
-	SECU_PrintError(progName, "problem listing keys");
-	return SECFailure;
-    }
-    for (node=PRIVKEY_LIST_HEAD(list); 
-             !PRIVKEY_LIST_END(node,list);
-	 node=PRIVKEY_LIST_NEXT(node)) {
-	char * keyName;
-	static const char orphan[] = { "(orphan)" };
-
-	if (keyType != nullKey && keyType != node->key->keyType)
-	    continue;
-        keyName = PK11_GetPrivateKeyNickname(node->key);
-	if (!keyName || !keyName[0]) {
-	    /* Try extra hard to find nicknames for keys that lack them. */
-	    CERTCertificate * cert;
-	    PORT_Free((void *)keyName);
-	    keyName = NULL;
-	    cert = PK11_GetCertFromPrivateKey(node->key);
-	    if (cert) {
-		if (cert->nickname && cert->nickname[0]) {
-		    keyName = PORT_Strdup(cert->nickname);
-		} else if (cert->emailAddr && cert->emailAddr[0]) {
-		    keyName = PORT_Strdup(cert->emailAddr);
-		}
-		CERT_DestroyCertificate(cert);
-	    }
-	}
-	if (nickName) {
-	    if (!keyName || PL_strcmp(keyName,nickName)) {
-		/* PKCS#11 module returned unwanted keys */
-	        PORT_Free((void *)keyName);
-		continue;
-	    }
-	}
-	if (!keyName)
-	    keyName = (char *)orphan;
-
-	PrintKey(PR_STDOUT, keyName, count, node->key, pwarg);
-
-	if (keyName != (char *)orphan)
-	    PORT_Free((void *)keyName);
-	count++;
-    }
-    SECKEY_DestroyPrivateKeyList(list);
-
-    if (count == 0) {
-	PR_fprintf(PR_STDOUT, "%s: no keys found\n", progName);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */
-static SECStatus
-ListKeys(PK11SlotInfo *slot, const char *nickName, int index, 
-         KeyType keyType, PRBool dopriv, secuPWData *pwdata)
-{
-    SECStatus rv = SECFailure;
-    static const char fmt[] = \
-    	"%s: Checking token \"%.33s\" in slot \"%.65s\"\n";
-
-    if (slot == NULL) {
-	PK11SlotList *list;
-	PK11SlotListElement *le;
-
-	list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata);
-	if (list) {
-	    for (le = list->head; le; le = le->next) {
-		PR_fprintf(PR_STDOUT, fmt, progName, 
-			   PK11_GetTokenName(le->slot), 
-			   PK11_GetSlotName(le->slot));
-		rv &= ListKeysInSlot(le->slot,nickName,keyType,pwdata);
-	    }
-	    PK11_FreeSlotList(list);
-	}
-    } else {
-	PR_fprintf(PR_STDOUT, fmt, progName, PK11_GetTokenName(slot), 
-	           PK11_GetSlotName(slot));
-	rv = ListKeysInSlot(slot,nickName,keyType,pwdata);
-    }
-    return rv;
-}
-
-static SECStatus
-DeleteKey(char *nickname, secuPWData *pwdata)
-{
-    SECStatus rv;
-    CERTCertificate *cert;
-    PK11SlotInfo *slot;
-
-    slot = PK11_GetInternalKeySlot();
-    if (PK11_NeedLogin(slot)) {
-        SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-        if (rv != SECSuccess) {
-            SECU_PrintError(progName, "could not authenticate to token %s.",
-                            PK11_GetTokenName(slot));
-            return SECFailure;
-        }
-    }
-    cert = PK11_FindCertFromNickname(nickname, pwdata);
-    if (!cert) {
-	PK11_FreeSlot(slot);
-	return SECFailure;
-    }
-    rv = PK11_DeleteTokenCertAndKey(cert, pwdata);
-    if (rv != SECSuccess) {
-	SECU_PrintError("problem deleting private key \"%s\"\n", nickname);
-    }
-    CERT_DestroyCertificate(cert);
-    PK11_FreeSlot(slot);
-    return rv;
-}
-
-
-/*
- *  L i s t M o d u l e s
- *
- *  Print a list of the PKCS11 modules that are
- *  available. This is useful for smartcard people to
- *  make sure they have the drivers loaded.
- *
- */
-static SECStatus
-ListModules(void)
-{
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,NULL);
-    if (list == NULL) return SECFailure;
-
-    /* look at each slot*/
-    for (le = list->head ; le; le = le->next) {
-      printf ("\n");
-      printf ("    slot: %s\n", PK11_GetSlotName(le->slot));
-      printf ("   token: %s\n", PK11_GetTokenName(le->slot));
-    }
-    PK11_FreeSlotList(list);
-
-    return SECSuccess;
-}
-
-static void 
-Usage(char *progName)
-{
-#define FPS fprintf(stderr, 
-    FPS "Type %s -H for more detailed descriptions\n", progName);
-    FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
-    FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
-	"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
-    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
-    	progName);
-    FPS "\t%s -B -i batch-file\n", progName);
-    FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
-	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-        "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
-        "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
-        "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
-        "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
-        "\t\t [-8 dns-names] [-a]\n",
-	progName);
-    FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
-	progName);
-    FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
-	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
-	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-#ifdef NSS_ENABLE_ECC
-    FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
-	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", 
-	progName);
-#else
-    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", 
-	progName);
-#endif /* NSS_ENABLE_ECC */
-    FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
-    FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
-	progName);
-    FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
-    FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
-    FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
-    FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
-	progName);
-    FPS "\t\t [-P targetDBPrefix] [--source-prefix sourceDBPrefix]\n");
-    FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
-    FPS "\t%s -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]\n", progName);
-    FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
-	progName);
-    FPS "\t%s -O -n cert-name [-X] [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
-	"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile] [-g key-size]\n",
-	progName);
-    FPS "\t%s -V -n cert-name -u usage [-b time] [-e] \n"
-	"\t\t[-X] [-d certdir] [-P dbprefix]\n",
-	progName);
-    FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x]  -t trustargs\n"
-	"\t\t [-k key-type-or-id] [-q key-params] [-h token-name] [-g key-size]\n"
-        "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-	"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
-        "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
-        "\t\t [-8 DNS-names]\n"
-        "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
-        "\t\t [--extSKID]\n", progName);
-    FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
-    exit(1);
-}
-
-static void LongUsage(char *progName)
-{
-
-    FPS "%-15s Add a certificate to the database        (create if needed)\n",
-	"-A");
-    FPS "%-20s\n", "   All options under -E apply");
-    FPS "%-15s Run a series of certutil commands from a batch file\n", "-B");
-    FPS "%-20s Specify the batch file\n", "   -i batch-file");
-    FPS "%-15s Add an Email certificate to the database (create if needed)\n",
-	"-E");
-    FPS "%-20s Specify the nickname of the certificate to add\n",
-	"   -n cert-name");
-    FPS "%-20s Set the certificate trust attributes:\n",
-	"   -t trustargs");
-    FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
-    FPS "%-25s and z is for code signing\n", "");
-    FPS "%-25s p \t valid peer\n", "");
-    FPS "%-25s P \t trusted peer (implies p)\n", "");
-    FPS "%-25s c \t valid CA\n", "");
-    FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
-    FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
-    FPS "%-25s u \t user cert\n", "");
-    FPS "%-25s w \t send warning\n", "");
-    FPS "%-25s g \t make step-up cert\n", "");
-    FPS "%-20s Specify the password file\n",
-	"   -f pwfile");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s The input certificate is encoded in ASCII (RFC1113)\n",
-	"   -a");
-    FPS "%-20s Specify the certificate file (default is stdin)\n",
-	"   -i input");
-    FPS "\n");
-
-    FPS "%-15s Create a new binary certificate from a BINARY cert request\n",
-	"-C");
-    FPS "%-20s The nickname of the issuer cert\n",
-	"   -c issuer-name");
-    FPS "%-20s The BINARY certificate request file\n",
-	"   -i cert-request ");
-    FPS "%-20s Output binary cert to this file (default is stdout)\n",
-	"   -o output-cert");
-    FPS "%-20s Self sign\n",
-	"   -x");
-    FPS "%-20s Cert serial number\n",
-	"   -m serial-number");
-    FPS "%-20s Time Warp\n",
-	"   -w warp-months");
-    FPS "%-20s Months valid (default is 3)\n",
-        "   -v months-valid");
-    FPS "%-20s Specify the password file\n",
-	"   -f pwfile");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s \n"
-              "%-20s Create key usage extension. Possible keywords:\n"
-              "%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
-              "%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
-              "%-20s \"crlSigning\", \"critical\"\n",
-        "   -1 | --keyUsage keyword,keyword,...", "", "", "", "");
-    FPS "%-20s Create basic constraint extension\n",
-	"   -2 ");
-    FPS "%-20s Create authority key ID extension\n",
-	"   -3 ");
-    FPS "%-20s Create crl distribution point extension\n",
-	"   -4 ");
-    FPS "%-20s \n"
-              "%-20s Create netscape cert type extension. Possible keywords:\n"
-              "%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
-              "%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
-        "   -5 | -nsCertType keyword,keyword,... ", "", "", "");
-    FPS "%-20s \n"
-              "%-20s Create extended key usage extension. Possible keywords:\n"
-              "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
-              "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
-              "%-20s \"stepUp\", \"critical\"\n",
-	"   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
-    FPS "%-20s Create an email subject alt name extension\n",
-	"   -7 emailAddrs");
-    FPS "%-20s Create an dns subject alt name extension\n",
-	"   -8 dnsNames");
-    FPS "%-20s The input certificate request is encoded in ASCII (RFC1113)\n",
-	"   -a");
-    FPS "\n");
-
-    FPS "%-15s Generate a new key pair\n",
-	"-G");
-    FPS "%-20s Name of token in which to generate key (default is internal)\n",
-	"   -h token-name");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-	"   -k key-type");
-    FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
-	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-	"   -k key-type");
-    FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
-	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#endif /* NSS_ENABLE_ECC */
-    FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
-	"   -y exp");
-    FPS "%-20s Specify the password file\n",
-        "   -f password-file");
-    FPS "%-20s Specify the noise file to be used\n",
-	"   -z noisefile");
-    FPS "%-20s read PQG value from pqgfile (dsa only)\n",
-	"   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Elliptic curve name (ec only)\n",
-	"   -q curve-name");
-    FPS "%-20s One of nistp256, nistp384, nistp521\n", "");
-#ifdef NSS_ECC_MORE_THAN_SUITE_B
-    FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
-    FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
-    FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
-    FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
-    FPS "%-20s nistb409, sect571k1, nistk571, sect571r1, nistb571,\n", "");
-    FPS "%-20s secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,\n", "");
-    FPS "%-20s nistp192, secp224k1, secp224r1, nistp224, secp256k1,\n", "");
-    FPS "%-20s secp256r1, secp384r1, secp521r1,\n", "");
-    FPS "%-20s prime192v1, prime192v2, prime192v3, \n", "");
-    FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
-    FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
-    FPS "%-20s c2tnb191v2, c2tnb191v3,  \n", "");
-    FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
-    FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
-    FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
-    FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
-    FPS "%-20s sect131r1, sect131r2\n", "");
-#endif /* NSS_ECC_MORE_THAN_SUITE_B */
-#endif
-    FPS "%-20s Key database directory (default is ~/.netscape)\n",
-	"   -d keydir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "\n");
-
-    FPS "%-15s Delete a certificate from the database\n",
-	"-D");
-    FPS "%-20s The nickname of the cert to delete\n",
-	"   -n cert-name");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "\n");
-
-    FPS "%-15s List all modules\n", /*, or print out a single named module\n",*/
-        "-U");
-    FPS "%-20s Module database directory (default is '~/.netscape')\n",
-        "   -d moddir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s force the database to open R/W\n",
-	"   -X");
-    FPS "\n");
-
-    FPS "%-15s List all private keys\n",
-        "-K");
-          FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
-	"   -h token-name ");
-
-    FPS "%-20s Key type (\"all\" (default), \"dsa\","
-#ifdef NSS_ENABLE_ECC
-                                                    " \"ec\","
-#endif
-                                                             " \"rsa\")\n",
-	"   -k key-type");
-    FPS "%-20s The nickname of the key or associated certificate\n",
-	"   -n name");
-    FPS "%-20s Specify the password file\n",
-        "   -f password-file");
-    FPS "%-20s Key database directory (default is ~/.netscape)\n",
-	"   -d keydir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s force the database to open R/W\n",
-	"   -X");
-    FPS "\n");
-
-    FPS "%-15s List all certs, or print out a single named cert\n",
-	"-L");
-    FPS "%-20s Pretty print named cert (list all if unspecified)\n",
-	"   -n cert-name");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s force the database to open R/W\n",
-	"   -X");
-    FPS "%-20s For single cert, print binary DER encoding\n",
-	"   -r");
-    FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n",
-	"   -a");
-    FPS "\n");
-
-    FPS "%-15s Modify trust attributes of certificate\n",
-	"-M");
-    FPS "%-20s The nickname of the cert to modify\n",
-	"   -n cert-name");
-    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
-	"   -t trustargs");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "\n");
-
-    FPS "%-15s Create a new certificate database\n",
-	"-N");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "\n");
-    FPS "%-15s Reset the Key database or token\n",
-	"-T");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s Token to reset (default is internal)\n",
-	"   -h token-name");
-    FPS "%-20s Set token's Site Security Officer password\n",
-	"   -0 SSO-password");
-    FPS "\n");
-
-    FPS "\n");
-    FPS "%-15s Print the chain of a certificate\n",
-	"-O");
-    FPS "%-20s The nickname of the cert to modify\n",
-	"   -n cert-name");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s force the database to open R/W\n",
-	"   -X");
-    FPS "\n");
-
-    FPS "%-15s Generate a certificate request (stdout)\n",
-	"-R");
-    FPS "%-20s Specify the subject name (using RFC1485)\n",
-	"   -s subject");
-    FPS "%-20s Output the cert request to this file\n",
-	"   -o output-req");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_ENABLE_ECC */
-	"   -k key-type-or-id");
-    FPS "%-20s or nickname of the cert key to use \n",
-	"");
-    FPS "%-20s Name of token in which to generate key (default is internal)\n",
-	"   -h token-name");
-    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
-	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-    FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
-	"   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Elliptic curve name (ec only)\n",
-	"   -q curve-name");
-    FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
-	"");
-#endif /* NSS_ENABLE_ECC */
-    FPS "%-20s Specify the password file\n",
-	"   -f pwfile");
-    FPS "%-20s Key database directory (default is ~/.netscape)\n",
-	"   -d keydir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
-	"   -p phone");
-    FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
-	"   -a");
-    FPS "%-20s \n",
-	"   See -S for available extension options");
-    FPS "\n");
-
-    FPS "%-15s Validate a certificate\n",
-	"-V");
-    FPS "%-20s The nickname of the cert to Validate\n",
-	"   -n cert-name");
-    FPS "%-20s validity time (\"YYMMDDHHMMSS[+HHMM|-HHMM|Z]\")\n",
-	"   -b time");
-    FPS "%-20s Check certificate signature \n",
-	"   -e ");   
-    FPS "%-20s Specify certificate usage:\n", "   -u certusage");
-    FPS "%-25s C \t SSL Client\n", "");
-    FPS "%-25s V \t SSL Server\n", "");
-    FPS "%-25s S \t Email signer\n", "");
-    FPS "%-25s R \t Email Recipient\n", "");   
-    FPS "%-25s O \t OCSP status responder\n", "");   
-    FPS "%-25s J \t Object signer\n", "");   
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s force the database to open R/W\n",
-	"   -X");
-    FPS "\n");
-
-    FPS "%-15s Upgrade an old database and merge it into a new one\n",
-	"--upgrade-merge");
-    FPS "%-20s Cert database directory to merge into (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix of the target database\n",
-	"   -P dbprefix");
-    FPS "%-20s Specify the password file for the target database\n",
-	"   -f pwfile");
-    FPS "%-20s \n%-20s Cert database directory to upgrade from\n",
-	"   --source-dir certdir", "");
-    FPS "%-20s \n%-20s Cert & Key database prefix of the upgrade database\n",
-	"   --soruce-prefix dbprefix", "");
-    FPS "%-20s \n%-20s Unique identifier for the upgrade database\n",
-	"   --upgrade-id uniqueID", "");
-    FPS "%-20s \n%-20s Name of the token while it is in upgrade state\n",
-	"   --upgrade-token-name name", "");
-    FPS "%-20s Specify the password file for the upgrade database\n",
-	"   -@ pwfile");
-    FPS "\n");
-
-    FPS "%-15s Merge source database into the target database\n",
-	"--merge");
-    FPS "%-20s Cert database directory of target (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix of the target database\n",
-	"   -P dbprefix");
-    FPS "%-20s Specify the password file for the target database\n",
-	"   -f pwfile");
-    FPS "%-20s \n%-20s Cert database directory of the source database\n",
-	"   --source-dir certdir", "");
-    FPS "%-20s \n%-20s Cert & Key database prefix of the source database\n",
-	"   --source-prefix dbprefix", "");
-    FPS "%-20s Specify the password file for the source database\n",
-	"   -@ pwfile");
-    FPS "\n");
-
-    FPS "%-15s Make a certificate and add to database\n",
-        "-S");
-    FPS "%-20s Specify the nickname of the cert\n",
-        "   -n key-name");
-    FPS "%-20s Specify the subject name (using RFC1485)\n",
-        "   -s subject");
-    FPS "%-20s The nickname of the issuer cert\n",
-	"   -c issuer-name");
-    FPS "%-20s Set the certificate trust attributes (see -A above)\n",
-	"   -t trustargs");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_ENABLE_ECC */
-	"   -k key-type-or-id");
-    FPS "%-20s Name of token in which to generate key (default is internal)\n",
-	"   -h token-name");
-    FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
-	"   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-    FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
-	"   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
-    FPS "%-20s Elliptic curve name (ec only)\n",
-	"   -q curve-name");
-    FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
-	"");
-#endif /* NSS_ENABLE_ECC */
-    FPS "%-20s Self sign\n",
-	"   -x");
-    FPS "%-20s Cert serial number\n",
-	"   -m serial-number");
-    FPS "%-20s Time Warp\n",
-	"   -w warp-months");
-    FPS "%-20s Months valid (default is 3)\n",
-        "   -v months-valid");
-    FPS "%-20s Specify the password file\n",
-	"   -f pwfile");
-    FPS "%-20s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-20s Cert & Key database prefix\n",
-	"   -P dbprefix");
-    FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
-	"   -p phone");
-    FPS "%-20s Create key usage extension\n",
-	"   -1 ");
-    FPS "%-20s Create basic constraint extension\n",
-	"   -2 ");
-    FPS "%-20s Create authority key ID extension\n",
-	"   -3 ");
-    FPS "%-20s Create crl distribution point extension\n",
-	"   -4 ");
-    FPS "%-20s Create netscape cert type extension\n",
-	"   -5 ");
-    FPS "%-20s Create extended key usage extension\n",
-	"   -6 ");
-    FPS "%-20s Create an email subject alt name extension\n",
-	"   -7 emailAddrs ");
-    FPS "%-20s Create a DNS subject alt name extension\n",
-	"   -8 DNS-names");
-    FPS "%-20s Create an Authority Information Access extension\n",
-	"   --extAIA ");
-    FPS "%-20s Create a Subject Information Access extension\n",
-	"   --extSIA ");
-    FPS "%-20s Create a Certificate Policies extension\n",
-	"   --extCP ");
-    FPS "%-20s Create a Policy Mappings extension\n",
-	"   --extPM ");
-    FPS "%-20s Create a Policy Constraints extension\n",
-	"   --extPC ");
-    FPS "%-20s Create an Inhibit Any Policy extension\n",
-	"   --extIA ");
-    FPS "%-20s Create a subject key ID extension\n",
-	"   --extSKID ");
-    FPS "\n");
-
-    exit(1);
-#undef FPS
-}
-
-
-static CERTCertificate *
-MakeV1Cert(	CERTCertDBHandle *	handle, 
-		CERTCertificateRequest *req,
-	    	char *			issuerNickName, 
-		PRBool 			selfsign, 
-		unsigned int 		serialNumber,
-		int 			warpmonths,
-                int                     validityMonths)
-{
-    CERTCertificate *issuerCert = NULL;
-    CERTValidity *validity;
-    CERTCertificate *cert = NULL;
-    PRExplodedTime printableTime;
-    PRTime now, after;
-
-    if ( !selfsign ) {
-	issuerCert = CERT_FindCertByNicknameOrEmailAddr(handle, issuerNickName);
-	if (!issuerCert) {
-	    SECU_PrintError(progName, "could not find certificate named \"%s\"",
-			    issuerNickName);
-	    return NULL;
-	}
-    }
-
-    now = PR_Now();
-    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
-    if ( warpmonths ) {
-	printableTime.tm_month += warpmonths;
-	now = PR_ImplodeTime (&printableTime);
-	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
-    }
-    printableTime.tm_month += validityMonths;
-    after = PR_ImplodeTime (&printableTime);
-
-    /* note that the time is now in micro-second unit */
-    validity = CERT_CreateValidity (now, after);
-    if (validity) {
-        cert = CERT_CreateCertificate(serialNumber, 
-				      (selfsign ? &req->subject 
-				                : &issuerCert->subject), 
-	                              validity, req);
-    
-        CERT_DestroyValidity(validity);
-    }
-    if ( issuerCert ) {
-	CERT_DestroyCertificate (issuerCert);
-    }
-    
-    return(cert);
-}
-
-static SECItem *
-SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, 
-         SECOidTag hashAlgTag,
-         SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
-{
-    SECItem der;
-    SECItem *result = NULL;
-    SECKEYPrivateKey *caPrivateKey = NULL;    
-    SECStatus rv;
-    PRArenaPool *arena;
-    SECOidTag algID;
-    void *dummy;
-
-    if( !selfsign ) {
-      CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
-      if( (CERTCertificate *)NULL == issuer ) {
-        SECU_PrintError(progName, "unable to find issuer with nickname %s", 
-	                issuerNickName);
-        return (SECItem *)NULL;
-      }
-
-      privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
-      CERT_DestroyCertificate(issuer);
-      if (caPrivateKey == NULL) {
-	SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
-	return NULL;
-      }
-    }
-	
-    arena = cert->arena;
-
-    algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
-    if (algID == SEC_OID_UNKNOWN) {
-	fprintf(stderr, "Unknown key or hash type for issuer.");
-	goto done;
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "Could not set signature algorithm id.");
-	goto done;
-    }
-
-    /* we only deal with cert v3 here */
-    *(cert->version.data) = 2;
-    cert->version.len = 1;
-
-    der.len = 0;
-    der.data = NULL;
-    dummy = SEC_ASN1EncodeItem (arena, &der, cert,
-			 	SEC_ASN1_GET(CERT_CertificateTemplate));
-    if (!dummy) {
-	fprintf (stderr, "Could not encode certificate.\n");
-	goto done;
-    }
-
-    result = (SECItem *) PORT_ArenaZAlloc (arena, sizeof (SECItem));
-    if (result == NULL) {
-	fprintf (stderr, "Could not allocate item for certificate data.\n");
-	goto done;
-    }
-
-    rv = SEC_DerSignData(arena, result, der.data, der.len, privKey, algID);
-    if (rv != SECSuccess) {
-	fprintf (stderr, "Could not sign encoded certificate data.\n");
-	/* result allocated out of the arena, it will be freed
-	 * when the arena is freed */
-	result = NULL;
-	goto done;
-    }
-    cert->derCert = *result;
-done:
-    if (caPrivateKey) {
-	SECKEY_DestroyPrivateKey(caPrivateKey);
-    }
-    return result;
-}
-
-static SECStatus
-CreateCert(
-	CERTCertDBHandle *handle, 
-	PK11SlotInfo *slot,
-	char *  issuerNickName, 
-	PRFileDesc *inFile,
-	PRFileDesc *outFile, 
-	SECKEYPrivateKey **selfsignprivkey,
-	void 	*pwarg,
-	SECOidTag hashAlgTag,
-	unsigned int serialNumber, 
-	int     warpmonths,
-	int     validityMonths,
-	const char *emailAddrs,
-	const char *dnsNames,
-	PRBool  ascii,
-	PRBool  selfsign,
-	certutilExtnList extnList)
-{
-    void *	extHandle;
-    SECItem *	certDER;
-    CERTCertificate *subjectCert 	= NULL;
-    CERTCertificateRequest *certReq	= NULL;
-    SECStatus 	rv 			= SECSuccess;
-    SECItem 	reqDER;
-    CERTCertExtension **CRexts;
-
-    reqDER.data = NULL;
-    do {
-	/* Create a certrequest object from the input cert request der */
-	certReq = GetCertRequest(inFile, ascii);
-	if (certReq == NULL) {
-	    GEN_BREAK (SECFailure)
-	}
-
-	subjectCert = MakeV1Cert (handle, certReq, issuerNickName, selfsign,
-				  serialNumber, warpmonths, validityMonths);
-	if (subjectCert == NULL) {
-	    GEN_BREAK (SECFailure)
-	}
-        
-        
-	extHandle = CERT_StartCertExtensions (subjectCert);
-	if (extHandle == NULL) {
-	    GEN_BREAK (SECFailure)
-	}
-        
-        rv = AddExtensions(extHandle, emailAddrs, dnsNames, extnList);
-        if (rv != SECSuccess) {
-	    GEN_BREAK (SECFailure)
-	}
-        
-        if (certReq->attributes != NULL &&
-	    certReq->attributes[0] != NULL &&
-	    certReq->attributes[0]->attrType.data != NULL &&
-	    certReq->attributes[0]->attrType.len   > 0    &&
-            SECOID_FindOIDTag(&certReq->attributes[0]->attrType)
-                == SEC_OID_PKCS9_EXTENSION_REQUEST) {
-            rv = CERT_GetCertificateRequestExtensions(certReq, &CRexts);
-            if (rv != SECSuccess)
-                break;
-            rv = CERT_MergeExtensions(extHandle, CRexts);
-            if (rv != SECSuccess)
-                break;
-        }
-
-	CERT_FinishExtensions(extHandle);
-
-	/* self-signing a cert request, find the private key */
-	if (selfsign && *selfsignprivkey == NULL) {
-	    *selfsignprivkey = PK11_FindKeyByDERCert(slot, subjectCert, pwarg);
-	    if (!*selfsignprivkey) {
-		fprintf(stderr, "Failed to locate private key.\n");
-		rv = SECFailure;
-		break;
-	    }
-	}
-
-	certDER = SignCert(handle, subjectCert, selfsign, hashAlgTag,
-	                   *selfsignprivkey, issuerNickName,pwarg);
-
-	if (certDER) {
-	   if (ascii) {
-		PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CERT_HEADER, 
-		           BTOA_DataToAscii(certDER->data, certDER->len), 
-			   NS_CERT_TRAILER);
-	   } else {
-		PR_Write(outFile, certDER->data, certDER->len);
-	   }
-	}
-
-    } while (0);
-    CERT_DestroyCertificateRequest (certReq);
-    CERT_DestroyCertificate (subjectCert);
-    if (rv != SECSuccess) {
-	PRErrorCode  perr = PR_GetError();
-        fprintf(stderr, "%s: unable to create cert (%s)\n", progName,
-               SECU_Strerror(perr));
-    }
-    return (rv);
-}
-
-
-/*
- * map a class to a user presentable string
- */
-static const char *objClassArray[] = {
-   "Data",
-   "Certificate",
-   "Public Key",
-   "Private Key",
-   "Secret Key",
-   "Hardware Feature",
-   "Domain Parameters",
-   "Mechanism"
-};
-
-static const char *objNSSClassArray[] = {
-   "CKO_NSS",
-   "Crl",
-   "SMIME Record",
-   "Trust",
-   "Builtin Root List"
-};
-
-
-const char *
-getObjectClass(CK_ULONG classType)
-{
-    static char buf[sizeof(CK_ULONG)*2+3];
-
-    if (classType <= CKO_MECHANISM) {
-	return objClassArray[classType];
-    }
-    if (classType >= CKO_NSS && classType <= CKO_NSS_BUILTIN_ROOT_LIST) {
-	return objNSSClassArray[classType - CKO_NSS];
-    }
-    sprintf(buf, "0x%lx", classType);
-    return buf;
-}
-
-char *mkNickname(unsigned char *data, int len)
-{
-   char *nick = PORT_Alloc(len+1);
-   if (!nick) {
-	return nick;
-   }
-   PORT_Memcpy(nick, data, len);
-   nick[len] = 0;
-   return nick;
-}
-
-/*
- * dump a PK11_MergeTokens error log to the console
- */
-void
-DumpMergeLog(const char *progname, PK11MergeLog *log)
-{
-    PK11MergeLogNode *node;
-
-    for (node = log->head; node; node = node->next) {
-	SECItem  attrItem;
-	char *nickname = NULL;
-	const char *objectClass = NULL;
-	SECStatus rv;
-
-	attrItem.data = NULL;
-	rv = PK11_ReadRawAttribute(PK11_TypeGeneric, node->object, 
-				   CKA_LABEL, &attrItem);
-	if (rv == SECSuccess) {
-	    nickname = mkNickname(attrItem.data, attrItem.len);
-	    PORT_Free(attrItem.data);
-	}
-	attrItem.data = NULL;
-	rv = PK11_ReadRawAttribute(PK11_TypeGeneric, node->object, 
-				   CKA_CLASS, &attrItem);
-	if (rv == SECSuccess) {
-	     if (attrItem.len == sizeof(CK_ULONG)) {
-		objectClass = getObjectClass(*(CK_ULONG *)attrItem.data);
-	     }
-	     PORT_Free(attrItem.data);
-	}
-
-	fprintf(stderr, "%s: Could not merge object %s (type %s): %s\n",
-		progName,
-		nickname ? nickname : "unnamed",
-		objectClass ? objectClass : "unknown",
-		SECU_Strerror(node->error));
-
-	if (nickname) {
-	    PORT_Free(nickname);
-	}
-    }
-}
-
-/*  Certutil commands  */
-enum {
-    cmd_AddCert = 0,
-    cmd_CreateNewCert,
-    cmd_DeleteCert,
-    cmd_AddEmailCert,
-    cmd_DeleteKey,
-    cmd_GenKeyPair,
-    cmd_PrintHelp,
-    cmd_ListKeys,
-    cmd_ListCerts,
-    cmd_ModifyCertTrust,
-    cmd_NewDBs,
-    cmd_DumpChain,
-    cmd_CertReq,
-    cmd_CreateAndAddCert,
-    cmd_TokenReset,
-    cmd_ListModules,
-    cmd_CheckCertValidity,
-    cmd_ChangePassword,
-    cmd_Version,
-    cmd_Batch,
-    cmd_Merge,
-    cmd_UpgradeMerge /* test only */
-};
-
-/*  Certutil options */
-enum certutilOpts {
-    opt_SSOPass = 0,
-    opt_AddKeyUsageExt,
-    opt_AddBasicConstraintExt,
-    opt_AddAuthorityKeyIDExt,
-    opt_AddCRLDistPtsExt,
-    opt_AddNSCertTypeExt,
-    opt_AddExtKeyUsageExt,
-    opt_ExtendedEmailAddrs,
-    opt_ExtendedDNSNames,
-    opt_ASCIIForIO,
-    opt_ValidityTime,
-    opt_IssuerName,
-    opt_CertDir,
-    opt_VerifySig,
-    opt_PasswordFile,
-    opt_KeySize,
-    opt_TokenName,
-    opt_InputFile,
-    opt_KeyIndex,
-    opt_KeyType,
-    opt_DetailedInfo,
-    opt_SerialNumber,
-    opt_Nickname,
-    opt_OutputFile,
-    opt_PhoneNumber,
-    opt_DBPrefix,
-    opt_PQGFile,
-    opt_BinaryDER,
-    opt_Subject,
-    opt_Trust,
-    opt_Usage,
-    opt_Validity,
-    opt_OffsetMonths,
-    opt_SelfSign,
-    opt_RW,
-    opt_Exponent,
-    opt_NoiseFile,
-    opt_Hash,
-    opt_NewPasswordFile,
-    opt_AddAuthInfoAccExt,
-    opt_AddSubjInfoAccExt,
-    opt_AddCertPoliciesExt,
-    opt_AddPolicyMapExt,
-    opt_AddPolicyConstrExt,
-    opt_AddInhibAnyExt,
-    opt_AddSubjectKeyIDExt,
-    opt_AddCmdKeyUsageExt,
-    opt_AddCmdNSCertTypeExt,
-    opt_AddCmdExtKeyUsageExt,
-    opt_SourceDir,
-    opt_SourcePrefix,
-    opt_UpgradeID,
-    opt_UpgradeTokenName
-};
-
-static const
-secuCommandFlag commands_init[] =
-{
-	{ /* cmd_AddCert             */  'A', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_CreateNewCert       */  'C', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_DeleteCert          */  'D', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_AddEmailCert        */  'E', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_DeleteKey           */  'F', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_GenKeyPair          */  'G', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_PrintHelp           */  'H', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ListKeys            */  'K', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ListCerts           */  'L', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ModifyCertTrust     */  'M', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_NewDBs              */  'N', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_DumpChain           */  'O', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_CertReq             */  'R', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_CreateAndAddCert    */  'S', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_TokenReset          */  'T', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ListModules         */  'U', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_CheckCertValidity   */  'V', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ChangePassword      */  'W', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_Version             */  'Y', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_Batch               */  'B', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_Merge               */   0,  PR_FALSE, 0, PR_FALSE, "merge" },
-	{ /* cmd_UpgradeMerge        */   0,  PR_FALSE, 0, PR_FALSE, 
-                                                   "upgrade-merge" }
-};
-#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
- 
-static const 
-secuCommandFlag options_init[] =
-{
-	{ /* opt_SSOPass             */  '0', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_AddKeyUsageExt      */  '1', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_AddAuthorityKeyIDExt*/  '3', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_AddCRLDistPtsExt    */  '4', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_AddNSCertTypeExt    */  '5', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_AddExtKeyUsageExt   */  '6', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_ExtendedEmailAddrs  */  '7', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_ExtendedDNSNames    */  '8', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_ASCIIForIO          */  'a', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_ValidityTime        */  'b', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_IssuerName          */  'c', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_CertDir             */  'd', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_VerifySig           */  'e', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_PasswordFile        */  'f', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeySize             */  'g', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_TokenName           */  'h', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_InputFile           */  'i', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyIndex            */  'j', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyType             */  'k', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_DetailedInfo        */  'l', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_SerialNumber        */  'm', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Nickname            */  'n', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_OutputFile          */  'o', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_PhoneNumber         */  'p', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_DBPrefix            */  'P', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_PQGFile             */  'q', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_BinaryDER           */  'r', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_Subject             */  's', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Trust               */  't', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Usage               */  'u', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Validity            */  'v', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_OffsetMonths        */  'w', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_SelfSign            */  'x', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_RW                  */  'X', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_Exponent            */  'y', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Hash                */  'Z', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_NewPasswordFile     */  '@', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_AddAuthInfoAccExt   */  0,   PR_FALSE, 0, PR_FALSE, "extAIA" },
-	{ /* opt_AddSubjInfoAccExt   */  0,   PR_FALSE, 0, PR_FALSE, "extSIA" },
-	{ /* opt_AddCertPoliciesExt  */  0,   PR_FALSE, 0, PR_FALSE, "extCP" },
-	{ /* opt_AddPolicyMapExt     */  0,   PR_FALSE, 0, PR_FALSE, "extPM" },
-	{ /* opt_AddPolicyConstrExt  */  0,   PR_FALSE, 0, PR_FALSE, "extPC" },
-	{ /* opt_AddInhibAnyExt      */  0,   PR_FALSE, 0, PR_FALSE, "extIA" },
-	{ /* opt_AddSubjectKeyIDExt  */  0,   PR_FALSE, 0, PR_FALSE, 
-						   "extSKID" },
-	{ /* opt_AddCmdKeyUsageExt   */  0,   PR_TRUE,  0, PR_FALSE,
-                                                   "keyUsage" },
-	{ /* opt_AddCmdNSCertTypeExt */   0,   PR_TRUE,  0, PR_FALSE,
-                                                   "nsCertType" },
-	{ /* opt_AddCmdExtKeyUsageExt*/  0,   PR_TRUE,  0, PR_FALSE,
-                                                   "extKeyUsage" },
-
-	{ /* opt_SourceDir           */  0,   PR_TRUE,  0, PR_FALSE,
-                                                   "source-dir"},
-	{ /* opt_SourcePrefix        */  0,   PR_TRUE,  0, PR_FALSE, 
-						   "source-prefix"},
-	{ /* opt_UpgradeID           */  0,   PR_TRUE,  0, PR_FALSE, 
-                                                   "upgrade-id"},
-	{ /* opt_UpgradeTokenName    */  0,   PR_TRUE,  0, PR_FALSE, 
-                                                   "upgrade-token-name"},
-};
-#define NUM_OPTIONS ((sizeof options_init)  / (sizeof options_init[0]))
-
-static secuCommandFlag certutil_commands[NUM_COMMANDS];
-static secuCommandFlag certutil_options [NUM_OPTIONS ];
-
-static const secuCommand certutil = {
-    NUM_COMMANDS, 
-    NUM_OPTIONS, 
-    certutil_commands, 
-    certutil_options
-};
-
-static certutilExtnList certutil_extns;
-
-static int 
-certutil_main(int argc, char **argv, PRBool initialize)
-{
-    CERTCertDBHandle *certHandle;
-    PK11SlotInfo *slot = NULL;
-    CERTName *  subject         = 0;
-    PRFileDesc *inFile          = PR_STDIN;
-    PRFileDesc *outFile         = NULL;
-    char *      certfile        = "tempcert";
-    char *      certreqfile     = "tempcertreq";
-    char *      slotname        = "internal";
-    char *      certPrefix      = "";
-    char *      sourceDir       = "";
-    char *      srcCertPrefix   = "";
-    char *      upgradeID        = "";
-    char *      upgradeTokenName     = "";
-    KeyType     keytype         = rsaKey;
-    char *      name            = NULL;
-    char *      keysource       = NULL;
-    SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
-    int	        keysize	        = DEFAULT_KEY_BITS;
-    int         publicExponent  = 0x010001;
-    unsigned int serialNumber   = 0;
-    int         warpmonths      = 0;
-    int         validityMonths  = 3;
-    int         commandsEntered = 0;
-    char        commandToRun    = '\0';
-    secuPWData  pwdata          = { PW_NONE, 0 };
-    secuPWData  pwdata2         = { PW_NONE, 0 };
-    PRBool      readOnly        = PR_FALSE;
-    PRBool      initialized     = PR_FALSE;
-
-    SECKEYPrivateKey *privkey = NULL;
-    SECKEYPublicKey *pubkey = NULL;
-
-    int i;
-    SECStatus rv;
-
-    progName = PORT_Strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-    memcpy(certutil_commands, commands_init, sizeof commands_init);
-    memcpy(certutil_options,  options_init,  sizeof options_init);
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &certutil);
-
-    if (rv != SECSuccess)
-	Usage(progName);
-
-    if (certutil.commands[cmd_PrintHelp].activated)
-	LongUsage(progName);
-
-    if (certutil.options[opt_PasswordFile].arg) {
-	pwdata.source = PW_FROMFILE;
-	pwdata.data = certutil.options[opt_PasswordFile].arg;
-    }
-    if (certutil.options[opt_NewPasswordFile].arg) {
-	pwdata2.source = PW_FROMFILE;
-	pwdata2.data = certutil.options[opt_NewPasswordFile].arg;
-    }
-
-    if (certutil.options[opt_CertDir].activated)
-	SECU_ConfigDirectory(certutil.options[opt_CertDir].arg);
-
-    if (certutil.options[opt_SourceDir].activated)
-	sourceDir = certutil.options[opt_SourceDir].arg;
-
-    if (certutil.options[opt_UpgradeID].activated)
-	upgradeID = certutil.options[opt_UpgradeID].arg;
-
-    if (certutil.options[opt_UpgradeTokenName].activated)
-	upgradeTokenName = certutil.options[opt_UpgradeTokenName].arg;
-
-    if (certutil.options[opt_KeySize].activated) {
-	keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
-	if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
-	    PR_fprintf(PR_STDERR, 
-                       "%s -g:  Keysize must be between %d and %d.\n",
-		       progName, MIN_KEY_BITS, MAX_KEY_BITS);
-	    return 255;
-	}
-#ifdef NSS_ENABLE_ECC
-	if (keytype == ecKey) {
-	    PR_fprintf(PR_STDERR, "%s -g:  Not for ec keys.\n", progName);
-	    return 255;
-	}
-#endif /* NSS_ENABLE_ECC */
-
-    }
-
-    /*  -h specify token name  */
-    if (certutil.options[opt_TokenName].activated) {
-	if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
-	    slotname = NULL;
-	else
-	    slotname = PL_strdup(certutil.options[opt_TokenName].arg);
-    }
-
-    /*  -Z hash type  */
-    if (certutil.options[opt_Hash].activated) {
-	char * arg = certutil.options[opt_Hash].arg;
-        hashAlgTag = SECU_StringToSignatureAlgTag(arg);
-        if (hashAlgTag == SEC_OID_UNKNOWN) {
-	    PR_fprintf(PR_STDERR, "%s -Z:  %s is not a recognized type.\n",
-	               progName, arg);
-	    return 255;
-	}
-    }
-
-    /*  -k key type  */
-    if (certutil.options[opt_KeyType].activated) {
-	char * arg = certutil.options[opt_KeyType].arg;
-	if (PL_strcmp(arg, "rsa") == 0) {
-	    keytype = rsaKey;
-	} else if (PL_strcmp(arg, "dsa") == 0) {
-	    keytype = dsaKey;
-#ifdef NSS_ENABLE_ECC
-	} else if (PL_strcmp(arg, "ec") == 0) {
-	    keytype = ecKey;
-#endif /* NSS_ENABLE_ECC */
-	} else if (PL_strcmp(arg, "all") == 0) {
-	    keytype = nullKey;
-	} else {
-	    /* use an existing private/public key pair */
-	    keysource = arg;
-	}
-    } else if (certutil.commands[cmd_ListKeys].activated) {
-	keytype = nullKey;
-    }
-
-    /*  -m serial number */
-    if (certutil.options[opt_SerialNumber].activated) {
-	int sn = PORT_Atoi(certutil.options[opt_SerialNumber].arg);
-	if (sn < 0) {
-	    PR_fprintf(PR_STDERR, "%s -m:  %s is not a valid serial number.\n",
-	               progName, certutil.options[opt_SerialNumber].arg);
-	    return 255;
-	}
-	serialNumber = sn;
-    }
-
-    /*  -P certdb name prefix */
-    if (certutil.options[opt_DBPrefix].activated) {
-        if (certutil.options[opt_DBPrefix].arg) {
-            certPrefix = strdup(certutil.options[opt_DBPrefix].arg);
-        } else {
-            Usage(progName);
-        }
-    }
-
-    /*  --source-prefix certdb name prefix */
-    if (certutil.options[opt_SourcePrefix].activated) {
-        if (certutil.options[opt_SourcePrefix].arg) {
-            srcCertPrefix = strdup(certutil.options[opt_SourcePrefix].arg);
-        } else {
-            Usage(progName);
-        }
-    }
-
-    /*  -q PQG file or curve name */
-    if (certutil.options[opt_PQGFile].activated) {
-#ifdef NSS_ENABLE_ECC
-	if ((keytype != dsaKey) && (keytype != ecKey)) {
-	    PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" \
-		       " (-k dsa) or a named curve for EC keys (-k ec)\n)",
-	               progName);
-#else   /* } */
-	if (keytype != dsaKey) {
-	    PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
-	               progName);
-#endif /* NSS_ENABLE_ECC */
-	    return 255;
-	}
-    }
-
-    /*  -s subject name  */
-    if (certutil.options[opt_Subject].activated) {
-	subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
-	if (!subject) {
-	    PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
-	               progName, certutil.options[opt_Subject].arg);
-	    return 255;
-	}
-    }
-
-    /*  -v validity period  */
-    if (certutil.options[opt_Validity].activated) {
-	validityMonths = PORT_Atoi(certutil.options[opt_Validity].arg);
-	if (validityMonths < 0) {
-	    PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
-	               progName, certutil.options[opt_Validity].arg);
-	    return 255;
-	}
-    }
-
-    /*  -w warp months  */
-    if (certutil.options[opt_OffsetMonths].activated)
-	warpmonths = PORT_Atoi(certutil.options[opt_OffsetMonths].arg);
-
-    /*  -y public exponent (for RSA)  */
-    if (certutil.options[opt_Exponent].activated) {
-	publicExponent = PORT_Atoi(certutil.options[opt_Exponent].arg);
-	if ((publicExponent != 3) &&
-	    (publicExponent != 17) &&
-	    (publicExponent != 65537)) {
-	    PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", 
-	                           progName, publicExponent);
-	    PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
-	    return 255;
-	}
-    }
-
-    /*  Check number of commands entered.  */
-    commandsEntered = 0;
-    for (i=0; i< certutil.numCommands; i++) {
-	if (certutil.commands[i].activated) {
-	    commandToRun = certutil.commands[i].flag;
-	    commandsEntered++;
-	}
-	if (commandsEntered > 1)
-	    break;
-    }
-    if (commandsEntered > 1) {
-	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);
-	PR_fprintf(PR_STDERR, "You entered: ");
-	for (i=0; i< certutil.numCommands; i++) {
-	    if (certutil.commands[i].activated)
-		PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
-	}
-	PR_fprintf(PR_STDERR, "\n");
-	return 255;
-    }
-    if (commandsEntered == 0) {
-	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
-	Usage(progName);
-    }
-
-    if (certutil.commands[cmd_ListCerts].activated ||
-         certutil.commands[cmd_PrintHelp].activated ||
-         certutil.commands[cmd_ListKeys].activated ||
-         certutil.commands[cmd_ListModules].activated ||
-         certutil.commands[cmd_CheckCertValidity].activated ||
-         certutil.commands[cmd_Version].activated ) {
-	readOnly = !certutil.options[opt_RW].activated;
-    }
-
-    /*  -A, -D, -F, -M, -S, -V, and all require -n  */
-    if ((certutil.commands[cmd_AddCert].activated ||
-         certutil.commands[cmd_DeleteCert].activated ||
-         certutil.commands[cmd_DeleteKey].activated ||
-	 certutil.commands[cmd_DumpChain].activated ||
-         certutil.commands[cmd_ModifyCertTrust].activated ||
-         certutil.commands[cmd_CreateAndAddCert].activated ||
-         certutil.commands[cmd_CheckCertValidity].activated) &&
-        !certutil.options[opt_Nickname].activated) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -%c: nickname is required for this command (-n).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  -A, -E, -M, -S require trust  */
-    if ((certutil.commands[cmd_AddCert].activated ||
-         certutil.commands[cmd_AddEmailCert].activated ||
-         certutil.commands[cmd_ModifyCertTrust].activated ||
-         certutil.commands[cmd_CreateAndAddCert].activated) &&
-        !certutil.options[opt_Trust].activated) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -%c: trust is required for this command (-t).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  if -L is given raw or ascii mode, it must be for only one cert.  */
-    if (certutil.commands[cmd_ListCerts].activated &&
-        (certutil.options[opt_ASCIIForIO].activated ||
-         certutil.options[opt_BinaryDER].activated) &&
-        !certutil.options[opt_Nickname].activated) {
-	PR_fprintf(PR_STDERR, 
-	        "%s: nickname is required to dump cert in raw or ascii mode.\n",
-	           progName);
-	return 255;
-    }
-    
-    /*  -L can only be in (raw || ascii).  */
-    if (certutil.commands[cmd_ListCerts].activated &&
-        certutil.options[opt_ASCIIForIO].activated &&
-        certutil.options[opt_BinaryDER].activated) {
-	PR_fprintf(PR_STDERR, 
-	           "%s: cannot specify both -r and -a when dumping cert.\n",
-	           progName);
-	return 255;
-    }
-
-    /*  If making a cert request, need a subject.  */
-    if ((certutil.commands[cmd_CertReq].activated ||
-         certutil.commands[cmd_CreateAndAddCert].activated) &&
-        !(certutil.options[opt_Subject].activated || keysource)) {
-	PR_fprintf(PR_STDERR, 
-	           "%s -%c: subject is required to create a cert request.\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  If making a cert, need a serial number.  */
-    if ((certutil.commands[cmd_CreateNewCert].activated ||
-         certutil.commands[cmd_CreateAndAddCert].activated) &&
-         !certutil.options[opt_SerialNumber].activated) {
-	/*  Make a default serial number from the current time.  */
-	PRTime now = PR_Now();
-	LL_USHR(now, now, 19);
-	LL_L2UI(serialNumber, now);
-    }
-
-    /*  Validation needs the usage to validate for.  */
-    if (certutil.commands[cmd_CheckCertValidity].activated &&
-        !certutil.options[opt_Usage].activated) {
-	PR_fprintf(PR_STDERR, 
-	           "%s -V: specify a usage to validate the cert for (-u).\n",
-	           progName);
-	return 255;
-    }
-
-    /* Upgrade/Merge needs a source database and a upgrade id. */
-    if (certutil.commands[cmd_UpgradeMerge].activated &&
-        !(certutil.options[opt_SourceDir].activated &&
-          certutil.options[opt_UpgradeID].activated)) {
-
-	PR_fprintf(PR_STDERR, 
-	           "%s --upgrade-merge: specify an upgrade database directory "
-		   "(--source-dir) and\n"
-                   "   an upgrade ID (--upgrade-id).\n",
-	           progName);
-	return 255;
-    }
-
-    /* Merge needs a source database */
-    if (certutil.commands[cmd_Merge].activated &&
-        !certutil.options[opt_SourceDir].activated) {
-
-
-	PR_fprintf(PR_STDERR, 
-	           "%s --merge: specify an source database directory "
-		   "(--source-dir)\n",
-	           progName);
-	return 255;
-    }
-
-    
-    /*  To make a cert, need either a issuer or to self-sign it.  */
-    if (certutil.commands[cmd_CreateAndAddCert].activated &&
-	!(certutil.options[opt_IssuerName].activated ||
-          certutil.options[opt_SelfSign].activated)) {
-	PR_fprintf(PR_STDERR,
-	           "%s -S: must specify issuer (-c) or self-sign (-x).\n",
-	           progName);
-	return 255;
-    }
-
-    /*  Using slotname == NULL for listing keys and certs on all slots, 
-     *  but only that. */
-    if (!(certutil.commands[cmd_ListKeys].activated ||
-	  certutil.commands[cmd_DumpChain].activated ||
-    	  certutil.commands[cmd_ListCerts].activated) && slotname == NULL) {
-	PR_fprintf(PR_STDERR,
-	           "%s -%c: cannot use \"-h all\" for this command.\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  Using keytype == nullKey for list all key types, but only that.  */
-    if (!certutil.commands[cmd_ListKeys].activated && keytype == nullKey) {
-	PR_fprintf(PR_STDERR,
-	           "%s -%c: cannot use \"-k all\" for this command.\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  -S  open outFile, temporary file for cert request.  */
-    if (certutil.commands[cmd_CreateAndAddCert].activated) {
-	outFile = PR_Open(certreqfile,
-                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR, 
-		       "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
-		       progName, certreqfile,
-		       PR_GetError(), PR_GetOSError());
-	    return 255;
-	}
-    }
-
-    /*  Open the input file.  */
-    if (certutil.options[opt_InputFile].activated) {
-	inFile = PR_Open(certutil.options[opt_InputFile].arg, PR_RDONLY, 0);
-	if (!inFile) {
-	    PR_fprintf(PR_STDERR,
-	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
-	               progName, certutil.options[opt_InputFile].arg,
-	               PR_GetError(), PR_GetOSError());
-	    return 255;
-	}
-    }
-
-    /*  Open the output file.  */
-    if (certutil.options[opt_OutputFile].activated && !outFile) {
-	outFile = PR_Open(certutil.options[opt_OutputFile].arg, 
-                          PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR,
-	               "%s:  unable to open \"%s\" for writing (%ld, %ld).\n",
-	               progName, certutil.options[opt_OutputFile].arg,
-	               PR_GetError(), PR_GetOSError());
-	    return 255;
-	}
-    }
-
-    name = SECU_GetOptionArg(&certutil, opt_Nickname);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    if (PR_TRUE == initialize) {
-        /*  Initialize NSPR and NSS.  */
-        PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-	if (!certutil.commands[cmd_UpgradeMerge].activated) {
-            rv = NSS_Initialize(SECU_ConfigDirectory(NULL), 
-			    certPrefix, certPrefix,
-                            "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
-	} else {
-            rv = NSS_InitWithMerge(SECU_ConfigDirectory(NULL), 
-			    certPrefix, certPrefix, "secmod.db",
-			    sourceDir, srcCertPrefix, srcCertPrefix, 
-			    upgradeID, upgradeTokenName,
-                            readOnly ? NSS_INIT_READONLY: 0);
-	}
-        if (rv != SECSuccess) {
-	    SECU_PrintPRandOSError(progName);
-	    rv = SECFailure;
-	    goto shutdown;
-        }
-        initialized = PR_TRUE;
-    	SECU_RegisterDynamicOids();
-    }
-    certHandle = CERT_GetDefaultCertDB();
-
-    if (certutil.commands[cmd_Version].activated) {
-	printf("Certificate database content version: command not implemented.\n");
-    }
-
-    if (PL_strcmp(slotname, "internal") == 0)
-	slot = PK11_GetInternalKeySlot();
-    else if (slotname != NULL)
-	slot = PK11_FindSlotByName(slotname);
-
-    
-
-   
-    if ( !slot && (certutil.commands[cmd_NewDBs].activated ||
-         certutil.commands[cmd_ModifyCertTrust].activated  || 
-         certutil.commands[cmd_ChangePassword].activated   ||
-         certutil.commands[cmd_TokenReset].activated       ||
-         certutil.commands[cmd_CreateAndAddCert].activated ||
-         certutil.commands[cmd_AddCert].activated          ||
-         certutil.commands[cmd_Merge].activated          ||
-         certutil.commands[cmd_UpgradeMerge].activated          ||
-         certutil.commands[cmd_AddEmailCert].activated)) {
-      
-         SECU_PrintError(progName, "could not find the slot %s",slotname);
-         rv = SECFailure;
-         goto shutdown;
-    }
-
-    /*  If creating new database, initialize the password.  */
-    if (certutil.commands[cmd_NewDBs].activated) {
-	SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
-				certutil.options[opt_NewPasswordFile].arg);
-    }
-
-    /* walk through the upgrade merge if necessary.
-     * This option is more to test what some applications will want to do
-     * to do an automatic upgrade. The --merge command is more useful for
-     * the general case where 2 database need to be merged together.
-     */
-    if (certutil.commands[cmd_UpgradeMerge].activated) {
-	if (*upgradeTokenName == 0) {
-	    upgradeTokenName = upgradeID;
-	}
-	if (!PK11_IsInternal(slot)) {
-	    fprintf(stderr, "Only internal DB's can be upgraded\n");
-	    rv = SECSuccess;
-	    goto shutdown;
-	}
-	if (!PK11_IsRemovable(slot)) {
-	    printf("database already upgraded.\n");
-	    rv = SECSuccess;
-	    goto shutdown;
-	}
-	if (!PK11_NeedLogin(slot)) {
-	    printf("upgrade complete!\n");
-	    rv = SECSuccess;
-	    goto shutdown;
-	}
-	/* authenticate to the old DB if necessary */
-	if (PORT_Strcmp(PK11_GetTokenName(slot), upgradeTokenName) ==  0) {
-	    /* if we need a password, supply it. This will be the password
-	     * for the old database */
-	    rv = PK11_Authenticate(slot, PR_FALSE, &pwdata2);
-	    if (rv != SECSuccess) {
-         	SECU_PrintError(progName, "Could not get password for %s",
-				upgradeTokenName);
-		goto shutdown;
-	    }
-	    /* 
-	     * if we succeeded above, but still aren't logged in, that means
-	     * we just supplied the password for the old database. We may
-	     * need the password for the new database. NSS will automatically
-	     * change the token names at this point
-	     */
-	    if (PK11_IsLoggedIn(slot, &pwdata)) {
-		printf("upgrade complete!\n");
-		rv = SECSuccess;
-		goto shutdown;
-	    }
- 	}
-
-	/* call PK11_IsPresent to update our cached token information */
-	if (!PK11_IsPresent(slot)) {
-	    /* this shouldn't happen. We call isPresent to force a token
-	     * info update */
-	    fprintf(stderr, "upgrade/merge internal error\n");
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-
-	/* the token is now set to the state of the source database,
-	 * if we need a password for it, PK11_Authenticate will 
-	 * automatically prompt us */
-	rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
-	if (rv == SECSuccess) {
-	    printf("upgrade complete!\n");
-	} else {
-            SECU_PrintError(progName, "Could not get password for %s",
-				PK11_GetTokenName(slot));
-	}
-	goto shutdown;
-    }
-
-    /*
-     * merge 2 databases.
-     */
-    if (certutil.commands[cmd_Merge].activated) {
-	PK11SlotInfo *sourceSlot = NULL;
-	PK11MergeLog *log;
-	char *modspec = PR_smprintf(
-		"configDir='%s' certPrefix='%s' tokenDescription='%s'",
-		sourceDir, srcCertPrefix, 
-		*upgradeTokenName ? upgradeTokenName : "Source Database");
-
-	if (!modspec) {
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-
-	sourceSlot = SECMOD_OpenUserDB(modspec);
-	PR_smprintf_free(modspec);
-	if (!sourceSlot) {
-	    SECU_PrintError(progName, "couldn't open source database");
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-
-	rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "Couldn't get password for %s",
-					PK11_GetTokenName(slot));
-	    goto merge_fail;
-	}
-
-	rv = PK11_Authenticate(sourceSlot, PR_FALSE, &pwdata2);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "Couldn't get password for %s",
-					PK11_GetTokenName(sourceSlot));
-	    goto merge_fail;
-	}
-
-	log = PK11_CreateMergeLog();
-	if (!log) {
-	    rv = SECFailure;
-	    SECU_PrintError(progName, "couldn't create error log");
-	    goto merge_fail;
-	}
-
-	rv = PK11_MergeTokens(slot, sourceSlot, log, &pwdata, &pwdata2);
-	if (rv != SECSuccess) {
-	    DumpMergeLog(progName, log);
-	}
-	PK11_DestroyMergeLog(log);
-
-merge_fail:
-	SECMOD_CloseUserDB(sourceSlot);
-	PK11_FreeSlot(sourceSlot);
-	goto shutdown;
-    }
-
-    /* The following 8 options are mutually exclusive with all others. */
-
-    /*  List certs (-L)  */
-    if (certutil.commands[cmd_ListCerts].activated) {
-	rv = ListCerts(certHandle, name, slot,
-	               certutil.options[opt_BinaryDER].activated,
-	               certutil.options[opt_ASCIIForIO].activated, 
-                       (outFile) ? outFile : PR_STDOUT, &pwdata);
-	goto shutdown;
-    }
-    if (certutil.commands[cmd_DumpChain].activated) {
-	rv = DumpChain(certHandle, name);
-	goto shutdown;
-    }
-    /*  XXX needs work  */
-    /*  List keys (-K)  */
-    if (certutil.commands[cmd_ListKeys].activated) {
-	rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/,
-	              &pwdata);
-	goto shutdown;
-    }
-    /*  List modules (-U)  */
-    if (certutil.commands[cmd_ListModules].activated) {
-	rv = ListModules();
-	goto shutdown;
-    }
-    /*  Delete cert (-D)  */
-    if (certutil.commands[cmd_DeleteCert].activated) {
-	rv = DeleteCert(certHandle, name);
-	goto shutdown;
-    }
-    /*  Delete key (-F)  */
-    if (certutil.commands[cmd_DeleteKey].activated) {
-	rv = DeleteKey(name, &pwdata);
-	goto shutdown;
-    }
-    /*  Modify trust attribute for cert (-M)  */
-    if (certutil.commands[cmd_ModifyCertTrust].activated) {
-	rv = ChangeTrustAttributes(certHandle, slot, name, 
-	                           certutil.options[opt_Trust].arg, &pwdata);
-	goto shutdown;
-    }
-    /*  Change key db password (-W) (future - change pw to slot?)  */
-    if (certutil.commands[cmd_ChangePassword].activated) {
-	rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
-				certutil.options[opt_NewPasswordFile].arg);
-	goto shutdown;
-    }
-    /*  Reset the a token */
-    if (certutil.commands[cmd_TokenReset].activated) {
-	char *sso_pass = "";
-
-	if (certutil.options[opt_SSOPass].activated) {
-	    sso_pass = certutil.options[opt_SSOPass].arg;
- 	}
-	rv = PK11_ResetToken(slot,sso_pass);
-
-	goto shutdown;
-    }
-    /*  Check cert validity against current time (-V)  */
-    if (certutil.commands[cmd_CheckCertValidity].activated) {
-	/* XXX temporary hack for fips - must log in to get priv key */
-	if (certutil.options[opt_VerifySig].activated) {
-	    if (slot && PK11_NeedLogin(slot)) {
-                SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
-                if (newrv != SECSuccess) {
-                    SECU_PrintError(progName, "could not authenticate to token %s.",
-                                    PK11_GetTokenName(slot));
-                    goto shutdown;
-                }
-            }
-	}
-	rv = ValidateCert(certHandle, name, 
-	                  certutil.options[opt_ValidityTime].arg,
-			  certutil.options[opt_Usage].arg,
-			  certutil.options[opt_VerifySig].activated,
-			  certutil.options[opt_DetailedInfo].activated,
-	                  &pwdata);
-	if (rv != SECSuccess && PR_GetError() == SEC_ERROR_INVALID_ARGS)
-            SECU_PrintError(progName, "validation failed");
-	goto shutdown;
-    }
-
-    /*
-     *  Key generation
-     */
-
-    /*  These commands may require keygen.  */
-    if (certutil.commands[cmd_CertReq].activated ||
-        certutil.commands[cmd_CreateAndAddCert].activated ||
-	certutil.commands[cmd_GenKeyPair].activated) {
-	if (keysource) {
-	    CERTCertificate *keycert;
-	    keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
-	    if (!keycert) {
-		keycert = PK11_FindCertFromNickname(keysource, NULL);
-		if (!keycert) {
-		    SECU_PrintError(progName,
-			    "%s is neither a key-type nor a nickname", keysource);
-		    return SECFailure;
-		}
-	    }
-	    privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
-	    if (privkey)
-		pubkey = CERT_ExtractPublicKey(keycert);
-	    if (!pubkey) {
-		SECU_PrintError(progName,
-				"Could not get keys from cert %s", keysource);
-		rv = SECFailure;
-		CERT_DestroyCertificate(keycert);
-		goto shutdown;
-	    }
-	    keytype = privkey->keyType;
-	    /* On CertReq for renewal if no subject has been
-	     * specified obtain it from the certificate. 
-	     */
-	    if (certutil.commands[cmd_CertReq].activated && !subject) {
-	        subject = CERT_AsciiToName(keycert->subjectName);
-	        if (!subject) {
-	            SECU_PrintError(progName,
-			"Could not get subject from certificate %s", keysource);
-	            CERT_DestroyCertificate(keycert);
-	            rv = SECFailure;
-	            goto shutdown;
-	        }
-	    }
-	    CERT_DestroyCertificate(keycert);
-	} else {
-	    privkey = 
-		CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
-					    publicExponent, 
-					    certutil.options[opt_NoiseFile].arg,
-					    &pubkey, 
-					    certutil.options[opt_PQGFile].arg,
-					    &pwdata);
-	    if (privkey == NULL) {
-		SECU_PrintError(progName, "unable to generate key(s)\n");
-		rv = SECFailure;
-		goto shutdown;
-	    }
-	}
-	privkey->wincx = &pwdata;
-	PORT_Assert(pubkey != NULL);
-
-	/*  If all that was needed was keygen, exit.  */
-	if (certutil.commands[cmd_GenKeyPair].activated) {
-	    rv = SECSuccess;
-	    goto shutdown;
-	}
-    }
-
-    /* If we need a list of extensions convert the flags into list format */
-    if (certutil.commands[cmd_CertReq].activated ||
-        certutil.commands[cmd_CreateAndAddCert].activated ||
-        certutil.commands[cmd_CreateNewCert].activated) {
-        certutil_extns[ext_keyUsage].activated =
-            certutil.options[opt_AddCmdKeyUsageExt].activated;
-        if (!certutil_extns[ext_keyUsage].activated) {
-            certutil_extns[ext_keyUsage].activated =
-                certutil.options[opt_AddKeyUsageExt].activated;
-        } else {
-            certutil_extns[ext_keyUsage].arg =
-                certutil.options[opt_AddCmdKeyUsageExt].arg;
-        }
-        certutil_extns[ext_basicConstraint].activated =
-				certutil.options[opt_AddBasicConstraintExt].activated;
-        certutil_extns[ext_authorityKeyID].activated =
-				certutil.options[opt_AddAuthorityKeyIDExt].activated;
-        certutil_extns[ext_subjectKeyID].activated =
-				certutil.options[opt_AddSubjectKeyIDExt].activated;
-        certutil_extns[ext_CRLDistPts].activated =
-				certutil.options[opt_AddCRLDistPtsExt].activated;
-        certutil_extns[ext_NSCertType].activated =
-            certutil.options[opt_AddCmdNSCertTypeExt].activated;
-        if (!certutil_extns[ext_NSCertType].activated) {
-            certutil_extns[ext_NSCertType].activated =
-                certutil.options[opt_AddNSCertTypeExt].activated;
-        } else {
-            certutil_extns[ext_NSCertType].arg =
-                certutil.options[opt_AddCmdNSCertTypeExt].arg;
-        }
-
-        certutil_extns[ext_extKeyUsage].activated =
-            certutil.options[opt_AddCmdExtKeyUsageExt].activated;
-        if (!certutil_extns[ext_extKeyUsage].activated) {
-            certutil_extns[ext_extKeyUsage].activated =
-                certutil.options[opt_AddExtKeyUsageExt].activated;
-        } else {
-            certutil_extns[ext_extKeyUsage].arg =
-                certutil.options[opt_AddCmdExtKeyUsageExt].arg;
-        }
-
-        certutil_extns[ext_authInfoAcc].activated =
-				certutil.options[opt_AddAuthInfoAccExt].activated;
-        certutil_extns[ext_subjInfoAcc].activated =
-				certutil.options[opt_AddSubjInfoAccExt].activated;
-        certutil_extns[ext_certPolicies].activated =
-				certutil.options[opt_AddCertPoliciesExt].activated;
-        certutil_extns[ext_policyMappings].activated =
-				certutil.options[opt_AddPolicyMapExt].activated;
-        certutil_extns[ext_policyConstr].activated =
-				certutil.options[opt_AddPolicyConstrExt].activated;
-        certutil_extns[ext_inhibitAnyPolicy].activated =
-				certutil.options[opt_AddInhibAnyExt].activated;
-    }
-    /*
-     *  Certificate request
-     */
-
-    /*  Make a cert request (-R).  */
-    if (certutil.commands[cmd_CertReq].activated) {
-	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
-	             certutil.options[opt_PhoneNumber].arg,
-	             certutil.options[opt_ASCIIForIO].activated,
-		     certutil.options[opt_ExtendedEmailAddrs].arg,
-		     certutil.options[opt_ExtendedDNSNames].arg,
-                     certutil_extns,
-                     outFile ? outFile : PR_STDOUT);
-	if (rv) 
-	    goto shutdown;
-	privkey->wincx = &pwdata;
-    }
-
-    /*
-     *  Certificate creation
-     */
-
-    /*  If making and adding a cert, create a cert request file first without
-     *  any extensions, then load it with the command line extensions
-     *  and output the cert to another file.
-     */
-    if (certutil.commands[cmd_CreateAndAddCert].activated) {
-	static certutilExtnList nullextnlist = {{PR_FALSE, NULL}};
-	rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
-	             certutil.options[opt_PhoneNumber].arg,
-	             certutil.options[opt_ASCIIForIO].activated,
-		     NULL,
-		     NULL,
-                     nullextnlist,
-                     outFile ? outFile : PR_STDOUT);
-	if (rv) 
-	    goto shutdown;
-	privkey->wincx = &pwdata;
-	PR_Close(outFile);
-	inFile  = PR_Open(certreqfile, PR_RDONLY, 0);
-	if (!inFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certreqfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-	outFile = PR_Open(certfile,
-                          PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, 00660);
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-    }
-
-    /*  Create a certificate (-C or -S).  */
-    if (certutil.commands[cmd_CreateAndAddCert].activated ||
-         certutil.commands[cmd_CreateNewCert].activated) {
-	rv = CreateCert(certHandle, slot,
-	                certutil.options[opt_IssuerName].arg,
-	                inFile, outFile, &privkey, &pwdata, hashAlgTag,
-	                serialNumber, warpmonths, validityMonths,
-		        certutil.options[opt_ExtendedEmailAddrs].arg,
-		        certutil.options[opt_ExtendedDNSNames].arg,
-	                certutil.options[opt_ASCIIForIO].activated,
-	                certutil.options[opt_SelfSign].activated,
-	                certutil_extns);
-	if (rv) 
-	    goto shutdown;
-    }
-
-    /* 
-     * Adding a cert to the database (or slot)
-     */
- 
-    if (certutil.commands[cmd_CreateAndAddCert].activated) { 
-	PORT_Assert(inFile != PR_STDIN);
-	PR_Close(inFile);
-	PR_Close(outFile);
-	inFile = PR_Open(certfile, PR_RDONLY, 0);
-	if (!inFile) {
-	    PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
-                       certfile, PR_GetError(), PR_GetOSError());
-	    rv = SECFailure;
-	    goto shutdown;
-	}
-    }
-
-    /* -A -E or -S    Add the cert to the DB */
-    if (certutil.commands[cmd_CreateAndAddCert].activated ||
-         certutil.commands[cmd_AddCert].activated ||
-	 certutil.commands[cmd_AddEmailCert].activated) {
-	rv = AddCert(slot, certHandle, name, 
-	             certutil.options[opt_Trust].arg,
-	             inFile, 
-	             certutil.options[opt_ASCIIForIO].activated,
-	             certutil.commands[cmd_AddEmailCert].activated,&pwdata);
-	if (rv) 
-	    goto shutdown;
-    }
-
-    if (certutil.commands[cmd_CreateAndAddCert].activated) {
-	PORT_Assert(inFile != PR_STDIN);
-	PR_Close(inFile);
-	PR_Delete(certfile);
-	PR_Delete(certreqfile);
-    }
-
-shutdown:
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    if (privkey) {
-	SECKEY_DestroyPrivateKey(privkey);
-    }
-    if (pubkey) {
-	SECKEY_DestroyPublicKey(pubkey);
-    }
-
-    /* Open the batch command file.
-     *
-     * - If -B <command line> option is specified, the contents in the
-     * command file will be interpreted as subsequent certutil
-     * commands to be executed in the current certutil process
-     * context after the current certutil command has been executed.
-     * - Each line in the command file consists of the command
-     * line arguments for certutil.
-     * - The -d <configdir> option will be ignored if specified in the
-     * command file.
-     * - Quoting with double quote characters ("...") is supported
-     * to allow white space in a command line argument.  The
-     * double quote character cannot be escaped and quoting cannot
-     * be nested in this version.
-     * - each line in the batch file is limited to 512 characters
-    */
-
-    if ((SECSuccess == rv) && certutil.commands[cmd_Batch].activated) {
-	FILE* batchFile = NULL;
-        char nextcommand[512];
-        if (!certutil.options[opt_InputFile].activated ||
-            !certutil.options[opt_InputFile].arg) {
-	    PR_fprintf(PR_STDERR,
-	               "%s:  no batch input file specified.\n",
-	               progName);
-	    return 255;
-        }
-        batchFile = fopen(certutil.options[opt_InputFile].arg, "r");
-        if (!batchFile) {
-	    PR_fprintf(PR_STDERR,
-	               "%s:  unable to open \"%s\" for reading (%ld, %ld).\n",
-	               progName, certutil.options[opt_InputFile].arg,
-	               PR_GetError(), PR_GetOSError());
-	    return 255;
-        }
-        /* read and execute command-lines in a loop */
-        while ( (SECSuccess == rv ) &&
-                fgets(nextcommand, sizeof(nextcommand), batchFile)) {
-            /* we now need to split the command into argc / argv format */
-            char* commandline = PORT_Strdup(nextcommand);
-            PRBool invalid = PR_FALSE;
-            int newargc = 2;
-            char* space = NULL;
-            char* nextarg = NULL;
-            char** newargv = NULL;
-            char* crlf = PORT_Strrchr(commandline, '\n');
-            if (crlf) {
-                *crlf = '\0';
-            }
-
-            newargv = PORT_Alloc(sizeof(char*)*(newargc+1));
-            newargv[0] = progName;
-            newargv[1] = commandline;
-            nextarg = commandline;
-            while ((space = PORT_Strpbrk(nextarg, " \f\n\r\t\v")) ) {
-                while (isspace(*space) ) {
-                    *space = '\0';
-                    space ++;
-                }
-                if (*space == '\0') {
-                    break;
-                } else if (*space != '\"') {
-                    nextarg = space;
-                } else {
-                    char* closingquote = strchr(space+1, '\"');
-                    if (closingquote) {
-                        *closingquote = '\0';
-                        space++;
-                        nextarg = closingquote+1;
-                    } else {
-                        invalid = PR_TRUE;
-                        nextarg = space;
-                    }
-                }
-                newargc++;
-                newargv = PORT_Realloc(newargv, sizeof(char*)*(newargc+1));
-                newargv[newargc-1] = space;
-            }
-            newargv[newargc] = NULL;
-            
-            /* invoke next command */
-            if (PR_TRUE == invalid) {
-                PR_fprintf(PR_STDERR, "Missing closing quote in batch command :\n%s\nNot executed.\n",
-                           nextcommand);
-                rv = SECFailure;
-            } else {
-                if (0 != certutil_main(newargc, newargv, PR_FALSE) )
-                    rv = SECFailure;
-            }
-            PORT_Free(newargv);
-            PORT_Free(commandline);
-        }
-        fclose(batchFile);
-    }
-
-    if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-    if (rv == SECSuccess) {
-	return 0;
-    } else {
-	return 255;
-    }
-}
-
-int
-main(int argc, char **argv)
-{
-    int rv = certutil_main(argc, argv, PR_TRUE);
-    PR_Cleanup();
-    return rv;
-}
-
diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h
deleted file mode 100644
index 0f9470d6f..000000000
--- a/security/nss/cmd/certutil/certutil.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _CERTUTIL_H
-#define	_CERTUTIL_H
-
-extern SECKEYPrivateKey *
-CERTUTIL_GeneratePrivateKey(KeyType keytype,
-                            PK11SlotInfo *slot, 
-                            int rsasize,
-                            int publicExponent,
-                            char *noise,
-                            SECKEYPublicKey **pubkeyp,
-                            char *pqgFile,
-                            secuPWData *pwdata);
-
-extern char *progName;
-
-enum certutilExtns {
-    ext_keyUsage = 0,
-    ext_basicConstraint,
-    ext_authorityKeyID,
-    ext_CRLDistPts,
-    ext_NSCertType,
-    ext_extKeyUsage,
-    ext_authInfoAcc,
-    ext_subjInfoAcc,
-    ext_certPolicies,
-    ext_policyMappings,
-    ext_policyConstr,
-    ext_inhibitAnyPolicy,
-    ext_subjectKeyID,
-    ext_End
-};
-
-typedef struct ExtensionEntryStr {
-    PRBool activated;
-    const char  *arg;
-} ExtensionEntry;
-
-typedef ExtensionEntry certutilExtnList[ext_End];
-
-extern SECStatus
-AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
-              certutilExtnList extList);
-
-#endif	/* _CERTUTIL_H */
-
diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c
deleted file mode 100644
index ae4003141..000000000
--- a/security/nss/cmd/certutil/keystuff.c
+++ /dev/null
@@ -1,615 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <string.h>
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#include <sys/time.h>
-#include <termios.h>
-#endif
-
-#if defined(XP_WIN) || defined (XP_PC)
-#include <time.h>
-#include <conio.h>
-#endif
-
-#if defined(__sun) && !defined(SVR4)
-extern int fclose(FILE*);
-extern int fprintf(FILE *, char *, ...);
-extern int isatty(int);
-extern char *sys_errlist[];
-#define strerror(errno) sys_errlist[errno]
-#endif
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-
-#define NUM_KEYSTROKES 120
-#define RAND_BUF_SIZE 60
-
-#define ERROR_BREAK rv = SECFailure;break;
-
-const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
-};
-
-/* returns 0 for success, -1 for failure (EOF encountered) */
-static int
-UpdateRNG(void)
-{
-    char           randbuf[RAND_BUF_SIZE];
-    int            fd,  count;
-    int            c;
-    int            rv		= 0;
-#ifdef XP_UNIX
-    cc_t           orig_cc_min;
-    cc_t           orig_cc_time;
-    tcflag_t       orig_lflag;
-    struct termios tio;
-#endif
-    char meter[] = { 
-      "\r|                                                            |" };
-
-#define FPS fprintf(stderr, 
-    FPS "\n");
-    FPS "A random seed must be generated that will be used in the\n");
-    FPS "creation of your key.  One of the easiest ways to create a\n");
-    FPS "random seed is to use the timing of keystrokes on a keyboard.\n");
-    FPS "\n");
-    FPS "To begin, type keys on the keyboard until this progress meter\n");
-    FPS "is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!\n");
-    FPS "\n");
-    FPS "\n");
-    FPS "Continue typing until the progress meter is full:\n\n");
-    FPS meter);
-    FPS "\r|");
-
-    /* turn off echo on stdin & return on 1 char instead of NL */
-    fd = fileno(stdin);
-
-#if defined(XP_UNIX) && !defined(VMS)
-    tcgetattr(fd, &tio);
-    orig_lflag = tio.c_lflag;
-    orig_cc_min = tio.c_cc[VMIN];
-    orig_cc_time = tio.c_cc[VTIME];
-    tio.c_lflag &= ~ECHO;
-    tio.c_lflag &= ~ICANON;
-    tio.c_cc[VMIN] = 1;
-    tio.c_cc[VTIME] = 0;
-    tcsetattr(fd, TCSAFLUSH, &tio);
-#endif
-
-    /* Get random noise from keyboard strokes */
-    count = 0;
-    while (count < sizeof randbuf) {
-#ifdef VMS
-	c = GENERIC_GETCHAR_NOECHO();
-#elif XP_UNIX
-	c = getc(stdin);
-#else
-	c = getch();
-#endif
-	if (c == EOF) {
-	    rv = -1;
-	    break;
-	}
-	randbuf[count] = c;
-	if (count == 0 || c != randbuf[count-1]) {
-	    count++;
-	    FPS "*");
-	}
-    }
-    PK11_RandomUpdate(randbuf, sizeof randbuf);
-    memset(randbuf, 0, sizeof randbuf);
-
-    FPS "\n\n");
-    FPS "Finished.  Press enter to continue: ");
-#if defined(VMS)
-    while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF)
-	;
-#else
-    while ((c = getc(stdin)) != '\n' && c != EOF)
-	;
-#endif
-    if (c == EOF) 
-	rv = -1;
-    FPS "\n");
-
-#undef FPS
-
-#if defined(XP_UNIX) && !defined(VMS)
-    /* set back termio the way it was */
-    tio.c_lflag = orig_lflag;
-    tio.c_cc[VMIN] = orig_cc_min;
-    tio.c_cc[VTIME] = orig_cc_time;
-    tcsetattr(fd, TCSAFLUSH, &tio);
-#endif
-    return rv;
-}
-
-static const unsigned char P[] = { 0, 
-       0x98, 0xef, 0x3a, 0xae, 0x70, 0x98, 0x9b, 0x44, 
-       0xdb, 0x35, 0x86, 0xc1, 0xb6, 0xc2, 0x47, 0x7c, 
-       0xb4, 0xff, 0x99, 0xe8, 0xae, 0x44, 0xf2, 0xeb, 
-       0xc3, 0xbe, 0x23, 0x0f, 0x65, 0xd0, 0x4c, 0x04, 
-       0x82, 0x90, 0xa7, 0x9d, 0x4a, 0xc8, 0x93, 0x7f, 
-       0x41, 0xdf, 0xf8, 0x80, 0x6b, 0x0b, 0x68, 0x7f, 
-       0xaf, 0xe4, 0xa8, 0xb5, 0xb2, 0x99, 0xc3, 0x69, 
-       0xfb, 0x3f, 0xe7, 0x1b, 0xd0, 0x0f, 0xa9, 0x7a, 
-       0x4a, 0x04, 0xbf, 0x50, 0x9e, 0x22, 0x33, 0xb8, 
-       0x89, 0x53, 0x24, 0x10, 0xf9, 0x68, 0x77, 0xad, 
-       0xaf, 0x10, 0x68, 0xb8, 0xd3, 0x68, 0x5d, 0xa3, 
-       0xc3, 0xeb, 0x72, 0x3b, 0xa0, 0x0b, 0x73, 0x65, 
-       0xc5, 0xd1, 0xfa, 0x8c, 0xc0, 0x7d, 0xaa, 0x52, 
-       0x29, 0x34, 0x44, 0x01, 0xbf, 0x12, 0x25, 0xfe, 
-       0x18, 0x0a, 0xc8, 0x3f, 0xc1, 0x60, 0x48, 0xdb, 
-       0xad, 0x93, 0xb6, 0x61, 0x67, 0xd7, 0xa8, 0x2d };
-static const unsigned char Q[] = { 0,
-       0xb5, 0xb0, 0x84, 0x8b, 0x44, 0x29, 0xf6, 0x33, 
-       0x59, 0xa1, 0x3c, 0xbe, 0xd2, 0x7f, 0x35, 0xa1, 
-       0x76, 0x27, 0x03, 0x81                         };
-static const unsigned char G[] = { 
-       0x04, 0x0e, 0x83, 0x69, 0xf1, 0xcd, 0x7d, 0xe5, 
-       0x0c, 0x78, 0x93, 0xd6, 0x49, 0x6f, 0x00, 0x04, 
-       0x4e, 0x0e, 0x6c, 0x37, 0xaa, 0x38, 0x22, 0x47, 
-       0xd2, 0x58, 0xec, 0x83, 0x12, 0x95, 0xf9, 0x9c, 
-       0xf1, 0xf4, 0x27, 0xff, 0xd7, 0x99, 0x57, 0x35, 
-       0xc6, 0x64, 0x4c, 0xc0, 0x47, 0x12, 0x31, 0x50, 
-       0x82, 0x3c, 0x2a, 0x07, 0x03, 0x01, 0xef, 0x30, 
-       0x09, 0x89, 0x82, 0x41, 0x76, 0x71, 0xda, 0x9e, 
-       0x57, 0x8b, 0x76, 0x38, 0x37, 0x5f, 0xa5, 0xcd, 
-       0x32, 0x84, 0x45, 0x8d, 0x4c, 0x17, 0x54, 0x2b, 
-       0x5d, 0xc2, 0x6b, 0xba, 0x3e, 0xa0, 0x7b, 0x95, 
-       0xd7, 0x00, 0x42, 0xf7, 0x08, 0xb8, 0x83, 0x87, 
-       0x60, 0xe1, 0xe5, 0xf4, 0x1a, 0x54, 0xc2, 0x20, 
-       0xda, 0x38, 0x3a, 0xd1, 0xb6, 0x10, 0xf4, 0xcb, 
-       0x35, 0xda, 0x97, 0x92, 0x87, 0xd6, 0xa5, 0x37, 
-       0x62, 0xb4, 0x93, 0x4a, 0x15, 0x21, 0xa5, 0x10 };
-
-/*  h:
- *      4a:76:30:89:eb:e1:81:7c:99:0b:39:7f:95:4a:65:72:
- *      c6:b4:05:92:48:6c:3c:b2:7e:e7:39:f3:92:7d:c1:3f:
- *      bf:e1:fd:b3:4a:46:3e:ce:29:80:e3:d6:f4:59:c6:92:
- *      16:2b:0e:d7:d6:bb:ef:94:36:31:c2:66:46:c5:4a:77:
- *      aa:95:84:ef:99:7e:e3:9c:d9:a0:32:42:09:b6:4e:d0:
- *      b3:c8:5e:06:df:a1:ac:4d:2d:f9:08:c2:cb:4b:a4:42:
- *      db:8a:5b:de:25:6e:2b:5b:ca:00:75:2c:57:00:18:aa:
- *      68:59:a1:94:03:07:94:78:38:bc:f8:7c:1e:1c:a3:2e
- *  SEED:
- *      b5:44:66:c9:0f:f1:ca:1c:95:45:ce:90:74:89:14:f2:
- *      13:3e:23:5a:b0:6a:bf:86:ad:cb:a0:7d:ce:3b:c8:16:
- *      7f:2d:a2:1a:cb:33:7d:c1:e7:d7:07:aa:1b:a2:d7:89:
- *      f5:a4:db:f7:8b:50:00:cd:b4:7d:25:81:3f:f8:a8:dd:
- *      6c:46:e5:77:b5:60:7e:75:79:b8:99:57:c1:c4:f3:f7:
- *      17:ca:43:00:b8:33:b6:06:8f:4d:91:ed:23:a5:66:1b:
- *      ef:14:d7:bc:21:2b:82:d8:ab:fa:fd:a7:c3:4d:bf:52:
- *      af:8e:57:59:61:1a:4e:65:c6:90:d6:a6:ff:0b:15:b1
- *  g:       1024
- *  counter: 1003
- */
-
-static const SECKEYPQGParams default_pqg_params = {
-    NULL,
-    { 0, (unsigned char *)P, sizeof(P) },
-    { 0, (unsigned char *)Q, sizeof(Q) },
-    { 0, (unsigned char *)G, sizeof(G) }
-};
-
-static SECKEYPQGParams *
-decode_pqg_params(const char *str)
-{
-    char *buf;
-    unsigned int len;
-    PRArenaPool *arena;
-    SECKEYPQGParams *params;
-    SECStatus status;
- 
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-        return NULL;
- 
-    params = PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams));
-    if (params == NULL)
-        goto loser;
-    params->arena = arena;
- 
-    buf = (char *)ATOB_AsciiToData(str, &len);
-    if ((buf == NULL) || (len == 0))
-        goto loser;
- 
-    status = SEC_ASN1Decode(arena, params, SECKEY_PQGParamsTemplate, buf, len);
-    if (status != SECSuccess)
-        goto loser;
- 
-    return params;
- 
-loser:
-    if (arena != NULL)
-        PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-void  
-CERTUTIL_DestroyParamsPQG(SECKEYPQGParams *params)
-{
-    if (params->arena) {
-        PORT_FreeArena(params->arena, PR_FALSE);
-    }
-}
-
-static int
-pqg_prime_bits(const SECKEYPQGParams *params)
-{
-    int primeBits = 0;
- 
-    if (params != NULL) {
-	int i;
-	for (i = 0; params->prime.data[i] == 0; i++) {
-	    /* empty */;
-	}
-	primeBits = (params->prime.len - i) * 8;
-    }
- 
-    return primeBits;
-}
-
-static char *
-getPQGString(const char *filename)
-{
-    unsigned char *buf      = NULL;
-    PRFileDesc    *src;
-    PRInt32        numBytes;
-    PRStatus       prStatus;
-    PRFileInfo     info;
-
-    src   = PR_Open(filename, PR_RDONLY, 0);
-    if (!src) {
-    	fprintf(stderr, "Failed to open PQG file %s\n", filename);
-	return NULL;
-    }
-
-    prStatus = PR_GetOpenFileInfo(src, &info);
-
-    if (prStatus == PR_SUCCESS) {
-	buf = (unsigned char*)PORT_Alloc(info.size + 1);
-    }
-    if (!buf) {
-	PR_Close(src);
-    	fprintf(stderr, "Failed to read PQG file %s\n", filename);
-	return NULL;
-    }
-
-    numBytes = PR_Read(src, buf, info.size);
-    PR_Close(src);
-    if (numBytes != info.size) {
-	PORT_Free(buf);
-    	fprintf(stderr, "Failed to read PQG file %s\n", filename);
-	PORT_SetError(SEC_ERROR_IO);
-	return NULL;
-    }
-
-    if (buf[numBytes-1] == '\n') 
-    	numBytes--;
-    if (buf[numBytes-1] == '\r') 
-    	numBytes--;
-    buf[numBytes] = 0;
-    
-    return (char *)buf;
-}
-
-static SECKEYPQGParams*
-getpqgfromfile(int keyBits, const char *pqgFile)
-{
-    char *end, *str, *pqgString;
-    SECKEYPQGParams* params = NULL;
-
-    str = pqgString = getPQGString(pqgFile);
-    if (!str) 
-	return NULL;
-
-    do {
-	end = PORT_Strchr(str, ',');
-	if (end)
-	    *end = '\0';
-	params = decode_pqg_params(str);
-	if (params) {
-	    int primeBits = pqg_prime_bits(params);
-	    if (keyBits == primeBits)
-		break;
-	    CERTUTIL_DestroyParamsPQG(params);
-	    params = NULL;
-	}
-	if (end)
-	    str = end + 1;
-    } while (end);
-
-    PORT_Free(pqgString);
-    return params;
-}
-
-static SECStatus 
-CERTUTIL_FileForRNG(const char *noise)
-{
-    char buf[2048];
-    PRFileDesc *fd;
-    PRInt32 count;
-
-    fd = PR_Open(noise,PR_RDONLY,0);
-    if (!fd) {
-	fprintf(stderr, "failed to open noise file.");
-	return SECFailure;
-    }
-
-    do {
-	count = PR_Read(fd,buf,sizeof(buf));
-	if (count > 0) {
-	    PK11_RandomUpdate(buf,count);
-	}
-    } while (count > 0);
-
-    PR_Close(fd);
-    return SECSuccess;
-}
-
-#ifdef NSS_ENABLE_ECC
-typedef struct curveNameTagPairStr {
-    char *curveName;
-    SECOidTag curveOidTag;
-} CurveNameTagPair;
-
-#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
-/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
-
-static CurveNameTagPair nameTagPair[] =
-{ 
-  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
-  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
-  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
-  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
-  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
-  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
-  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
-  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
-  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
-  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
-  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
-  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
-  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
-  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
-  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
-  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
-  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
-  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
-  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
-  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
-  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
-  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
-  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
-  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
-  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
-  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
-  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
-  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
-  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
-  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
-  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
-  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
-  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
-  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
-  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
-  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
-  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
-  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
-  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
-  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
-
-  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
-  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
-  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
-  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
-  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
-  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
-
-  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
-  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
-  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
-  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
-  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
-  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
-  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
-  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
-  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
-  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
-  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
-  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
-  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
-  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
-  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
-  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
-  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
-  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
-  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
-  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
-
-  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
-  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
-  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
-  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
-
-  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
-  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
-  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
-  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
-};
-
-static SECKEYECParams * 
-getECParams(const char *curve)
-{
-    SECKEYECParams *ecparams;
-    SECOidData *oidData = NULL;
-    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
-    int i, numCurves;
-
-    if (curve != NULL) {
-        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
-	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
-	     i++) {
-	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
-	        curveOidTag = nameTagPair[i].curveOidTag;
-	}
-    }
-
-    /* Return NULL if curve name is not recognized */
-    if ((curveOidTag == SEC_OID_UNKNOWN) || 
-	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
-        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
-	return NULL;
-    }
-
-    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
-
-    /* 
-     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
-     * oidData->oid.data so we simply prepend 0x06 and OID length
-     */
-    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
-    ecparams->data[1] = oidData->oid.len;
-    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
-
-    return ecparams;
-}
-#endif /* NSS_ENABLE_ECC */
-
-SECKEYPrivateKey *
-CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
-			    int publicExponent, const char *noise, 
-			    SECKEYPublicKey **pubkeyp, const char *pqgFile,
-                            secuPWData *pwdata)
-{
-    CK_MECHANISM_TYPE  mechanism;
-    SECOidTag          algtag;
-    PK11RSAGenParams   rsaparams;
-    SECKEYPQGParams  * dsaparams = NULL;
-    void             * params;
-    SECKEYPrivateKey * privKey = NULL;
-
-    if (slot == NULL)
-	return NULL;
-
-    if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
-	return NULL;
-
-    /*
-     * Do some random-number initialization.
-     */
-
-    if (noise) {
-    	SECStatus rv = CERTUTIL_FileForRNG(noise);
-	if (rv != SECSuccess) {
-	    PORT_SetError(PR_END_OF_FILE_ERROR); /* XXX */
-	    return NULL;
-    	}
-    } else {
-	int rv = UpdateRNG();
-	if (rv) {
-	    PORT_SetError(PR_END_OF_FILE_ERROR);
-	    return NULL;
-	}
-    }
-
-    switch (keytype) {
-    case rsaKey:
-	rsaparams.keySizeInBits = size;
-	rsaparams.pe = publicExponent;
-	mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-	algtag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
-	params = &rsaparams;
-	break;
-    case dsaKey:
-	mechanism = CKM_DSA_KEY_PAIR_GEN;
-	algtag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-	if (pqgFile) {
-	    dsaparams = getpqgfromfile(size, pqgFile);
-	    if (dsaparams == NULL)
-	    	return NULL;
-	    params = dsaparams;
-	} else {
-	    /* cast away const, and don't set dsaparams */
-	    params = (void *)&default_pqg_params;
-	}
-	break;
-#ifdef NSS_ENABLE_ECC
-    case ecKey:
-	mechanism = CKM_EC_KEY_PAIR_GEN;
-	/* For EC keys, PQGFile determines EC parameters */
-	if ((params = (void *) getECParams(pqgFile)) == NULL)
-	    return NULL;
-	break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	return NULL;
-    }
-
-    fprintf(stderr, "\n\n");
-    fprintf(stderr, "Generating key.  This may take a few moments...\n\n");
-
-    privKey = PK11_GenerateKeyPair(slot, mechanism, params, pubkeyp,
-				PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, 
-				pwdata /*wincx*/);
-    /* free up the params */
-    switch (keytype) {
-    case dsaKey: if (dsaparams) CERTUTIL_DestroyParamsPQG(dsaparams); 
-	                                                      break;
-#ifdef NSS_ENABLE_ECC
-    case ecKey: SECITEM_FreeItem((SECItem *)params, PR_TRUE); break;
-#endif
-    default: /* nothing to free */                            break;
-    }
-    return privKey;
-}
diff --git a/security/nss/cmd/certutil/manifest.mn b/security/nss/cmd/certutil/manifest.mn
deleted file mode 100644
index d8c755dc1..000000000
--- a/security/nss/cmd/certutil/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = \
-	certext.c \
-	certutil.c \
-	keystuff.c \
-	$(NULL)
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = dbm seccmd
-
-PROGRAM = certutil
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/checkcert/Makefile b/security/nss/cmd/checkcert/Makefile
deleted file mode 100644
index 140b4191f..000000000
--- a/security/nss/cmd/checkcert/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/checkcert/checkcert.c b/security/nss/cmd/checkcert/checkcert.c
deleted file mode 100644
index 27c201e1b..000000000
--- a/security/nss/cmd/checkcert/checkcert.c
+++ /dev/null
@@ -1,591 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secutil.h"
-#include "plgetopt.h"
-#include "cert.h"
-#include "secoid.h"
-#include "cryptohi.h"
-
-/* maximum supported modulus length in bits (indicate problem if over this) */
-#define MAX_MODULUS (1024)
-
-
-static void Usage(char *progName)
-{
-    fprintf(stderr, "Usage: %s [aAvf] [certtocheck] [issuingcert]\n",
-	    progName);
-    fprintf(stderr, "%-20s Cert to check is base64 encoded\n",
-	    "-a");
-    fprintf(stderr, "%-20s Issuer's cert is base64 encoded\n",
-	    "-A");
-    fprintf(stderr, "%-20s Verbose (indicate decoding progress etc.)\n",
-	    "-v");
-    fprintf(stderr, "%-20s Force sanity checks even if pretty print fails.\n",
-	    "-f");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    fprintf(stderr, "%-20s Specify the input type (no default)\n",
-	    "-t type");
-    exit(-1);
-}
-
-
-/*
- * Check integer field named fieldName, printing out results and
- * returning the length of the integer in bits
- */   
-
-static
-int checkInteger(SECItem *intItem, char *fieldName, int verbose) 
-{
-    int len, bitlen;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    len = intItem->len;
-
-    if (len && (intItem->data[0] & 0x80)) {
-	printf("PROBLEM: %s is NEGATIVE 2's-complement integer.\n",
-	       fieldName);
-    }
-
-
-    /* calculate bit length and check for unnecessary leading zeros */
-    bitlen = len << 3;
-    if (len > 1 && intItem->data[0] == 0) {
-	/* leading zero byte(s) */
-	if (!(intItem->data[1] & 0x80)) {
-	    printf("PROBLEM: %s has unneeded leading zeros.  Violates DER.\n",
-		   fieldName);
-	}
-	/* strip leading zeros in length calculation */
-	{
-	    int i=0;
-	    while (bitlen > 8 && intItem->data[i] == 0) {
-		bitlen -= 8;
-		i++;
-	    }
-	}
-    }
-    return bitlen;
-}
-
-
-
-
-static
-void checkName(CERTName *n, char *fieldName, int verbose)
-{
-    char *v=0;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    v = CERT_GetCountryName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Country Name (C)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Organization Name (O)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgUnitName(n);
-    if (!v) {
-	printf("WARNING: %s lacks Organization Unit Name (OU)\n",
-	       fieldName);
-    }
-    PORT_Free(v);	
-
-    v = CERT_GetCommonName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Common Name (CN)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-}
-
-
-static
-SECStatus
-OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
-{
-    SECStatus rv;
-    VFYContext *cx;
-    SECOidData *sigAlgOid, *oiddata;
-    SECOidTag sigAlgTag;
-    SECOidTag hashAlgTag;
-    int showDigestOid=0;
-
-    cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
-                                          NULL);
-    if (cx == NULL)
-	return SECFailure;
-
-    sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
-    if (sigAlgOid == 0)
-	return SECFailure;
-    sigAlgTag = sigAlgOid->offset;
-
-
-    if (showDigestOid) {
-	oiddata = SECOID_FindOIDByTag(hashAlgTag);
-	if ( oiddata ) {
-	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
-	} else {
-	    SECU_PrintAsHex(stdout,
-			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
-	}
-    }
-
-    rv = VFY_Begin(cx);
-    if (rv == SECSuccess) {
-	rv = VFY_Update(cx, buf, len);
-	if (rv == SECSuccess)
-	    rv = VFY_End(cx);
-    }
-
-    VFY_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-
-
-static
-SECStatus
-OurVerifySignedData(CERTSignedData *sd, CERTCertificate *cert)
-{
-    SECItem sig;
-    SECKEYPublicKey *pubKey = 0;
-    SECStatus rv;
-
-    /* check the certificate's validity */
-    rv = CERT_CertTimesValid(cert);
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    /* get cert's public key */
-    pubKey = CERT_ExtractPublicKey(cert);
-    if ( !pubKey ) {
-	return(SECFailure);
-    }
-
-    /* check the signature */
-    sig = sd->signature;
-    DER_ConvertBitString(&sig);
-    rv = OurVerifyData(sd->data.data, sd->data.len, pubKey, &sig,
-		       &sd->signatureAlgorithm);
-
-    SECKEY_DestroyPublicKey(pubKey);
-
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-
-
-
-static
-CERTCertificate *createEmptyCertificate(void)
-{
-    PRArenaPool *arena = 0;
-    CERTCertificate *c = 0;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	return 0;
-    }
-
-
-    c = (CERTCertificate *) PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
-    if (c) {
-	c->referenceCount = 1;
-	c->arena = arena;
-    } else {
-	PORT_FreeArena(arena,PR_TRUE);
-    }
-
-    return c;
-}    
-
-
-
-
-int main(int argc, char **argv)
-{
-    int rv, verbose=0, force=0;
-    int ascii=0, issuerAscii=0;
-    char *progName=0;
-    PRFileDesc *inFile=0, *issuerCertFile=0;
-    SECItem derCert, derIssuerCert;
-    PRArenaPool *arena=0;
-    CERTSignedData *signedData=0;
-    CERTCertificate *cert=0, *issuerCert=0;
-    SECKEYPublicKey *rsapubkey=0;
-    SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
-    SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
-    SECItem spk;
-    int selfSigned=0;
-    int invalid=0;
-    char *inFileName = NULL, *issuerCertFileName = NULL;
-    PLOptState *optstate;
-    PLOptStatus status;
-
-    PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
-    PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
-    PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
-    PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "aAvf");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case 'v':
-	    verbose = 1;
-	    break;
-
-	  case 'f':
-	    force = 1;
-	    break;
-
-	  case 'a':
-	    ascii = 1;
-	    break;
-
-	  case 'A':
-	    issuerAscii = 1;
-	    break;
-
-	  case '\0':
-	    if (!inFileName)
-		inFileName = PL_strdup(optstate->value);
-	    else if (!issuerCertFileName)
-		issuerCertFileName = PL_strdup(optstate->value);
-	    else
-		Usage(progName);
-	    break;
-	}
-    }
-
-    if (!inFileName || !issuerCertFileName || status == PL_OPT_BAD) {
-	/* insufficient or excess args */
-	Usage(progName);
-    }
-
-    inFile = PR_Open(inFileName, PR_RDONLY, 0);
-    if (!inFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, inFileName);
-	exit(1);
-    }
-
-    issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
-    if (!issuerCertFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, issuerCertFileName);
-	exit(1);
-    }
-
-    if (SECU_ReadDERFromFile(&derCert, inFile, ascii) != SECSuccess) {
-	printf("Couldn't read input certificate as DER binary or base64\n");
-	exit(1);
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == 0) {
-	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
-	exit(1);
-    }
-
-    if (issuerCertFile) {
-	CERTSignedData *issuerCertSD=0;
-	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii)
-	    != SECSuccess) {
-	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
-	    exit(1);
-	}
-	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
-	if (!issuerCertSD) {
-	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
-	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
-				&derIssuerCert);
-	if (rv) {
-	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
-		    progName);
-	    exit(1);
-	}
-	issuerCert = createEmptyCertificate();
-	if (!issuerCert) {
-	    printf("%s: can't allocate space for issuer cert.", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
-	                    SEC_ASN1_GET(CERT_CertificateTemplate),
-			    &issuerCertSD->data);
-	if (rv) {
-	    printf("%s: Does not appear to be an X509 Certificate.\n",
-		   progName);
-	    exit(1);
-	}
-    }
-
-    signedData =  PORT_ArenaZNew(arena,CERTSignedData);
-    if (!signedData) {
-	fprintf(stderr,"%s: can't allocate signedData!", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, signedData, 
-                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
-			    &derCert);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
-		progName);
-	exit(1);
-    }
-
-    if (verbose) {
-	printf("Decoded ok as X509 SIGNED data.\n");
-    }
-
-    cert = createEmptyCertificate();
-    if (!cert) {
-	fprintf(stderr, "%s: can't allocate cert", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, cert, 
-                        SEC_ASN1_GET(CERT_CertificateTemplate), 
-			&signedData->data);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
-		progName);
-	exit(1);
-    }
-
-
-    if (verbose) {
-	printf("Decoded ok as an X509 certificate.\n");
-    }
-
-    SECU_RegisterDynamicOids();
-    rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
-			      SECU_PrintCertificate);
-
-    if (rv) {
-	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
-		progName, PORT_GetError());
-	if (!force) {
-	    exit(1);
-	}
-    }
-
-
-    /* Do various checks on the cert */
-
-    printf("\n");
-
-    /* Check algorithms */
-    SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
-		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
-
-    SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
-		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
-
-    SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
-		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
-
-    SECOID_SetAlgorithmID(arena, &rsaEncryption,
-		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
-
-    {
-	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md5WithRSAEncryption) == 0);
-	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md2WithRSAEncryption) == 0);
-	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &sha1WithRSAEncryption) == 0);
-
-	if (verbose) {
-	    printf("\nDoing algorithm checks.\n");
-	}
-
-	if (!(isMD5RSA || isMD2RSA || isSHA1RSA)) {
-	    printf("PROBLEM: Signature not PKCS1 MD5, MD2, or SHA1 + RSA.\n");
-	} else if (!isMD5RSA) {
-	    printf("WARNING: Signature not PKCS1 MD5 with RSA Encryption\n");
-	}
-
-	if (SECOID_CompareAlgorithmID(&cert->signature,
-				   &signedData->signatureAlgorithm)) {
-	    printf("PROBLEM: Algorithm in sig and certInfo don't match.\n");
-	}
-    }
-
-    if (SECOID_CompareAlgorithmID(&cert->subjectPublicKeyInfo.algorithm,
-			       &rsaEncryption)) {
-	printf("PROBLEM: Public key algorithm is not PKCS1 RSA Encryption.\n");
-    }
-
-    /* Check further public key properties */
-    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
-    DER_ConvertBitString(&spk);
-
-    if (verbose) {
-	printf("\nsubjectPublicKey DER\n");
-	rv = DER_PrettyPrint(stdout, &spk, PR_FALSE);
-	printf("\n");
-    }
-
-    rsapubkey = (SECKEYPublicKey *) 
-	             PORT_ArenaZAlloc(arena,sizeof(SECKEYPublicKey));
-    if (!rsapubkey) {
-	fprintf(stderr, "%s: rsapubkey allocation failed.\n", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
-                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
-    if (rv) {
-	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
-    } else {
-	int mlen;
-	int pubexp;
-	if (verbose) {
-	    printf("Decoded RSA Public Key ok.  Doing key checks.\n");
-	}
-	PORT_Assert(rsapubkey->keyType == rsaKey); /* XXX RSA */
-	mlen = checkInteger(&rsapubkey->u.rsa.modulus, "Modulus", verbose);
-	printf("INFO: Public Key modulus length in bits: %d\n", mlen);
-	if (mlen > MAX_MODULUS) {
-	    printf("PROBLEM: Modulus length exceeds %d bits.\n",
-		   MAX_MODULUS);
-	}
-	if (mlen < 512) {
-	    printf("WARNING: Short modulus.\n");
-	}
-	if (mlen != (1 << (ffs(mlen)-1))) {
-	    printf("WARNING: Unusual modulus length (not a power of two).\n");
-	}
-	checkInteger(&rsapubkey->u.rsa.publicExponent, "Public Exponent",
-                     verbose);
-	pubexp = DER_GetInteger(&rsapubkey->u.rsa.publicExponent);
-	if (pubexp != 17 && pubexp != 3 && pubexp != 65537) {
-	    printf("WARNING: Public exponent not any of: 3, 17, 65537\n");
-	}
-    }
-
-
-    /* Name checks */
-    checkName(&cert->issuer, "Issuer Name", verbose);
-    checkName(&cert->subject, "Subject Name", verbose);
-
-    if (issuerCert) {
-	SECComparison c =
-	    CERT_CompareName(&cert->issuer, &issuerCert->subject);
-	if (c) {
-         printf("PROBLEM: Issuer Name and Subject in Issuing Cert differ\n");
-        }
-    }
-
-    /* Check if self-signed */
-    selfSigned = (CERT_CompareName(&cert->issuer, &cert->subject) == 0);
-    if (selfSigned) {
-	printf("INFO: Certificate is self signed.\n");
-    } else {
-	printf("INFO: Certificate is NOT self-signed.\n");
-    }
-
-
-    /* Validity time check */
-    if (CERT_CertTimesValid(cert) == SECSuccess) {
-	printf("INFO: Inside validity period of certificate.\n");
-    } else {
-	printf("PROBLEM: Not in validity period of certificate.\n");
-	invalid = 1;
-    }
-
-    /* Signature check if self-signed */
-    if (selfSigned && !invalid) {
-	if (rsapubkey->u.rsa.modulus.len) {
-	    SECStatus ver;
-	    if (verbose) {
-		printf("Checking self signature.\n");
-	    }
-	    ver = OurVerifySignedData(signedData, cert);
-	    if (ver != SECSuccess) {
-		printf("PROBLEM: Verification of self-signature failed!\n");
-	    } else {
-		printf("INFO: Self-signature verifies ok.\n");
-	    }
-	} else {
-	    printf("INFO: Not checking signature due to key problems.\n");
-	}
-    } else if (!selfSigned && !invalid && issuerCert) {
-	SECStatus ver;
-	ver = OurVerifySignedData(signedData, issuerCert);
-	if (ver != SECSuccess) {
-	    printf("PROBLEM: Verification of issuer's signature failed!\n");
-	} else {
-	    printf("INFO: Issuer's signature verifies ok.\n");
-	}
-    } else {
-	printf("INFO: Not checking signature.\n");
-    }
-
-    return 0;    
-}
-
-
-
diff --git a/security/nss/cmd/checkcert/manifest.mn b/security/nss/cmd/checkcert/manifest.mn
deleted file mode 100644
index 91cbf1f4c..000000000
--- a/security/nss/cmd/checkcert/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = checkcert.c
-
-PROGRAM	= checkcert
diff --git a/security/nss/cmd/crlutil/Makefile b/security/nss/cmd/crlutil/Makefile
deleted file mode 100644
index 0f01f4c47..000000000
--- a/security/nss/cmd/crlutil/Makefile
+++ /dev/null
@@ -1,85 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-#
-# crlgen_lex can be generated on linux by flex or solaris by lex
-#
-crlgen_lex:
-	${LEX} -t crlgen_lex_orig.l > crlgen_lex_fix.c
-	sed -f crlgen_lex_fix.sed < crlgen_lex_fix.c > crlgen_lex.c
-	rm -f crlgen_lex_fix.c
-
-include ../platrules.mk
diff --git a/security/nss/cmd/crlutil/crlgen.c b/security/nss/cmd/crlutil/crlgen.c
deleted file mode 100644
index e0d525e3b..000000000
--- a/security/nss/cmd/crlutil/crlgen.c
+++ /dev/null
@@ -1,1630 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** crlgen.c
-**
-** utility for managing certificates revocation lists generation
-**
-*/
-
-
-#include <stdio.h>
-#include <math.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "nss.h"
-#include "secutil.h"
-#include "cert.h"
-#include "certi.h"
-#include "certdb.h"
-#include "pk11func.h"
-#include "crlgen.h"
-
-
-/* these reroutines were taken from secitem.c, which is supposed to
- * replace this file some day */
-/*
- * This is the hash function.  We simply XOR the encoded form with
- * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
- * routine is left as an excercise for the more mathematically
- * inclined student.
- */
-PLHashNumber PR_CALLBACK
-SECITEM_Hash ( const void *key)
-{
-    const SECItem *item = (const SECItem *)key;
-    PLHashNumber rv = 0;
-
-    PRUint8 *data = (PRUint8 *)item->data;
-    PRUint32 i;
-    PRUint8 *rvc = (PRUint8 *)&rv;
-
-    for( i = 0; i < item->len; i++ ) {
-        rvc[ i % sizeof(rv) ] ^= *data;
-        data++;
-    }
-
-    return rv;
-}
-
-/*
- * This is the key-compare function.  It simply does a lexical
- * comparison on the item data.  This does not result in
- * quite the same ordering as the "sequence of numbers" order,
- * but heck it's only used internally by the hash table anyway.
- */
-PRIntn PR_CALLBACK
-SECITEM_HashCompare ( const void *k1, const void *k2)
-{
-    const SECItem *i1 = (const SECItem *)k1;
-    const SECItem *i2 = (const SECItem *)k2;
-
-    return SECITEM_ItemsAreEqual(i1,i2);
-}
-
-/* Destroys extHandle and data. data was create on heap.
- * extHandle creaded by CERT_StartCRLEntryExtensions. entry
- * was allocated on arena.*/
-static void
-destroyEntryData(CRLGENEntryData *data)
-{
-    if (!data)
-        return;
-    PORT_Assert(data->entry);
-    if (data->extHandle)
-        CERT_FinishExtensions(data->extHandle);
-    PORT_Free(data);
-}
-
-
-/* Prints error messages along with line number */
-void 
-crlgen_PrintError(int line, char *msg, ...)
-{
-    va_list args;
-
-    va_start(args, msg);
-
-    fprintf(stderr, "crlgen: (line: %d) ", line);
-    vfprintf(stderr, msg, args);
-
-    va_end(args);
-}
-/* Finds CRLGENEntryData in hashtable according PRUint64 value
- * - certId : cert serial number*/
-static CRLGENEntryData*
-crlgen_FindEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 
-{
-    if (!crlGenData->entryDataHashTable || !certId)
-        return NULL;
-    return (CRLGENEntryData*)
-        PL_HashTableLookup(crlGenData->entryDataHashTable,
-                           certId);
-}
-
-
-/* Removes CRLGENEntryData from hashtable according to certId
- * - certId : cert serial number*/
-static SECStatus
-crlgen_RmEntry(CRLGENGeneratorData *crlGenData, SECItem *certId) 
-{
-    CRLGENEntryData *data = NULL;
-
-    if (!crlGenData->entryDataHashTable)
-        return SECSuccess;
-    data = crlgen_FindEntry(crlGenData, certId);
-    if (!data)
-        return SECSuccess;
-    if (PL_HashTableRemove(crlGenData->entryDataHashTable, certId))
-        return SECSuccess;
-    destroyEntryData(data);
-    return SECFailure;
-}
-
-
-/* Stores CRLGENEntryData in hashtable according to certId
- * - certId : cert serial number*/
-static CRLGENEntryData*
-crlgen_PlaceAnEntry(CRLGENGeneratorData *crlGenData,
-                    CERTCrlEntry *entry, SECItem *certId)
-{
-    CRLGENEntryData *newData = NULL;
-
-    PORT_Assert(crlGenData && crlGenData->entryDataHashTable &&
-                entry);
-    if (!crlGenData || !crlGenData->entryDataHashTable || !entry) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    newData = PORT_ZNew(CRLGENEntryData);
-    if (!newData) {
-        return NULL;
-    }
-    newData->entry = entry;
-    newData->certId = certId;
-    if (!PL_HashTableAdd(crlGenData->entryDataHashTable,
-                         newData->certId, newData)) { 
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "Can not add entryData structure\n");
-        return NULL;
-    }
-    return newData;
-}
-
-/* Use this structure to keep pointer when commiting entries extensions */
-struct commitData {
-    int pos;
-    CERTCrlEntry **entries;
-};
-
-/* HT PL_HashTableEnumerateEntries callback. Sorts hashtable entries of the
- * table he. Returns value through arg parameter*/
-static PRIntn PR_CALLBACK 
-crlgen_CommitEntryData(PLHashEntry *he, PRIntn i, void *arg)
-{
-    CRLGENEntryData *data = NULL;
-
-    PORT_Assert(he);
-    if (!he) {
-        return HT_ENUMERATE_NEXT;
-    }
-    data = (CRLGENEntryData*)he->value;
-
-    PORT_Assert(data);
-    PORT_Assert(arg);
-
-    if (data) {
-        struct commitData *dt = (struct commitData*)arg;
-        dt->entries[dt->pos++] = data->entry;
-        destroyEntryData(data);
-    }
-    return HT_ENUMERATE_NEXT;
-}
-
-
-
-/* Copy char * datainto allocated in arena SECItem */
-static SECStatus 
-crlgen_SetString(PRArenaPool *arena, const char *dataIn, SECItem *value)
-{
-    SECItem item;
-
-    PORT_Assert(arena && dataIn);
-    if (!arena || !dataIn) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    item.data = (void*)dataIn;
-    item.len = PORT_Strlen(dataIn);
-
-    return SECITEM_CopyItem(arena, value, &item);
-}
-
-/* Creates CERTGeneralName from parsed data for the Authority Key Extension */
-static CERTGeneralName *
-crlgen_GetGeneralName (PRArenaPool *arena, CRLGENGeneratorData *crlGenData,
-                       const char *data)
-{
-    CERTGeneralName *namesList = NULL;
-    CERTGeneralName *current;
-    CERTGeneralName *tail = NULL;
-    SECStatus rv = SECSuccess;
-    const char *nextChunk = NULL;
-    const char *currData = NULL;
-    int intValue;
-    char buffer[512];
-    void *mark;
-
-    if (!data)
-        return NULL;
-    PORT_Assert (arena);
-    if (!arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    mark = PORT_ArenaMark (arena);
-
-    nextChunk = data;
-    currData = data;
-    do {
-        int nameLen = 0;
-        char name[128];
-        const char *sepPrt = NULL;
-        nextChunk = PORT_Strchr(currData, '|');
-        if (!nextChunk)
-            nextChunk = data + strlen(data);
-        sepPrt = PORT_Strchr(currData, ':');
-        if (sepPrt == NULL || sepPrt >= nextChunk) {
-            *buffer = '\0';
-            sepPrt = nextChunk;
-        } else {
-            PORT_Memcpy(buffer, sepPrt + 1,
-                        (nextChunk - sepPrt - 1));
-            buffer[nextChunk - sepPrt - 1] = '\0';
-        }
-        nameLen = PR_MIN(sepPrt - currData, sizeof(name) - 1 );
-        PORT_Memcpy(name, currData, nameLen);
-        name[nameLen] = '\0';
-        currData = nextChunk + 1;
-
-        if (!PORT_Strcmp(name, "otherName"))
-            intValue = certOtherName;
-        else if (!PORT_Strcmp(name, "rfc822Name"))
-            intValue = certRFC822Name;
-        else if (!PORT_Strcmp(name, "dnsName"))
-            intValue = certDNSName;
-        else if (!PORT_Strcmp(name, "x400Address"))
-            intValue = certX400Address;
-        else if (!PORT_Strcmp(name, "directoryName"))
-            intValue = certDirectoryName;
-        else if (!PORT_Strcmp(name, "ediPartyName"))
-            intValue = certEDIPartyName;
-        else if (!PORT_Strcmp(name, "URI"))
-            intValue = certURI;
-        else if (!PORT_Strcmp(name, "ipAddress"))
-            intValue = certIPAddress;
-        else if (!PORT_Strcmp(name, "registerID"))
-            intValue = certRegisterID;
-        else intValue = -1;
-
-        if (intValue >= certOtherName && intValue <= certRegisterID) {
-            if (namesList == NULL) {
-                namesList = current = tail = PORT_ArenaZNew(arena,
-                                                            CERTGeneralName);
-            } else {
-                current = PORT_ArenaZNew(arena, CERTGeneralName);
-            }
-            if (current == NULL) {
-                rv = SECFailure;
-                break;
-            }
-        } else {
-            PORT_SetError(SEC_ERROR_INVALID_ARGS);
-            break;
-        }
-        current->type = intValue;
-        switch (current->type) {
-          case certURI:
-          case certDNSName:
-          case certRFC822Name:
-              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer));
-              if (current->name.other.data == NULL) {
-                  rv = SECFailure;
-                  break;
-              }
-              PORT_Memcpy(current->name.other.data, buffer,
-                          current->name.other.len = strlen(buffer));
-              break;
-
-          case certEDIPartyName:
-          case certIPAddress:
-          case certOtherName:
-          case certRegisterID:
-          case certX400Address: {
-
-              current->name.other.data = PORT_ArenaAlloc (arena, strlen (buffer) + 2);
-              if (current->name.other.data == NULL) {
-                  rv = SECFailure;
-                  break;
-              }
-
-              PORT_Memcpy (current->name.other.data + 2, buffer, strlen (buffer));
-/* This may not be accurate for all cases.For now, use this tag type */
-              current->name.other.data[0] = (char)(((current->type - 1) & 0x1f)| 0x80);
-              current->name.other.data[1] = (char)strlen (buffer);
-              current->name.other.len = strlen (buffer) + 2;
-              break;
-          }
-
-          case certDirectoryName: {
-              CERTName *directoryName = NULL;
-
-              directoryName = CERT_AsciiToName (buffer);
-              if (!directoryName) {
-                  rv = SECFailure;
-                  break;
-              }
-
-              rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);
-              CERT_DestroyName (directoryName);
-
-              break;
-          }
-        }
-        if (rv != SECSuccess)
-            break;
-        current->l.next = &(namesList->l);
-        current->l.prev = &(tail->l);
-        tail->l.next = &(current->l);
-        tail = current;
-
-    } while(nextChunk != data + strlen(data));
-
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease (arena, mark);
-        namesList = NULL;
-    }
-    return (namesList);
-}
-
-/* Creates CERTGeneralName from parsed data for the Authority Key Extension */
-static CERTGeneralName *
-crlgen_DistinguishedName (PRArenaPool *arena, CRLGENGeneratorData *crlGenData,
-                          const char *data)
-{
-    CERTName *directoryName = NULL;
-    CERTGeneralName *current;
-    SECStatus rv = SECFailure;
-    void *mark;
-
-    if (!data)
-        return NULL;
-    PORT_Assert (arena);
-    if (!arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    mark = PORT_ArenaMark (arena);
-
-    current = PORT_ArenaZNew(arena, CERTGeneralName);
-    if (current == NULL) {
-        goto loser;
-    }
-    current->type = certDirectoryName;
-    current->l.next = &current->l;
-    current->l.prev = &current->l;
-    
-    directoryName = CERT_AsciiToName ((char*)data);
-    if (!directoryName) {
-        goto loser;
-    }
-    
-    rv = CERT_CopyName (arena, &current->name.directoryName, directoryName);
-    CERT_DestroyName (directoryName);
-
-  loser:
-    if (rv != SECSuccess) {
-        PORT_SetError (rv);
-        PORT_ArenaRelease (arena, mark);
-        current = NULL;
-    }
-    return (current);
-}
-
-
-/* Adding Authority Key ID extension to extension handle. */
-static SECStatus 
-crlgen_AddAuthKeyID (CRLGENGeneratorData *crlGenData,
-                     const char **dataArr)
-{
-    void *extHandle = NULL;
-    CERTAuthKeyID *authKeyID = NULL;
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECSuccess;
-
-    PORT_Assert(dataArr && crlGenData);
-    if (!crlGenData || !dataArr) {
-        return SECFailure;
-    }
-
-    extHandle = crlGenData->crlExtHandle;
-
-    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of parameters.\n");
-        return SECFailure;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-        return SECFailure;
-    }
-
-    authKeyID = PORT_ArenaZNew(arena, CERTAuthKeyID);
-    if (authKeyID == NULL) {
-        rv = SECFailure;
-        goto loser;
-    }
-
-    if (dataArr[3] == NULL) {
-        rv = crlgen_SetString (arena, dataArr[2], &authKeyID->keyID);
-        if (rv != SECSuccess)
-            goto loser;
-    } else {
-        rv = crlgen_SetString (arena, dataArr[3],
-                               &authKeyID->authCertSerialNumber);
-        if (rv != SECSuccess)
-            goto loser;
-
-        authKeyID->authCertIssuer = 
-            crlgen_DistinguishedName (arena, crlGenData, dataArr[2]);
-        if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError ()){
-            crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");
-            rv = SECFailure;
-            goto loser;
-        }
-    }
-
-    rv =
-        SECU_EncodeAndAddExtensionValue(arena, extHandle, authKeyID,
-                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
-                                        SEC_OID_X509_AUTH_KEY_ID, 
-                                        (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeAuthKeyID);
-  loser:
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return rv;
-} 
-
-/* Creates and add Subject Alternative Names extension */
-static SECStatus 
-crlgen_AddIssuerAltNames(CRLGENGeneratorData *crlGenData,
-                          const char **dataArr)
-{
-    CERTGeneralName *nameList = NULL;
-    PRArenaPool *arena = NULL;
-    void *extHandle = NULL;
-    SECStatus rv = SECSuccess;
-
-
-    PORT_Assert(dataArr && crlGenData);
-    if (!crlGenData || !dataArr) {
-        return SECFailure;
-    }
-
-    if (!dataArr || !dataArr[0] || !dataArr[1] || !dataArr[2]) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-
-    PORT_Assert(dataArr && crlGenData);
-    if (!crlGenData || !dataArr) {
-        return SECFailure;
-    }
-
-    extHandle = crlGenData->crlExtHandle;
-
-    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of parameters.\n");
-        return SECFailure;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-        return SECFailure;
-    }
-
-    nameList = crlgen_GetGeneralName(arena, crlGenData, dataArr[2]);
-    if (nameList == NULL) {
-        crlgen_PrintError(crlGenData->parsedLineNum, "syntax error.\n");
-        rv = SECFailure;
-        goto loser;
-    }
-
-    rv =
-        SECU_EncodeAndAddExtensionValue(arena, extHandle, nameList,
-                                        (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
-                                        SEC_OID_X509_ISSUER_ALT_NAME, 
-                                        (EXTEN_EXT_VALUE_ENCODER)CERT_EncodeAltNameExtension);
-  loser:
-    if (arena)
-        PORT_FreeArena (arena, PR_FALSE);
-    return rv;
-}
-
-/* Creates and adds CRLNumber extension to extension handle.
- * Since, this is CRL extension, extension handle is the one 
- * related to CRL extensions */
-static SECStatus
-crlgen_AddCrlNumber(CRLGENGeneratorData *crlGenData, const char **dataArr)
-{
-    PRArenaPool *arena = NULL;
-    SECItem encodedItem;
-    void *extHandle = crlGenData->crlExtHandle;
-    void *dummy;
-    SECStatus rv = SECFailure;
-    int code = 0;
-
-    PORT_Assert(dataArr && crlGenData);
-    if (!crlGenData || !dataArr) {
-        goto loser;
-    }
-
-    if (!dataArr[0] || !dataArr[1] || !dataArr[2]) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        goto loser;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-        goto loser;
-    }
-
-    code = atoi(dataArr[2]);
-    if (code == 0 && *dataArr[2] != '0') {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        goto loser;
-    }
-
-    dummy = SEC_ASN1EncodeInteger(arena, &encodedItem, code);
-    if (!dummy) {
-        rv = SECFailure;
-        goto loser;
-    }
-
-    rv = CERT_AddExtension (extHandle, SEC_OID_X509_CRL_NUMBER, &encodedItem, 
-                            (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
-                            PR_TRUE);
-
-  loser:
-    if (arena)
-        PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-
-}
-
-
-/* Creates Cert Revocation Reason code extension. Encodes it and
- * returns as SECItem structure */
-static SECItem*
-crlgen_CreateReasonCode(PRArenaPool *arena, const char **dataArr,
-                        int *extCode)
-{
-    SECItem *encodedItem;
-    void *dummy;
-    void *mark;
-    int code = 0;
-
-    PORT_Assert(arena && dataArr);
-    if (!arena || !dataArr) {
-        goto loser;
-    } 
-
-    mark = PORT_ArenaMark(arena);
-
-    encodedItem = PORT_ArenaZNew (arena, SECItem);
-    if (encodedItem == NULL) {
-        goto loser;
-    }
-
-    if (dataArr[2] == NULL) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        goto loser;
-    }
-
-    code = atoi(dataArr[2]);
-    /* aACompromise(10) is the last possible of the values 
-     * for the Reason Core Extension */
-    if ((code == 0 && *dataArr[2] != '0') || code > 10) {
-        
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        goto loser;
-    }
-
-    dummy = SEC_ASN1EncodeInteger(arena, encodedItem, code);
-    if (!dummy) {
-        goto loser;
-    }
-
-    *extCode = SEC_OID_X509_REASON_CODE;
-    return encodedItem;
-
-  loser:
-    PORT_ArenaRelease (arena, mark);
-    return NULL;
-}
-
-/* Creates Cert Invalidity Date extension. Encodes it and
- * returns as SECItem structure */
-static SECItem*
-crlgen_CreateInvalidityDate(PRArenaPool *arena, const char **dataArr,
-                       int *extCode)
-{
-    SECItem *encodedItem;
-    int length = 0;
-    void *mark;
-
-    PORT_Assert(arena && dataArr);
-    if (!arena || !dataArr) {
-        goto loser;
-    } 
-
-    mark = PORT_ArenaMark(arena);
-
-    encodedItem = PORT_ArenaZNew(arena, SECItem);
-    if (encodedItem == NULL) {
-        goto loser;
-    }
-
-    length = PORT_Strlen(dataArr[2]);
-
-    encodedItem->type = siGeneralizedTime;
-    encodedItem->data = PORT_ArenaAlloc(arena, length);
-    if (!encodedItem->data) {
-        goto loser;
-    }
-
-    PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) *
-                sizeof(char));
-
-    *extCode = SEC_OID_X509_INVALID_DATE;
-    return encodedItem;
-    
-  loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-/* Creates(by calling extCreator function) and adds extension to a set
- * of already added certs. Uses values of rangeFrom and rangeTo from
- * CRLGENCrlGenCtl structure for identifying the inclusive set of certs */
-static SECStatus
-crlgen_AddEntryExtension(CRLGENGeneratorData *crlGenData,
-                         const char **dataArr, char *extName,
-                         SECItem* (*extCreator)(PRArenaPool *arena,
-                                                const char **dataArr,
-                                                int *extCode))
-{
-    PRUint64 i = 0;
-    SECStatus rv = SECFailure;
-    int extCode = 0;
-    PRUint64 lastRange ;
-    SECItem *ext = NULL;
-    PRArenaPool *arena = NULL;
-
-
-    PORT_Assert(crlGenData &&  dataArr);
-    if (!crlGenData || !dataArr) {
-        goto loser;
-    } 
-    
-    if (!dataArr[0] || !dataArr[1]) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum, 
-                          "insufficient number of arguments.\n");
-    }
-
-    lastRange = crlGenData->rangeTo - crlGenData->rangeFrom + 1;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-        goto loser;
-    }
-
-    ext = extCreator(arena, dataArr, &extCode);
-    if (ext == NULL) {
-        crlgen_PrintError(crlGenData->parsedLineNum, 
-                          "got error while creating extension: %s\n",
-                          extName);
-        goto loser;
-    }
-
-    for (i = 0;i < lastRange;i++) {
-        CRLGENEntryData * extData = NULL;
-        void *extHandle = NULL;
-        SECItem * certIdItem =
-            SEC_ASN1EncodeInteger(arena, NULL,
-                                  crlGenData->rangeFrom + i);
-        if (!certIdItem) {
-            rv = SECFailure;
-            goto loser;
-        }
-
-        extData = crlgen_FindEntry(crlGenData, certIdItem);
-        if (!extData) {
-            crlgen_PrintError(crlGenData->parsedLineNum,
-                              "can not add extension: crl entry "
-                              "(serial number: %d) is not in the list yet.\n",
-                              crlGenData->rangeFrom + i);
-            continue;
-        }
-
-        extHandle = extData->extHandle;
-        if (extHandle == NULL) {
-            extHandle = extData->extHandle =
-                CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,
-                                             (CERTCrlEntry*)extData->entry);
-        }
-        rv = CERT_AddExtension (extHandle, extCode, ext, 
-                               (*dataArr[1] == '1') ? PR_TRUE : PR_FALSE,
-                               PR_TRUE);
-        if (rv == SECFailure) {
-            goto loser;
-        }
-    }
-
-  loser:
-    if (arena)
-        PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-
-/* Commits all added entries and their's extensions into CRL. */
-SECStatus
-CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData)
-{
-    int size = 0;
-    CERTCrl *crl;
-    PRArenaPool *arena;
-    SECStatus rv = SECSuccess;
-    void *mark;
-
-    PORT_Assert(crlGenData && crlGenData->signCrl && crlGenData->signCrl->arena);
-    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    arena = crlGenData->signCrl->arena;
-    crl = &crlGenData->signCrl->crl;
-
-    mark = PORT_ArenaMark(arena);
-
-    if (crlGenData->crlExtHandle)
-        CERT_FinishExtensions(crlGenData->crlExtHandle);
-
-    size = crlGenData->entryDataHashTable->nentries;
-    crl->entries = NULL;
-    if (size) {
-        crl->entries = PORT_ArenaZNewArray(arena, CERTCrlEntry*, size + 1);
-        if (!crl->entries) {
-            rv = SECFailure;
-        } else {
-            struct commitData dt;
-            dt.entries = crl->entries;
-            dt.pos = 0;
-            PL_HashTableEnumerateEntries(crlGenData->entryDataHashTable,
-                                         &crlgen_CommitEntryData, &dt);
-            /* Last should be NULL */
-            crl->entries[size] = NULL;
-        }
-    }
-
-    if (rv != SECSuccess)
-        PORT_ArenaRelease(arena, mark);
-    return rv;
-}
-
-/* Initializes extHandle with data from extensions array */
-static SECStatus
-crlgen_InitExtensionHandle(void *extHandle,
-                           CERTCertExtension **extensions)
-{
-    CERTCertExtension *extension = NULL;
-
-    if (!extensions)
-        return SECSuccess;
-
-    PORT_Assert(extHandle != NULL);
-    if (!extHandle) {
-        return SECFailure;
-    }
-
-    extension = *extensions;
-    while (extension) {
-        SECOidTag oidTag = SECOID_FindOIDTag (&extension->id);
-/* shell we skip unknown extensions? */
-        CERT_AddExtension (extHandle, oidTag, &extension->value, 
-                           (extension->critical.len != 0) ? PR_TRUE : PR_FALSE,
-                           PR_FALSE);
-        extension = *(++extensions);
-    }
-    return SECSuccess;
-}
-
-/* Used for initialization of extension handles for crl and certs
- * extensions from existing CRL data then modifying existing CRL.*/
-SECStatus
-CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData)
-{
-    CERTCrl *crl = NULL;
-    PRUint64 maxSN = 0;
-
-    PORT_Assert(crlGenData && crlGenData->signCrl &&
-                crlGenData->entryDataHashTable);
-    if (!crlGenData || !crlGenData->signCrl ||
-        !crlGenData->entryDataHashTable) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    crl = &crlGenData->signCrl->crl;
-    crlGenData->crlExtHandle = CERT_StartCRLExtensions(crl);
-    crlgen_InitExtensionHandle(crlGenData->crlExtHandle,
-                               crl->extensions);
-    crl->extensions = NULL;
-
-    if (crl->entries) {
-        CERTCrlEntry **entry = crl->entries;
-        while (*entry) {
-            PRUint64 sn = DER_GetInteger(&(*entry)->serialNumber);
-            CRLGENEntryData *extData =
-                crlgen_PlaceAnEntry(crlGenData, *entry, &(*entry)->serialNumber);
-            if ((*entry)->extensions) {
-                extData->extHandle = 
-                    CERT_StartCRLEntryExtensions(&crlGenData->signCrl->crl,
-                                                 (CERTCrlEntry*)extData->entry);
-                if (crlgen_InitExtensionHandle(extData->extHandle,
-                                               (*entry)->extensions) == SECFailure)
-                    return SECFailure;
-            }
-            (*entry)->extensions = NULL;
-            entry++;
-            maxSN = PR_MAX(maxSN, sn);
-        }
-    }
-
-    crlGenData->rangeFrom = crlGenData->rangeTo = maxSN + 1;
-    return SECSuccess;
-}
-
-/*****************************************************************************
- * Parser trigger functions start here
- */
-
-/* Sets new internal range value for add/rm certs.*/
-static SECStatus
-crlgen_SetNewRangeField(CRLGENGeneratorData *crlGenData, char *value)
-{
-    long rangeFrom = 0, rangeTo = 0;
-    char *dashPos = NULL;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (value == NULL) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-
-    if ((dashPos = strchr(value, '-')) != NULL) {
-        char *rangeToS, *rangeFromS = value;
-        *dashPos = '\0';
-        rangeFrom = atoi(rangeFromS);
-        *dashPos = '-';
-
-        rangeToS = (char*)(dashPos + 1);
-        rangeTo = atol(rangeToS);
-    } else {
-        rangeFrom = atol(value);
-        rangeTo = rangeFrom;
-    }
-
-    if (rangeFrom < 1 || rangeTo<rangeFrom) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "bad cert id range: %s.\n", value);
-        return SECFailure;
-    }
-
-    crlGenData->rangeFrom = rangeFrom;
-    crlGenData->rangeTo = rangeTo;
-
-    return SECSuccess;
-}
-
-/* Changes issuer subject field in CRL. By default this data is taken from
- * issuer cert subject field.Not yet implemented */
-static SECStatus
-crlgen_SetIssuerField(CRLGENGeneratorData *crlGenData, char *value)
-{
-    crlgen_PrintError(crlGenData->parsedLineNum, 
-                      "Can not change CRL issuer field.\n");
-    return SECFailure;
-}
-
-/* Encode and sets CRL thisUpdate and nextUpdate time fields*/
-static SECStatus
-crlgen_SetTimeField(CRLGENGeneratorData *crlGenData, char *value,
-                    PRBool setThisUpdate)
-{
-    CERTSignedCrl *signCrl;
-    PRArenaPool *arena;
-    CERTCrl *crl;
-    int length = 0;
-    SECItem *timeDest = NULL;
-
-    PORT_Assert(crlGenData && crlGenData->signCrl &&
-                crlGenData->signCrl->arena);
-    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    signCrl = crlGenData->signCrl;
-    arena = signCrl->arena;
-    crl = &signCrl->crl;
-
-    if (value == NULL) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-    length = PORT_Strlen(value);
-    
-    if (setThisUpdate == PR_TRUE) {
-        timeDest = &crl->lastUpdate;
-    } else {
-        timeDest = &crl->nextUpdate;
-    }
-
-    timeDest->type = siGeneralizedTime;
-    timeDest->data = PORT_ArenaAlloc(arena, length);
-    if (!timeDest->data) {
-        return SECFailure;
-    }
-    PORT_Memcpy(timeDest->data, value, length);
-    timeDest->len = length;
-
-    return SECSuccess;
-}
-
-
-/* Adds new extension into CRL or added cert handles */
-static SECStatus
-crlgen_AddExtension(CRLGENGeneratorData *crlGenData, const char **extData)
-{
-    PORT_Assert(crlGenData && crlGenData->crlExtHandle);
-    if (!crlGenData || !crlGenData->crlExtHandle) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (extData == NULL || *extData == NULL) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum, 
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-    if (!PORT_Strcmp(*extData, "authKeyId"))
-        return crlgen_AddAuthKeyID(crlGenData, extData);
-    else if (!PORT_Strcmp(*extData, "issuerAltNames"))
-        return crlgen_AddIssuerAltNames(crlGenData, extData);
-    else if (!PORT_Strcmp(*extData, "crlNumber"))
-        return crlgen_AddCrlNumber(crlGenData, extData);
-    else if (!PORT_Strcmp(*extData, "reasonCode"))
-        return crlgen_AddEntryExtension(crlGenData, extData, "reasonCode",
-                                        crlgen_CreateReasonCode);
-    else if (!PORT_Strcmp(*extData, "invalidityDate"))
-        return crlgen_AddEntryExtension(crlGenData, extData, "invalidityDate",
-                                        crlgen_CreateInvalidityDate);
-    else {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-}
-
-
-
-/* Created CRLGENEntryData for cert with serial number certId and
- * adds it to entryDataHashTable. certId can be a single cert serial
- * number or an inclusive rage of certs */
-static SECStatus
-crlgen_AddCert(CRLGENGeneratorData *crlGenData,
-        char *certId, char *revocationDate)
-{
-    CERTSignedCrl *signCrl;
-    SECItem *certIdItem;
-    PRArenaPool *arena;
-    PRUint64 rangeFrom = 0, rangeTo = 0, i = 0;
-    int timeValLength = -1;
-    SECStatus rv = SECFailure;
-    void *mark;
-
-
-    PORT_Assert(crlGenData && crlGenData->signCrl &&
-                crlGenData->signCrl->arena);
-    if (!crlGenData || !crlGenData->signCrl || !crlGenData->signCrl->arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    signCrl = crlGenData->signCrl;
-    arena = signCrl->arena;
-
-    if (!certId || !revocationDate) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum,
-                          "insufficient number of arguments.\n");
-        return SECFailure;
-    }
-
-    timeValLength = strlen(revocationDate);
-
-    if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
-        certId) {
-        return SECFailure;
-    }
-    rangeFrom = crlGenData->rangeFrom;
-    rangeTo = crlGenData->rangeTo;
-
-    for (i = 0;i < rangeTo - rangeFrom + 1;i++) {
-        CERTCrlEntry *entry;
-        mark = PORT_ArenaMark(arena);
-        entry = PORT_ArenaZNew(arena, CERTCrlEntry);
-        if (entry == NULL) {
-            goto loser;
-        }
-
-        certIdItem = SEC_ASN1EncodeInteger(arena, &entry->serialNumber,
-                                           rangeFrom + i);
-        if (!certIdItem) {
-            goto loser;
-        }
-
-        if (crlgen_FindEntry(crlGenData, certIdItem)) {
-            crlgen_PrintError(crlGenData->parsedLineNum,
-                              "entry already exists. Use \"range\" "
-                              "and \"rmcert\" before adding a new one with the "
-                              "same serial number %ld\n", rangeFrom + i);
-            goto loser;
-        }
-
-        entry->serialNumber.type = siBuffer;
-
-        entry->revocationDate.type = siGeneralizedTime;
-
-        entry->revocationDate.data =
-            PORT_ArenaAlloc(arena, timeValLength);
-        if (entry->revocationDate.data == NULL) {
-            goto loser;
-        }
-
-        PORT_Memcpy(entry->revocationDate.data, revocationDate,
-                    timeValLength * sizeof(char));
-        entry->revocationDate.len = timeValLength;
-
-
-        entry->extensions = NULL;
-        if (!crlgen_PlaceAnEntry(crlGenData, entry, certIdItem)) {
-            goto loser;
-        }
-        mark = NULL;
-    }
-
-    rv = SECSuccess;
-  loser:
-    if (mark) {
-        PORT_ArenaRelease(arena, mark);
-    }
-    return rv;
-}
-
-
-/* Removes certs from entryDataHashTable which have certId serial number.
- * certId can have value of a range of certs */
-static SECStatus
-crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
-{
-    PRUint64 i = 0;
-    PRArenaPool *arena;
-
-    PORT_Assert(crlGenData && certId);
-    if (!crlGenData || !certId) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    arena = crlGenData->signCrl->arena;
-
-    if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
-        certId) {
-        return SECFailure;
-    }
-
-    for (i = 0;i < crlGenData->rangeTo - crlGenData->rangeFrom + 1;i++) {
-        SECItem* certIdItem = SEC_ASN1EncodeInteger(NULL, NULL,
-                                                    crlGenData->rangeFrom + i);
-        if (certIdItem) {
-            CRLGENEntryData *extData =
-                crlgen_FindEntry(crlGenData, certIdItem);
-            if (!extData) {
-                printf("Cert with id %s is not in the list\n", certId);
-            } else {
-                crlgen_RmEntry(crlGenData, certIdItem);
-            }
-            SECITEM_FreeItem(certIdItem, PR_TRUE);
-        }
-    }
-
-    return SECSuccess;
-}
-
-/*************************************************************************
- * Lex Parser Helper functions are used to store parsed information
- * in context related structures. Context(or state) is identified base on 
- * a type of a instruction parser currently is going through. New context
- * is identified by first token in a line. It can be addcert context,
- * addext context, etc. */
-
-/* Updates CRL field depending on current context */ 
-static SECStatus
-crlgen_updateCrlFn_field(CRLGENGeneratorData *crlGenData, void *str)
-{
-    CRLGENCrlField *fieldStr = (CRLGENCrlField*)str;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(crlGenData->contextId) {
-      case CRLGEN_ISSUER_CONTEXT:
-          crlgen_SetIssuerField(crlGenData, fieldStr->value);
-          break;
-      case CRLGEN_UPDATE_CONTEXT:
-          return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_TRUE);
-          break;
-      case CRLGEN_NEXT_UPDATE_CONTEXT:
-          return crlgen_SetTimeField(crlGenData, fieldStr->value, PR_FALSE);
-          break;
-      case CRLGEN_CHANGE_RANGE_CONTEXT:
-          return crlgen_SetNewRangeField(crlGenData, fieldStr->value);
-          break;
-      default:
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "syntax error (unknow token type: %d)\n",
-                            crlGenData->contextId);
-          PORT_SetError(SEC_ERROR_INVALID_ARGS);
-          return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Sets parsed data for CRL field update into temporary structure */ 
-static SECStatus
-crlgen_setNextDataFn_field(CRLGENGeneratorData *crlGenData, void *str,
-                    void *data, unsigned short dtype)
-{
-    CRLGENCrlField *fieldStr = (CRLGENCrlField*)str;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch (crlGenData->contextId) {
-      case CRLGEN_CHANGE_RANGE_CONTEXT:
-          if (dtype != CRLGEN_TYPE_DIGIT || dtype != CRLGEN_TYPE_DIGIT_RANGE) {
-              crlgen_PrintError(crlGenData->parsedLineNum,
-                                "range value should have "
-                                "numeric or numeric range values.\n");
-              return SECFailure;
-          }
-          break;
-      case CRLGEN_NEXT_UPDATE_CONTEXT:
-      case CRLGEN_UPDATE_CONTEXT:
-          if (dtype != CRLGEN_TYPE_ZDATE){
-              crlgen_PrintError(crlGenData->parsedLineNum,
-                                "bad formated date. Should be "
-                                "YYYYMMDDHHMMSSZ.\n");
-              return SECFailure;
-          }
-          break;
-      default:
-          PORT_SetError(SEC_ERROR_INVALID_ARGS);
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "syntax error (unknow token type: %d).\n",
-                            crlGenData->contextId, data);
-          return SECFailure;
-    }
-    fieldStr->value = PORT_Strdup(data);
-    if (!fieldStr->value) {
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Triggers cert entries update depending on current context */ 
-static SECStatus
-crlgen_updateCrlFn_cert(CRLGENGeneratorData *crlGenData, void *str)
-{
-    CRLGENCertEntry *certStr = (CRLGENCertEntry*)str;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(crlGenData->contextId) {
-      case CRLGEN_ADD_CERT_CONTEXT:
-          return crlgen_AddCert(crlGenData, certStr->certId,
-                         certStr->revocationTime);
-      case CRLGEN_RM_CERT_CONTEXT:
-          return crlgen_RmCert(crlGenData, certStr->certId);
-      default:
-          PORT_SetError(SEC_ERROR_INVALID_ARGS);
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "syntax error (unknow token type: %d).\n",
-                            crlGenData->contextId);
-          return SECFailure;
-    }
-}
-
-
-/* Sets parsed data for CRL entries update into temporary structure */ 
-static SECStatus
-crlgen_setNextDataFn_cert(CRLGENGeneratorData *crlGenData, void *str,
-                   void *data, unsigned short dtype)
-{
-    CRLGENCertEntry *certStr = (CRLGENCertEntry*)str;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(dtype) {
-      case CRLGEN_TYPE_DIGIT:
-      case CRLGEN_TYPE_DIGIT_RANGE:
-          certStr->certId = PORT_Strdup(data);
-          if (!certStr->certId) {
-              return SECFailure;
-          }
-          break;
-      case CRLGEN_TYPE_DATE:
-      case CRLGEN_TYPE_ZDATE:
-          certStr->revocationTime = PORT_Strdup(data);
-          if (!certStr->revocationTime) {
-              return SECFailure;
-          }
-          break;
-      default:
-          PORT_SetError(SEC_ERROR_INVALID_ARGS);
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "syntax error (unknow token type: %d).\n",
-                            crlGenData->contextId);
-          return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Triggers cert entries/crl extension update */ 
-static SECStatus
-crlgen_updateCrlFn_extension(CRLGENGeneratorData *crlGenData, void *str)
-{
-    CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry*)str;
-
-    return crlgen_AddExtension(crlGenData, (const char**)extStr->extData);
-}
-
-/* Defines maximum number of fields extension may have */
-#define MAX_EXT_DATA_LENGTH 10
-
-/* Sets parsed extension data for CRL entries/CRL extensions update
- * into temporary structure */ 
-static SECStatus
-crlgen_setNextDataFn_extension(CRLGENGeneratorData *crlGenData, void *str,
-                        void *data, unsigned short dtype)
-{
-    CRLGENExtensionEntry *extStr = (CRLGENExtensionEntry*)str;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (extStr->extData == NULL) {
-        extStr->extData = PORT_ZNewArray(char *, MAX_EXT_DATA_LENGTH);
-        if (!extStr->extData) {
-            return SECFailure;
-        }
-    }
-    if (extStr->nextUpdatedData >= MAX_EXT_DATA_LENGTH) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        crlgen_PrintError(crlGenData->parsedLineNum, 
-                          "number of fields in extension "
-                          "exceeded maximum allowed data length: %d.\n",
-                          MAX_EXT_DATA_LENGTH);
-        return SECFailure;
-    }
-    extStr->extData[extStr->nextUpdatedData] = PORT_Strdup(data);
-    if (!extStr->extData[extStr->nextUpdatedData]) {
-        return SECFailure;
-    }
-    extStr->nextUpdatedData += 1;
-
-    return SECSuccess;
-}
-
-
-/****************************************************************************************
- * Top level functions are triggered directly by parser.
- */
-
-/*
- * crl generation script parser recreates a temporary data staructure
- * for each line it is going through. This function cleans temp structure.
- */
-void
-crlgen_destroyTempData(CRLGENGeneratorData *crlGenData)
-{
-    if (crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) {
-        switch(crlGenData->contextId) {
-          case CRLGEN_ISSUER_CONTEXT:
-          case CRLGEN_UPDATE_CONTEXT:
-          case CRLGEN_NEXT_UPDATE_CONTEXT:
-          case CRLGEN_CHANGE_RANGE_CONTEXT:
-              if (crlGenData->crlField->value)
-                  PORT_Free(crlGenData->crlField->value);
-              PORT_Free(crlGenData->crlField);
-              break;
-          case CRLGEN_ADD_CERT_CONTEXT:
-          case CRLGEN_RM_CERT_CONTEXT:
-              if (crlGenData->certEntry->certId)
-                  PORT_Free(crlGenData->certEntry->certId);
-              if (crlGenData->certEntry->revocationTime)
-                  PORT_Free(crlGenData->certEntry->revocationTime);
-              PORT_Free(crlGenData->certEntry);
-              break;
-          case CRLGEN_ADD_EXTENSION_CONTEXT:
-              if (crlGenData->extensionEntry->extData) {
-                  int i = 0;
-                  for (;i < crlGenData->extensionEntry->nextUpdatedData;i++)
-                      PORT_Free(*(crlGenData->extensionEntry->extData + i));
-                  PORT_Free(crlGenData->extensionEntry->extData);
-              }
-              PORT_Free(crlGenData->extensionEntry);
-              break;
-        }
-        crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT;
-    }
-}
-
-SECStatus
-crlgen_updateCrl(CRLGENGeneratorData *crlGenData)
-{
-    SECStatus rv = SECSuccess;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(crlGenData->contextId) {
-      case CRLGEN_ISSUER_CONTEXT:
-      case CRLGEN_UPDATE_CONTEXT:
-      case CRLGEN_NEXT_UPDATE_CONTEXT:
-      case CRLGEN_CHANGE_RANGE_CONTEXT:
-          rv = crlGenData->crlField->updateCrlFn(crlGenData, crlGenData->crlField);
-          break;
-      case CRLGEN_RM_CERT_CONTEXT:
-      case CRLGEN_ADD_CERT_CONTEXT:
-          rv = crlGenData->certEntry->updateCrlFn(crlGenData, crlGenData->certEntry);
-          break;
-      case CRLGEN_ADD_EXTENSION_CONTEXT:
-          rv = crlGenData->extensionEntry->
-              updateCrlFn(crlGenData, crlGenData->extensionEntry);
-          break;
-      case CRLGEN_UNKNOWN_CONTEXT:
-          break;
-      default:
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "unknown lang context type code: %d.\n",
-                            crlGenData->contextId);
-          PORT_Assert(0);
-          return SECFailure;
-    }
-    /* Clrean structures after crl update */
-    crlgen_destroyTempData(crlGenData);
-
-    crlGenData->parsedLineNum += 1;
-
-    return rv;
-}
-
-SECStatus
-crlgen_setNextData(CRLGENGeneratorData *crlGenData, void *data,
-                   unsigned short dtype)
-{
-    SECStatus rv = SECSuccess;
-
-    PORT_Assert(crlGenData);
-    if (!crlGenData) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(crlGenData->contextId) {
-      case CRLGEN_ISSUER_CONTEXT:
-      case CRLGEN_UPDATE_CONTEXT:
-      case CRLGEN_NEXT_UPDATE_CONTEXT:
-      case CRLGEN_CHANGE_RANGE_CONTEXT:
-          rv = crlGenData->crlField->setNextDataFn(crlGenData, crlGenData->crlField,
-                                                   data, dtype);
-          break;
-      case CRLGEN_ADD_CERT_CONTEXT:
-      case CRLGEN_RM_CERT_CONTEXT:
-          rv = crlGenData->certEntry->setNextDataFn(crlGenData, crlGenData->certEntry,
-                                                    data, dtype);
-          break;
-      case CRLGEN_ADD_EXTENSION_CONTEXT:
-          rv =
-              crlGenData->extensionEntry->
-              setNextDataFn(crlGenData, crlGenData->extensionEntry, data, dtype);
-          break;
-      case CRLGEN_UNKNOWN_CONTEXT:
-          break;
-      default:
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "unknown context type: %d.\n",
-                            crlGenData->contextId);
-          PORT_Assert(0);
-          return SECFailure;
-    }
-    return rv;
-}
-
-SECStatus
-crlgen_createNewLangStruct(CRLGENGeneratorData *crlGenData,
-                           unsigned structType)
-{
-    PORT_Assert(crlGenData &&
-                crlGenData->contextId == CRLGEN_UNKNOWN_CONTEXT);
-    if (!crlGenData ||
-        crlGenData->contextId != CRLGEN_UNKNOWN_CONTEXT) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    switch(structType) {
-      case CRLGEN_ISSUER_CONTEXT:
-      case CRLGEN_UPDATE_CONTEXT:
-      case CRLGEN_NEXT_UPDATE_CONTEXT:
-      case CRLGEN_CHANGE_RANGE_CONTEXT:
-          crlGenData->crlField = PORT_New(CRLGENCrlField);
-          if (!crlGenData->crlField) {
-              return SECFailure;
-          }
-          crlGenData->contextId = structType;
-          crlGenData->crlField->value = NULL;
-          crlGenData->crlField->updateCrlFn = &crlgen_updateCrlFn_field;
-          crlGenData->crlField->setNextDataFn = &crlgen_setNextDataFn_field;
-          break;
-      case CRLGEN_RM_CERT_CONTEXT:
-      case CRLGEN_ADD_CERT_CONTEXT:
-          crlGenData->certEntry = PORT_New(CRLGENCertEntry);
-          if (!crlGenData->certEntry) {
-              return SECFailure;
-          }
-          crlGenData->contextId = structType;
-          crlGenData->certEntry->certId = 0;
-          crlGenData->certEntry->revocationTime = NULL;
-          crlGenData->certEntry->updateCrlFn = &crlgen_updateCrlFn_cert;
-          crlGenData->certEntry->setNextDataFn = &crlgen_setNextDataFn_cert;
-          break;
-      case CRLGEN_ADD_EXTENSION_CONTEXT:
-          crlGenData->extensionEntry = PORT_New(CRLGENExtensionEntry);
-          if (!crlGenData->extensionEntry) {
-              return SECFailure;
-          }
-          crlGenData->contextId = structType;
-          crlGenData->extensionEntry->extData = NULL;
-          crlGenData->extensionEntry->nextUpdatedData = 0;
-          crlGenData->extensionEntry->updateCrlFn =
-              &crlgen_updateCrlFn_extension;
-          crlGenData->extensionEntry->setNextDataFn =
-              &crlgen_setNextDataFn_extension;
-          break;
-      case CRLGEN_UNKNOWN_CONTEXT:
-          break;
-      default:
-          crlgen_PrintError(crlGenData->parsedLineNum,
-                            "unknown context type: %d.\n", structType);
-          PORT_Assert(0);
-          return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-/* Parser initialization function */
-CRLGENGeneratorData*
-CRLGEN_InitCrlGeneration(CERTSignedCrl *signCrl, PRFileDesc *src)
-{
-    CRLGENGeneratorData *crlGenData = NULL;
-
-    PORT_Assert(signCrl && src);
-    if (!signCrl || !src) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    crlGenData = PORT_ZNew(CRLGENGeneratorData);
-    if (!crlGenData) {
-        return NULL;
-    }
-
-    crlGenData->entryDataHashTable = 
-        PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-                        PL_CompareValues, NULL, NULL);
-    if (!crlGenData->entryDataHashTable) {
-        PORT_Free(crlGenData);
-        return NULL;
-    }
-
-    crlGenData->src = src;
-    crlGenData->parsedLineNum = 1;
-    crlGenData->contextId = CRLGEN_UNKNOWN_CONTEXT;
-    crlGenData->signCrl = signCrl;
-    crlGenData->rangeFrom = 0;
-    crlGenData->rangeTo = 0;
-    crlGenData->crlExtHandle = NULL;
-
-    PORT_SetError(0);
-
-    return crlGenData;
-}
-
-void
-CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData)
-{
-    if (!crlGenData)
-        return;
-    if (crlGenData->src)
-        PR_Close(crlGenData->src);
-    PL_HashTableDestroy(crlGenData->entryDataHashTable);
-    PORT_Free(crlGenData);
-}
-
diff --git a/security/nss/cmd/crlutil/crlgen.h b/security/nss/cmd/crlutil/crlgen.h
deleted file mode 100644
index 4eb5304e3..000000000
--- a/security/nss/cmd/crlutil/crlgen.h
+++ /dev/null
@@ -1,182 +0,0 @@
-
-#ifndef _CRLGEN_H_
-#define _CRLGEN_H_
-
-#include "prio.h"
-#include "prprf.h"
-#include "plhash.h"
-#include "seccomon.h"
-#include "certt.h"
-#include "secoidt.h"
-
-
-#define CRLGEN_UNKNOWN_CONTEXT                   0
-#define CRLGEN_ISSUER_CONTEXT                    1
-#define CRLGEN_UPDATE_CONTEXT                    2
-#define CRLGEN_NEXT_UPDATE_CONTEXT               3
-#define CRLGEN_ADD_EXTENSION_CONTEXT             4
-#define CRLGEN_ADD_CERT_CONTEXT                  6
-#define CRLGEN_CHANGE_RANGE_CONTEXT              7
-#define CRLGEN_RM_CERT_CONTEXT                   8
-
-#define CRLGEN_TYPE_DATE                         0
-#define CRLGEN_TYPE_ZDATE                        1
-#define CRLGEN_TYPE_DIGIT                        2
-#define CRLGEN_TYPE_DIGIT_RANGE                  3
-#define CRLGEN_TYPE_OID                          4
-#define CRLGEN_TYPE_STRING                       5
-#define CRLGEN_TYPE_ID                           6
-
-
-typedef struct CRLGENGeneratorDataStr          CRLGENGeneratorData;
-typedef struct CRLGENEntryDataStr              CRLGENEntryData;
-typedef struct CRLGENExtensionEntryStr         CRLGENExtensionEntry;
-typedef struct CRLGENCertEntrySrt              CRLGENCertEntry;
-typedef struct CRLGENCrlFieldStr               CRLGENCrlField;
-typedef struct CRLGENEntriesSortedDataStr      CRLGENEntriesSortedData;
-
-/* Exported functions */
-
-/* Used for initialization of extension handles for crl and certs
- * extensions from existing CRL data then modifying existing CRL.*/
-extern SECStatus CRLGEN_ExtHandleInit(CRLGENGeneratorData *crlGenData);
-
-/* Commits all added entries and their's extensions into CRL. */
-extern SECStatus CRLGEN_CommitExtensionsAndEntries(CRLGENGeneratorData *crlGenData);
-
-/* Lunches the crl generation script parse */
-extern SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *crlGenData);
-
-/* Closes crl generation script file and frees crlGenData */
-extern void CRLGEN_FinalizeCrlGeneration(CRLGENGeneratorData *crlGenData);
-
-/* Parser initialization function. Creates CRLGENGeneratorData structure
- *  for the current thread */
-extern CRLGENGeneratorData* CRLGEN_InitCrlGeneration(CERTSignedCrl *newCrl,
-                                                     PRFileDesc *src);
-
-
-/* This lock is defined in crlgen_lex.c(derived from crlgen_lex.l).
- * It controls access to invocation of yylex, allows to parse one
- * script at a time */
-extern void CRLGEN_InitCrlGenParserLock();
-extern void CRLGEN_DestroyCrlGenParserLock();
-
-
-/* The following function types are used to define functions for each of
- * CRLGENExtensionEntryStr, CRLGENCertEntrySrt, CRLGENCrlFieldStr to
- * provide functionality needed for these structures*/
-typedef SECStatus updateCrlFn_t(CRLGENGeneratorData *crlGenData, void *str);
-typedef SECStatus setNextDataFn_t(CRLGENGeneratorData *crlGenData, void *str,
-                                  void *data, unsigned short dtype);
-typedef SECStatus createNewLangStructFn_t(CRLGENGeneratorData *crlGenData,
-                                          void *str, unsigned i);
-
-/* Sets reports failure to parser if anything goes wrong */
-extern void      crlgen_setFailure(CRLGENGeneratorData *str, char *);
-
-/* Collects data in to one of the current data structure that corresponds
- * to the correct context type. This function gets called after each token
- * is found for a particular line */
-extern SECStatus crlgen_setNextData(CRLGENGeneratorData *str, void *data,
-                             unsigned short dtype);
-
-/* initiates crl update with collected data. This function is called at the
- * end of each line */
-extern SECStatus crlgen_updateCrl(CRLGENGeneratorData *str);
-
-/* Creates new context structure depending on token that was parsed
- * at the beginning of a line */
-extern SECStatus crlgen_createNewLangStruct(CRLGENGeneratorData *str,
-                                            unsigned structType);
-
-
-/* CRLGENExtensionEntry is used to store addext request data for either 
- * CRL extensions or CRL entry extensions. The differentiation between
- * is based on order and type of extension been added.
- *    - extData : all data in request staring from name of the extension are
- *                in saved here.
- *    - nextUpdatedData: counter of elements added to extData
- */
-struct CRLGENExtensionEntryStr {
-    char **extData;
-    int    nextUpdatedData;
-    updateCrlFn_t    *updateCrlFn;
-    setNextDataFn_t  *setNextDataFn;
-};
-
-/* CRLGENCeryestEntry is used to store addcert request data
- *   - certId : certificate id or range of certificate with dash as a delimiter
- *              All certs from range will be inclusively added to crl
- *   - revocationTime: revocation time of cert(s)
- */
-struct CRLGENCertEntrySrt {
-    char *certId;
-    char *revocationTime;
-    updateCrlFn_t   *updateCrlFn;
-    setNextDataFn_t *setNextDataFn;
-};
-
-
-/* CRLGENCrlField is used to store crl fields record like update time, next
- * update time, etc.
- *  - value: value of the parsed field data*/
-struct CRLGENCrlFieldStr {
-    char *value;
-    updateCrlFn_t   *updateCrlFn;
-    setNextDataFn_t *setNextDataFn;
-};
-
-/* Can not create entries extension until completely done with parsing.
- * Therefore need to keep joined data
- *   - certId : serial number of certificate
- *   - extHandle: head pointer to a list of extensions that belong to
- *                 entry
- *   - entry : CERTCrlEntry structure pointer*/
-struct CRLGENEntryDataStr {
-    SECItem *certId;
-    void *extHandle;
-    CERTCrlEntry *entry;
-};
-
-/* Crl generator/parser main structure. Keeps info regarding current state of
- * parser(context, status), parser helper functions pointers, parsed data and
- * generated data.
- *  - contextId : current parsing context. Context in this parser environment
- *                defines what type of crl operations parser is going through
- *                in the current line of crl generation script.
- *                setting or new cert or an extension addition, etc.
- *  - createNewLangStructFn: pointer to top level function which creates
- *                             data structures according contextId
- *  - setNextDataFn : pointer to top level function which sets new parsed data
- *                    in temporary structure
- *  - updateCrlFn   : pointer to top level function which triggers actual
- *                    crl update functions with gathered data
- *  - union         : data union create according to contextId
- *  - rangeFrom, rangeTo : holds last range in which certs was added
- *  - newCrl        : pointer to CERTSignedCrl newly created crl
- *  - crlExtHandle : pointer to crl extension handle
- *  - entryDataHashTable: hash of CRLGENEntryData.
- *                     key: cert serial number
- *                     data: CRLGENEntryData pointer
- *  - parserStatus  : current status of parser. Triggers parser to abort when
- *                    set to SECFailure
- *  - src : PRFileDesc structure pointer of crl generator config file
- *  - parsedLineNum : currently parsing line. Keeping it to report errors */ 
-struct CRLGENGeneratorDataStr {
-    unsigned short contextId;
-    CRLGENCrlField       *crlField;
-    CRLGENCertEntry      *certEntry;
-    CRLGENExtensionEntry *extensionEntry;	
-    PRUint64 rangeFrom;
-    PRUint64 rangeTo;
-    CERTSignedCrl *signCrl;
-    void *crlExtHandle;
-    PLHashTable *entryDataHashTable;
-    
-    PRFileDesc *src;
-    int parsedLineNum;
-};
-
-
-#endif /* _CRLGEN_H_ */
diff --git a/security/nss/cmd/crlutil/crlgen_lex.c b/security/nss/cmd/crlutil/crlgen_lex.c
deleted file mode 100644
index 76988aef7..000000000
--- a/security/nss/cmd/crlutil/crlgen_lex.c
+++ /dev/null
@@ -1,1783 +0,0 @@
-/* A lexical scanner generated by flex */
-
-/* Scanner skeleton version:
- * $Header$
- */
-
-#define FLEX_SCANNER
-#define YY_FLEX_MAJOR_VERSION 2
-#define YY_FLEX_MINOR_VERSION 5
-
-#include <stdio.h>
-#ifdef _WIN32
-#include <io.h>
-#else
-#include <unistd.h>
-#endif
-
-/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
-#ifdef c_plusplus
-#ifndef __cplusplus
-#define __cplusplus
-#endif
-#endif
-
-#ifdef __cplusplus
-
-#include <stdlib.h>
-
-/* Use prototypes in function declarations. */
-#define YY_USE_PROTOS
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else	/* ! __cplusplus */
-
-#if __STDC__
-
-#define YY_USE_PROTOS
-#define YY_USE_CONST
-
-#endif	/* __STDC__ */
-#endif	/* ! __cplusplus */
-
-#ifdef __TURBOC__
- #pragma warn -rch
- #pragma warn -use
-#include <io.h>
-#include <stdlib.h>
-#define YY_USE_CONST
-#define YY_USE_PROTOS
-#endif
-
-#ifdef YY_USE_CONST
-#define yyconst const
-#else
-#define yyconst
-#endif
-
-
-#ifdef YY_USE_PROTOS
-#define YY_PROTO(proto) proto
-#else
-#define YY_PROTO(proto) ()
-#endif
-
-/* Returned upon end-of-file. */
-#define YY_NULL 0
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index.  If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
- */
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
-
-/* Enter a start condition.  This macro really ought to take a parameter,
- * but we do it the disgusting crufty way forced on us by the ()-less
- * definition of BEGIN.
- */
-#define BEGIN yy_start = 1 + 2 *
-
-/* Translate the current start state into a value that can be later handed
- * to BEGIN to return to the state.  The YYSTATE alias is for lex
- * compatibility.
- */
-#define YY_START ((yy_start - 1) / 2)
-#define YYSTATE YY_START
-
-/* Action number for EOF rule of a given start state. */
-#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
-/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
-
-#define YY_END_OF_BUFFER_CHAR 0
-
-/* Size of default input buffer. */
-#define YY_BUF_SIZE 16384
-
-typedef struct yy_buffer_state *YY_BUFFER_STATE;
-
-extern int yyleng;
-extern FILE *yyin, *yyout;
-
-#define EOB_ACT_CONTINUE_SCAN 0
-#define EOB_ACT_END_OF_FILE 1
-#define EOB_ACT_LAST_MATCH 2
-
-/* The funky do-while in the following #define is used to turn the definition
- * int a single C statement (which needs a semi-colon terminator).  This
- * avoids problems with code like:
- *
- * 	if ( condition_holds )
- *		yyless( 5 );
- *	else
- *		do_something_else();
- *
- * Prior to using the do-while the compiler would get upset at the
- * "else" because it interpreted the "if" statement as being all
- * done when it reached the ';' after the yyless() call.
- */
-
-/* Return all but the first 'n' matched characters back to the input stream. */
-
-#define yyless(n) \
-	do \
-		{ \
-		/* Undo effects of setting up yytext. */ \
-		*yy_cp = yy_hold_char; \
-		YY_RESTORE_YY_MORE_OFFSET \
-		yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
-		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
-		} \
-	while ( 0 )
-
-#define unput(c) yyunput( c, yytext_ptr )
-
-/* The following is because we cannot portably get our hands on size_t
- * (without autoconf's help, which isn't available because we want
- * flex-generated scanners to compile on their own).
- */
-typedef unsigned int yy_size_t;
-
-
-struct yy_buffer_state
-	{
-	FILE *yy_input_file;
-
-	char *yy_ch_buf;		/* input buffer */
-	char *yy_buf_pos;		/* current position in input buffer */
-
-	/* Size of input buffer in bytes, not including room for EOB
-	 * characters.
-	 */
-	yy_size_t yy_buf_size;
-
-	/* Number of characters read into yy_ch_buf, not including EOB
-	 * characters.
-	 */
-	int yy_n_chars;
-
-	/* Whether we "own" the buffer - i.e., we know we created it,
-	 * and can realloc() it to grow it, and should free() it to
-	 * delete it.
-	 */
-	int yy_is_our_buffer;
-
-	/* Whether this is an "interactive" input source; if so, and
-	 * if we're using stdio for input, then we want to use getc()
-	 * instead of fread(), to make sure we stop fetching input after
-	 * each newline.
-	 */
-	int yy_is_interactive;
-
-	/* Whether we're considered to be at the beginning of a line.
-	 * If so, '^' rules will be active on the next match, otherwise
-	 * not.
-	 */
-	int yy_at_bol;
-
-	/* Whether to try to fill the input buffer when we reach the
-	 * end of it.
-	 */
-	int yy_fill_buffer;
-
-	int yy_buffer_status;
-#define YY_BUFFER_NEW 0
-#define YY_BUFFER_NORMAL 1
-	/* When an EOF's been seen but there's still some text to process
-	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
-	 * shouldn't try reading from the input source any more.  We might
-	 * still have a bunch of tokens to match, though, because of
-	 * possible backing-up.
-	 *
-	 * When we actually see the EOF, we change the status to "new"
-	 * (via yyrestart()), so that the user can continue scanning by
-	 * just pointing yyin at a new input file.
-	 */
-#define YY_BUFFER_EOF_PENDING 2
-	};
-
-static YY_BUFFER_STATE yy_current_buffer = 0;
-
-/* We provide macros for accessing buffer states in case in the
- * future we want to put the buffer states in a more general
- * "scanner state".
- */
-#define YY_CURRENT_BUFFER yy_current_buffer
-
-
-/* yy_hold_char holds the character lost when yytext is formed. */
-static char yy_hold_char;
-
-static int yy_n_chars;		/* number of characters read into yy_ch_buf */
-
-
-int yyleng;
-
-/* Points to current character in buffer. */
-static char *yy_c_buf_p = (char *) 0;
-static int yy_init = 1;		/* whether we need to initialize */
-static int yy_start = 0;	/* start state number */
-
-/* Flag which is used to allow yywrap()'s to do buffer switches
- * instead of setting up a fresh yyin.  A bit of a hack ...
- */
-static int yy_did_buffer_switch_on_eof;
-
-void yyrestart YY_PROTO(( FILE *input_file ));
-
-void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
-void yy_load_buffer_state YY_PROTO(( void ));
-YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
-void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
-void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
-
-YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
-YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
-YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
-
-static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
-static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
-static void yy_flex_free YY_PROTO(( void * ));
-
-#define yy_new_buffer yy_create_buffer
-
-#define yy_set_interactive(is_interactive) \
-	{ \
-	if ( ! yy_current_buffer ) \
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-	yy_current_buffer->yy_is_interactive = is_interactive; \
-	}
-
-#define yy_set_bol(at_bol) \
-	{ \
-	if ( ! yy_current_buffer ) \
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-	yy_current_buffer->yy_at_bol = at_bol; \
-	}
-
-#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
-
-typedef unsigned char YY_CHAR;
-FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
-typedef int yy_state_type;
-extern char *yytext;
-#define yytext_ptr yytext
-
-static yy_state_type yy_get_previous_state YY_PROTO(( void ));
-static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
-static int yy_get_next_buffer YY_PROTO(( void ));
-static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
-
-/* Done after the current pattern has been matched and before the
- * corresponding action - sets up yytext.
- */
-#define YY_DO_BEFORE_ACTION \
-	yytext_ptr = yy_bp; \
-	yytext_ptr -= yy_more_len; \
-	yyleng = (int) (yy_cp - yytext_ptr); \
-	yy_hold_char = *yy_cp; \
-	*yy_cp = '\0'; \
-	yy_c_buf_p = yy_cp;
-
-#define YY_NUM_RULES 17
-#define YY_END_OF_BUFFER 18
-static yyconst short int yy_accept[67] =
-    {   0,
-        0,    0,   18,   16,   14,   15,   16,   11,   12,    2,
-       10,    9,    9,    9,    9,    9,   13,   14,   15,   11,
-       12,    0,   12,    2,    9,    9,    9,    9,    9,   13,
-        3,    4,    2,    9,    9,    9,    9,    2,    9,    9,
-        9,    9,    2,    2,    9,    9,    8,    9,    2,    5,
-        9,    6,    2,    9,    2,    9,    2,    9,    2,    7,
-        2,    2,    2,    2,    1,    0
-    } ;
-
-static yyconst int yy_ec[256] =
-    {   0,
-        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
-        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    2,    1,    5,    6,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    7,    8,    1,    9,    9,   10,
-       11,   12,   12,   12,   13,   13,   13,   14,    1,    1,
-       15,    1,    1,    1,   16,   16,   16,   16,   16,   16,
-       16,   16,   16,   16,   16,   16,   16,   16,   16,   16,
-       16,   16,   16,   16,   16,   16,   16,   16,   16,   17,
-        1,    1,    1,    1,    1,    1,   18,   16,   16,   19,
-
-       20,   16,   21,   16,   22,   16,   16,   16,   16,   23,
-       16,   24,   16,   25,   26,   27,   28,   16,   16,   29,
-       16,   16,    1,   14,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1
-    } ;
-
-static yyconst int yy_meta[30] =
-    {   0,
-        1,    1,    2,    1,    3,    1,    1,    4,    5,    5,
-        5,    5,    5,    4,    1,    4,    4,    4,    4,    4,
-        4,    4,    4,    4,    4,    4,    4,    4,    4
-    } ;
-
-static yyconst short int yy_base[72] =
-    {   0,
-        0,  149,  154,  205,  138,  205,  103,    0,    0,   23,
-      205,   29,   30,   31,   32,   33,    0,   99,  205,    0,
-        0,    0,   50,   55,   34,   61,   41,   63,   64,    0,
-        0,    0,   79,   65,   68,   86,   66,   99,  105,   88,
-      106,   90,  118,   76,  107,  110,   89,  125,   43,   91,
-      127,  128,  138,  144,  113,  129,  154,  160,  160,  130,
-      172,  166,  177,  144,    0,  205,  190,  192,  194,  199,
-       76
-    } ;
-
-static yyconst short int yy_def[72] =
-    {   0,
-       66,    1,   66,   66,   66,   66,   66,   67,   68,   68,
-       66,   69,   69,   69,   69,   69,   70,   66,   66,   67,
-       68,   71,   68,   10,   69,   69,   69,   69,   69,   70,
-       71,   23,   10,   69,   69,   69,   69,   10,   69,   69,
-       69,   69,   10,   38,   69,   69,   69,   69,   38,   69,
-       69,   69,   38,   69,   38,   69,   38,   69,   38,   69,
-       38,   38,   38,   38,   68,    0,   66,   66,   66,   66,
-       66
-    } ;
-
-static yyconst short int yy_nxt[235] =
-    {   0,
-        4,    5,    6,    7,    8,    4,    4,    9,   10,   10,
-       10,   10,   10,    9,   11,   12,   12,   12,   12,   12,
-       12,   13,   14,   12,   15,   12,   12,   16,   12,   22,
-       23,   24,   24,   24,   24,   24,   21,   21,   21,   21,
-       21,   21,   21,   21,   21,   21,   21,   21,   21,   28,
-       27,   53,   53,   53,   21,   26,   29,   32,   32,   32,
-       32,   32,   32,   33,   33,   33,   33,   33,   21,   35,
-       21,   21,   21,   21,   21,   21,   21,   21,   21,   21,
-       31,   21,   37,   42,   44,   36,   34,   38,   38,   38,
-       38,   38,   39,   21,   40,   21,   21,   21,   21,   21,
-
-       18,   21,   21,   21,   21,   19,   41,   43,   44,   44,
-       44,   44,   21,   21,   21,   46,   48,   21,   21,   21,
-       21,   57,   57,   21,   45,   47,   49,   49,   49,   49,
-       49,   50,   21,   51,   21,   21,   21,   21,   21,   18,
-       21,   21,   21,   21,   52,   54,   55,   55,   55,   55,
-       55,   21,   44,   66,   17,   58,   66,   21,   66,   66,
-       65,   56,   59,   59,   59,   59,   59,   21,   61,   61,
-       61,   61,   66,   21,   63,   63,   63,   63,   66,   60,
-       62,   62,   62,   62,   62,   64,   64,   64,   64,   64,
-       20,   20,   66,   20,   20,   21,   21,   25,   25,   30,
-
-       66,   30,   30,   30,    3,   66,   66,   66,   66,   66,
-       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
-       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
-       66,   66,   66,   66
-    } ;
-
-static yyconst short int yy_chk[235] =
-    {   0,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,   10,
-       10,   10,   10,   10,   10,   10,   12,   13,   14,   15,
-       16,   25,   12,   13,   14,   15,   16,   25,   27,   15,
-       14,   49,   49,   49,   27,   13,   16,   23,   23,   23,
-       23,   23,   23,   24,   24,   24,   24,   24,   26,   27,
-       28,   29,   34,   37,   26,   35,   28,   29,   34,   37,
-       71,   35,   29,   37,   44,   28,   26,   33,   33,   33,
-       33,   33,   34,   36,   35,   40,   47,   42,   50,   36,
-
-       18,   40,   47,   42,   50,    7,   36,   38,   38,   38,
-       38,   38,   39,   41,   45,   40,   42,   46,   39,   41,
-       45,   55,   55,   46,   39,   41,   43,   43,   43,   43,
-       43,   45,   48,   46,   51,   52,   56,   60,   48,    5,
-       51,   52,   56,   60,   48,   51,   53,   53,   53,   53,
-       53,   54,   64,    3,    2,   56,    0,   54,    0,    0,
-       64,   54,   57,   57,   57,   57,   57,   58,   59,   59,
-       59,   59,    0,   58,   62,   62,   62,   62,    0,   58,
-       61,   61,   61,   61,   61,   63,   63,   63,   63,   63,
-       67,   67,    0,   67,   67,   68,   68,   69,   69,   70,
-
-        0,   70,   70,   70,   66,   66,   66,   66,   66,   66,
-       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
-       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
-       66,   66,   66,   66
-    } ;
-
-static yy_state_type yy_last_accepting_state;
-static char *yy_last_accepting_cpos;
-
-/* The intent behind this definition is that it'll catch
- * any uses of REJECT which flex missed.
- */
-#define REJECT reject_used_but_not_detected
-static int yy_more_flag = 0;
-static int yy_more_len = 0;
-#define yymore() (yy_more_flag = 1)
-#define YY_MORE_ADJ yy_more_len
-#define YY_RESTORE_YY_MORE_OFFSET
-char *yytext;
-#line 1 "crlgen_lex_orig.l"
-#define INITIAL 0
-#line 2 "crlgen_lex_orig.l"
-
-#include "crlgen.h"
-
-static SECStatus parserStatus = SECSuccess;
-static CRLGENGeneratorData *parserData;
-static PRFileDesc *src;
-
-#define YY_INPUT(buf,result,max_size) \
-    if ( parserStatus != SECFailure) { \
-	 if (((result = PR_Read(src, buf, max_size)) == 0) && \
-	     ferror( yyin )) \
-	   return SECFailure; \
-    } else  { return SECFailure; }
-              
-
-
-/* Macros after this point can all be overridden by user definitions in
- * section 1.
- */
-
-#ifndef YY_SKIP_YYWRAP
-#ifdef __cplusplus
-extern "C" int yywrap YY_PROTO(( void ));
-#else
-extern int yywrap YY_PROTO(( void ));
-#endif
-#endif
-
-#ifndef YY_NO_UNPUT
-static void yyunput YY_PROTO(( int c, char *buf_ptr ));
-#endif
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen YY_PROTO(( yyconst char * ));
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput YY_PROTO(( void ));
-#else
-static int input YY_PROTO(( void ));
-#endif
-#endif
-
-#if YY_STACK_USED
-static int yy_start_stack_ptr = 0;
-static int yy_start_stack_depth = 0;
-static int *yy_start_stack = 0;
-#ifndef YY_NO_PUSH_STATE
-static void yy_push_state YY_PROTO(( int new_state ));
-#endif
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state YY_PROTO(( void ));
-#endif
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state YY_PROTO(( void ));
-#endif
-
-#else
-#define YY_NO_PUSH_STATE 1
-#define YY_NO_POP_STATE 1
-#define YY_NO_TOP_STATE 1
-#endif
-
-#ifdef YY_MALLOC_DECL
-YY_MALLOC_DECL
-#else
-#if __STDC__
-#ifndef __cplusplus
-#include <stdlib.h>
-#endif
-#else
-/* Just try to get by without declaring the routines.  This will fail
- * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
- * or sizeof(void*) != sizeof(int).
- */
-#endif
-#endif
-
-/* Amount of stuff to slurp up with each read. */
-#ifndef YY_READ_BUF_SIZE
-#define YY_READ_BUF_SIZE 8192
-#endif
-
-/* Copy whatever the last rule matched to the standard output. */
-
-#ifndef ECHO
-/* This used to be an fputs(), but since the string might contain NUL's,
- * we now use fwrite().
- */
-#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
-#endif
-
-/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
- * is returned in "result".
- */
-#ifndef YY_INPUT
-#define YY_INPUT(buf,result,max_size) \
-	if ( yy_current_buffer->yy_is_interactive ) \
-		{ \
-		int c = '*', n; \
-		for ( n = 0; n < max_size && \
-			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
-			buf[n] = (char) c; \
-		if ( c == '\n' ) \
-			buf[n++] = (char) c; \
-		if ( c == EOF && ferror( yyin ) ) \
-			YY_FATAL_ERROR( "input in flex scanner failed" ); \
-		result = n; \
-		} \
-	else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
-		  && ferror( yyin ) ) \
-		YY_FATAL_ERROR( "input in flex scanner failed" );
-#endif
-
-/* No semi-colon after return; correct usage is to write "yyterminate();" -
- * we don't want an extra ';' after the "return" because that will cause
- * some compilers to complain about unreachable statements.
- */
-#ifndef yyterminate
-#define yyterminate() return YY_NULL
-#endif
-
-/* Number of entries by which start-condition stack grows. */
-#ifndef YY_START_STACK_INCR
-#define YY_START_STACK_INCR 25
-#endif
-
-/* Report a fatal error. */
-#ifndef YY_FATAL_ERROR
-#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
-#endif
-
-/* Default declaration of generated scanner - a define so the user can
- * easily add parameters.
- */
-#ifndef YY_DECL
-#define YY_DECL int yylex YY_PROTO(( void ))
-#endif
-
-/* Code executed at the beginning of each rule, after yytext and yyleng
- * have been set up.
- */
-#ifndef YY_USER_ACTION
-#define YY_USER_ACTION
-#endif
-
-/* Code executed at the end of each rule. */
-#ifndef YY_BREAK
-#define YY_BREAK break;
-#endif
-
-#define YY_RULE_SETUP \
-	if ( yyleng > 0 ) \
-		yy_current_buffer->yy_at_bol = \
-				(yytext[yyleng - 1] == '\n'); \
-	YY_USER_ACTION
-
-YY_DECL
-	{
-	register yy_state_type yy_current_state;
-	register char *yy_cp = NULL, *yy_bp = NULL;
-	register int yy_act;
-
-#line 28 "crlgen_lex_orig.l"
-
-
-
-	if ( yy_init )
-		{
-		yy_init = 0;
-
-#ifdef YY_USER_INIT
-		YY_USER_INIT;
-#endif
-
-		if ( ! yy_start )
-			yy_start = 1;	/* first start state */
-
-		if ( ! yyin )
-			yyin = stdin;
-
-		if ( ! yyout )
-			yyout = stdout;
-
-		if ( ! yy_current_buffer )
-			yy_current_buffer =
-				yy_create_buffer( yyin, YY_BUF_SIZE );
-
-		yy_load_buffer_state();
-		}
-
-	while ( 1 )		/* loops until end-of-file is reached */
-		{
-		yy_more_len = 0;
-		if ( yy_more_flag )
-			{
-			yy_more_len = yy_c_buf_p - yytext_ptr;
-			yy_more_flag = 0;
-			}
-		yy_cp = yy_c_buf_p;
-
-		/* Support of yytext. */
-		*yy_cp = yy_hold_char;
-
-		/* yy_bp points to the position in yy_ch_buf of the start of
-		 * the current run.
-		 */
-		yy_bp = yy_cp;
-
-		yy_current_state = yy_start;
-		yy_current_state += YY_AT_BOL();
-yy_match:
-		do
-			{
-			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
-			if ( yy_accept[yy_current_state] )
-				{
-				yy_last_accepting_state = yy_current_state;
-				yy_last_accepting_cpos = yy_cp;
-				}
-			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-				{
-				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 67 )
-					yy_c = yy_meta[(unsigned int) yy_c];
-				}
-			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-			++yy_cp;
-			}
-		while ( yy_base[yy_current_state] != 205 );
-
-yy_find_action:
-		yy_act = yy_accept[yy_current_state];
-		if ( yy_act == 0 )
-			{ /* have to back up */
-			yy_cp = yy_last_accepting_cpos;
-			yy_current_state = yy_last_accepting_state;
-			yy_act = yy_accept[yy_current_state];
-			}
-
-		YY_DO_BEFORE_ACTION;
-
-
-do_action:	/* This label is used only to access EOF actions. */
-
-
-		switch ( yy_act )
-	{ /* beginning of action switch */
-			case 0: /* must back up */
-			/* undo the effects of YY_DO_BEFORE_ACTION */
-			*yy_cp = yy_hold_char;
-			yy_cp = yy_last_accepting_cpos;
-			yy_current_state = yy_last_accepting_state;
-			goto yy_find_action;
-
-case 1:
-YY_RULE_SETUP
-#line 30 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 2:
-YY_RULE_SETUP
-#line 36 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 3:
-YY_RULE_SETUP
-#line 42 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 4:
-YY_RULE_SETUP
-#line 48 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 5:
-YY_RULE_SETUP
-#line 54 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 6:
-YY_RULE_SETUP
-#line 60 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 7:
-YY_RULE_SETUP
-#line 65 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 8:
-YY_RULE_SETUP
-#line 71 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 9:
-YY_RULE_SETUP
-#line 77 "crlgen_lex_orig.l"
-{
-if (strcmp(yytext, "addcert") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_ADD_CERT_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else if (strcmp(yytext, "rmcert") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_RM_CERT_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else if (strcmp(yytext, "addext") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_ADD_EXTENSION_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else {
-    parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-}
-}
-	YY_BREAK
-case 10:
-YY_RULE_SETUP
-#line 100 "crlgen_lex_orig.l"
-
-	YY_BREAK
-case 11:
-YY_RULE_SETUP
-#line 102 "crlgen_lex_orig.l"
-{
-if (yytext[yyleng-1] == '\\') {
-    yymore();
-} else {
-    register int c;
-    c = input();
-    if (c != '\"') {
-        printf( "Error: Line ending \" is missing:  %c\n", c);
-        unput(c);
-    } else {
-        parserStatus = crlgen_setNextData(parserData, yytext + 1,
-                                          CRLGEN_TYPE_STRING);
-        if (parserStatus != SECSuccess)
-            return parserStatus;
-    }
-}
-}
-	YY_BREAK
-case 12:
-YY_RULE_SETUP
-#line 120 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 13:
-YY_RULE_SETUP
-#line 128 "crlgen_lex_orig.l"
-/* eat up one-line comments */ {}
-	YY_BREAK
-case 14:
-YY_RULE_SETUP
-#line 130 "crlgen_lex_orig.l"
-{}
-	YY_BREAK
-case 15:
-YY_RULE_SETUP
-#line 132 "crlgen_lex_orig.l"
-{
-parserStatus = crlgen_updateCrl(parserData);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-	YY_BREAK
-case 16:
-YY_RULE_SETUP
-#line 138 "crlgen_lex_orig.l"
-{
-    fprintf(stderr, "Syntax error at line %d: unknown token %s\n",
-            parserData->parsedLineNum, yytext);
-    return SECFailure;
-}
-	YY_BREAK
-case 17:
-YY_RULE_SETUP
-#line 144 "crlgen_lex_orig.l"
-ECHO;
-	YY_BREAK
-case YY_STATE_EOF(INITIAL):
-	yyterminate();
-
-	case YY_END_OF_BUFFER:
-		{
-		/* Amount of text matched not including the EOB char. */
-		int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
-
-		/* Undo the effects of YY_DO_BEFORE_ACTION. */
-		*yy_cp = yy_hold_char;
-		YY_RESTORE_YY_MORE_OFFSET
-
-		if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
-			{
-			/* We're scanning a new file or input source.  It's
-			 * possible that this happened because the user
-			 * just pointed yyin at a new source and called
-			 * yylex().  If so, then we have to assure
-			 * consistency between yy_current_buffer and our
-			 * globals.  Here is the right place to do so, because
-			 * this is the first action (other than possibly a
-			 * back-up) that will match for the new input source.
-			 */
-			yy_n_chars = yy_current_buffer->yy_n_chars;
-			yy_current_buffer->yy_input_file = yyin;
-			yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
-			}
-
-		/* Note that here we test for yy_c_buf_p "<=" to the position
-		 * of the first EOB in the buffer, since yy_c_buf_p will
-		 * already have been incremented past the NUL character
-		 * (since all states make transitions on EOB to the
-		 * end-of-buffer state).  Contrast this with the test
-		 * in input().
-		 */
-		if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
-			{ /* This was really a NUL. */
-			yy_state_type yy_next_state;
-
-			yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
-
-			yy_current_state = yy_get_previous_state();
-
-			/* Okay, we're now positioned to make the NUL
-			 * transition.  We couldn't have
-			 * yy_get_previous_state() go ahead and do it
-			 * for us because it doesn't know how to deal
-			 * with the possibility of jamming (and we don't
-			 * want to build jamming into it because then it
-			 * will run more slowly).
-			 */
-
-			yy_next_state = yy_try_NUL_trans( yy_current_state );
-
-			yy_bp = yytext_ptr + YY_MORE_ADJ;
-
-			if ( yy_next_state )
-				{
-				/* Consume the NUL. */
-				yy_cp = ++yy_c_buf_p;
-				yy_current_state = yy_next_state;
-				goto yy_match;
-				}
-
-			else
-				{
-				yy_cp = yy_c_buf_p;
-				goto yy_find_action;
-				}
-			}
-
-		else switch ( yy_get_next_buffer() )
-			{
-			case EOB_ACT_END_OF_FILE:
-				{
-				yy_did_buffer_switch_on_eof = 0;
-
-				if ( yywrap() )
-					{
-					/* Note: because we've taken care in
-					 * yy_get_next_buffer() to have set up
-					 * yytext, we can now set up
-					 * yy_c_buf_p so that if some total
-					 * hoser (like flex itself) wants to
-					 * call the scanner after we return the
-					 * YY_NULL, it'll still work - another
-					 * YY_NULL will get returned.
-					 */
-					yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
-
-					yy_act = YY_STATE_EOF(YY_START);
-					goto do_action;
-					}
-
-				else
-					{
-					if ( ! yy_did_buffer_switch_on_eof )
-						YY_NEW_FILE;
-					}
-				break;
-				}
-
-			case EOB_ACT_CONTINUE_SCAN:
-				yy_c_buf_p =
-					yytext_ptr + yy_amount_of_matched_text;
-
-				yy_current_state = yy_get_previous_state();
-
-				yy_cp = yy_c_buf_p;
-				yy_bp = yytext_ptr + YY_MORE_ADJ;
-				goto yy_match;
-
-			case EOB_ACT_LAST_MATCH:
-				yy_c_buf_p =
-				&yy_current_buffer->yy_ch_buf[yy_n_chars];
-
-				yy_current_state = yy_get_previous_state();
-
-				yy_cp = yy_c_buf_p;
-				yy_bp = yytext_ptr + YY_MORE_ADJ;
-				goto yy_find_action;
-			}
-		break;
-		}
-
-	default:
-		YY_FATAL_ERROR(
-			"fatal flex scanner internal error--no action found" );
-	} /* end of action switch */
-		} /* end of scanning one token */
-	} /* end of yylex */
-
-
-/* yy_get_next_buffer - try to read in a new buffer
- *
- * Returns a code representing an action:
- *	EOB_ACT_LAST_MATCH -
- *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
- *	EOB_ACT_END_OF_FILE - end of file
- */
-
-static int yy_get_next_buffer()
-	{
-	register char *dest = yy_current_buffer->yy_ch_buf;
-	register char *source = yytext_ptr;
-	register int number_to_move, i;
-	int ret_val;
-
-	if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
-		YY_FATAL_ERROR(
-		"fatal flex scanner internal error--end of buffer missed" );
-
-	if ( yy_current_buffer->yy_fill_buffer == 0 )
-		{ /* Don't try to fill the buffer, so this is an EOF. */
-		if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
-			{
-			/* We matched a single character, the EOB, so
-			 * treat this as a final EOF.
-			 */
-			return EOB_ACT_END_OF_FILE;
-			}
-
-		else
-			{
-			/* We matched some text prior to the EOB, first
-			 * process it.
-			 */
-			return EOB_ACT_LAST_MATCH;
-			}
-		}
-
-	/* Try to read more data. */
-
-	/* First move last chars to start of buffer. */
-	number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
-
-	for ( i = 0; i < number_to_move; ++i )
-		*(dest++) = *(source++);
-
-	if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
-		/* don't do the read, it's not guaranteed to return an EOF,
-		 * just force an EOF
-		 */
-		yy_current_buffer->yy_n_chars = yy_n_chars = 0;
-
-	else
-		{
-		int num_to_read =
-			yy_current_buffer->yy_buf_size - number_to_move - 1;
-
-		while ( num_to_read <= 0 )
-			{ /* Not enough room in the buffer - grow it. */
-#ifdef YY_USES_REJECT
-			YY_FATAL_ERROR(
-"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
-#else
-
-			/* just a shorter name for the current buffer */
-			YY_BUFFER_STATE b = yy_current_buffer;
-
-			int yy_c_buf_p_offset =
-				(int) (yy_c_buf_p - b->yy_ch_buf);
-
-			if ( b->yy_is_our_buffer )
-				{
-				int new_size = b->yy_buf_size * 2;
-
-				if ( new_size <= 0 )
-					b->yy_buf_size += b->yy_buf_size / 8;
-				else
-					b->yy_buf_size *= 2;
-
-				b->yy_ch_buf = (char *)
-					/* Include room in for 2 EOB chars. */
-					yy_flex_realloc( (void *) b->yy_ch_buf,
-							 b->yy_buf_size + 2 );
-				}
-			else
-				/* Can't grow it, we don't own it. */
-				b->yy_ch_buf = 0;
-
-			if ( ! b->yy_ch_buf )
-				YY_FATAL_ERROR(
-				"fatal error - scanner input buffer overflow" );
-
-			yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
-
-			num_to_read = yy_current_buffer->yy_buf_size -
-						number_to_move - 1;
-#endif
-			}
-
-		if ( num_to_read > YY_READ_BUF_SIZE )
-			num_to_read = YY_READ_BUF_SIZE;
-
-		/* Read in more data. */
-		YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
-			yy_n_chars, num_to_read );
-
-		yy_current_buffer->yy_n_chars = yy_n_chars;
-		}
-
-	if ( yy_n_chars == 0 )
-		{
-		if ( number_to_move == YY_MORE_ADJ )
-			{
-			ret_val = EOB_ACT_END_OF_FILE;
-			yyrestart( yyin );
-			}
-
-		else
-			{
-			ret_val = EOB_ACT_LAST_MATCH;
-			yy_current_buffer->yy_buffer_status =
-				YY_BUFFER_EOF_PENDING;
-			}
-		}
-
-	else
-		ret_val = EOB_ACT_CONTINUE_SCAN;
-
-	yy_n_chars += number_to_move;
-	yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
-	yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
-
-	yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
-
-	return ret_val;
-	}
-
-
-/* yy_get_previous_state - get the state just before the EOB char was reached */
-
-static yy_state_type yy_get_previous_state()
-	{
-	register yy_state_type yy_current_state;
-	register char *yy_cp;
-
-	yy_current_state = yy_start;
-	yy_current_state += YY_AT_BOL();
-
-	for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
-		{
-		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
-		if ( yy_accept[yy_current_state] )
-			{
-			yy_last_accepting_state = yy_current_state;
-			yy_last_accepting_cpos = yy_cp;
-			}
-		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-			{
-			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 67 )
-				yy_c = yy_meta[(unsigned int) yy_c];
-			}
-		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-		}
-
-	return yy_current_state;
-	}
-
-
-/* yy_try_NUL_trans - try to make a transition on the NUL character
- *
- * synopsis
- *	next_state = yy_try_NUL_trans( current_state );
- */
-
-#ifdef YY_USE_PROTOS
-static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
-#else
-static yy_state_type yy_try_NUL_trans( yy_current_state )
-yy_state_type yy_current_state;
-#endif
-	{
-	register int yy_is_jam;
-	register char *yy_cp = yy_c_buf_p;
-
-	register YY_CHAR yy_c = 1;
-	if ( yy_accept[yy_current_state] )
-		{
-		yy_last_accepting_state = yy_current_state;
-		yy_last_accepting_cpos = yy_cp;
-		}
-	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-		{
-		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 67 )
-			yy_c = yy_meta[(unsigned int) yy_c];
-		}
-	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 66);
-
-	return yy_is_jam ? 0 : yy_current_state;
-	}
-
-
-#ifndef YY_NO_UNPUT
-#ifdef YY_USE_PROTOS
-static void yyunput( int c, register char *yy_bp )
-#else
-static void yyunput( c, yy_bp )
-int c;
-register char *yy_bp;
-#endif
-	{
-	register char *yy_cp = yy_c_buf_p;
-
-	/* undo effects of setting up yytext */
-	*yy_cp = yy_hold_char;
-
-	if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
-		{ /* need to shift things up to make room */
-		/* +2 for EOB chars. */
-		register int number_to_move = yy_n_chars + 2;
-		register char *dest = &yy_current_buffer->yy_ch_buf[
-					yy_current_buffer->yy_buf_size + 2];
-		register char *source =
-				&yy_current_buffer->yy_ch_buf[number_to_move];
-
-		while ( source > yy_current_buffer->yy_ch_buf )
-			*--dest = *--source;
-
-		yy_cp += (int) (dest - source);
-		yy_bp += (int) (dest - source);
-		yy_current_buffer->yy_n_chars =
-			yy_n_chars = yy_current_buffer->yy_buf_size;
-
-		if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
-			YY_FATAL_ERROR( "flex scanner push-back overflow" );
-		}
-
-	*--yy_cp = (char) c;
-
-
-	yytext_ptr = yy_bp;
-	yy_hold_char = *yy_cp;
-	yy_c_buf_p = yy_cp;
-	}
-#endif	/* ifndef YY_NO_UNPUT */
-
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput()
-#else
-static int input()
-#endif
-	{
-	int c;
-
-	*yy_c_buf_p = yy_hold_char;
-
-	if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
-		{
-		/* yy_c_buf_p now points to the character we want to return.
-		 * If this occurs *before* the EOB characters, then it's a
-		 * valid NUL; if not, then we've hit the end of the buffer.
-		 */
-		if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
-			/* This was really a NUL. */
-			*yy_c_buf_p = '\0';
-
-		else
-			{ /* need more input */
-			int offset = yy_c_buf_p - yytext_ptr;
-			++yy_c_buf_p;
-
-			switch ( yy_get_next_buffer() )
-				{
-				case EOB_ACT_LAST_MATCH:
-					/* This happens because yy_g_n_b()
-					 * sees that we've accumulated a
-					 * token and flags that we need to
-					 * try matching the token before
-					 * proceeding.  But for input(),
-					 * there's no matching to consider.
-					 * So convert the EOB_ACT_LAST_MATCH
-					 * to EOB_ACT_END_OF_FILE.
-					 */
-
-					/* Reset buffer status. */
-					yyrestart( yyin );
-
-					/* fall through */
-
-				case EOB_ACT_END_OF_FILE:
-					{
-					if ( yywrap() )
-						return EOF;
-
-					if ( ! yy_did_buffer_switch_on_eof )
-						YY_NEW_FILE;
-#ifdef __cplusplus
-					return yyinput();
-#else
-					return input();
-#endif
-					}
-
-				case EOB_ACT_CONTINUE_SCAN:
-					yy_c_buf_p = yytext_ptr + offset;
-					break;
-				}
-			}
-		}
-
-	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
-	*yy_c_buf_p = '\0';	/* preserve yytext */
-	yy_hold_char = *++yy_c_buf_p;
-
-	yy_current_buffer->yy_at_bol = (c == '\n');
-
-	return c;
-	}
-#endif /* YY_NO_INPUT */
-
-#ifdef YY_USE_PROTOS
-void yyrestart( FILE *input_file )
-#else
-void yyrestart( input_file )
-FILE *input_file;
-#endif
-	{
-	if ( ! yy_current_buffer )
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
-
-	yy_init_buffer( yy_current_buffer, input_file );
-	yy_load_buffer_state();
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
-#else
-void yy_switch_to_buffer( new_buffer )
-YY_BUFFER_STATE new_buffer;
-#endif
-	{
-	if ( yy_current_buffer == new_buffer )
-		return;
-
-	if ( yy_current_buffer )
-		{
-		/* Flush out information for old buffer. */
-		*yy_c_buf_p = yy_hold_char;
-		yy_current_buffer->yy_buf_pos = yy_c_buf_p;
-		yy_current_buffer->yy_n_chars = yy_n_chars;
-		}
-
-	yy_current_buffer = new_buffer;
-	yy_load_buffer_state();
-
-	/* We don't actually know whether we did this switch during
-	 * EOF (yywrap()) processing, but the only time this flag
-	 * is looked at is after yywrap() is called, so it's safe
-	 * to go ahead and always set it.
-	 */
-	yy_did_buffer_switch_on_eof = 1;
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_load_buffer_state( void )
-#else
-void yy_load_buffer_state()
-#endif
-	{
-	yy_n_chars = yy_current_buffer->yy_n_chars;
-	yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
-	yyin = yy_current_buffer->yy_input_file;
-	yy_hold_char = *yy_c_buf_p;
-	}
-
-
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
-#else
-YY_BUFFER_STATE yy_create_buffer( file, size )
-FILE *file;
-int size;
-#endif
-	{
-	YY_BUFFER_STATE b;
-
-	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
-	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
-	b->yy_buf_size = size;
-
-	/* yy_ch_buf has to be 2 characters longer than the size given because
-	 * we need to put in 2 end-of-buffer characters.
-	 */
-	b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
-	if ( ! b->yy_ch_buf )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
-	b->yy_is_our_buffer = 1;
-
-	yy_init_buffer( b, file );
-
-	return b;
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_delete_buffer( YY_BUFFER_STATE b )
-#else
-void yy_delete_buffer( b )
-YY_BUFFER_STATE b;
-#endif
-	{
-	if ( ! b )
-		return;
-
-	if ( b == yy_current_buffer )
-		yy_current_buffer = (YY_BUFFER_STATE) 0;
-
-	if ( b->yy_is_our_buffer )
-		yy_flex_free( (void *) b->yy_ch_buf );
-
-	yy_flex_free( (void *) b );
-	}
-
-
-
-#ifdef YY_USE_PROTOS
-void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
-#else
-void yy_init_buffer( b, file )
-YY_BUFFER_STATE b;
-FILE *file;
-#endif
-
-
-	{
-	yy_flush_buffer( b );
-
-	b->yy_input_file = file;
-	b->yy_fill_buffer = 1;
-
-#if YY_ALWAYS_INTERACTIVE
-	b->yy_is_interactive = 1;
-#else
-#if YY_NEVER_INTERACTIVE
-	b->yy_is_interactive = 0;
-#else
-	b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
-#endif
-#endif
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_flush_buffer( YY_BUFFER_STATE b )
-#else
-void yy_flush_buffer( b )
-YY_BUFFER_STATE b;
-#endif
-
-	{
-	if ( ! b )
-		return;
-
-	b->yy_n_chars = 0;
-
-	/* We always need two end-of-buffer characters.  The first causes
-	 * a transition to the end-of-buffer state.  The second causes
-	 * a jam in that state.
-	 */
-	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
-	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
-
-	b->yy_buf_pos = &b->yy_ch_buf[0];
-
-	b->yy_at_bol = 1;
-	b->yy_buffer_status = YY_BUFFER_NEW;
-
-	if ( b == yy_current_buffer )
-		yy_load_buffer_state();
-	}
-
-
-#ifndef YY_NO_SCAN_BUFFER
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
-#else
-YY_BUFFER_STATE yy_scan_buffer( base, size )
-char *base;
-yy_size_t size;
-#endif
-	{
-	YY_BUFFER_STATE b;
-
-	if ( size < 2 ||
-	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
-	     base[size-1] != YY_END_OF_BUFFER_CHAR )
-		/* They forgot to leave room for the EOB's. */
-		return 0;
-
-	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
-	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
-
-	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
-	b->yy_buf_pos = b->yy_ch_buf = base;
-	b->yy_is_our_buffer = 0;
-	b->yy_input_file = 0;
-	b->yy_n_chars = b->yy_buf_size;
-	b->yy_is_interactive = 0;
-	b->yy_at_bol = 1;
-	b->yy_fill_buffer = 0;
-	b->yy_buffer_status = YY_BUFFER_NEW;
-
-	yy_switch_to_buffer( b );
-
-	return b;
-	}
-#endif
-
-
-#ifndef YY_NO_SCAN_STRING
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
-#else
-YY_BUFFER_STATE yy_scan_string( yy_str )
-yyconst char *yy_str;
-#endif
-	{
-	int len;
-	for ( len = 0; yy_str[len]; ++len )
-		;
-
-	return yy_scan_bytes( yy_str, len );
-	}
-#endif
-
-
-#ifndef YY_NO_SCAN_BYTES
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
-#else
-YY_BUFFER_STATE yy_scan_bytes( bytes, len )
-yyconst char *bytes;
-int len;
-#endif
-	{
-	YY_BUFFER_STATE b;
-	char *buf;
-	yy_size_t n;
-	int i;
-
-	/* Get memory for full buffer, including space for trailing EOB's. */
-	n = len + 2;
-	buf = (char *) yy_flex_alloc( n );
-	if ( ! buf )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
-
-	for ( i = 0; i < len; ++i )
-		buf[i] = bytes[i];
-
-	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
-
-	b = yy_scan_buffer( buf, n );
-	if ( ! b )
-		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
-
-	/* It's okay to grow etc. this buffer, and we should throw it
-	 * away when we're done.
-	 */
-	b->yy_is_our_buffer = 1;
-
-	return b;
-	}
-#endif
-
-
-#ifndef YY_NO_PUSH_STATE
-#ifdef YY_USE_PROTOS
-static void yy_push_state( int new_state )
-#else
-static void yy_push_state( new_state )
-int new_state;
-#endif
-	{
-	if ( yy_start_stack_ptr >= yy_start_stack_depth )
-		{
-		yy_size_t new_size;
-
-		yy_start_stack_depth += YY_START_STACK_INCR;
-		new_size = yy_start_stack_depth * sizeof( int );
-
-		if ( ! yy_start_stack )
-			yy_start_stack = (int *) yy_flex_alloc( new_size );
-
-		else
-			yy_start_stack = (int *) yy_flex_realloc(
-					(void *) yy_start_stack, new_size );
-
-		if ( ! yy_start_stack )
-			YY_FATAL_ERROR(
-			"out of memory expanding start-condition stack" );
-		}
-
-	yy_start_stack[yy_start_stack_ptr++] = YY_START;
-
-	BEGIN(new_state);
-	}
-#endif
-
-
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state()
-	{
-	if ( --yy_start_stack_ptr < 0 )
-		YY_FATAL_ERROR( "start-condition stack underflow" );
-
-	BEGIN(yy_start_stack[yy_start_stack_ptr]);
-	}
-#endif
-
-
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state()
-	{
-	return yy_start_stack[yy_start_stack_ptr - 1];
-	}
-#endif
-
-#ifndef YY_EXIT_FAILURE
-#define YY_EXIT_FAILURE 2
-#endif
-
-#ifdef YY_USE_PROTOS
-static void yy_fatal_error( yyconst char msg[] )
-#else
-static void yy_fatal_error( msg )
-char msg[];
-#endif
-	{
-	(void) fprintf( stderr, "%s\n", msg );
-	exit( YY_EXIT_FAILURE );
-	}
-
-
-
-/* Redefine yyless() so it works in section 3 code. */
-
-#undef yyless
-#define yyless(n) \
-	do \
-		{ \
-		/* Undo effects of setting up yytext. */ \
-		yytext[yyleng] = yy_hold_char; \
-		yy_c_buf_p = yytext + n; \
-		yy_hold_char = *yy_c_buf_p; \
-		*yy_c_buf_p = '\0'; \
-		yyleng = n; \
-		} \
-	while ( 0 )
-
-
-/* Internal utility routines. */
-
-#ifndef yytext_ptr
-#ifdef YY_USE_PROTOS
-static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
-#else
-static void yy_flex_strncpy( s1, s2, n )
-char *s1;
-yyconst char *s2;
-int n;
-#endif
-	{
-	register int i;
-	for ( i = 0; i < n; ++i )
-		s1[i] = s2[i];
-	}
-#endif
-
-#ifdef YY_NEED_STRLEN
-#ifdef YY_USE_PROTOS
-static int yy_flex_strlen( yyconst char *s )
-#else
-static int yy_flex_strlen( s )
-yyconst char *s;
-#endif
-	{
-	register int n;
-	for ( n = 0; s[n]; ++n )
-		;
-
-	return n;
-	}
-#endif
-
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_alloc( yy_size_t size )
-#else
-static void *yy_flex_alloc( size )
-yy_size_t size;
-#endif
-	{
-	return (void *) malloc( size );
-	}
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_realloc( void *ptr, yy_size_t size )
-#else
-static void *yy_flex_realloc( ptr, size )
-void *ptr;
-yy_size_t size;
-#endif
-	{
-	/* The cast to (char *) in the following accommodates both
-	 * implementations that use char* generic pointers, and those
-	 * that use void* generic pointers.  It works with the latter
-	 * because both ANSI C and C++ allow castless assignment from
-	 * any pointer type to void*, and deal with argument conversions
-	 * as though doing an assignment.
-	 */
-	return (void *) realloc( (char *) ptr, size );
-	}
-
-#ifdef YY_USE_PROTOS
-static void yy_flex_free( void *ptr )
-#else
-static void yy_flex_free( ptr )
-void *ptr;
-#endif
-	{
-	free( ptr );
-	}
-
-#if YY_MAIN
-int main()
-	{
-	yylex();
-	return 0;
-	}
-#endif
-#line 144 "crlgen_lex_orig.l"
-
-#include "prlock.h"
-
-static PRLock *parserInvocationLock;
-
-void CRLGEN_InitCrlGenParserLock()
-{
-    parserInvocationLock = PR_NewLock();
-}
-
-void CRLGEN_DestroyCrlGenParserLock()
-{
-    PR_DestroyLock(parserInvocationLock);
-}
-
-
-SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData)
-{
-    SECStatus rv;
-
-    PR_Lock(parserInvocationLock);
-
-    parserStatus = SECSuccess;
-    parserData = parserCtlData;
-    src = parserCtlData->src;
-
-    rv = yylex();
-
-    PR_Unlock(parserInvocationLock);
-
-    return rv;
-}
-
-int yywrap() {return 1;}
diff --git a/security/nss/cmd/crlutil/crlgen_lex_fix.sed b/security/nss/cmd/crlutil/crlgen_lex_fix.sed
deleted file mode 100644
index 603dd2d1b..000000000
--- a/security/nss/cmd/crlutil/crlgen_lex_fix.sed
+++ /dev/null
@@ -1,6 +0,0 @@
-/<unistd.h>/ {
-        i #ifdef _WIN32
-	i #include <io.h>
-	i #else
-        a #endif
-}
diff --git a/security/nss/cmd/crlutil/crlgen_lex_orig.l b/security/nss/cmd/crlutil/crlgen_lex_orig.l
deleted file mode 100644
index 7cb1e5cde..000000000
--- a/security/nss/cmd/crlutil/crlgen_lex_orig.l
+++ /dev/null
@@ -1,177 +0,0 @@
-%{
-
-#include "crlgen.h"
-
-static SECStatus parserStatus = SECSuccess;
-static CRLGENGeneratorData *parserData;
-static PRFileDesc *src;
-
-#define YY_INPUT(buf,result,max_size) \
-    if ( parserStatus != SECFailure) { \
-	 if (((result = PR_Read(src, buf, max_size)) == 0) && \
-	     ferror( yyin )) \
-	   return SECFailure; \
-    } else  { return SECFailure; }
-              
-
-%}
-
-%a 5000
-DIGIT          [0-9]+
-DIGIT_RANGE    [0-9]+-[0-9]+
-ID             [a-zA-Z][a-zA-Z0-9]*
-OID            [0-9]+\.[\.0-9]+
-DATE           [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9]
-ZDATE          [0-9]{4}[01][0-9][0-3][0-9][0-2][0-9][0-6][0-9][0-6][0-9]Z
-N_SP_STRING    [a-zA-Z0-9\:\|\.]+
-
-%%
-
-{ZDATE}   {
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ZDATE);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-{DIGIT}   {
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-{DIGIT_RANGE}  {
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_DIGIT_RANGE);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-{OID}     {
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_OID);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-issuer     {
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_ISSUER_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-update     {
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_UPDATE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-nextupdate {
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_NEXT_UPDATE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-range      {
-parserStatus = crlgen_createNewLangStruct(parserData, CRLGEN_CHANGE_RANGE_CONTEXT);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-{ID}      {
-if (strcmp(yytext, "addcert") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_ADD_CERT_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else if (strcmp(yytext, "rmcert") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_RM_CERT_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else if (strcmp(yytext, "addext") == 0) {
-    parserStatus = crlgen_createNewLangStruct(parserData,
-                                    CRLGEN_ADD_EXTENSION_CONTEXT);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-} else {
-    parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_ID);
-    if (parserStatus != SECSuccess)
-        return parserStatus;
-}
-}
-
-"="
-
-\"[^\"]* {
-if (yytext[yyleng-1] == '\\') {
-    yymore();
-} else {
-    register int c;
-    c = input();
-    if (c != '\"') {
-        printf( "Error: Line ending \" is missing:  %c\n", c);
-        unput(c);
-    } else {
-        parserStatus = crlgen_setNextData(parserData, yytext + 1,
-                                          CRLGEN_TYPE_STRING);
-        if (parserStatus != SECSuccess)
-            return parserStatus;
-    }
-}
-}
-
-{N_SP_STRING} {
-parserStatus = crlgen_setNextData(parserData, yytext, CRLGEN_TYPE_STRING);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-
-
-^#[^\n]*     /* eat up one-line comments */ {}
-
-[ \t]+      {}
-
-(\n|\r\n)  {
-parserStatus = crlgen_updateCrl(parserData);
-if (parserStatus != SECSuccess)
-    return parserStatus;
-}
-
-.           {
-    fprintf(stderr, "Syntax error at line %d: unknown token %s\n",
-            parserData->parsedLineNum, yytext);
-    return SECFailure;
-}
-
-%%
-#include "prlock.h"
-
-static PRLock *parserInvocationLock;
-
-void CRLGEN_InitCrlGenParserLock()
-{
-    parserInvocationLock = PR_NewLock();
-}
-
-void CRLGEN_DestroyCrlGenParserLock()
-{
-    PR_DestroyLock(parserInvocationLock);
-}
-
-
-SECStatus CRLGEN_StartCrlGen(CRLGENGeneratorData *parserCtlData)
-{
-    SECStatus rv;
-
-    PR_Lock(parserInvocationLock);
-
-    parserStatus = SECSuccess;
-    parserData = parserCtlData;
-    src = parserCtlData->src;
-
-    rv = yylex();
-
-    PR_Unlock(parserInvocationLock);
-
-    return rv;
-}
-
-int yywrap() {return 1;}
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
deleted file mode 100644
index 9ee54335c..000000000
--- a/security/nss/cmd/crlutil/crlutil.c
+++ /dev/null
@@ -1,1089 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** certutil.c
-**
-** utility for managing certificates and the cert database
-**
-*/
-/* test only */
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "secutil.h"
-#include "cert.h"
-#include "certi.h"
-#include "certdb.h"
-#include "nss.h"
-#include "pk11func.h"
-#include "crlgen.h"
-
-#define SEC_CERT_DB_EXISTS 0
-#define SEC_CREATE_CERT_DB 1
-
-static char *progName;
-
-static CERTSignedCrl *FindCRL
-   (CERTCertDBHandle *certHandle, char *name, int type)
-{
-    CERTSignedCrl *crl = NULL;    
-    CERTCertificate *cert = NULL;
-    SECItem derName;
-
-    derName.data = NULL;
-    derName.len = 0;
-
-    cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
-    if (!cert) {
-        CERTName *certName = NULL;
-        PRArenaPool *arena = NULL;
-    
-        certName = CERT_AsciiToName(name);
-        if (certName) {
-            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-            if (arena) {
-                SECItem *nameItem = 
-                    SEC_ASN1EncodeItem (arena, NULL, (void *)certName,
-                                        SEC_ASN1_GET(CERT_NameTemplate));
-                if (nameItem) {
-                    SECITEM_CopyItem(NULL, &derName, nameItem);
-                }
-                PORT_FreeArena(arena, PR_FALSE);
-            }
-            CERT_DestroyName(certName);
-        }
-
-        if (!derName.len || !derName.data) {
-            SECU_PrintError(progName, "could not find certificate named '%s'", name);
-            return ((CERTSignedCrl *)NULL);
-        }
-    } else {
-        SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
-        CERT_DestroyCertificate (cert);
-    }
- 
-    crl = SEC_FindCrlByName(certHandle, &derName, type);
-    if (crl ==NULL) 
-	SECU_PrintError
-		(progName, "could not find %s's CRL", name);
-    if (derName.data) {
-        SECITEM_FreeItem(&derName, PR_FALSE);
-    }
-    return (crl);
-}
-
-static SECStatus DisplayCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
-{
-    CERTSignedCrl *crl = NULL;
-
-    crl = FindCRL (certHandle, nickName, crlType);
-	
-    if (crl) {
-	SECU_PrintCRLInfo (stdout, &crl->crl, "CRL Info:\n", 0);
-	SEC_DestroyCrl (crl);
-	return SECSuccess;
-    }
-    return SECFailure;
-}
-
-static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool deletecrls)
-{
-    CERTCrlHeadNode *crlList = NULL;
-    CERTCrlNode *crlNode = NULL;
-    CERTName *name = NULL;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-
-    do {
-	arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-	if (arena == NULL) {
-	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
-	    break;
-	}
-	
-	name = PORT_ArenaZAlloc (arena, sizeof(*name));
-	if (name == NULL) {
-	    fprintf(stderr, "%s: fail to allocate memory\n", progName);
-	    break;
-	}
-	name->arena = arena;
-	    
-	rv = SEC_LookupCrls (certHandle, &crlList, crlType);
-	if (rv != SECSuccess) {
-	    fprintf(stderr, "%s: fail to look up CRLs (%s)\n", progName,
-	    SECU_Strerror(PORT_GetError()));
-	    break;
-	}
-	
-	/* just in case */
-	if (!crlList)
-	    break;
-
-	crlNode  = crlList->first;
-
-        fprintf (stdout, "\n");
-	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
-	while (crlNode) {
-	    char* asciiname = NULL;
-	    CERTCertificate *cert = NULL;
-	    if (crlNode->crl && &crlNode->crl->crl.derName) {
-	        cert = CERT_FindCertByName(certHandle,
-	                                   &crlNode->crl->crl.derName);
-	        if (!cert) {
-	            SECU_PrintError(progName, "could not find signing "
-	                         "certificate in database");
-	        }
-	    }
-	    if (cert) {
-	        char* certName = NULL;
-                 if (cert->nickname && PORT_Strlen(cert->nickname) > 0) {
-	            certName = cert->nickname;
-	        } else if (cert->emailAddr && PORT_Strlen(cert->emailAddr) > 0) {
-	            certName = cert->emailAddr;
-	        }
-	        if (certName) {
-	            asciiname = PORT_Strdup(certName);
-	        }
-	        CERT_DestroyCertificate(cert);
-	    }
-                
-	    if (!asciiname) {
-	        name = &crlNode->crl->crl.name;
-	        if (!name){
-	            SECU_PrintError(progName, "fail to get the CRL "
-	                           "issuer name");
-	            continue;
-	        }
-	        asciiname = CERT_NameToAscii(name);
-	    }
-	    fprintf (stdout, "%-40s %-5s\n", asciiname, "CRL");
-	    if (asciiname) {
-		PORT_Free(asciiname);
-	    }
-            if ( PR_TRUE == deletecrls) {
-                CERTSignedCrl* acrl = NULL;
-                SECItem* issuer = &crlNode->crl->crl.derName;
-                acrl = SEC_FindCrlByName(certHandle, issuer, crlType);
-                if (acrl)
-                {
-                    SEC_DeletePermCRL(acrl);
-                    SEC_DestroyCrl(acrl);
-                }
-            }
-            crlNode = crlNode->next;
-	} 
-	
-    } while (0);
-    if (crlList)
-	PORT_FreeArena (crlList->arena, PR_FALSE);
-    PORT_FreeArena (arena, PR_FALSE);
-}
-
-static SECStatus ListCRL (CERTCertDBHandle *certHandle, char *nickName, int crlType)
-{
-    if (nickName == NULL) {
-	ListCRLNames (certHandle, crlType, PR_FALSE);
-	return SECSuccess;
-    } 
-
-    return DisplayCRL (certHandle, nickName, crlType);
-}
-
-
-
-static SECStatus DeleteCRL (CERTCertDBHandle *certHandle, char *name, int type)
-{
-    CERTSignedCrl *crl = NULL;    
-    SECStatus rv = SECFailure;
-
-    crl = FindCRL (certHandle, name, type);
-    if (!crl) {
-	SECU_PrintError
-		(progName, "could not find the issuer %s's CRL", name);
-	return SECFailure;
-    }
-    rv = SEC_DeletePermCRL (crl);
-    SEC_DestroyCrl(crl);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "fail to delete the issuer %s's CRL "
-	                "from the perm database (reason: %s)",
-	                name, SECU_Strerror(PORT_GetError()));
-	return SECFailure;
-    }
-    return (rv);
-}
-
-SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, 
-                     PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
-{
-    CERTSignedCrl *crl = NULL;
-    SECItem crlDER;
-    PK11SlotInfo* slot = NULL;
-    int rv;
-#if defined(DEBUG_jp96085)
-    PRIntervalTime starttime, endtime, elapsed;
-    PRUint32 mins, secs, msecs;
-#endif
-
-    crlDER.data = NULL;
-
-
-    /* Read in the entire file specified with the -f argument */
-    rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "unable to read input file");
-	return (SECFailure);
-    }
-
-    decodeOptions |= CRL_DECODE_DONT_COPY_DER;
-
-    slot = PK11_GetInternalKeySlot();
- 
-#if defined(DEBUG_jp96085)
-    starttime = PR_IntervalNow();
-#endif
-    crl = PK11_ImportCRL(slot, &crlDER, url, type,
-          NULL, importOptions, NULL, decodeOptions);
-#if defined(DEBUG_jp96085)
-    endtime = PR_IntervalNow();
-    elapsed = endtime - starttime;
-    mins = PR_IntervalToSeconds(elapsed) / 60;
-    secs = PR_IntervalToSeconds(elapsed) % 60;
-    msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
-    printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
-#endif
-    if (!crl) {
-	const char *errString;
-
-	rv = SECFailure;
-	errString = SECU_Strerror(PORT_GetError());
-	if ( errString && PORT_Strlen (errString) == 0)
-	    SECU_PrintError (progName, 
-	        "CRL is not imported (error: input CRL is not up to date.)");
-	else    
-	    SECU_PrintError (progName, "unable to import CRL");
-    } else {
-	SEC_DestroyCrl (crl);
-    }
-    if (slot) {
-        PK11_FreeSlot(slot);
-    }
-    return (rv);
-}
-
-
-static CERTCertificate*
-FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
-                char *certNickName)
-{                   
-    CERTCertificate *cert = NULL, *certTemp = NULL;
-    SECStatus rv = SECFailure;
-    CERTAuthKeyID* authorityKeyID = NULL;
-    SECItem* subject = NULL;
-
-    PORT_Assert(certHandle != NULL);
-    if (!certHandle || (!signCrl && !certNickName)) {
-        SECU_PrintError(progName, "invalid args for function "
-                        "FindSigningCert \n");
-        return NULL;
-    }
-
-    if (signCrl) {
-#if 0
-        authorityKeyID = SECU_FindCRLAuthKeyIDExten(tmpArena, scrl);
-#endif
-        subject = &signCrl->crl.derName;
-    } else {
-        certTemp = CERT_FindCertByNickname(certHandle, certNickName);
-        if (!certTemp) {
-            SECU_PrintError(progName, "could not find certificate \"%s\" "
-                            "in database", certNickName);
-            goto loser;
-        }
-        subject = &certTemp->derSubject;
-    }
-
-    cert = SECU_FindCrlIssuer(certHandle, subject, authorityKeyID, PR_Now());
-    if (!cert) {
-        SECU_PrintError(progName, "could not find signing certificate "
-                        "in database");
-        goto loser;
-    } else {
-        rv = SECSuccess;
-    }
-
-  loser:
-    if (certTemp)
-        CERT_DestroyCertificate(certTemp);
-    if (cert && rv != SECSuccess)
-        CERT_DestroyCertificate(cert);
-    return cert;
-}
-
-static CERTSignedCrl*
-CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
-                CERTCertificate **cert, char *certNickName,
-                PRFileDesc *inFile, PRInt32 decodeOptions,
-                PRInt32 importOptions)
-{
-    SECItem crlDER = {0, NULL, 0};
-    CERTSignedCrl *signCrl = NULL;
-    CERTSignedCrl *modCrl = NULL;
-    PRArenaPool *modArena = NULL;
-    SECStatus rv = SECSuccess;
-
-    if (!arena || !certHandle || !certNickName) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
-        return NULL;
-    }
-
-    modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (!modArena) {
-        SECU_PrintError(progName, "fail to allocate memory\n");
-        return NULL;
-    }
-    
-    if (inFile != NULL) {
-        rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
-        if (rv != SECSuccess) {
-            SECU_PrintError(progName, "unable to read input file");
-            PORT_FreeArena(modArena, PR_FALSE);
-            goto loser;
-        }
-        
-        decodeOptions |= CRL_DECODE_DONT_COPY_DER;
-        
-        modCrl = CERT_DecodeDERCrlWithFlags(modArena, &crlDER, SEC_CRL_TYPE,
-                                            decodeOptions);
-        if (!modCrl) {
-            SECU_PrintError(progName, "fail to decode CRL");
-            goto loser;
-        }
-        
-        if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
-            /* If caCert is a v2 certificate, make sure that it
-             * can be used for crl signing purpose */
-            *cert = FindSigningCert(certHandle, modCrl, NULL);
-            if (!*cert) {
-                goto loser;
-            }
-
-            rv = CERT_VerifySignedData(&modCrl->signatureWrap, *cert,
-                                       PR_Now(), NULL);
-            if (rv != SECSuccess) {
-                SECU_PrintError(progName, "fail to verify signed data\n");
-                goto loser;
-            }
-        }
-    } else {
-        modCrl = FindCRL(certHandle, certNickName, SEC_CRL_TYPE);
-        if (!modCrl) {
-            SECU_PrintError(progName, "fail to find crl %s in database\n",
-                            certNickName);
-            goto loser;
-        }
-    }
-
-    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
-    if (signCrl == NULL) {
-        SECU_PrintError(progName, "fail to allocate memory\n");
-        goto loser;
-    }
-
-    rv = SECU_CopyCRL(arena, &signCrl->crl, &modCrl->crl);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "unable to dublicate crl for "
-                        "modification.");
-        goto loser;
-    }  
-
-    /* Make sure the update time is current. It can be modified later
-     * by "update <time>" command from crl generation script */
-    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "fail to encode current time\n");
-        goto loser;
-    }
-
-    signCrl->arena = arena;
-
-  loser:
-    if (crlDER.data) {
-        SECITEM_FreeItem(&crlDER, PR_FALSE);
-    }
-    if (modCrl)
-        SEC_DestroyCrl(modCrl);
-    if (rv != SECSuccess && signCrl) {
-        SEC_DestroyCrl(signCrl);
-        signCrl = NULL;
-    }
-    return signCrl;
-}
-
-
-static CERTSignedCrl*
-CreateNewCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
-             CERTCertificate *cert)
-{ 
-    CERTSignedCrl *signCrl = NULL;
-    void *dummy = NULL;
-    SECStatus rv;
-    void* mark = NULL;
-
-    /* if the CERTSignedCrl structure changes, this function will need to be
-       updated as well */
-    if (!cert || !arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        SECU_PrintError(progName, "invalid args for function "
-                        "CreateNewCrl\n");
-        return NULL;
-    }
-
-    mark = PORT_ArenaMark(arena);
-        
-    signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
-    if (signCrl == NULL) {
-        SECU_PrintError(progName, "fail to allocate memory\n");
-        return NULL;
-    }
-
-    dummy = SEC_ASN1EncodeInteger(arena, &signCrl->crl.version,
-                                  SEC_CRL_VERSION_2);
-    /* set crl->version */
-    if (!dummy) {
-        SECU_PrintError(progName, "fail to create crl version data "
-                        "container\n");
-        goto loser;
-    }
-    
-    /* copy SECItem name from cert */
-    rv = SECITEM_CopyItem(arena, &signCrl->crl.derName, &cert->derSubject);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "fail to duplicate der name from "
-                        "certificate.\n");
-        goto loser;
-    }
-        
-    /* copy CERTName name structure from cert issuer */
-    rv = CERT_CopyName (arena, &signCrl->crl.name, &cert->subject);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "fail to duplicate RD name from "
-                        "certificate.\n");
-        goto loser;
-    }
-
-    rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "fail to encode current time\n");
-        goto loser;
-    }
-
-    /* set fields */
-    signCrl->arena = arena;
-    signCrl->dbhandle = certHandle;
-    signCrl->crl.arena = arena;
-
-    return signCrl;
-
-  loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-
-static SECStatus
-UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
-{
-    CRLGENGeneratorData *crlGenData = NULL;
-    SECStatus rv;
-    
-    if (!signCrl || !inCrlInitFile) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        SECU_PrintError(progName, "invalid args for function "
-                        "CreateNewCrl\n");
-        return SECFailure;
-    }
-
-    crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
-    if (!crlGenData) {
-	SECU_PrintError(progName, "can not initialize parser structure.\n");
-	return SECFailure;
-    }
-
-    rv = CRLGEN_ExtHandleInit(crlGenData);
-    if (rv == SECFailure) {
-	SECU_PrintError(progName, "can not initialize entries handle.\n");
-	goto loser;
-    }
-	
-    rv = CRLGEN_StartCrlGen(crlGenData);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "crl generation failed");
-	goto loser;
-    }
-
-  loser:
-    /* CommitExtensionsAndEntries is partially responsible for freeing
-     * up memory that was used for CRL generation. Should be called regardless
-     * of previouse call status, but only after initialization of
-     * crlGenData was done. It will commit all changes that was done before
-     * an error has occured.
-     */
-    if (SECSuccess != CRLGEN_CommitExtensionsAndEntries(crlGenData)) {
-        SECU_PrintError(progName, "crl generation failed");
-        rv = SECFailure;
-    }
-    CRLGEN_FinalizeCrlGeneration(crlGenData);    
-    return rv;
-}
-
-static SECStatus
-SignAndStoreCrl(CERTSignedCrl *signCrl, CERTCertificate *cert,
-                char *outFileName, SECOidTag hashAlgTag, int ascii,
-                char *slotName, char *url, secuPWData *pwdata)
-{
-    PK11SlotInfo *slot = NULL;
-    PRFileDesc   *outFile = NULL;
-    SECStatus rv;
-    SignAndEncodeFuncExitStat errCode;
-
-    PORT_Assert(signCrl && (!ascii || outFileName));
-    if (!signCrl || (ascii && !outFileName)) {
-        SECU_PrintError(progName, "invalid args for function "
-                        "SignAndStoreCrl\n");
-        return SECFailure;
-    }
-
-    if (!slotName || !PL_strcmp(slotName, "internal"))
-	slot = PK11_GetInternalKeySlot();
-    else
-	slot = PK11_FindSlotByName(slotName);
-    if (!slot) {
-	SECU_PrintError(progName, "can not find requested slot");
-	return SECFailure;
-    }
-
-    if (PK11_NeedLogin(slot)) {
-        rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    rv = SECU_SignAndEncodeCRL(cert, signCrl, hashAlgTag, &errCode);
-    if (rv != SECSuccess) {
-        char* errMsg = NULL;
-        switch (errCode)
-        {
-            case noKeyFound:
-                errMsg = "No private key found of signing cert";
-                break;
-
-            case noSignatureMatch:
-                errMsg = "Key and Algorithm OId are do not match";
-                break;
-
-            default:
-            case failToEncode:
-                errMsg = "Failed to encode crl structure";
-                break;
-
-            case failToSign:
-                errMsg = "Failed to sign crl structure";
-                break;
-
-            case noMem:
-                errMsg = "Can not allocate memory";
-                break;
-        }
-	SECU_PrintError(progName, "%s\n", errMsg);
-	goto loser;
-    }
-
-    if (outFileName) {
-	outFile = PR_Open(outFileName, PR_WRONLY|PR_CREATE_FILE, PR_IRUSR | PR_IWUSR);
-	if (!outFile) {
-	    SECU_PrintError(progName, "unable to open \"%s\" for writing\n",
-			    outFileName);
-	    goto loser;
-	}
-    }
-
-    rv = SECU_StoreCRL(slot, signCrl->derCrl, outFile, ascii, url);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "fail to save CRL\n");
-    }
-
-  loser:
-    if (outFile)
-	PR_Close(outFile);
-    if (slot)
-	PK11_FreeSlot(slot);
-    return rv;
-}
-
-static SECStatus
-GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName, 
-	     PRFileDesc *inCrlInitFile,  PRFileDesc *inFile,
-	     char *outFileName, int ascii, char *slotName,
-	     PRInt32 importOptions, char *alg, PRBool quiet,
-             PRInt32 decodeOptions, char *url, secuPWData *pwdata,
-             int modifyFlag)
-{
-    CERTCertificate *cert = NULL;
-    CERTSignedCrl *signCrl = NULL;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
-
-    if (alg) {
-        hashAlgTag = SECU_StringToSignatureAlgTag(alg);
-        if (hashAlgTag == SEC_OID_UNKNOWN) {
-            SECU_PrintError(progName, "%s -Z:  %s is not a recognized type.\n",
-                            progName, alg);
-            return SECFailure;
-        }
-    } else {
-        hashAlgTag = SEC_OID_UNKNOWN;
-    }
-
-    arena = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (!arena) {
-        SECU_PrintError(progName, "fail to allocate memory\n");
-        return SECFailure;
-    }
-
-    if (modifyFlag == PR_TRUE) {
-        signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
-                                         inFile, decodeOptions, importOptions);
-        if (signCrl == NULL) {
-            goto loser;
-        }
-    }
-
-    if (!cert) {
-        cert = FindSigningCert(certHandle, signCrl, certNickName);
-        if (cert == NULL) {
-            goto loser;
-        }
-    }
-
-    if (!signCrl) {
-        if (modifyFlag == PR_TRUE) {
-            if (!outFileName) {
-                int len = strlen(certNickName) + 5;
-                outFileName = PORT_ArenaAlloc(arena, len);
-                PR_snprintf(outFileName, len, "%s.crl", certNickName);
-            }
-            SECU_PrintError(progName, "Will try to generate crl. "
-                            "It will be saved in file: %s",
-                            outFileName);
-        }
-        signCrl = CreateNewCrl(arena, certHandle, cert);
-        if (!signCrl)
-            goto loser;
-    }
-
-    rv = UpdateCrl(signCrl, inCrlInitFile);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
-                         slotName, url, pwdata);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    if (signCrl && !quiet) {
-	SECU_PrintCRLInfo (stdout, &signCrl->crl, "CRL Info:\n", 0);
-    }
-
-  loser:
-    if (arena && (!signCrl || !signCrl->arena))
-        PORT_FreeArena (arena, PR_FALSE);
-    if (signCrl)
-	SEC_DestroyCrl (signCrl);
-    if (cert)
-	CERT_DestroyCertificate (cert);
-    return (rv);
-}
-
-static void Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
-	    "        %s -D -n nickname [-d keydir] [-P dbprefix]\n"
-	    "        %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
-            "[-p pwd-file] -w [pwd-string]\n"
-	    "        %s -E -t crlType [-d keydir] [-P dbprefix]\n"
-	    "        %s -T\n"
-	    "        %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
-            "[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
-            "[-a] [-B]\n",
-	    progName, progName, progName, progName, progName, progName);
-
-    fprintf (stderr, "%-15s List CRL\n", "-L");
-    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
-	    "-n nickname");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
-	    "-P dbprefix");
-   
-    fprintf (stderr, "%-15s Delete a CRL from the cert database\n", "-D");    
-    fprintf(stderr, "%-20s Specify the nickname for the CA certificate\n",
-	    "-n nickname");
-    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
-	    "-P dbprefix");
-
-    fprintf (stderr, "%-15s Erase all CRLs of specified type from hte cert database\n", "-E");
-    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
-	    "-P dbprefix");
-
-    fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");    
-    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
-	    "-i crl");
-    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
-    fprintf(stderr, "%-20s Specify the crl type.\n", "-t crlType");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
-	    "-P dbprefix");
-#ifdef DEBUG
-    fprintf (stderr, "%-15s Test . Only for debugging purposes. See source code\n", "-T");
-#endif
-    fprintf(stderr, "%-20s CRL Types (default is SEC_CRL_TYPE):\n", " ");
-    fprintf(stderr, "%-20s \t 0 - SEC_KRL_TYPE\n", " ");
-    fprintf(stderr, "%-20s \t 1 - SEC_CRL_TYPE\n", " ");        
-    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
-    fprintf(stderr, "\n%-20s Partial decode for faster operation.\n", "-p");
-    fprintf(stderr, "%-20s Repeat the operation.\n", "-r <iterations>");
-    fprintf(stderr, "\n%-15s Create CRL\n", "-G");
-    fprintf(stderr, "%-15s Modify CRL\n", "-M");
-    fprintf(stderr, "%-20s Specify crl initialization file\n",
-	    "-c crl-conf-file");
-    fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
-	    "-n nickname");
-    fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
-	    "-i crl");
-    fprintf(stderr, "%-20s Specify a CRL output file\n",
-	    "-o crl-output-file");
-    fprintf(stderr, "%-20s Specify to use base64 encoded CRL output format\n",
-	    "-a");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Provide path to a default pwd file\n",
-	    "-f pwd-file");
-    fprintf(stderr, "%-20s Provide db password in command line\n",
-	    "-w pwd-string");
-    fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
-	    "-P dbprefix");
-    fprintf(stderr, "%-20s Specify the url.\n", "-u url");
-    fprintf(stderr, "\n%-20s Bypass CA certificate checks.\n", "-B");
-
-    exit(-1);
-}
-
-int main(int argc, char **argv)
-{
-    SECItem privKeyDER;
-    CERTCertDBHandle *certHandle;
-    FILE *certFile;
-    PRFileDesc *inFile;
-    PRFileDesc *inCrlInitFile = NULL;
-    int generateCRL;
-    int modifyCRL;
-    int listCRL;
-    int importCRL;
-    int deleteCRL;
-    int rv;
-    char *nickName;
-    char *url;
-    char *dbPrefix = "";
-    char *alg = NULL;
-    char *outFile = NULL;
-    char *slotName = NULL;
-    int ascii = 0;
-    int crlType;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus secstatus;
-    PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
-    PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
-    PRBool quiet = PR_FALSE;
-    PRBool test = PR_FALSE;
-    PRBool erase = PR_FALSE;
-    PRInt32 i = 0;
-    PRInt32 iterations = 1;
-    PRBool readonly = PR_FALSE;
-
-    secuPWData  pwdata          = { PW_NONE, 0 };
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = 0;
-    deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = 0;
-    certFile = NULL;
-    inFile = NULL;
-    nickName = url = NULL;
-    privKeyDER.data = NULL;
-    certHandle = NULL;
-    crlType = SEC_CRL_TYPE;
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, "sqBCDGILMTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-          case 'T':
-            test = PR_TRUE;
-            break;
-
-          case 'E':
-            erase = PR_TRUE;
-            break;
-
-	  case 'B':
-            importOptions |= CRL_IMPORT_BYPASS_CHECKS;
-            break;
-
-	  case 'G':
-	    generateCRL = 1;
-	    break;
-
-          case 'M':
-            modifyCRL = 1;
-            break;
-
-	  case 'D':
-	      deleteCRL = 1;
-	      break;
-
-	  case 'I':
-	      importCRL = 1;
-	      break;
-	           
-	  case 'C':
-	  case 'L':
-	      listCRL = 1;
-	      break;
-
-	  case 'P':
- 	    dbPrefix = strdup(optstate->value);
- 	    break;
-              
-	  case 'Z':
-              alg = strdup(optstate->value);
-              break;
-              
-	  case 'a':
-	      ascii = 1;
-	      break;
-
-	  case 'c':
-              inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
-              if (!inCrlInitFile) {
-                  PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
-                             progName, optstate->value);
-                  PL_DestroyOptState(optstate);
-                  return -1;
-              }
-              break;
-	    
-	  case 'd':
-              SECU_ConfigDirectory(optstate->value);
-              break;
-
-	  case 'f':
-	      pwdata.source = PW_FROMFILE;
-	      pwdata.data = strdup(optstate->value);
-	      break;
-
-	  case 'h':
-              slotName = strdup(optstate->value);
-              break;
-
-	  case 'i':
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!inFile) {
-		PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		PL_DestroyOptState(optstate);
-		return -1;
-	    }
-	    break;
-	    
-	  case 'n':
-	    nickName = strdup(optstate->value);
-	    break;
-
-	  case 'o':
-	    outFile = strdup(optstate->value);
-	    break;
-	    
-	  case 'p':
-	    decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
-	    break;
-
-	  case 'r': {
-	    const char* str = optstate->value;
-	    if (str && atoi(str)>0)
-		iterations = atoi(str);
-	    }
-	    break;
-	    
-	  case 't': {
-	    char *type;
-	    
-	    type = strdup(optstate->value);
-	    crlType = atoi (type);
-	    if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
-		PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
-		PL_DestroyOptState(optstate);
-		return -1;
-	    }
-	    break;
-
-	  case 'q':
-            quiet = PR_TRUE;
-	    break;
-
-	  case 'w':
-	      pwdata.source = PW_PLAINTEXT;
-	      pwdata.data = strdup(optstate->value);
-	      break;
-
-	  case 'u':
-	    url = strdup(optstate->value);
-	    break;
-
-          }
-	}
-    }
-    PL_DestroyOptState(optstate);
-
-    if (deleteCRL && !nickName) Usage (progName);
-    if (importCRL && !inFile) Usage (progName);
-    if ((generateCRL && !nickName) ||
-        (modifyCRL && !inFile && !nickName)) Usage (progName);
-    if (!(listCRL || deleteCRL || importCRL || generateCRL ||
-	  modifyCRL || test || erase)) Usage (progName);
-
-    if (listCRL) {
-        readonly = PR_TRUE;
-    }
-    
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
-			       "secmod.db", readonly ? NSS_INIT_READONLY : 0);
-    if (secstatus != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-    SECU_RegisterDynamicOids();
-
-    certHandle = CERT_GetDefaultCertDB();
-    if (certHandle == NULL) {
-	SECU_PrintError(progName, "unable to open the cert db");	    	
-	/*ignoring return value of NSS_Shutdown() as code returns -1*/
-	(void) NSS_Shutdown();
-	return (-1);
-    }
-
-    CRLGEN_InitCrlGenParserLock();
-
-    for (i=0; i<iterations; i++) {
-	/* Read in the private key info */
-	if (deleteCRL) 
-	    DeleteCRL (certHandle, nickName, crlType);
-	else if (listCRL) {
-	    rv = ListCRL (certHandle, nickName, crlType);
-	}
-	else if (importCRL) {
-	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
-			    decodeOptions);
-	} else if (generateCRL || modifyCRL) {
-	    if (!inCrlInitFile)
-		inCrlInitFile = PR_STDIN;
-	    rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
-			      inFile, outFile, ascii,  slotName,
-			      importOptions, alg, quiet,
-			      decodeOptions, url, &pwdata,
-			      modifyCRL);
-	}
-	else if (erase) {
-	    /* list and delete all CRLs */
-	    ListCRLNames (certHandle, crlType, PR_TRUE);
-	}
-#ifdef DEBUG
-	else if (test) {
-	    /* list and delete all CRLs */
-	    ListCRLNames (certHandle, crlType, PR_TRUE);
-	    /* list CRLs */
-	    ListCRLNames (certHandle, crlType, PR_FALSE);
-	    /* import CRL as a blob */
-	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
-			    decodeOptions);
-	    /* list CRLs */
-	    ListCRLNames (certHandle, crlType, PR_FALSE);
-	}
-#endif    
-    }
-
-    CRLGEN_DestroyCrlGenParserLock();
-
-    if (NSS_Shutdown() != SECSuccess) {
-        rv = SECFailure;
-    }
-
-    return (rv != SECSuccess);
-}
diff --git a/security/nss/cmd/crlutil/manifest.mn b/security/nss/cmd/crlutil/manifest.mn
deleted file mode 100644
index c56ac20c7..000000000
--- a/security/nss/cmd/crlutil/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = crlgen_lex.c crlgen.c crlutil.c 
-
-# this has to be different for NT and UNIX.
-# PROGRAM	= ./$(OBJDIR)/crlutil.exe
-PROGRAM	= crlutil
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/crmf-cgi/Makefile b/security/nss/cmd/crmf-cgi/Makefile
deleted file mode 100644
index 1d0bb7b95..000000000
--- a/security/nss/cmd/crmf-cgi/Makefile
+++ /dev/null
@@ -1,85 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-EXTRA_LIBS += $(DIST)/lib/crmf.lib
-else
-EXTRA_LIBS += $(DIST)/lib/libcrmf.$(LIB_SUFFIX) 
-endif
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/crmf-cgi/config.mk b/security/nss/cmd/crmf-cgi/config.mk
deleted file mode 100644
index f3a06d153..000000000
--- a/security/nss/cmd/crmf-cgi/config.mk
+++ /dev/null
@@ -1,48 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(PROGRAM)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-LIBRARY        =
-
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.c b/security/nss/cmd/crmf-cgi/crmfcgi.c
deleted file mode 100644
index 7e6f00e98..000000000
--- a/security/nss/cmd/crmf-cgi/crmfcgi.c
+++ /dev/null
@@ -1,1122 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "seccomon.h"
-#include "nss.h"
-#include "key.h"
-#include "cert.h"
-#include "pk11func.h"
-#include "secmod.h"
-#include "cmmf.h"
-#include "crmf.h"
-#include "base64.h"
-#include "secasn1.h"
-#include "cryptohi.h"
-#include <string.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#define DEFAULT_ALLOC_SIZE 200
-#define DEFAULT_CGI_VARS   20
-
-typedef struct CGIVariableStr {
-  char *name;
-  char *value;
-} CGIVariable;
-
-typedef struct CGIVarTableStr {
-  CGIVariable **variables;
-  int           numVars;
-  int           numAlloc; 
-} CGIVarTable;
-
-typedef struct CertResponseInfoStr {
-  CERTCertificate *cert;
-  long             certReqID;
-} CertResponseInfo;
-
-typedef struct ChallengeCreationInfoStr {
-  long             random;
-  SECKEYPublicKey *pubKey;
-} ChallengeCreationInfo;
-
-char *missingVar = NULL;
-
-/*
- * Error values.
- */
-typedef enum {
-  NO_ERROR = 0,
-  NSS_INIT_FAILED,
-  AUTH_FAILED,
-  REQ_CGI_VAR_NOT_PRESENT,
-  CRMF_REQ_NOT_PRESENT,
-  BAD_ASCII_FOR_REQ,
-  CGI_VAR_MISSING,
-  COULD_NOT_FIND_CA,
-  COULD_NOT_DECODE_REQS,
-  OUT_OF_MEMORY,
-  ERROR_RETRIEVING_REQUEST_MSG,
-  ERROR_RETRIEVING_CERT_REQUEST,
-  ERROR_RETRIEVING_SUBJECT_FROM_REQ,
-  ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ,
-  ERROR_CREATING_NEW_CERTIFICATE,
-  COULD_NOT_START_EXTENSIONS,
-  ERROR_RETRIEVING_EXT_FROM_REQ,
-  ERROR_ADDING_EXT_TO_CERT,
-  ERROR_ENDING_EXTENSIONS,
-  COULD_NOT_FIND_ISSUER_PRIVATE_KEY,
-  UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER,
-  ERROR_SETTING_SIGN_ALG,
-  ERROR_ENCODING_NEW_CERT,
-  ERROR_SIGNING_NEW_CERT,
-  ERROR_CREATING_CERT_REP_CONTENT,
-  ERROR_CREATING_SINGLE_CERT_RESPONSE,
-  ERROR_SETTING_CERT_RESPONSES,
-  ERROR_CREATING_CA_LIST,
-  ERROR_ADDING_ISSUER_TO_CA_LIST,
-  ERROR_ENCODING_CERT_REP_CONTENT,
-  NO_POP_FOR_REQUEST,
-  UNSUPPORTED_POP,
-  ERROR_RETRIEVING_POP_SIGN_KEY,
-  ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY,
-  ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY,
-  DO_CHALLENGE_RESPONSE,
-  ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT,
-  ERROR_ENCODING_CERT_REQ_FOR_POP,
-  ERROR_VERIFYING_SIGNATURE_POP,
-  ERROR_RETRIEVING_PUB_KEY_FOR_CHALL,
-  ERROR_CREATING_EMPTY_CHAL_CONTENT,
-  ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER,
-  ERROR_SETTING_CHALLENGE,
-  ERROR_ENCODING_CHALL,
-  ERROR_CONVERTING_CHALL_TO_BASE64,
-  ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN,
-  ERROR_CREATING_KEY_RESP_FROM_DER,
-  ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE,
-  ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED,
-  ERROR_GETTING_KEY_ENCIPHERMENT,
-  ERROR_NO_POP_FOR_PRIVKEY,
-  ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE
-} ErrorCode;
-
-const char *
-CGITableFindValue(CGIVarTable *varTable, const char *key);
-
-void
-spitOutHeaders(void)
-{
-  printf("Content-type: text/html\n\n");
-}
-
-void
-dumpRequest(CGIVarTable *varTable)
-{
-  int i;
-  CGIVariable *var;
-
-  printf ("<table border=1 cellpadding=1 cellspacing=1 width=\"100%%\">\n");
-  printf ("<tr><td><b><center>Variable Name<center></b></td>"
-          "<td><b><center>Value</center></b></td></tr>\n");
-  for (i=0; i<varTable->numVars; i++) {
-    var = varTable->variables[i];
-    printf ("<tr><td><pre>%s</pre></td><td><pre>%s</pre></td></tr>\n", 
-             var->name, var->value);
-  }
-  printf("</table>\n");
-}
-
-void
-echo_request(CGIVarTable *varTable)
-{
-  spitOutHeaders();
-  printf("<html><head><title>CGI Echo Page</title></head>\n"
-	 "<body><h1>Got the following request</h1>\n");
-  dumpRequest(varTable);
-  printf("</body></html>");
-}
-
-void
-processVariable(CGIVariable *var)
-{
-  char *plusSign, *percentSign;
-
-  /*First look for all of the '+' and convert them to spaces */
-  plusSign = var->value;
-  while ((plusSign=strchr(plusSign, '+')) != NULL) {
-    *plusSign = ' ';
-  }
-  percentSign = var->value;
-  while ((percentSign=strchr(percentSign, '%')) != NULL) {
-    char string[3];
-    int  value;
-
-    string[0] = percentSign[1];
-    string[1] = percentSign[2];
-    string[2] = '\0';
-
-    sscanf(string,"%x", &value);
-    *percentSign = (char)value;
-    memmove(&percentSign[1], &percentSign[3], 1+strlen(&percentSign[3]));
-  }
-}
-
-char *
-parseNextVariable(CGIVarTable *varTable, char *form_output)
-{
-  char *ampersand, *equal;
-  CGIVariable *var;
-
-  if (varTable->numVars == varTable->numAlloc) {
-    CGIVariable **newArr = realloc(varTable->variables, 
-                                   (varTable->numAlloc + DEFAULT_CGI_VARS)*sizeof(CGIVariable*));
-    if (newArr == NULL) {
-      return NULL;
-    }
-    varTable->variables = newArr;
-    varTable->numAlloc += DEFAULT_CGI_VARS;
-  }
-  equal     = strchr(form_output, '=');
-  if (equal == NULL) {
-    return NULL;
-  }
-  ampersand = strchr(equal, '&');
-  if (ampersand == NULL) {
-    return NULL;
-  }
-  equal[0] = '\0';
-  if (ampersand != NULL) {
-    ampersand[0] = '\0';
-  }
-  var = malloc(sizeof(CGIVariable));
-  var->name = form_output; 
-  var->value = &equal[1];
-  varTable->variables[varTable->numVars] = var;
-  varTable->numVars++;
-  processVariable(var);
-  return (ampersand != NULL) ? &ampersand[1] : NULL;
-}
-
-void
-ParseInputVariables(CGIVarTable *varTable, char *form_output)
-{
-  varTable->variables = malloc(sizeof(CGIVariable*)*DEFAULT_CGI_VARS);
-  varTable->numVars = 0;
-  varTable->numAlloc = DEFAULT_CGI_VARS;
-  while (form_output && form_output[0] != '\0') {
-    form_output = parseNextVariable(varTable, form_output);
-  }
-}
-
-const char *
-CGITableFindValue(CGIVarTable *varTable, const char *key)
-{
-  const char *retVal = NULL;
-  int i;
-
-  for (i=0; i<varTable->numVars; i++) {
-    if (strcmp(varTable->variables[i]->name, key) == 0) {
-      retVal = varTable->variables[i]->value;
-      break;
-    } 
-  }
-  return retVal;
-}
-
-char*
-passwordCallback(PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-  const char *passwd;
-  if (retry) {
-    return NULL;
-  }
-  passwd = CGITableFindValue((CGIVarTable*)arg, "dbPassword");
-  if (passwd == NULL) {
-    return NULL;
-  }
-  return PORT_Strdup(passwd);
-}
-
-ErrorCode
-initNSS(CGIVarTable *varTable)
-{
-  const char *nssDir;
-  PK11SlotInfo *keySlot;
-  SECStatus rv;
-
-  nssDir = CGITableFindValue(varTable,"NSSDirectory");
-  if (nssDir == NULL) {
-    missingVar = "NSSDirectory";
-    return REQ_CGI_VAR_NOT_PRESENT;
-  }
-  rv = NSS_Init(nssDir);
-  if (rv != SECSuccess) {
-    return NSS_INIT_FAILED;
-  }
-  PK11_SetPasswordFunc(passwordCallback);
-  keySlot = PK11_GetInternalKeySlot();
-  rv = PK11_Authenticate(keySlot, PR_FALSE, varTable);
-  PK11_FreeSlot(keySlot);
-  if (rv != SECSuccess) {
-    return AUTH_FAILED;
-  }
-  return NO_ERROR;
-}
-
-void
-dumpErrorMessage(ErrorCode errNum)
-{
-  spitOutHeaders();
-  printf("<html><head><title>Error</title></head><body><h1>Error processing "
-	 "data</h1> Received the error %d<p>", errNum);
-  if (errNum  ==   REQ_CGI_VAR_NOT_PRESENT) {
-    printf ("The missing variable is %s.", missingVar);
-  }
-  printf ("<i>More useful information here in the future.</i></body></html>");
-}
-
-ErrorCode
-initOldCertReq(CERTCertificateRequest *oldCertReq,
-	       CERTName *subject, CERTSubjectPublicKeyInfo *spki)
-{
-  PRArenaPool *poolp;
-
-  poolp = oldCertReq->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  SEC_ASN1EncodeInteger(poolp, &oldCertReq->version, 
-			SEC_CERTIFICATE_VERSION_3);
-  CERT_CopyName(poolp, &oldCertReq->subject, subject);
-  SECKEY_CopySubjectPublicKeyInfo(poolp, &oldCertReq->subjectPublicKeyInfo,
-				  spki);
-  oldCertReq->attributes = NULL;
-  return NO_ERROR;
-}
-
-ErrorCode
-addExtensions(CERTCertificate *newCert, CRMFCertRequest *certReq)
-{
-  int numExtensions, i;
-  void *extHandle;
-  ErrorCode rv = NO_ERROR;
-  CRMFCertExtension *ext;
-  SECStatus srv;
-
-  numExtensions = CRMF_CertRequestGetNumberOfExtensions(certReq);
-  if (numExtensions == 0) {
-    /* No extensions to add */
-    return NO_ERROR;
-  }
-  extHandle = CERT_StartCertExtensions(newCert);
-  if (extHandle == NULL) {
-    rv = COULD_NOT_START_EXTENSIONS;
-    goto loser;
-  }
-  for (i=0; i<numExtensions; i++) {
-    ext = CRMF_CertRequestGetExtensionAtIndex(certReq, i);
-    if (ext == NULL) {
-      rv = ERROR_RETRIEVING_EXT_FROM_REQ;
-    }
-    srv = CERT_AddExtension(extHandle, CRMF_CertExtensionGetOidTag(ext),
-			    CRMF_CertExtensionGetValue(ext),
-			    CRMF_CertExtensionGetIsCritical(ext), PR_FALSE);
-    if (srv != SECSuccess) {
-      rv = ERROR_ADDING_EXT_TO_CERT;
-    }
-  }
-  srv = CERT_FinishExtensions(extHandle);
-  if (srv != SECSuccess) {
-    rv = ERROR_ENDING_EXTENSIONS;
-    goto loser;
-  }
-  return NO_ERROR;
- loser:
-  return rv;
-}
-
-void
-writeOutItem(const char *filePath, SECItem *der)
-{
-  PRFileDesc *outfile;
-
-  outfile = PR_Open (filePath,
-		     PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
-		     0666);
-  PR_Write(outfile, der->data, der->len);
-  PR_Close(outfile);
-
-}
-
-ErrorCode
-createNewCert(CERTCertificate**issuedCert,CERTCertificateRequest *oldCertReq,
-	      CRMFCertReqMsg *currReq, CRMFCertRequest *certReq, 
-	      CERTCertificate *issuerCert, CGIVarTable *varTable)
-{
-  CERTCertificate *newCert = NULL;
-  CERTValidity *validity;
-  PRExplodedTime printableTime;
-  PRTime now, after;
-  ErrorCode rv=NO_ERROR;
-  SECKEYPrivateKey *issuerPrivKey;
-  SECItem derCert = { 0 };
-  SECOidTag signTag;
-  SECStatus srv;
-  long version;
-
-  now = PR_Now();
-  PR_ExplodeTime(now, PR_GMTParameters, &printableTime);
-  printableTime.tm_month += 9;
-  after = PR_ImplodeTime(&printableTime);
-  validity = CERT_CreateValidity(now, after);
-  newCert = *issuedCert = 
-    CERT_CreateCertificate(rand(), &(issuerCert->subject), validity, 
-			   oldCertReq);
-  if (newCert == NULL) {
-    rv = ERROR_CREATING_NEW_CERTIFICATE;
-    goto loser;
-  }
-  rv = addExtensions(newCert, certReq);
-  if (rv != NO_ERROR) {
-    goto loser;
-  }
-  issuerPrivKey = PK11_FindKeyByAnyCert(issuerCert, varTable);
-  if (issuerPrivKey == NULL) {
-    rv = COULD_NOT_FIND_ISSUER_PRIVATE_KEY;
-  }
-  signTag = SEC_GetSignatureAlgorithmOidTag(issuerPrivatekey->keytype, 
-					    SEC_OID_UNKNOWN);
-  if (signTag == SEC_OID_UNKNOWN) {
-    rv = UNSUPPORTED_SIGN_OPERATION_FOR_ISSUER;
-    goto loser;
-  }
-  srv = SECOID_SetAlgorithmID(newCert->arena, &newCert->signature, 
-			      signTag, 0);
-  if (srv != SECSuccess) {
-    rv = ERROR_SETTING_SIGN_ALG;
-    goto loser;
-  }
-  srv = CRMF_CertRequestGetCertTemplateVersion(certReq, &version);
-  if (srv != SECSuccess) {
-    /* No version included in the request */
-    *(newCert->version.data) = SEC_CERTIFICATE_VERSION_3;
-  } else {
-    SECITEM_FreeItem(&newCert->version, PR_FALSE);
-    SEC_ASN1EncodeInteger(newCert->arena, &newCert->version, version);
-  }
-  SEC_ASN1EncodeItem(newCert->arena, &derCert, newCert, 
-		     CERT_CertificateTemplate);
-  if (derCert.data == NULL) {
-    rv = ERROR_ENCODING_NEW_CERT;
-    goto loser;
-  }
-  srv = SEC_DerSignData(newCert->arena, &(newCert->derCert), derCert.data,
-			derCert.len, issuerPrivKey, signTag);
-  if (srv != SECSuccess) {
-    rv = ERROR_SIGNING_NEW_CERT;
-    goto loser;
-  }
-#ifdef WRITE_OUT_RESPONSE
-  writeOutItem("newcert.der", &newCert->derCert);
-#endif
-  return NO_ERROR;
- loser:
-  *issuedCert = NULL;
-  if (newCert) {
-    CERT_DestroyCertificate(newCert);
-  }
-  return rv;
-		     
-}
-
-void
-formatCMMFResponse(char *nickname, char *base64Response)
-{
-  char *currLine, *nextLine;
-
-  printf("var retVal = crypto.importUserCertificates(\"%s\",\n", nickname);
-  currLine = base64Response;
-  while (1) {
-    nextLine = strchr(currLine, '\n');
-    if (nextLine == NULL) {
-      /* print out the last line here. */
-      printf ("\"%s\",\n", currLine);
-      break;
-    }
-    nextLine[0] = '\0';
-    printf("\"%s\\n\"+\n", currLine);
-    currLine = nextLine+1;
-  }
-  printf("true);\n"
-	 "if(retVal == '') {\n"
-	 "\tdocument.write(\"<h1>New Certificate Successfully Imported.</h1>\");\n"
-	 "} else {\n"
-	 "\tdocument.write(\"<h2>Unable to import New Certificate</h2>\");\n"
-	 "\tdocument.write(\"crypto.importUserCertificates returned <b>\");\n"
-	 "\tdocument.write(retVal);\n"
-	 "\tdocument.write(\"</b>\");\n"
-	 "}\n");
-}
-
-void
-spitOutCMMFResponse(char *nickname, char *base64Response)
-{
-  spitOutHeaders();
-  printf("<html>\n<head>\n<title>CMMF Resonse Page</title>\n</head>\n\n"
-	 "<body><h1>CMMF Response Page</h1>\n"
-	 "<script language=\"JavaScript\">\n"
-	 "<!--\n");
-  formatCMMFResponse(nickname, base64Response);
-  printf("// -->\n"
-	 "</script>\n</body>\n</html>");
-}
-
-char*
-getNickname(CERTCertificate *cert)
-{
-  char *nickname;
-
-  if (cert->nickname != NULL) {
-    return cert->nickname;
-  }
-  nickname = CERT_GetCommonName(&cert->subject);
-  if (nickname != NULL) {
-    return nickname;
-  }
-  return CERT_NameToAscii(&cert->subject);
-}
-
-ErrorCode
-createCMMFResponse(CertResponseInfo *issuedCerts, int numCerts, 
-		   CERTCertificate *issuerCert, char **base64der)
-{
- CMMFCertRepContent *certRepContent=NULL;
-  ErrorCode rv = NO_ERROR;
-  CMMFCertResponse **responses, *currResponse;
-  CERTCertList *caList;
-  int i;
-  SECStatus srv;
-  PRArenaPool *poolp;
-  SECItem *der;
-
-  certRepContent = CMMF_CreateCertRepContent();
-  if (certRepContent == NULL) {
-    rv = ERROR_CREATING_CERT_REP_CONTENT;
-    goto loser;
-  }
-  responses = PORT_NewArray(CMMFCertResponse*, numCerts);
-  if (responses == NULL) {
-    rv = OUT_OF_MEMORY;
-    goto loser;
-  }
-  for (i=0; i<numCerts;i++) {
-    responses[i] = currResponse = 
-      CMMF_CreateCertResponse(issuedCerts[i].certReqID);
-    if (currResponse == NULL) {
-      rv = ERROR_CREATING_SINGLE_CERT_RESPONSE;
-      goto loser;
-    }
-    CMMF_CertResponseSetPKIStatusInfoStatus(currResponse, cmmfGranted);
-    CMMF_CertResponseSetCertificate(currResponse, issuedCerts[i].cert);
-  }
-  srv = CMMF_CertRepContentSetCertResponses(certRepContent, responses,
-					    numCerts);
-  if (srv != SECSuccess) {
-    rv = ERROR_SETTING_CERT_RESPONSES;
-    goto loser;
-  }
-  caList = CERT_NewCertList();
-  if (caList == NULL) {
-    rv = ERROR_CREATING_CA_LIST;
-    goto loser;
-  }
-  srv = CERT_AddCertToListTail(caList, issuerCert);
-  if (srv != SECSuccess) {
-    rv = ERROR_ADDING_ISSUER_TO_CA_LIST;
-    goto loser;
-  }
-  srv = CMMF_CertRepContentSetCAPubs(certRepContent, caList);
-  CERT_DestroyCertList(caList);
-  poolp = PORT_NewArena(1024);
-  der = SEC_ASN1EncodeItem(poolp, NULL, certRepContent, 
-			   CMMFCertRepContentTemplate);
-  if (der == NULL) {
-    rv = ERROR_ENCODING_CERT_REP_CONTENT;
-    goto loser;
-  }
-#ifdef WRITE_OUT_RESPONSE
-  writeOutItem("CertRepContent.der", der);
-#endif
-  *base64der = BTOA_DataToAscii(der->data, der->len);
-  return NO_ERROR;
- loser:
-  return rv;
-}
-
-ErrorCode
-issueCerts(CertResponseInfo *issuedCerts, int numCerts, 
-	   CERTCertificate *issuerCert)
-{
-  ErrorCode rv;
-  char *base64Response;
-
-  rv = createCMMFResponse(issuedCerts, numCerts, issuerCert, &base64Response);
-  if (rv != NO_ERROR) {
-    goto loser;
-  }
-  spitOutCMMFResponse(getNickname(issuedCerts[0].cert),base64Response);
-  return NO_ERROR;
- loser:
-  return rv;
-}
-
-ErrorCode
-verifySignature(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
-		CRMFCertRequest *certReq, CERTCertificate *newCert)
-{
-  SECStatus srv;
-  ErrorCode rv = NO_ERROR;
-  CRMFPOPOSigningKey *signKey   = NULL;
-  SECAlgorithmID     *algID     = NULL;
-  SECItem            *signature = NULL;
-  SECKEYPublicKey    *pubKey    = NULL;
-  SECItem            *reqDER    = NULL;
-
-  srv = CRMF_CertReqMsgGetPOPOSigningKey(currReq, &signKey);
-  if (srv != SECSuccess || signKey == NULL) {
-    rv = ERROR_RETRIEVING_POP_SIGN_KEY;
-    goto loser;
-  }
-  algID = CRMF_POPOSigningKeyGetAlgID(signKey);
-  if (algID == NULL) {
-    rv = ERROR_RETRIEVING_ALG_ID_FROM_SIGN_KEY;
-    goto loser;
-  }
-  signature = CRMF_POPOSigningKeyGetSignature(signKey);
-  if (signature == NULL) {
-    rv = ERROR_RETRIEVING_SIGNATURE_FROM_POP_SIGN_KEY;
-    goto loser;
-  }
-  /* Make the length the number of bytes instead of bits */
-  signature->len = (signature->len+7)/8;
-  pubKey = CERT_ExtractPublicKey(newCert);
-  if (pubKey == NULL) {
-    rv = ERROR_RETRIEVING_PUB_KEY_FROM_NEW_CERT;
-    goto loser;
-  }
-  reqDER = SEC_ASN1EncodeItem(NULL, NULL, certReq, CRMFCertRequestTemplate);
-  if (reqDER == NULL) {
-    rv = ERROR_ENCODING_CERT_REQ_FOR_POP;
-    goto loser;
-  }
-  srv = VFY_VerifyDataWithAlgorithmID(reqDER->data, reqDER->len, pubKey, 
-			signature, &algID->algorithm, NULL, varTable);
-  if (srv != SECSuccess) {
-    rv = ERROR_VERIFYING_SIGNATURE_POP;
-    goto loser;
-  }
-  /* Fall thru in successfull case. */
- loser:
-  if (pubKey != NULL) {
-    SECKEY_DestroyPublicKey(pubKey);
-  }
-  if (reqDER != NULL) {
-    SECITEM_FreeItem(reqDER, PR_TRUE);
-  }
-  if (signature != NULL) {
-    SECITEM_FreeItem(signature, PR_TRUE);
-  }
-  if (algID != NULL) {
-    SECOID_DestroyAlgorithmID(algID, PR_TRUE);
-  }
-  if (signKey != NULL) {
-    CRMF_DestroyPOPOSigningKey(signKey);
-  }  
-  return rv;
-}
-
-ErrorCode
-doChallengeResponse(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
-		    CRMFCertRequest *certReq, CERTCertificate *newCert,
-		    ChallengeCreationInfo *challs, int *numChall)
-{
-  CRMFPOPOPrivKey *privKey = NULL;
-  CRMFPOPOPrivKeyChoice privKeyChoice;
-  SECStatus srv;
-  ErrorCode rv = NO_ERROR;
- 
-  srv = CRMF_CertReqMsgGetPOPKeyEncipherment(currReq, &privKey);
-  if (srv != SECSuccess || privKey == NULL) {
-    rv = ERROR_GETTING_KEY_ENCIPHERMENT;
-    goto loser;
-  } 
-  privKeyChoice = CRMF_POPOPrivKeyGetChoice(privKey);
-  CRMF_DestroyPOPOPrivKey(privKey);
-  switch (privKeyChoice) {
-  case crmfSubsequentMessage:
-    challs = &challs[*numChall];
-    challs->random = rand();
-    challs->pubKey = CERT_ExtractPublicKey(newCert);
-    if (challs->pubKey == NULL) {
-      rv = ERROR_RETRIEVING_PUB_KEY_FOR_CHALL;
-      goto loser;
-    }
-    (*numChall)++;
-    rv = DO_CHALLENGE_RESPONSE;
-    break;
-  case crmfThisMessage:
-    /* There'd better be a PKIArchiveControl in this message */
-    if (!CRMF_CertRequestIsControlPresent(certReq, 
-					  crmfPKIArchiveOptionsControl)) {
-      rv = ERROR_NO_POP_FOR_PRIVKEY;
-      goto loser;
-    }
-    break;
-  default:
-    rv = ERROR_UNSUPPORTED_POPOPRIVKEY_TYPE;
-    goto loser;
-  }
-loser:
-  return rv;
-}
-
-ErrorCode
-doProofOfPossession(CGIVarTable *varTable, CRMFCertReqMsg *currReq, 
-		    CRMFCertRequest *certReq, CERTCertificate *newCert,
-		    ChallengeCreationInfo *challs, int *numChall)
-{
-  CRMFPOPChoice popChoice;
-  ErrorCode rv = NO_ERROR;
-
-  popChoice = CRMF_CertReqMsgGetPOPType(currReq);
-  if (popChoice == crmfNoPOPChoice) {
-    rv = NO_POP_FOR_REQUEST;
-    goto loser;
-  }
-  switch (popChoice) {
-  case crmfSignature:
-    rv = verifySignature(varTable, currReq, certReq, newCert);
-    break;
-  case crmfKeyEncipherment:
-    rv = doChallengeResponse(varTable, currReq, certReq, newCert,
-			     challs, numChall);
-    break;
-  case crmfRAVerified:
-  case crmfKeyAgreement:
-  default:
-    rv = UNSUPPORTED_POP;
-    goto loser;
-  }
- loser:
-  return rv;
-}
-
-void
-convertB64ToJS(char *base64)
-{
-  int i;
-
-  for (i=0; base64[i] != '\0'; i++) {
-    if (base64[i] == '\n') {
-      printf ("\\n");
-    }else {
-      printf ("%c", base64[i]);
-    }
-  }
-}
-
-void
-formatChallenge(char *chall64, char *certRepContentDER,
-		 ChallengeCreationInfo *challInfo, int numChalls)
-{
-  printf ("function respondToChallenge() {\n"
-	  "  var chalForm = document.chalForm;\n\n"
-	  "  chalForm.CertRepContent.value = '");
-  convertB64ToJS(certRepContentDER);
-  printf ("';\n"
-	  "  chalForm.ChallResponse.value = crypto.popChallengeResponse('");
-  convertB64ToJS(chall64);
-  printf("');\n"
-	 "  chalForm.submit();\n"
-	 "}\n");
-
-}
-
-void
-spitOutChallenge(char *chall64, char *certRepContentDER,
-		 ChallengeCreationInfo *challInfo, int numChalls,
-		 char *nickname)
-{
-  int i;
-
-  spitOutHeaders();
-  printf("<html>\n"
-	 "<head>\n"
-	 "<title>Challenge Page</title>\n"
-	 "<script language=\"JavaScript\">\n"
-	 "<!--\n");
-  /* The JavaScript function actually gets defined within
-   * this function call
-   */
-  formatChallenge(chall64, certRepContentDER, challInfo, numChalls);
-  printf("// -->\n"
-	 "</script>\n"
-	 "</head>\n"
-	 "<body onLoad='respondToChallenge()'>\n"
-	 "<h1>Cartman is now responding to the Challenge "
-	 "presented by the CGI</h1>\n"
-	 "<form action='crmfcgi' method='post' name='chalForm'>\n"
-	 "<input type='hidden' name=CertRepContent value=''>\n"
-	 "<input type='hidden' name=ChallResponse value=''>\n");
-  for (i=0;i<numChalls; i++) {
-    printf("<input type='hidden' name='chal%d' value='%d'>\n",
-	   i+1, challInfo[i].random);
-  }
-  printf("<input type='hidden' name='nickname' value='%s'>\n", nickname);
-  printf("</form>\n</body>\n</html>");
-}
-
-ErrorCode
-issueChallenge(CertResponseInfo *issuedCerts, int numCerts, 
-	       ChallengeCreationInfo *challInfo, int numChalls,
-	       CERTCertificate *issuer, CGIVarTable *varTable)
-{
-  ErrorCode rv = NO_ERROR;
-  CMMFPOPODecKeyChallContent *chalContent = NULL;
-  int i;
-  SECStatus srv;
-  PRArenaPool *poolp;
-  CERTGeneralName *genName;
-  SECItem *challDER = NULL;
-  char *chall64, *certRepContentDER;
-
-  rv = createCMMFResponse(issuedCerts, numCerts, issuer, 
-			  &certRepContentDER);
-  if (rv != NO_ERROR) {
-    goto loser;
-  }
-  chalContent = CMMF_CreatePOPODecKeyChallContent();
-  if (chalContent == NULL) {
-    rv = ERROR_CREATING_EMPTY_CHAL_CONTENT;
-    goto loser;
-  }
-  poolp = PORT_NewArena(1024);
-  if (poolp == NULL) {
-    rv = OUT_OF_MEMORY;
-    goto loser;
-  }
-  genName = CERT_GetCertificateNames(issuer, poolp);
-  if (genName == NULL) {
-    rv = ERROR_EXTRACTING_GEN_NAME_FROM_ISSUER;
-    goto loser;
-  }
-  for (i=0;i<numChalls;i++) {
-    srv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
-						      challInfo[i].random,
-						      genName,
-						      challInfo[i].pubKey,
-						      varTable);
-    SECKEY_DestroyPublicKey(challInfo[i].pubKey);
-    if (srv != SECSuccess) {
-      rv = ERROR_SETTING_CHALLENGE;
-      goto loser;
-    }
-  }
-  challDER = SEC_ASN1EncodeItem(NULL, NULL, chalContent, 
-				CMMFPOPODecKeyChallContentTemplate);
-  if (challDER == NULL) {
-    rv = ERROR_ENCODING_CHALL;
-    goto loser;
-  }
-  chall64 = BTOA_DataToAscii(challDER->data, challDER->len);
-  SECITEM_FreeItem(challDER, PR_TRUE);
-  if (chall64 == NULL) {
-    rv = ERROR_CONVERTING_CHALL_TO_BASE64;
-    goto loser;
-  }
-  spitOutChallenge(chall64, certRepContentDER, challInfo, numChalls,
-		   getNickname(issuedCerts[0].cert));
- loser:
-  return rv;
-}
-
-
-ErrorCode
-processRequest(CGIVarTable *varTable)
-{
-  CERTCertDBHandle *certdb;
-  SECKEYKeyDBHandle *keydb;
-  CRMFCertReqMessages *certReqs = NULL;
-  const char *crmfReq;
-  const char *caNickname;
-  CERTCertificate *caCert = NULL;
-  CertResponseInfo *issuedCerts = NULL;
-  CERTSubjectPublicKeyInfo spki = { 0 };
-  ErrorCode rv=NO_ERROR;
-  PRBool doChallengeResponse = PR_FALSE;
-  SECItem der = { 0 };
-  SECStatus srv;
-  CERTCertificateRequest oldCertReq = { 0 };
-  CRMFCertReqMsg **reqMsgs = NULL,*currReq = NULL;
-  CRMFCertRequest **reqs = NULL, *certReq = NULL;
-  CERTName         subject = { 0 };
-  int numReqs,i;
-  ChallengeCreationInfo *challInfo=NULL;
-  int numChalls = 0;
-
-  certdb = CERT_GetDefaultCertDB();
-  keydb = SECKEY_GetDefaultKeyDB();
-  crmfReq = CGITableFindValue(varTable, "CRMFRequest");
-  if (crmfReq == NULL) {
-    rv = CGI_VAR_MISSING;
-    missingVar = "CRMFRequest";
-    goto loser;
-  }
-  caNickname = CGITableFindValue(varTable, "CANickname");
-  if (caNickname == NULL) {
-    rv = CGI_VAR_MISSING;
-    missingVar = "CANickname";
-    goto loser;
-  }
-  caCert = CERT_FindCertByNickname(certdb, caNickname);
-  if (caCert == NULL) {
-    rv = COULD_NOT_FIND_CA;
-    goto loser;
-  }
-  srv = ATOB_ConvertAsciiToItem(&der, crmfReq);
-  if (srv != SECSuccess) {
-    rv = BAD_ASCII_FOR_REQ;
-    goto loser;
-  }
-  certReqs = CRMF_CreateCertReqMessagesFromDER(der.data, der.len);
-  SECITEM_FreeItem(&der, PR_FALSE);
-  if (certReqs == NULL) {
-    rv = COULD_NOT_DECODE_REQS;
-    goto loser;
-  }
-  numReqs = CRMF_CertReqMessagesGetNumMessages(certReqs);
-  issuedCerts = PORT_ZNewArray(CertResponseInfo, numReqs);
-  challInfo   = PORT_ZNewArray(ChallengeCreationInfo, numReqs);
-  if (issuedCerts == NULL || challInfo == NULL) {
-    rv = OUT_OF_MEMORY;
-    goto loser;
-  }
-  reqMsgs = PORT_ZNewArray(CRMFCertReqMsg*,   numReqs);
-  reqs    = PORT_ZNewArray(CRMFCertRequest*, numReqs);
-  if (reqMsgs == NULL || reqs == NULL) {
-    rv =   OUT_OF_MEMORY;
-    goto loser;
-  }
-  for (i=0; i<numReqs; i++) {
-    currReq = reqMsgs[i] = 
-      CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqs, i);
-    if (currReq == NULL) {
-      rv = ERROR_RETRIEVING_REQUEST_MSG;
-      goto loser;
-    }
-    certReq = reqs[i] = CRMF_CertReqMsgGetCertRequest(currReq);
-    if (certReq == NULL) {
-      rv = ERROR_RETRIEVING_CERT_REQUEST;
-      goto loser;
-    }
-    srv = CRMF_CertRequestGetCertTemplateSubject(certReq, &subject);
-    if (srv != SECSuccess) {
-      rv = ERROR_RETRIEVING_SUBJECT_FROM_REQ;
-      goto loser;
-    }
-    srv = CRMF_CertRequestGetCertTemplatePublicKey(certReq, &spki);
-    if (srv != SECSuccess) {
-      rv = ERROR_RETRIEVING_PUBLIC_KEY_FROM_REQ;
-      goto loser;
-    }
-    rv = initOldCertReq(&oldCertReq, &subject, &spki);
-    if (rv != NO_ERROR) {
-      goto loser;
-    }
-    rv = createNewCert(&issuedCerts[i].cert, &oldCertReq, currReq, certReq, 
-		       caCert, varTable);
-    if (rv != NO_ERROR) {
-      goto loser;
-    }
-    rv = doProofOfPossession(varTable, currReq, certReq, issuedCerts[i].cert,
-			     challInfo, &numChalls);
-    if (rv != NO_ERROR) {
-      if (rv == DO_CHALLENGE_RESPONSE) {
-	doChallengeResponse = PR_TRUE;
-      } else {
-	goto loser;
-      }
-    }
-    CRMF_CertReqMsgGetID(currReq, &issuedCerts[i].certReqID);
-    CRMF_DestroyCertReqMsg(currReq);
-    CRMF_DestroyCertRequest(certReq);
-  }
-  if (doChallengeResponse) {
-    rv = issueChallenge(issuedCerts, numReqs, challInfo, numChalls, caCert,
-			varTable);
-  } else {
-    rv = issueCerts(issuedCerts, numReqs, caCert);
-  }
- loser:
-  if (certReqs != NULL) {
-    CRMF_DestroyCertReqMessages(certReqs);
-  }
-  return rv;
-}
-
-ErrorCode
-processChallengeResponse(CGIVarTable *varTable, const char *certRepContent)
-{
-  SECItem binDER = { 0 };
-  SECStatus srv;
-  ErrorCode rv = NO_ERROR;
-  const char *clientResponse;
-  const char *formChalValue;
-  const char *nickname;
-  CMMFPOPODecKeyRespContent *respContent = NULL;
-  int numResponses,i;
-  long curResponse, expectedResponse;
-  char cgiChalVar[10];
-#ifdef WRITE_OUT_RESPONSE
-  SECItem certRepBinDER = { 0 };
-
-  ATOB_ConvertAsciiToItem(&certRepBinDER, certRepContent);
-  writeOutItem("challCertRepContent.der", &certRepBinDER);
-  PORT_Free(certRepBinDER.data);
-#endif  
-  clientResponse = CGITableFindValue(varTable, "ChallResponse");
-  if (clientResponse == NULL) {
-    rv =   REQ_CGI_VAR_NOT_PRESENT;
-    missingVar = "ChallResponse";
-    goto loser;
-  }
-  srv = ATOB_ConvertAsciiToItem(&binDER, clientResponse);
-  if (srv != SECSuccess) {
-    rv = ERROR_CONVERTING_RESP_FROM_CHALL_TO_BIN;
-    goto loser;
-  }
-  respContent = CMMF_CreatePOPODecKeyRespContentFromDER(binDER.data,
-							binDER.len);
-  SECITEM_FreeItem(&binDER, PR_FALSE);
-  binDER.data = NULL;
-  if (respContent == NULL) {
-    rv = ERROR_CREATING_KEY_RESP_FROM_DER;
-    goto loser;
-  }
-  numResponses = CMMF_POPODecKeyRespContentGetNumResponses(respContent);
-  for (i=0;i<numResponses;i++){
-    srv = CMMF_POPODecKeyRespContentGetResponse(respContent,i,&curResponse);
-    if (srv != SECSuccess) {
-      rv = ERROR_RETRIEVING_CLIENT_RESPONSE_TO_CHALLENGE;
-      goto loser;
-    }
-    sprintf(cgiChalVar, "chal%d", i+1);
-    formChalValue = CGITableFindValue(varTable, cgiChalVar);
-    if (formChalValue == NULL) {
-      rv = REQ_CGI_VAR_NOT_PRESENT;
-      missingVar = strdup(cgiChalVar);
-      goto loser;
-    }
-    sscanf(formChalValue, "%ld", &expectedResponse);
-    if (expectedResponse != curResponse) {
-      rv = ERROR_RETURNED_CHALL_NOT_VALUE_EXPECTED;
-      goto loser;
-    }
-  }
-  nickname = CGITableFindValue(varTable, "nickname");
-  if (nickname == NULL) {
-    rv = REQ_CGI_VAR_NOT_PRESENT;
-    missingVar = "nickname";
-    goto loser;
-  }
-  spitOutCMMFResponse(nickname, certRepContent);
- loser:
-  if (respContent != NULL) {
-    CMMF_DestroyPOPODecKeyRespContent(respContent);
-  }
-  return rv;
-}
-
-int
-main()
-{
-  char *form_output = NULL;
-  int   form_output_len, form_output_used;
-  CGIVarTable varTable = { 0 };
-  ErrorCode errNum = 0;
-  char *certRepContent;
-
-#ifdef ATTACH_CGI
-  /* Put an ifinite loop in here so I can attach to 
-   * the process after the process is spun off
-   */
-  { int stupid = 1;
-    while (stupid);
-  }
-#endif
-
-  form_output_used = 0;
-  srand(time(NULL));
-  while (feof(stdin) == 0) {
-    if (form_output == NULL) {
-      form_output = PORT_NewArray(char, DEFAULT_ALLOC_SIZE+1);
-      form_output_len  = DEFAULT_ALLOC_SIZE;
-    } else if ((form_output_used + DEFAULT_ALLOC_SIZE) >= form_output_len) {
-      form_output_len += DEFAULT_ALLOC_SIZE;
-      form_output = PORT_Realloc(form_output, form_output_len+1);
-    }
-    form_output_used += fread(&form_output[form_output_used], sizeof(char), 
-			      DEFAULT_ALLOC_SIZE, stdin);
-  }
-  ParseInputVariables(&varTable, form_output);
-  certRepContent = CGITableFindValue(&varTable, "CertRepContent");
-  if (certRepContent == NULL) {
-    errNum = initNSS(&varTable);
-    if (errNum != 0) {
-      goto loser;
-    }
-    errNum = processRequest(&varTable);
-  } else {
-    errNum = processChallengeResponse(&varTable, certRepContent);
-  }
-  if (errNum != NO_ERROR) {
-    goto loser;
-  }
-  goto done;
-loser:
-  dumpErrorMessage(errNum);
-done:
-  free (form_output);
-  return 0;
-}
-
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.html b/security/nss/cmd/crmf-cgi/crmfcgi.html
deleted file mode 100644
index f6f0d8def..000000000
--- a/security/nss/cmd/crmf-cgi/crmfcgi.html
+++ /dev/null
@@ -1,168 +0,0 @@
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-
-<html>
-<head>
-<title>CRMF Test Page for PSM</title>
-<script language=javascript>
-var request;
-//This variable must be set to the first value
-//in the select field "testType" in the form.
-var keyGenType="SigningOnlyRSA";
-
-var requestedDN = "CN=Javi CA Shack ID, O=NSS";
-
-function setTestType() {
-  var testType = document.crmfForm.testType;
-  
-  keyGenType = testType.options[testType.selectedIndex].value;
-}
-
-function setRequest() {
-  with (document.crmfForm) {
-    CRMFRequest.value = request.request;
-    submit();
-  }
-}
-
-function generateSignAndEncryptRSARequest() {
-    request = crypto.generateCRMFRequest(requestedDN,
-                                         null, null, null, "setRequest()",
-                                         crypto.algorithms.rsa.keyEx.keySizes[0],
-                                         null, "rsa-dual-use");    
-}
-
-function generateSigningOnlyRSARequest() {
-    request = crypto.generateCRMFRequest(requestedDN,null,null,null,"setRequest()",
-                                         crypto.algorithms.rsa.signing.keySizes[0],
-                                         null, "rsa-sign");
-}
-
-function generateEncryptionOnlyRSARequest() {
-    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
-                                         crypto.algorithms.rsa.keyEx.keySizes[0],
-                                         null, "rsa-ex");
-}
-
-function generateDualRSAKeys() {
-    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
-                                         crypto.algorithms.rsa.keyEx.keySizes[0],
-                                         null, "rsa-ex",
-                                         crypto.algorithms.rsa.signing.keySizes[0],
-                                         null, "rsa-sign");
-}
-
-function generateDSAKey() {
-    request = crypto.generateCRMFRequest(requestedDN, null, null, null, "setRequest()",
-                                         crypto.algorithms.dsa.keySizes[0],
-                                         null, "dsa-sign-nonrepudiation");
-}
-
-function processForm(form) {
-  with (form) {
-    if (typeof(crypto.version) == "undefined") {
-      alert('You must be running PSM in order to use this page.');
-      return false;
-    }
-    if (NSSDirectory.value == "") {
-      alert('You must provide a path for NSS to use.');
-      return false;
-    }
-    if (dbPassword.value == "") {
-      alert('You must provide a password for the certificate database.');
-      return false;
-    }
-    if (CANickname.value == "") {
-      alert('You must provide a CA Nickname to use.');
-      return false;
-    }
-    //Now do the correct key generation.
-    if (keyGenType == "SignAndEncryptRSA") {
-      generateSignAndEncryptRSARequest();
-    } else if (keyGenType == "SigningOnlyRSA") {
-      generateSigningOnlyRSARequest();
-    } else if (keyGenType == "EncryptionOnlyRSA") {
-      generateEncryptionOnlyRSARequest();
-    } else if (keyGenType == "DualRSAKeys") {
-      generateDualRSAKeys();
-    } else if (keyGenType == "DSAKeyGen") {
-      generateDSAKey();
-    }
-  }
-  return true;
-}
-</script>
-</head>
-<body>
-<h1><center>CRMF Test page for PSM</center></h1>
-This page is designed to be used in combination with the executable
-produced by ns/security/cmd/crmf-cgi in a CGI environment.  In order
-to successfully use this page, modify its action to post to a a server
-where you have installed the crmfcgi executable and you'll be able to
-test the functionality.
-<hr>
-<form name="crmfForm" method=post action="http://www.cgi-site.com/cgi-bin/crmfcgi"> 
-<h2>Certificate Database information</h2>
-First, enter all the information for the CGI to use for initializing 
-NSS.  The CGI will use the directory entered below as the directory
-where to look for the certificate and key databases.
-<pre>
-Path for NSS Config: <input size=40 type="text" name="NSSDirectory">
-</pre>
-Enter the password for the certificate database found in the direcotry
-above.
-<pre>
-Database Password:   <input type="password" name="dbPassword" size=40>
-</pre>
-Now enter the nickname of the certificate to use for signing the 
-certificate issued during this test.
-<pre>
-CA Nickname:         <input size=40 type="text" name="CANickname">
-</pre>
-<h2>Now, figure out which type of key generation you want to test:</h2>
-<select name="testType" onChange="setTestType()">`
-<option value="SigningOnlyRSA">Signing Only-RSA
-<option value="EncryptionOnlyRSA">Encryption Only-RSA
-<option value="SignAndEncryptRSA">Sign and Encrypt Single Key -RSA
-<option value="DualRSAKeys">Dual Keys-RSA
-<option value="DSAKeyGen">DSA Key Gen
-</select>
-<input type="hidden" name=CRMFRequest value="">
-<hr>
-<input type="button" value="OK" onclick="processForm(document.crmfForm)">
-</form>
-</body>
-</html>
diff --git a/security/nss/cmd/crmf-cgi/manifest.mn b/security/nss/cmd/crmf-cgi/manifest.mn
deleted file mode 100644
index c8c38e224..000000000
--- a/security/nss/cmd/crmf-cgi/manifest.mn
+++ /dev/null
@@ -1,65 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-MODULE	= sectools
-
-EXPORTS = \
-	$(NULL)
-
-CSRCS = \
-	crmfcgi.c \
-	$(NULL)
-
-
-REQUIRES = nss dbm seccmd
-
-ifdef ATTACH_CGI
-DEFINES += -DATTACH_CGI
-endif
-
-ifdef WRITE_OUT_RESPONSE
-DEFINES += -DWRITE_OUT_RESPONSE
-endif
-
-PROGRAM  = crmfcgi
-
-USE_STATIC_LIBS = 1
-
-INCLUDES = 
-
-DEFINES = -DNSPR20
diff --git a/security/nss/cmd/crmftest/Makefile b/security/nss/cmd/crmftest/Makefile
deleted file mode 100644
index 66d334a7d..000000000
--- a/security/nss/cmd/crmftest/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include config.mk
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
-OS_LIBS += -lsvld 
-endif 
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), SunOS5.6)
-OS_LIBS += -ldl -lxnet -lposix4 -lsocket -lnsl
-endif
-
-EXTRA_LIBS += $(DIST)/lib/$(LIB_PREFIX)crmf.$(LIB_SUFFIX)
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-LDDIST = $(DIST)/lib
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-EXTRA_LIBS += $(LDDIST)/sectool.lib
-endif
-
-include ../platrules.mk
diff --git a/security/nss/cmd/crmftest/config.mk b/security/nss/cmd/crmftest/config.mk
deleted file mode 100644
index ea8b592d6..000000000
--- a/security/nss/cmd/crmftest/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(PROGRAM)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-LIBRARY        =
-
diff --git a/security/nss/cmd/crmftest/manifest.mn b/security/nss/cmd/crmftest/manifest.mn
deleted file mode 100644
index 93786ee49..000000000
--- a/security/nss/cmd/crmftest/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-DEPTH      = .
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE	= nss
-
-EXPORTS = \
-	$(NULL)
-
-CSRCS = \
-	testcrmf.c \
-	$(NULL)
-
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-# REQUIRES = dbm
-
-PROGRAM  = crmftest
-
diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c
deleted file mode 100644
index 4d6b058ea..000000000
--- a/security/nss/cmd/crmftest/testcrmf.c
+++ /dev/null
@@ -1,1710 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * This program does 5 separate functions.  By default, it does them all.
- * It can be told to do any subset of them.
- * It does them in this order:
- *
- * 1. Generate file of CRMF cert requests.
- *     Generates 2 keys pairs, one for signing, one for encryption.
- *     Can generate RSA or DSA (XXX - DSA is only useful for signing).
- *     Generate a cert request for each of the two public keys.
- *     Generate a single CRMF cert request message that requests both certs.
- *     Leave the generated CRMF request message in file
- *         configdir/CertReqMessages.der
- *
- * 2. Decode CRMF Request(s) Message.
- *	Reads in the file   configdir/CertReqMessages.der
- *	(either generated by step 1 above, or user supplied).
- *	Decodes it.  NOTHING MORE.  Drops these decoded results on the floor.
- *	The CMMF response (below) contains a completely unrelated cert.  :-(
- *
- * 3. CMMF "Stuff".
- *  a)  Generates a CMMF response, containing a single cert chain, as if 
- *	it was a response to a received CRMF request.  But the cert is 
- *	simply a user cert from the user's local soft token, whose 
- *	nickname is given in the -p option.  The CMMF response has no
- *	relationship to the request generated above.  The CMMF message
- *	is placed in configdir/CertRepContent.der.
- *  b)  Decodes the newly generated CMMF response found in file
- *	configdir/CertRepContent.der and discards the result.  8-/
- *  c)  Generate a CMMF Key Escrow message
- *      needs 2 nicknames: 
- *      It takes the public and private keys for the cert identified
- *      by -p nickname, and wraps them with a sym key that is in turn
- *      wrapped with the pubkey in the CA cert, whose nickname is 
- *      given with the -s option.
- *      Store the message in configdir/KeyRecRepContent.der
- *  d)  Decode the CMMF Key Escrow message generated just above.
- *      Get it from file configdir/KeyRecRepContent.der
- *      This is just a decoder test.  Results are discarded.
- *
- * 4. Key Recovery
- *	This code does not yet compile, and what it was intended to do
- *	has not been fully determined.
- *
- * 5. Challenge/Response.
- *	Haven't analyzed this code yet.
- *
- *
- */
-
-/* KNOWN BUGS:
-** 1. generates BOTH signing and encryption cert requests, even for DSA keys.
-**
-** 2. Does not verify the siganture in the "Proof of Posession" in the
-**	decoded cert requests.  It only checks syntax of the POP.
-** 3. CMMF "Stuff" should be broken up into separate steps, each of 
-**	which may be optionally selected.
-*/
-
-#include <stdio.h>
-#include "nspr.h"
-#include "nss.h"
-#include "crmf.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "key.h"
-#include "cmmf.h"
-#include "plgetopt.h"
-#include "secutil.h"
-#include "pk11pqg.h"
-
-#if 0
-#include "pkcs11.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "pqggen.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "pkcs11.h"
-#include "secitem.h"
-#include "secasn1.h"
-#include "sechash.h"
-#endif
-
-#define MAX_KEY_LEN 512
-#define PATH_LEN    150
-#define BUFF_SIZE   150
-#define UID_BITS    800
-#define BPB           8
-#define CRMF_FILE   "CertReqMessages.der"
-
-PRTime notBefore;
-char *personalCert      = NULL;
-char *recoveryEncrypter = NULL;
-char *caCertName        = NULL;
-static secuPWData pwdata = { PW_NONE, 0 };
-char *configdir;
-PRBool doingDSA         = PR_FALSE;
-
-CERTCertDBHandle *db;
-
-typedef struct {
-    SECKEYPrivateKey *privKey;
-    SECKEYPublicKey  *pubKey;
-    CRMFCertRequest  *certReq;
-    CRMFCertReqMsg   *certReqMsg;
-} TESTKeyPair;
-
-void 
-debug_test(SECItem *src, char *filePath)
-{
-    PRFileDesc *fileDesc;
-
-    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
-			0666);
-    if (fileDesc == NULL) {
-        printf ("Could not cretae file %s.\n", filePath);
-	return;
-    }
-    PR_Write(fileDesc, src->data, src->len);
-    
-}
-
-SECStatus
-get_serial_number(long *dest)
-{
-   SECStatus   rv;
-
-   if (dest == NULL) {
-       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-       return SECFailure;
-   }
-    rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
-    /* make serial number positive */
-    if (*dest < 0L)
-    	*dest = - *dest;
-    return SECSuccess;
-}
-
-PK11RSAGenParams *
-GetRSAParams(void) 
-{
-    PK11RSAGenParams *rsaParams;
-
-    rsaParams = PORT_ZNew(PK11RSAGenParams);
-
-    if (rsaParams == NULL)
-      return NULL;
-
-    rsaParams->keySizeInBits = MAX_KEY_LEN;
-    rsaParams->pe = 0x10001;
-    
-    return rsaParams;
-    
-}
-
-PQGParams*
-GetDSAParams(void)
-{
-    PQGParams *params = NULL;
-    PQGVerify *vfy = NULL;
-
-    SECStatus  rv;
-
-    rv = PK11_PQG_ParamGen(0, &params, &vfy);
-    if (rv != SECSuccess) {
-        return NULL;
-    }
-    PK11_PQG_DestroyVerify(vfy);
-    return params;
-}
-
-/* Generate a key pair, and then generate a subjectPublicKeyInfo
-** for the public key in that pair.  return all 3.
-*/
-CERTSubjectPublicKeyInfo *
-GetSubjectPubKeyInfo(TESTKeyPair *pair)
-{
-    CERTSubjectPublicKeyInfo *spki       = NULL;
-    SECKEYPrivateKey         *privKey    = NULL;
-    SECKEYPublicKey          *pubKey     = NULL;
-    PK11SlotInfo             *keySlot    = NULL;
-    
-    keySlot = PK11_GetInternalKeySlot();
-    PK11_Authenticate(keySlot, PR_FALSE, &pwdata);
-
-
-    if (!doingDSA) {
-	PK11RSAGenParams *rsaParams = GetRSAParams();
-	if (rsaParams == NULL) {
-	    PK11_FreeSlot(keySlot);
-	    return NULL;
-	}
-	privKey = PK11_GenerateKeyPair(keySlot, CKM_RSA_PKCS_KEY_PAIR_GEN,
-				       (void*)rsaParams, &pubKey, PR_FALSE,
-				       PR_FALSE, &pwdata);
-    } else {
-	PQGParams *dsaParams = GetDSAParams();
-	if (dsaParams == NULL) {
-	    PK11_FreeSlot(keySlot);
-	    return NULL;
-	}
-	privKey = PK11_GenerateKeyPair(keySlot, CKM_DSA_KEY_PAIR_GEN,
-				       (void*)dsaParams, &pubKey, PR_FALSE,
-				       PR_FALSE, &pwdata);
-    }
-    PK11_FreeSlot(keySlot);
-    if (privKey == NULL || pubKey == NULL) {
-        if (pubKey) {
-	    SECKEY_DestroyPublicKey(pubKey);
-	}
-	if (privKey) {
-	    SECKEY_DestroyPrivateKey(privKey);
-	}
-	return NULL;
-    }
-
-    spki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
-    pair->privKey = privKey;
-    pair->pubKey  = pubKey;
-    return spki;
-}
-
-
-SECStatus
-InitPKCS11(void)
-{
-    PK11SlotInfo *keySlot;
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    keySlot    = PK11_GetInternalKeySlot();
-    
-    if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) {
-        if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) {
-	    printf ("Initializing the PINs failed.\n");
-	    return SECFailure;
-	}
-    }
-
-    PK11_FreeSlot(keySlot);
-    return SECSuccess;
-}
-
-
-void 
-WriteItOut (void *arg, const char *buf, unsigned long len)
-{
-    PRFileDesc *fileDesc = (PRFileDesc*)arg;
-
-    PR_Write(fileDesc, (void*)buf, len);
-}
-
-
-
-CRMFCertExtCreationInfo*
-GetExtensions(void)
-{
-    unsigned char keyUsage[4] = { 0x03, 0x02, 0x07, KU_DIGITAL_SIGNATURE };
-				/* What are these magic numbers? */
-    SECItem data = { 0, NULL, 0 };
-    CRMFCertExtension *extension; 
-    CRMFCertExtCreationInfo *extInfo =
-	    PORT_ZNew(CRMFCertExtCreationInfo);
-
-    data.data = keyUsage;
-    data.len = sizeof keyUsage;
-
-
-    extension = 
-	    CRMF_CreateCertExtension(SEC_OID_X509_KEY_USAGE, PR_FALSE, &data);
-    if (extension && extInfo) {
-	extInfo->numExtensions = 1;
-	extInfo->extensions    = PORT_ZNewArray(CRMFCertExtension*, 1);
-	extInfo->extensions[0] = extension;
-    }
-    return extInfo;
-}
-
-void
-FreeExtInfo(CRMFCertExtCreationInfo *extInfo)
-{
-    int i;
-    
-    for (i=0; i<extInfo->numExtensions; i++) {
-        CRMF_DestroyCertExtension(extInfo->extensions[i]);
-    }
-    PORT_Free(extInfo->extensions);
-    PORT_Free(extInfo);
-}
-
-int
-InjectCertName( CRMFCertRequest       * certReq,
-	        CRMFCertTemplateField   inTemplateField,
-		const char            * inNameString)
-{
-    char      * nameStr;
-    CERTName  * name;
-    int         irv   = 0;
-
-    nameStr = PORT_Strdup(inNameString);
-    if (!nameStr) 
-    	return 5;
-    name = CERT_AsciiToName(nameStr);
-    if (name == NULL) {
-        printf ("Could not create CERTName structure from %s.\n", nameStr);
-	irv = 5;
-	goto finish;
-    }
-
-    irv = CRMF_CertRequestSetTemplateField(certReq, inTemplateField, (void*)name);
-    if (irv != SECSuccess) {
-        printf ("Could not add name to cert template\n");
-	irv = 6;
-    }
-
-finish:
-    PORT_Free(nameStr);
-    if (name)
-	CERT_DestroyName(name);
-    return irv;
-}
-
-int
-CreateCertRequest(TESTKeyPair *pair, long inRequestID)
-{
-    CERTCertificate         * caCert;
-    CERTSubjectPublicKeyInfo *spki;
-    CRMFCertExtCreationInfo * extInfo;
-    CRMFCertRequest         * certReq;
-    CRMFEncryptedKey        * encKey;
-    CRMFPKIArchiveOptions   * pkiArchOpt;
-    SECAlgorithmID          * algID;
-    long                      serialNumber;
-    long                      version       = 3;
-    SECStatus                 rv;
-    CRMFValidityCreationInfo  validity;
-    unsigned char             UIDbuf[UID_BITS / BPB];
-    SECItem                   issuerUID  = { siBuffer, NULL, 0 };
-    SECItem                   subjectUID = { siBuffer, NULL, 0 };
-
-    /* len in bits */
-    issuerUID.data = UIDbuf;
-    issuerUID.len = UID_BITS;
-    subjectUID.data = UIDbuf;
-    subjectUID.len = UID_BITS;
-
-    pair->certReq = NULL;
-    certReq = CRMF_CreateCertRequest(inRequestID);
-    if (certReq == NULL) {
-        printf ("Could not initialize a certificate request.\n");
-	return 1;
-    }
-
-    /* set to version 3 */
-    rv = CRMF_CertRequestSetTemplateField(certReq, crmfVersion, 
-                                          (void*)(&version));
-    if (rv != SECSuccess) {
-        printf("Could not add the version number to the "
-	       "Certificate Request.\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 2;
-    }
-
-    /* set serial number */
-    if (get_serial_number(&serialNumber) != SECSuccess) {
-        printf ("Could not generate a serial number for cert request.\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 3;
-    }
-    rv = CRMF_CertRequestSetTemplateField (certReq, crmfSerialNumber, 
-				      (void*)(&serialNumber));
-    if (rv != SECSuccess) {
-        printf ("Could not add serial number to certificate template\n.");
-	CRMF_DestroyCertRequest(certReq);
-	return 4;
-    }
-
-    /* Set issuer name */
-    rv = InjectCertName(certReq, crmfIssuer, 
-    			"CN=mozilla CA Shack,O=Information Systems");
-    if (rv) {
-        printf ("Could not add issuer to cert template\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 5;
-    }
-
-    /* Set Subject Name */
-    rv = InjectCertName(certReq, crmfSubject, 
-    			"CN=mozilla CA Shack ID,O=Engineering,C=US");
-    if (rv) {
-        printf ("Could not add Subject to cert template\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 5;
-    }
-
-    /* Set Algorithm ID */
-    algID = PK11_CreatePBEAlgorithmID(SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
-			              1, NULL);
-    if (algID == NULL) {
-        printf ("Couldn't create algorithm ID\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 9;
-    }
-    rv = CRMF_CertRequestSetTemplateField(certReq, crmfSigningAlg, (void*)algID);
-    SECOID_DestroyAlgorithmID(algID, PR_TRUE);
-    if (rv != SECSuccess) {
-        printf ("Could not add the signing algorithm to the cert template.\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 10;
-    }
-
-    /* Set Validity Dates */
-    validity.notBefore = &notBefore;
-    validity.notAfter  = NULL;
-    notBefore = PR_Now();
-    rv = CRMF_CertRequestSetTemplateField(certReq, crmfValidity,(void*)(&validity));
-    if (rv != SECSuccess) {
-        printf ("Could not add validity to cert template\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 11;
-    }
-
-    /* Generate a key pair and Add the spki to the request */
-    spki = GetSubjectPubKeyInfo(pair);
-    if (spki == NULL) {
-        printf ("Could not create a Subject Public Key Info to add\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 12;
-    }
-    rv = CRMF_CertRequestSetTemplateField(certReq, crmfPublicKey, (void*)spki);
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-    if (rv != SECSuccess) {
-        printf ("Could not add the public key to the template\n");
-	CRMF_DestroyCertRequest(certReq);
-	return 13;
-    }
-    
-    /* Set the requested isser Unique ID */
-    PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
-    CRMF_CertRequestSetTemplateField(certReq,crmfIssuerUID,  (void*)&issuerUID);
-
-    /* Set the requested Subject Unique ID */
-    PK11_GenerateRandom(UIDbuf, sizeof UIDbuf);
-    CRMF_CertRequestSetTemplateField(certReq,crmfSubjectUID, (void*)&subjectUID);
-
-    /* Add extensions - XXX need to understand these magic numbers */
-    extInfo = GetExtensions();
-    CRMF_CertRequestSetTemplateField(certReq, crmfExtension, (void*)extInfo);
-    FreeExtInfo(extInfo);
-
-    /* get the recipient CA's cert */
-    caCert = CERT_FindCertByNickname(db, caCertName);
-    if (caCert == NULL) {
-        printf ("Could not find the certificate for %s\n", caCertName);
-        CRMF_DestroyCertRequest(certReq);
-	return 50;
-    }
-    encKey = CRMF_CreateEncryptedKeyWithEncryptedValue(pair->privKey, caCert);
-    CERT_DestroyCertificate(caCert);
-    if (encKey == NULL) {
-        printf ("Could not create Encrypted Key with Encrypted Value.\n");
-	return 14;
-    }
-    pkiArchOpt = CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encKey);
-    CRMF_DestroyEncryptedKey(encKey);
-    if (pkiArchOpt == NULL) {
-        printf ("Could not create PKIArchiveOptions.\n");
-	return 15;
-    }
-    rv  = CRMF_CertRequestSetPKIArchiveOptions(certReq, pkiArchOpt);
-    CRMF_DestroyPKIArchiveOptions(pkiArchOpt);
-    if (rv != SECSuccess) {
-        printf ("Could not add the PKIArchiveControl to Cert Request.\n");
-	return 16;
-    }
-    pair->certReq = certReq;
-    return 0;
-}
-
-int 
-Encode(CRMFCertReqMsg *inCertReq1, CRMFCertReqMsg *inCertReq2)
-{   
-    PRFileDesc     *fileDesc;
-    SECStatus       rv;
-    int             irv = 0;
-    CRMFCertReqMsg *msgArr[3];
-    char            filePath[PATH_LEN];
-
-    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
-    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
-			0666);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	irv = 14;
-	goto finish;
-    }
-    msgArr[0] = inCertReq1;
-    msgArr[1] = inCertReq2;
-    msgArr[2] = NULL;
-    rv = CRMF_EncodeCertReqMessages(msgArr, WriteItOut, (void*)fileDesc);
-    if (rv != SECSuccess) {
-        printf ("An error occurred while encoding.\n");
-	irv = 15;
-    }
-finish:
-    PR_Close(fileDesc);
-    return irv;
-}
-
-int
-AddProofOfPossession(TESTKeyPair *pair,
-		     CRMFPOPChoice inPOPChoice)
-{
-
-    switch(inPOPChoice){
-    case crmfSignature:
-      CRMF_CertReqMsgSetSignaturePOP(pair->certReqMsg, pair->privKey, 
-                                     pair->pubKey, NULL, NULL, &pwdata);
-      break;
-    case crmfRAVerified:
-      CRMF_CertReqMsgSetRAVerifiedPOP(pair->certReqMsg);
-      break;
-    case crmfKeyEncipherment:
-      CRMF_CertReqMsgSetKeyEnciphermentPOP(pair->certReqMsg,
-					   crmfSubsequentMessage, 
-					   crmfChallengeResp, NULL);
-      break;
-    case crmfKeyAgreement:
-      {
-	SECItem pendejo;
-	unsigned char lame[] = { 0xf0, 0x0f, 0xf0, 0x0f, 0xf0 };
-
-	pendejo.data = lame;
-	pendejo.len  = 5;
-	
-	CRMF_CertReqMsgSetKeyAgreementPOP(pair->certReqMsg, crmfThisMessage, 
-					  crmfNoSubseqMess, &pendejo);
-      }
-      break;
-    default:
-      return 1;
-    }
-    return 0;
-}
-
-
-int
-Decode(void)
-{
-    PRFileDesc          *fileDesc;
-    CRMFCertReqMsg      *certReqMsg;
-    CRMFCertRequest     *certReq;
-    CRMFCertReqMessages *certReqMsgs;
-    SECStatus            rv;
-    int                  numMsgs, i;
-    long                 lame;
-    CRMFGetValidity      validity        = {NULL, NULL};
-    SECItem              item            = { siBuffer, NULL, 0 };
-    char                 filePath[PATH_LEN];
-
-    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, CRMF_FILE);
-    fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	return 214;
-    }
-    rv = SECU_FileToItem(&item, fileDesc);
-    PR_Close(fileDesc);
-    if (rv != SECSuccess) {
-    	return 215;
-    }
-
-    certReqMsgs = CRMF_CreateCertReqMessagesFromDER((char *)item.data, item.len);
-    if (certReqMsgs == NULL) {
-        printf ("Error decoding CertReqMessages.\n");
-	return 202;
-    }
-    numMsgs = CRMF_CertReqMessagesGetNumMessages(certReqMsgs);
-    if (numMsgs <= 0) {
-        printf ("WARNING: The DER contained %d messages.\n", numMsgs);
-    }
-    for (i=0; i < numMsgs; i++) {
-	SECStatus rv;
-	printf("crmftest: Processing cert request %d\n", i);
-        certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i);
-	if (certReqMsg == NULL) {
-	    printf ("ERROR: Could not access the message at index %d of %s\n",
-		    i, filePath);
-	}
-	rv = CRMF_CertReqMsgGetID(certReqMsg, &lame);
-	if (rv) {
-	    SECU_PrintError("crmftest", "CRMF_CertReqMsgGetID");
-	}
-	certReq = CRMF_CertReqMsgGetCertRequest(certReqMsg);
-	if (!certReq) {
-	    SECU_PrintError("crmftest", "CRMF_CertReqMsgGetCertRequest");
-	}
-	rv = CRMF_CertRequestGetCertTemplateValidity(certReq, &validity);
-	if (rv) {
-	    SECU_PrintError("crmftest", "CRMF_CertRequestGetCertTemplateValidity");
-	}
-	if (!validity.notBefore) {
-	    /* We encoded a notBefore, so somthing's wrong if it's not here. */
-	    printf("ERROR: Validity period notBefore date missing.\n");
-	}
-	/* XXX It's all parsed now.  We probably should DO SOMETHING with it.
-	** But nope.  We just throw it all away.
-	** Maybe this was intended to be no more than a decoder test.
-	*/
-	CRMF_DestroyGetValidity(&validity);
-	CRMF_DestroyCertRequest(certReq);
-	CRMF_DestroyCertReqMsg(certReqMsg);
-    }
-    CRMF_DestroyCertReqMessages(certReqMsgs);
-    SECITEM_FreeItem(&item, PR_FALSE);
-    return 0;
-}
-
-int
-GetBitsFromFile(const char *filePath, SECItem *item)
-{
-    PRFileDesc *fileDesc;
-    SECStatus   rv;
-
-    fileDesc = PR_Open(filePath, PR_RDONLY, 0644);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	return 14;
-    }
-
-    rv = SECU_FileToItem(item, fileDesc);
-    PR_Close(fileDesc);
-
-    if (rv != SECSuccess) {
-	item->data = NULL;
-	item->len  = 0;
-    	return 15;
-    }
-    return 0;
-} 
-
-int
-DecodeCMMFCertRepContent(char *derFile)
-{
-    CMMFCertRepContent *certRepContent;
-    int                 irv             = 0;
-    SECItem             fileBits	= { siBuffer, NULL, 0 };
-
-    GetBitsFromFile(derFile, &fileBits);
-    if (fileBits.data == NULL) {
-        printf("Could not get bits from file %s\n", derFile);
-        return 304;
-    }
-    certRepContent = CMMF_CreateCertRepContentFromDER(db, 
-                                     (char*)fileBits.data, fileBits.len);
-    if (certRepContent == NULL) {
-        printf ("Error while decoding %s\n", derFile);
-	irv = 303;
-    } else {
-	/* That was fun.  Now, let's throw it away!  */
-	CMMF_DestroyCertRepContent(certRepContent);
-    }
-    SECITEM_FreeItem(&fileBits, PR_FALSE);
-    return irv;
-}
-
-int
-EncodeCMMFCertReply(const char       *filePath, 
-                    CERTCertificate  *cert,
-		    CERTCertList     *list)
-{
-    int                    rv                   = 0;
-    SECStatus              srv;
-    PRFileDesc            *fileDesc		= NULL;
-    CMMFCertRepContent    *certRepContent	= NULL;
-    CMMFCertResponse      *certResp		= NULL;
-    CMMFCertResponse      *certResponses[3];
-
-    certResp = CMMF_CreateCertResponse(0xff123);
-    CMMF_CertResponseSetPKIStatusInfoStatus(certResp, cmmfGranted);
-
-    CMMF_CertResponseSetCertificate(certResp, cert);
-
-    certResponses[0] = certResp;
-    certResponses[1] = NULL;
-    certResponses[2] = NULL;
-
-    certRepContent = CMMF_CreateCertRepContent();
-    CMMF_CertRepContentSetCertResponses(certRepContent, certResponses, 1);
-
-    CMMF_CertRepContentSetCAPubs(certRepContent, list);
-
-    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
-			0666);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	rv = 400;
-	goto finish;
-    }
-    
-    srv = CMMF_EncodeCertRepContent(certRepContent, WriteItOut, 
-				    (void*)fileDesc);
-    PR_Close(fileDesc);
-    if (srv != SECSuccess) {
-        printf ("CMMF_EncodeCertRepContent failed,\n");
-	rv = 401;
-    }
-finish:
-    if (certRepContent) {
-        CMMF_DestroyCertRepContent(certRepContent);
-    }
-    if (certResp) {
-        CMMF_DestroyCertResponse(certResp);
-    }
-    return rv;
-}
-
-
-/* Extract the public key from the cert whose nickname is given. */
-int
-extractPubKeyFromNamedCert(const char * nickname, SECKEYPublicKey **pPubKey)
-{
-    CERTCertificate  *caCert     = NULL;
-    SECKEYPublicKey  *caPubKey   = NULL;
-    int               rv         = 0;
-
-    caCert = CERT_FindCertByNickname(db, (char *)nickname);
-    if (caCert == NULL) {
-        printf ("Could not get the certifcate for %s\n", caCertName);
-	rv = 411;
-	goto finish;
-    }
-    caPubKey = CERT_ExtractPublicKey(caCert);
-    if (caPubKey == NULL) {
-        printf ("Could not extract the public from the "
-		"certificate for \n%s\n", caCertName);
-	rv = 412;
-    }
-finish:
-    *pPubKey = caPubKey;
-    CERT_DestroyCertificate(caCert);
-    caCert = NULL;
-    return rv;
-}
-
-int
-EncodeCMMFRecoveryMessage(const char * filePath, 
-                    CERTCertificate  *cert,
-		    CERTCertList     *list)
-{
-    SECKEYPublicKey       *caPubKey		= NULL;
-    SECKEYPrivateKey      *privKey 		= NULL;
-    CMMFKeyRecRepContent  *repContent		= NULL;
-    PRFileDesc            *fileDesc;
-    int                    rv 			= 0;
-    SECStatus              srv;
-
-    /* Extract the public key from the cert whose nickname is given in
-    ** the -s option.
-    */
-    rv = extractPubKeyFromNamedCert( caCertName, &caPubKey);
-    if (rv) 
-    	goto finish;
-
-    repContent = CMMF_CreateKeyRecRepContent();
-    if (repContent == NULL) {
-        printf ("Could not allocate a CMMFKeyRecRepContent structure\n");
-	rv = 407;
-	goto finish;
-    }
-    srv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(repContent, 
-						      cmmfGrantedWithMods);
-    if (srv != SECSuccess) {
-        printf ("Error trying to set PKIStatusInfo for "
-		"CMMFKeyRecRepContent.\n");
-	rv = 406;
-	goto finish;
-    }
-    srv = CMMF_KeyRecRepContentSetNewSignCert(repContent, cert);
-    if (srv != SECSuccess) {
-        printf ("Error trying to set the new signing certificate for "
-		"key recovery\n");
-	rv = 408;
-	goto finish;
-    }
-    srv = CMMF_KeyRecRepContentSetCACerts(repContent, list);
-    if (srv != SECSuccess) {
-        printf ("Errory trying to add the list of CA certs to the "
-		"CMMFKeyRecRepContent structure.\n");
-	rv = 409;
-	goto finish;
-    }
-    privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
-    if (privKey == NULL) {
-        printf ("Could not get the private key associated with the\n"
-		"certificate %s\n", personalCert);
-	rv = 410;
-	goto finish;
-    }
-
-    srv = CMMF_KeyRecRepContentSetCertifiedKeyPair(repContent, cert, privKey,
-						   caPubKey);
-    if (srv != SECSuccess) {
-        printf ("Could not set the Certified Key Pair\n");
-	rv = 413;
-	goto finish;
-    }
-    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
-			0666);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	rv = 414;
-	goto finish;
-    }
-    
-    srv = CMMF_EncodeKeyRecRepContent(repContent, WriteItOut, 
-				      (void*)fileDesc);
-    PR_Close(fileDesc);
-    if (srv != SECSuccess) {
-        printf ("CMMF_EncodeKeyRecRepContent failed\n");
-    	rv = 415;
-    }
-finish:
-    if (privKey)
-	SECKEY_DestroyPrivateKey(privKey);
-    if (caPubKey)
-	SECKEY_DestroyPublicKey(caPubKey);
-    if (repContent)
-	CMMF_DestroyKeyRecRepContent(repContent);
-    return rv;
-}
-
-int
-decodeCMMFRecoveryMessage(const char * filePath)
-{
-    CMMFKeyRecRepContent  *repContent = NULL;
-    int                    rv         = 0;
-    SECItem                fileBits   = { siBuffer, NULL, 0 };
-
-    GetBitsFromFile(filePath, &fileBits);
-    if (!fileBits.len) {
-    	rv = 451;
-	goto finish;
-    }
-    repContent = 
-        CMMF_CreateKeyRecRepContentFromDER(db, (const char *) fileBits.data,
-					   fileBits.len);
-    if (repContent == NULL) {
-        printf ("ERROR: CMMF_CreateKeyRecRepContentFromDER failed on file:\n"
-		"\t%s\n", filePath);
-	rv = 452;
-    }
-finish:
-    if (repContent) {
-        CMMF_DestroyKeyRecRepContent(repContent);
-    }
-    SECITEM_FreeItem(&fileBits, PR_FALSE);
-    return rv;
-}
-
-int
-DoCMMFStuff(void)
-{
-    CERTCertificate       *cert			= NULL;
-    CERTCertList          *list			= NULL;
-    int                    rv 			= 0;
-    char                   filePath[PATH_LEN];
-
-    /* Do common setup for the following steps.
-    */
-    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, "CertRepContent.der");
-
-    cert = CERT_FindCertByNickname(db, personalCert);
-    if (cert == NULL) {
-        printf ("Could not find the certificate for %s\n", personalCert);
-        rv = 416;
-        goto finish;
-    } 
-    list = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageEmailSigner);
-    if (list == NULL) {
-        printf ("Could not find the certificate chain for %s\n", personalCert);
-        rv = 418;
-        goto finish;
-    } 
-
-    /* a) Generate the CMMF response message, using a user cert named
-    **    by -p option, rather than a cert generated from the CRMF
-    **    request itself.   The CMMF message is placed in 
-    **    configdir/CertRepContent.der.
-    */
-    rv = EncodeCMMFCertReply(filePath, cert, list);
-    if (rv != 0) {
-        goto finish;
-    }
-
-    /* b) Decode the CMMF Cert granting message encoded just above,
-    **    found in configdir/CertRepContent.der.
-    **    This only tests the decoding.  The decoded content is discarded.
-    */
-    rv = DecodeCMMFCertRepContent(filePath);
-    if (rv != 0) {
-        goto finish;
-    }
-
-    /* c) Generate a CMMF Key Excrow message
-    **    It takes the public and private keys for the cert identified
-    **    by -p nickname, and wraps them with a sym key that is in turn
-    **    wrapped with the pubkey in the CA cert, whose nickname is 
-    **    given by the -s option.
-    **    Store the message in configdir/KeyRecRepContent.der
-    */
-    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, 
-		"KeyRecRepContent.der");
-
-    rv = EncodeCMMFRecoveryMessage(filePath, cert, list);
-    if (rv)
-    	goto finish;
-
-    /* d) Decode the CMMF Key Excrow message generated just above.
-    **    Get it from file configdir/KeyRecRepContent.der
-    **    This is just a decoder test.  Results are discarded.
-    */
-
-    rv = decodeCMMFRecoveryMessage(filePath);
-
- finish:
-    if (cert) {
-        CERT_DestroyCertificate(cert);
-    }
-    if (list) {
-        CERT_DestroyCertList(list);
-    }
-    return rv;
-}
-
-static CK_MECHANISM_TYPE
-mapWrapKeyType(KeyType keyType)
-{
-    switch (keyType) {
-    case rsaKey:
-        return CKM_RSA_PKCS;
-    default:
-        break;
-    }
-    return CKM_INVALID_MECHANISM;
-} 
-
-#define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
-
-int
-DoKeyRecovery( SECKEYPrivateKey *privKey)
-{
-#ifdef DOING_KEY_RECOVERY  /* Doesn't compile yet. */
-    SECKEYPublicKey      *pubKey;
-    PK11SlotInfo         *slot;
-    unsigned char        *ciphertext;
-    unsigned char        *text_compared;
-    SECKEYPrivateKey     *unwrappedPrivKey;
-    SECKEYPrivateKey     *caPrivKey;
-    CMMFKeyRecRepContent *keyRecRep;
-    CMMFCertifiedKeyPair *certKeyPair;
-    CERTCertificate      *caCert;
-    CERTCertificate      *myCert;
-    SECKEYPublicKey      *caPubKey;
-    PRFileDesc           *fileDesc;
-    CK_ULONG              max_bytes_encrypted;
-    CK_ULONG              bytes_encrypted;
-    CK_ULONG              bytes_compared;
-    CK_ULONG              bytes_decrypted;
-    CK_RV                 crv;
-    CK_OBJECT_HANDLE      id;
-    CK_MECHANISM          mech      = { CKM_INVALID_MECHANISM, NULL, 0};
-    SECStatus             rv;
-    SECItem               fileBits;
-    SECItem               nickname;
-    unsigned char         plaintext[KNOWN_MESSAGE_LENGTH];
-    char                  filePath[PATH_LEN];
-    static const unsigned char known_message[] = { "Known Crypto Message" };
-
-    /*caCert = CERT_FindCertByNickname(db, caCertName);*/
-    myCert = CERT_FindCertByNickname(db, personalCert);
-    if (myCert == NULL) {
-        printf ("Could not find the certificate for %s\n", personalCert);
-        return 700;
-    }
-    caCert = CERT_FindCertByNickname(db, recoveryEncrypter);
-    if (caCert == NULL) {
-        printf ("Could not find the certificate for %s\n", recoveryEncrypter);
-        return 701;
-    }
-    caPubKey = CERT_ExtractPublicKey(caCert);
-    pubKey   = SECKEY_ConvertToPublicKey(privKey);
-    max_bytes_encrypted = PK11_GetPrivateModulusLen(privKey);
-    slot = PK11_GetBestSlot(mapWrapKeyType(privKey->keyType), NULL);
-    id   = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
-
-    switch(privKey->keyType) {
-    case rsaKey:
-        mech.mechanism = CKM_RSA_PKCS;
-	break;
-    case dsaKey:
-        mech.mechanism = CKM_DSA;
-	break;
-    case dhKey:
-        mech.mechanism = CKM_DH_PKCS_DERIVE;
-	break;
-    default:
-        printf ("Bad Key type in key recovery.\n");
-	return 512;
-
-    }
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_EncryptInit(slot->session, &mech, id);
-    if (crv != CKR_OK) {
-        PK11_ExitSlotMonitor(slot);
-	PK11_FreeSlot(slot);
-	printf ("C_EncryptInit failed in KeyRecovery\n");
-	return 500;
-    }
-    ciphertext = PORT_NewArray(unsigned char, max_bytes_encrypted);
-    if (ciphertext == NULL) {
-        PK11_ExitSlotMonitor(slot);
-	PK11_FreeSlot(slot);
-	printf ("Could not allocate memory for ciphertext.\n");
-	return 501;
-    }
-    bytes_encrypted = max_bytes_encrypted;
-    crv = PK11_GETTAB(slot)->C_Encrypt(slot->session, 
-				       known_message,
-				       KNOWN_MESSAGE_LENGTH,
-				       ciphertext,
-				       &bytes_encrypted);
-    PK11_ExitSlotMonitor(slot);
-    PK11_FreeSlot(slot);
-    if (crv != CKR_OK) {
-       PORT_Free(ciphertext);
-       return 502;
-    }
-    /* Always use the smaller of these two values . . . */
-    bytes_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
-                      ? KNOWN_MESSAGE_LENGTH
-                      : bytes_encrypted;
- 
-    /* If there was a failure, the plaintext */
-    /* goes at the end, therefore . . .      */
-    text_compared = ( bytes_encrypted > KNOWN_MESSAGE_LENGTH )
-                    ? (ciphertext + bytes_encrypted -
-		       KNOWN_MESSAGE_LENGTH )
-                     : ciphertext;  
-
-    keyRecRep = CMMF_CreateKeyRecRepContent();
-    if (keyRecRep == NULL) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	CMMF_DestroyKeyRecRepContent(keyRecRep);
-	printf ("Could not allocate a CMMFKeyRecRepContent structre.\n");
-	return 503;
-    }
-    rv = CMMF_KeyRecRepContentSetPKIStatusInfoStatus(keyRecRep,
-						     cmmfGranted);
-    if (rv != SECSuccess) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	CMMF_DestroyKeyRecRepContent(keyRecRep);
-	printf ("Could not set the status for the KeyRecRepContent\n");
-	return 504;
-    }
-    /* The myCert here should correspond to the certificate corresponding
-     * to the private key, but for this test any certificate will do.
-     */
-    rv = CMMF_KeyRecRepContentSetCertifiedKeyPair(keyRecRep, myCert,
-						  privKey, caPubKey);
-    if (rv != SECSuccess) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	CMMF_DestroyKeyRecRepContent(keyRecRep);
-	printf ("Could not set the Certified Key Pair\n");
-	return 505;
-    }
-    PR_snprintf(filePath, PATH_LEN, "%s/%s", configdir, 
-		"KeyRecRepContent.der");
-    fileDesc = PR_Open (filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 
-			0666);
-    if (fileDesc == NULL) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	CMMF_DestroyKeyRecRepContent(keyRecRep);
-        printf ("Could not open file %s\n", filePath);
-	return 506;
-    }
-    rv = CMMF_EncodeKeyRecRepContent(keyRecRep, WriteItOut, fileDesc);
-    CMMF_DestroyKeyRecRepContent(keyRecRep);
-    PR_Close(fileDesc);
-
-    if (rv != SECSuccess) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	printf ("Error while encoding CMMFKeyRecRepContent\n");
-	return 507;
-    }
-    GetBitsFromFile(filePath, &fileBits);
-    if (fileBits.data == NULL) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-        printf ("Could not get the bits from file %s\n", filePath);
-	return 508;
-    }
-    keyRecRep = 
-        CMMF_CreateKeyRecRepContentFromDER(db,(const char*)fileBits.data,
-					   fileBits.len);
-    if (keyRecRep == NULL) {
-        printf ("Could not decode the KeyRecRepContent in file %s\n", 
-		filePath);
-	PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	return 509;
-    }
-    caPrivKey = PK11_FindKeyByAnyCert(caCert, &pwdata);
-    if (CMMF_KeyRecRepContentGetPKIStatusInfoStatus(keyRecRep) != 
-	                                                      cmmfGranted) {
-        PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	CMMF_DestroyKeyRecRepContent(keyRecRep);
-	printf ("A bad status came back with the "
-		"KeyRecRepContent structure\n");
-	return 510;
-    }
-
-#define NICKNAME "Key Recovery Test Key"
-    nickname.data = (unsigned char*)NICKNAME;
-    nickname.len  = PORT_Strlen(NICKNAME);
-
-    certKeyPair = CMMF_KeyRecRepContentGetCertKeyAtIndex(keyRecRep, 0);
-    CMMF_DestroyKeyRecRepContent(keyRecRep);
-    rv = CMMF_CertifiedKeyPairUnwrapPrivKey(certKeyPair,
-					    caPrivKey,
-					    &nickname,
-					    PK11_GetInternalKeySlot(),
-					    db,
-					    &unwrappedPrivKey, &pwdata);
-    CMMF_DestroyCertifiedKeyPair(certKeyPair);
-    if (rv != SECSuccess) {
-        printf ("Unwrapping the private key failed.\n");
-	return 511;
-    }
-    /*Now let's try to decrypt the ciphertext with the "recovered" key*/
-    PK11_EnterSlotMonitor(slot);
-    crv = 
-      PK11_GETTAB(slot)->C_DecryptInit(unwrappedPrivKey->pkcs11Slot->session,
-				       &mech,
-				       unwrappedPrivKey->pkcs11ID);
-    if (crv != CKR_OK) {
-        PK11_ExitSlotMonitor(slot);
-	PORT_Free(ciphertext);
-	PK11_FreeSlot(slot);
-	printf ("Decrypting with the recovered key failed.\n");
-	return 513;
-    }
-    bytes_decrypted = KNOWN_MESSAGE_LENGTH;
-    crv = PK11_GETTAB(slot)->C_Decrypt(unwrappedPrivKey->pkcs11Slot->session,
-				       ciphertext, 
-				       bytes_encrypted, plaintext,
-				       &bytes_decrypted);
-    SECKEY_DestroyPrivateKey(unwrappedPrivKey);
-    PK11_ExitSlotMonitor(slot);
-    PORT_Free(ciphertext);
-    if (crv != CKR_OK) {
-        PK11_FreeSlot(slot);
-	printf ("Decrypting the ciphertext with recovered key failed.\n");
-	return 514;
-    }
-    if ((bytes_decrypted != KNOWN_MESSAGE_LENGTH) || 
-	(PORT_Memcmp(plaintext, known_message, KNOWN_MESSAGE_LENGTH) != 0)) {
-        PK11_FreeSlot(slot);
-	printf ("The recovered plaintext does not equal the known message:\n"
-		"\tKnown message:       %s\n"
-		"\tRecovered plaintext: %s\n", known_message, plaintext);
-	return 515;
-    }
-#endif
-    return 0;
-}
-
-int
-DoChallengeResponse(SECKEYPrivateKey *privKey,
-		    SECKEYPublicKey *pubKey)
-{
-    CMMFPOPODecKeyChallContent *chalContent = NULL;
-    CMMFPOPODecKeyRespContent  *respContent = NULL;
-    CERTCertificate            *myCert      = NULL;
-    CERTGeneralName            *myGenName   = NULL;
-    PRArenaPool                *poolp       = NULL;
-    PRFileDesc                 *fileDesc;
-    SECItem                    *publicValue;
-    SECItem                    *keyID;
-    SECKEYPrivateKey           *foundPrivKey;
-    long                       *randomNums;
-    int                         numChallengesFound   = 0;
-    int                         numChallengesSet     = 1;
-    int                         i;
-    long                        retrieved;
-    SECStatus                   rv;
-    SECItem                     DecKeyChallBits;
-    char                        filePath[PATH_LEN];
-
-    chalContent = CMMF_CreatePOPODecKeyChallContent();
-    myCert = CERT_FindCertByNickname(db, personalCert);
-    if (myCert == NULL) {
-        printf ("Could not find the certificate for %s\n", personalCert);
-        return 900;
-    }
-    poolp = PORT_NewArena(1024);
-    if (poolp == NULL) {
-        printf("Could no allocate a new arena in DoChallengeResponse\n");
-	return 901;
-    }
-    myGenName = CERT_GetCertificateNames(myCert, poolp);
-    if (myGenName == NULL) {
-        printf ("Could not get the general names for %s certificate\n", 
-		personalCert);
-	return 902;
-    }
-    randomNums = PORT_ArenaNewArray(poolp,long, numChallengesSet);
-    PK11_GenerateRandom((unsigned char *)randomNums, 
-                        numChallengesSet * sizeof(long));
-    for (i=0; i<numChallengesSet; i++) {
-	rv = CMMF_POPODecKeyChallContentSetNextChallenge(chalContent,
-							 randomNums[i],
-							 myGenName,
-							 pubKey,
-							 &pwdata);
-	if (rv != SECSuccess) {
-	    printf ("Could not set the challenge in DoChallengeResponse\n");
-	    return 903;
-	}
-    }
-    PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyChallContent.der", 
-		configdir);
-    fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
-		       0666);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	return 904;
-    }
-    rv = CMMF_EncodePOPODecKeyChallContent(chalContent,WriteItOut, 
-					   (void*)fileDesc);
-    PR_Close(fileDesc);
-    CMMF_DestroyPOPODecKeyChallContent(chalContent);
-    if (rv != SECSuccess) {
-        printf ("Could not encode the POPODecKeyChallContent.\n");
-	return 905;
-    }
-    GetBitsFromFile(filePath, &DecKeyChallBits);
-    chalContent = CMMF_CreatePOPODecKeyChallContentFromDER
-		      ((const char*)DecKeyChallBits.data, DecKeyChallBits.len);
-    SECITEM_FreeItem(&DecKeyChallBits, PR_FALSE);
-    if (chalContent == NULL) {
-        printf ("Could not create the POPODecKeyChallContent from DER\n");
-	return 906;
-    }
-    numChallengesFound = 
-	    CMMF_POPODecKeyChallContentGetNumChallenges(chalContent);
-    if (numChallengesFound != numChallengesSet) {
-        printf ("Number of Challenges Found (%d) does not equal the number "
-		"set (%d)\n", numChallengesFound, numChallengesSet);
-	return 907;
-    }
-    for (i=0; i<numChallengesSet; i++) {
-        publicValue = CMMF_POPODecKeyChallContentGetPublicValue(chalContent, i);
-	if (publicValue == NULL) {
-	  printf("Could not get the public value for challenge at index %d\n",
-		 i);
-	  return 908;
-	}
-	keyID = PK11_MakeIDFromPubKey(publicValue);
-	if (keyID == NULL) {
-	    printf ("Could not make the keyID from the public value\n");
-	    return 909;
-	}
-	foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
-	if (foundPrivKey == NULL) {
-	    printf ("Could not find the private key corresponding to the public"
-		    " value.\n");
-	    return 910;
-	}
-	rv = CMMF_POPODecKeyChallContDecryptChallenge(chalContent, i, 
-						      foundPrivKey);
-	if (rv != SECSuccess) {
-	    printf ("Could not decrypt the challenge at index %d\n", i);
-	    return 911;
-	}
-	rv = CMMF_POPODecKeyChallContentGetRandomNumber(chalContent, i, 
-							&retrieved);
-	if (rv != SECSuccess) {
-	    printf ("Could not get the random number from the challenge at "
-		    "index %d\n", i);
-	    return 912;
-	}
-	if (retrieved != randomNums[i]) {
-	    printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
-		    randomNums[i]);
-	    return 913;
-	}
-    }
-    CMMF_DestroyPOPODecKeyChallContent(chalContent);
-    PR_snprintf(filePath, PATH_LEN, "%s/POPODecKeyRespContent.der", 
-		configdir);
-    fileDesc = PR_Open(filePath, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
-		       0666);
-    if (fileDesc == NULL) {
-        printf ("Could not open file %s\n", filePath);
-	return 914;
-    }
-    rv = CMMF_EncodePOPODecKeyRespContent(randomNums, numChallengesSet,
-					  WriteItOut, fileDesc);
-    PR_Close(fileDesc);
-    if (rv != 0) {
-        printf ("Could not encode the POPODecKeyRespContent\n");
-	return 915;
-    }
-    GetBitsFromFile(filePath, &DecKeyChallBits);
-    respContent = 
-     CMMF_CreatePOPODecKeyRespContentFromDER((const char*)DecKeyChallBits.data,
-					     DecKeyChallBits.len);
-    if (respContent == NULL) {
-        printf ("Could not decode the contents of the file %s\n", filePath);
-	return 916;
-    }
-    numChallengesFound = 
-         CMMF_POPODecKeyRespContentGetNumResponses(respContent);
-    if (numChallengesFound != numChallengesSet) {
-        printf ("Number of responses found (%d) does not match the number "
-		"of challenges set (%d)\n",
-		numChallengesFound, numChallengesSet);
-	return 917;
-    }
-    for (i=0; i<numChallengesSet; i++) {
-        rv = CMMF_POPODecKeyRespContentGetResponse(respContent, i, &retrieved);
-	if (rv != SECSuccess) {
-	    printf ("Could not retrieve the response at index %d\n", i);
-	    return 918;
-	}
-	if (retrieved != randomNums[i]) {
-	    printf ("Retrieved the number (%ld), expected (%ld)\n", retrieved,
-		    randomNums[i]);
-	    return 919;
-	}
-							  
-    }
-    CMMF_DestroyPOPODecKeyRespContent(respContent);
-    return 0;
-}
-
-int
-MakeCertRequest(TESTKeyPair *pair, CRMFPOPChoice inPOPChoice, long inRequestID)
-{
-    int               irv;
-
-    /* Generate a key pair and a cert request for it. */
-    irv = CreateCertRequest(pair, inRequestID);
-    if (irv != 0 || pair->certReq == NULL) {
-        goto loser;
-    }
-
-    pair->certReqMsg = CRMF_CreateCertReqMsg();
-    if (!pair->certReqMsg) {
-    	irv = 999;
-	goto loser;
-    }
-    /* copy certReq into certReqMsg */
-    CRMF_CertReqMsgSetCertRequest(pair->certReqMsg, pair->certReq);
-    irv = AddProofOfPossession(pair, inPOPChoice);
-loser:
-    return irv;
-}
-
-int
-DestroyPairReqAndMsg(TESTKeyPair *pair)
-{
-    SECStatus rv  = SECSuccess;
-    int       irv = 0;
-
-    if (pair->certReq) {
-	rv = CRMF_DestroyCertRequest(pair->certReq);
-	pair->certReq = NULL;
-	if (rv != SECSuccess) {
-	    printf ("Error when destroying cert request.\n");
-	    irv = 100;
-	}
-    }
-    if (pair->certReqMsg) {
-	rv = CRMF_DestroyCertReqMsg(pair->certReqMsg);
-	pair->certReqMsg = NULL;
-	if (rv != SECSuccess) {
-	    printf ("Error when destroying cert request msg.\n");
-	    if (!irv)
-		irv = 101;
-	}
-    }
-    return irv;
-}
-
-int
-DestroyPair(TESTKeyPair *pair)
-{
-    int       irv = 0;
-
-    if (pair->pubKey) {
-	SECKEY_DestroyPublicKey(pair->pubKey);
-	pair->pubKey = NULL;
-    }
-    if (pair->privKey) {
-	SECKEY_DestroyPrivateKey(pair->privKey);
-	pair->privKey = NULL;
-    }
-    DestroyPairReqAndMsg(pair);
-    return irv;
-}
-
-int
-DoCRMFRequest(TESTKeyPair *signPair, TESTKeyPair *cryptPair)
-{
-    int irv, tirv = 0;
-
-    /* Generate a key pair and a cert request for it. */
-    irv = MakeCertRequest(signPair, crmfSignature, 0x0f020304);
-    if (irv != 0 || signPair->certReq == NULL) {
-        goto loser;
-    }
-
-    if (!doingDSA) {
-	irv = MakeCertRequest(cryptPair, crmfKeyAgreement, 0x0f050607);
-	if (irv != 0 || cryptPair->certReq == NULL) {
-	    goto loser;
-	}
-    }
-
-    /* encode the cert request messages into a unified request message.
-    ** leave it in a file with a fixed name.  :(
-    */
-    irv = Encode(signPair->certReqMsg, cryptPair->certReqMsg);
-
-loser:
-    if (signPair->certReq) {
-	tirv = DestroyPairReqAndMsg(signPair);
-	if (tirv && !irv)
-    	    irv = tirv;
-    }
-    if (cryptPair->certReq) {
-	tirv = DestroyPairReqAndMsg(cryptPair);
-	if (tirv && !irv)
-    	    irv = tirv;
-    }
-    return irv;
-}
-
-void
-Usage (void)
-{
-    printf ("Usage:\n"
-	    "\tcrmftest -d [Database Directory] -p [Personal Cert]\n"
-	    "\t         -e [Encrypter] -s [CA Certificate] [-P password]\n\n"
-	    "\t         [crmf] [dsa] [decode] [cmmf] [recover] [challenge]\n"
-	    "\t         [-f password_file]\n"
-	    "Database Directory\n"
-	    "\tThis is the directory where the key3.db, cert7.db, and\n"
-	    "\tsecmod.db files are located.  This is also the directory\n"
-	    "\twhere the program will place CRMF/CMMF der files\n"
-	    "Personal Cert\n"
-	    "\tThis is the certificate that already exists in the cert\n"
-	    "\tdatabase to use while encoding the response.  The private\n"
-	    "\tkey associated with the certificate must also exist in the\n"
-	    "\tkey database.\n"
-	    "Encrypter\n"
-	    "\tThis is the certificate to use when encrypting the the \n"
-	    "\tkey recovery response.  The private key for this cert\n"
-	    "\tmust also be present in the key database.\n"
-	    "CA Certificate\n"
-	    "\tThis is the nickname of the certificate to use as the\n"
-	    "\tCA when doing all of the encoding.\n");
-}
-
-#define TEST_MAKE_CRMF_REQ      0x0001  
-#define TEST_USE_DSA            0x0002  
-#define TEST_DECODE_CRMF_REQ    0x0004  
-#define TEST_DO_CMMF_STUFF      0x0008  
-#define TEST_KEY_RECOVERY       0x0010  
-#define TEST_CHALLENGE_RESPONSE 0x0020  
-
-SECStatus
-parsePositionalParam(const char * arg, PRUint32 *flags)
-{
-    if (!strcmp(arg, "crmf")) {
-    	*flags |= TEST_MAKE_CRMF_REQ;
-    } else if (!strcmp(arg, "dsa")) {
-    	*flags |= TEST_MAKE_CRMF_REQ | TEST_USE_DSA;
-	doingDSA = PR_TRUE;
-    } else if (!strcmp(arg, "decode")) {
-    	*flags |= TEST_DECODE_CRMF_REQ;
-    } else if (!strcmp(arg, "cmmf")) {
-    	*flags |= TEST_DO_CMMF_STUFF;
-    } else if (!strcmp(arg, "recover")) {
-    	*flags |= TEST_KEY_RECOVERY;
-    } else if (!strcmp(arg, "challenge")) {
-    	*flags |= TEST_CHALLENGE_RESPONSE;
-    } else {
-	printf("unknown positional paremeter: %s\n", arg);
-    	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* it's not clear, in some cases, whether the desired key is from 
-** the sign pair or the crypt pair, so we're guessing in some places.  
-** This define serves to remind us of the places where we're guessing.
-*/
-#define WHICH_KEY cryptPair
-
-int
-main(int argc, char **argv) 
-{
-    TESTKeyPair       signPair, cryptPair;
-    PLOptState       *optstate;
-    PLOptStatus       status;
-    char             *password = NULL;
-    char             *pwfile = NULL;
-    int               irv     = 0;
-    PRUint32          flags   = 0;
-    SECStatus         rv;
-    PRBool            nssInit = PR_FALSE;
-    PRBool            pArg    = PR_FALSE;
-    PRBool            eArg    = PR_FALSE;
-    PRBool            sArg    = PR_FALSE;
-    PRBool            PArg    = PR_FALSE;
-
-    memset( &signPair,  0, sizeof signPair);
-    memset( &cryptPair, 0, sizeof cryptPair);
-    printf ("\ncrmftest v1.0\n");
-    optstate = PL_CreateOptState(argc, argv, "d:p:e:s:P:f:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	case 'd':
-	    configdir = PORT_Strdup(optstate->value);
-	    rv = NSS_Init(configdir);
-	    if (rv != SECSuccess) {
-	        printf ("NSS_Init (-d) failed\n");
-		return 101;
-	    }	      
-	    nssInit = PR_TRUE;
-	    break;
-	case 'p':
-	    personalCert = PORT_Strdup(optstate->value);
-	    if (personalCert == NULL) {
-	        printf ("-p  failed\n");
-	        return 603;
-	    }
-	    pArg = PR_TRUE;
-	    break;
-	case 'e':
-	    recoveryEncrypter = PORT_Strdup(optstate->value);
-	    if (recoveryEncrypter == NULL) {
-	        printf ("-e  failed\n");
-	        return 602;
-	    }
-	    eArg = PR_TRUE;
-	    break;
-	case 's':
-	    caCertName = PORT_Strdup(optstate->value);
-	    if (caCertName == NULL) {
-	        printf ("-s  failed\n");
-	        return 604;
-	    }
-	    sArg = PR_TRUE;
-	    break;
-	case 'P':
-	    password = PORT_Strdup(optstate->value);
-	    if (password == NULL) {
-	        printf ("-P  failed\n");
-	        return 606;
-	    }
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = password;
-	    PArg = PR_TRUE;
-	    break;
-        case 'f':
-	    pwfile = PORT_Strdup(optstate->value);
-	    if (pwfile == NULL) {
-	        printf ("-f  failed\n");
-	        return 607;
-	    }
-            pwdata.source = PW_FROMFILE;
-            pwdata.data = pwfile;
-            break;
-	case 0:  /* positional parameter */
-	    rv = parsePositionalParam(optstate->value, &flags);
-	    if (rv) {
-	        printf ("bad positional parameter.\n");
-	        return 605;
-	    }
-	    break;
-	default:
-	    Usage();
-	    return 601;
-	}
-    }
-    PL_DestroyOptState(optstate);
-    if (status == PL_OPT_BAD || !nssInit) {
-        Usage();
-	return 600;
-    }
-    if (!flags) 
-    	flags = ~ TEST_USE_DSA;
-    db = CERT_GetDefaultCertDB();
-    InitPKCS11();
-
-    if (flags & TEST_MAKE_CRMF_REQ) {
-	printf("Generating CRMF request\n");
-    	irv = DoCRMFRequest(&signPair, &cryptPair);
-	if (irv)
-	    goto loser;
-    }
-
-    if (flags & TEST_DECODE_CRMF_REQ) {
-	printf("Decoding CRMF request\n");
-	irv = Decode();
-	if (irv != 0) {
-	    printf("Error while decoding\n");
-	    goto loser;
-	}
-    }
-
-    if (flags & TEST_DO_CMMF_STUFF) {
-	printf("Doing CMMF Stuff\n");
-	if ((irv = DoCMMFStuff()) != 0) {
-	    printf ("CMMF tests failed.\n");
-	    goto loser;
-	}
-    }
-
-    if (flags & TEST_KEY_RECOVERY) {
-	/* Requires some other options be set.
-	** Once we know exactly what hey are, test for them here. 
-	*/
-	printf("Doing Key Recovery\n");
-	irv = DoKeyRecovery(WHICH_KEY.privKey);
-	if (irv != 0) {
-	    printf ("Error doing key recovery\n");
-	    goto loser;
-	}
-    }
-
-    if (flags & TEST_CHALLENGE_RESPONSE) {
-	printf("Doing Challenge / Response\n");
-	irv = DoChallengeResponse(WHICH_KEY.privKey, WHICH_KEY.pubKey);
-	if (irv != 0) {
-	    printf ("Error doing challenge-response\n");
-	    goto loser;
-	}
-    }
-    printf ("Exiting successfully!!!\n\n");
-    irv = 0;
-
- loser:
-    DestroyPair(&signPair);
-    DestroyPair(&cryptPair);
-    rv = NSS_Shutdown();
-    if (rv) {
-    	printf("NSS_Shutdown did not shutdown cleanly!\n");
-    }
-    PORT_Free(configdir);
-    if (irv)
-	printf("crmftest returning %d\n", irv);
-    return irv;
-}
diff --git a/security/nss/cmd/dbck/Makefile b/security/nss/cmd/dbck/Makefile
deleted file mode 100644
index b9915d5e2..000000000
--- a/security/nss/cmd/dbck/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-INCLUDES += -I ../../lib/softoken
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/dbck/dbck.c b/security/nss/cmd/dbck/dbck.c
deleted file mode 100644
index a1bba5b0e..000000000
--- a/security/nss/cmd/dbck/dbck.c
+++ /dev/null
@@ -1,1385 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** dbck.c
-**
-** utility for fixing corrupt cert databases
-**
-*/
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-#include "cdbhdl.h"
-#include "certdb.h"
-#include "cert.h"
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-#include "pcert.h"
-#include "nss.h"
-
-static char *progName;
-
-/* placeholders for pointer error types */
-static void *WrongEntry;
-static void *NoNickname;
-static void *NoSMime;
-
-typedef enum {
-/* 0*/ NoSubjectForCert = 0,
-/* 1*/ SubjectHasNoKeyForCert,
-/* 2*/ NoNicknameOrSMimeForSubject,
-/* 3*/ WrongNicknameForSubject,
-/* 4*/ NoNicknameEntry,
-/* 5*/ WrongSMimeForSubject,
-/* 6*/ NoSMimeEntry,
-/* 7*/ NoSubjectForNickname,
-/* 8*/ NoSubjectForSMime,
-/* 9*/ NicknameAndSMimeEntries,
-    NUM_ERROR_TYPES
-} dbErrorType;
-
-static char *dbErrorString[NUM_ERROR_TYPES] = {
-/* 0*/ "<CERT ENTRY>\nDid not find a subject entry for this certificate.",
-/* 1*/ "<SUBJECT ENTRY>\nSubject has certKey which is not in db.",
-/* 2*/ "<SUBJECT ENTRY>\nSubject does not have a nickname or email address.",
-/* 3*/ "<SUBJECT ENTRY>\nUsing this subject's nickname, found a nickname entry for a different subject.",
-/* 4*/ "<SUBJECT ENTRY>\nDid not find a nickname entry for this subject.",
-/* 5*/ "<SUBJECT ENTRY>\nUsing this subject's email, found an S/MIME entry for a different subject.",
-/* 6*/ "<SUBJECT ENTRY>\nDid not find an S/MIME entry for this subject.",
-/* 7*/ "<NICKNAME ENTRY>\nDid not find a subject entry for this nickname.",
-/* 8*/ "<S/MIME ENTRY>\nDid not find a subject entry for this S/MIME profile.",
-};
-
-static char *errResult[NUM_ERROR_TYPES] = {
-    "Certificate entries that had no subject entry.", 
-    "Subject entries with no corresponding Certificate entries.", 
-    "Subject entries that had no nickname or S/MIME entries.",
-    "Redundant nicknames (subjects with the same nickname).",
-    "Subject entries that had no nickname entry.",
-    "Redundant email addresses (subjects with the same email address).",
-    "Subject entries that had no S/MIME entry.",
-    "Nickname entries that had no subject entry.", 
-    "S/MIME entries that had no subject entry.",
-    "Subject entries with BOTH nickname and S/MIME entries."
-};
-
-
-enum {
-    GOBOTH = 0,
-    GORIGHT,
-    GOLEFT
-};
-
-typedef struct
-{
-    PRBool verbose;
-    PRBool dograph;
-    PRFileDesc *out;
-    PRFileDesc *graphfile;
-    int dbErrors[NUM_ERROR_TYPES];
-} dbDebugInfo;
-
-struct certDBEntryListNodeStr {
-    PRCList link;
-    certDBEntry entry;
-    void *appData;
-};
-typedef struct certDBEntryListNodeStr  certDBEntryListNode;
-
-/*
- * A list node for a cert db entry.  The index is a unique identifier
- * to use for creating generic maps of a db.  This struct handles
- * the cert, nickname, and smime db entry types, as all three have a
- * single handle to a subject entry.
- * This structure is pointed to by certDBEntryListNode->appData.
- */
-typedef struct 
-{
-    PRArenaPool *arena;
-    int index;
-    certDBEntryListNode *pSubject;
-} certDBEntryMap;
-
-/*
- * Subject entry is special case, it has bidirectional handles.  One
- * subject entry can point to several certs (using the same DN), and
- * a nickname and/or smime entry.
- * This structure is pointed to by certDBEntryListNode->appData.
- */
-typedef struct
-{
-    PRArenaPool *arena;
-    int index;
-    int numCerts;
-    certDBEntryListNode **pCerts;
-    certDBEntryListNode *pNickname;
-    certDBEntryListNode *pSMime;
-} certDBSubjectEntryMap;
-
-/*
- * A map of a certdb.
- */
-typedef struct
-{
-    int numCerts;
-    int numSubjects;
-    int numNicknames;
-    int numSMime;
-    int numRevocation;
-    certDBEntryListNode certs;      /* pointer to head of cert list */
-    certDBEntryListNode subjects;   /* pointer to head of subject list */
-    certDBEntryListNode nicknames;  /* pointer to head of nickname list */
-    certDBEntryListNode smime;      /* pointer to head of smime list */
-    certDBEntryListNode revocation; /* pointer to head of revocation list */
-} certDBArray;
-
-/* Cast list to the base element, a certDBEntryListNode. */
-#define LISTNODE_CAST(node) \
-    ((certDBEntryListNode *)(node))
-
-static void 
-Usage(char *progName)
-{
-#define FPS fprintf(stderr, 
-    FPS "Type %s -H for more detailed descriptions\n", progName);
-    FPS "Usage:  %s -D [-d certdir] [-m] [-v [-f dumpfile]]\n", 
-	progName);
-#ifdef DORECOVER
-    FPS "        %s -R -o newdbname [-d certdir] [-aprsx] [-v [-f dumpfile]]\n", 
-	progName);
-#endif
-    exit(-1);
-}
-
-static void
-LongUsage(char *progName)
-{
-    FPS "%-15s Display this help message.\n",
-	"-H");
-    FPS "%-15s Dump analysis.  No changes will be made to the database.\n",
-	"-D");
-    FPS "%-15s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-15s Put database graph in ./mailfile (default is stdout).\n",
-	"   -m");
-    FPS "%-15s Verbose mode.  Dumps the entire contents of your cert8.db.\n",
-	"   -v");
-    FPS "%-15s File to dump verbose output into. (default is stdout)\n",
-	"   -f dumpfile");
-#ifdef DORECOVER
-    FPS "%-15s Repair the database.  The program will look for broken\n",
-	"-R");
-    FPS "%-15s dependencies between subject entries and certificates,\n",
-        "");
-    FPS "%-15s between nickname entries and subjects, and between SMIME\n",
-        "");
-    FPS "%-15s profiles and subjects.  Any duplicate entries will be\n",
-        "");
-    FPS "%-15s removed, any missing entries will be created.\n",
-        "");
-    FPS "%-15s File to store new database in (default is new_cert8.db)\n",
-	"   -o newdbname");
-    FPS "%-15s Cert database directory (default is ~/.netscape)\n",
-	"   -d certdir");
-    FPS "%-15s Prompt before removing any certificates.\n",
-        "   -p");
-    FPS "%-15s Keep all possible certificates.  Only remove certificates\n",
-	"   -a");
-    FPS "%-15s which prevent creation of a consistent database.  Thus any\n",
-	"");
-    FPS "%-15s expired or redundant entries will be kept.\n",
-	"");
-    FPS "%-15s Keep redundant nickname/email entries.  It is possible\n",
-	"   -r");
-    FPS "%-15s only one such entry will be usable.\n",
-	"");
-    FPS "%-15s Don't require an S/MIME profile in order to keep an S/MIME\n",
-	"   -s");
-    FPS "%-15s cert.  An empty profile will be created.\n",
-	"");
-    FPS "%-15s Keep expired certificates.\n",
-	"   -x");
-    FPS "%-15s Verbose mode - report all activity while recovering db.\n",
-	"   -v");
-    FPS "%-15s File to dump verbose output into.\n",
-	"   -f dumpfile");
-    FPS "\n");
-#endif
-    exit(-1);
-#undef FPS
-}
-
-/*******************************************************************
- *
- *  Functions for dbck.
- *
- ******************************************************************/
-
-void
-printHexString(PRFileDesc *out, SECItem *hexval)
-{
-    unsigned int i;
-    for (i = 0; i < hexval->len; i++) {
-	if (i != hexval->len - 1) {
-	    PR_fprintf(out, "%02x:", hexval->data[i]);
-	} else {
-	    PR_fprintf(out, "%02x", hexval->data[i]);
-	}
-    }
-    PR_fprintf(out, "\n");
-}
-
-
-SECStatus
-dumpCertificate(CERTCertificate *cert, int num, PRFileDesc *outfile)
-{
-    int userCert = 0;
-    CERTCertTrust *trust = cert->trust;
-    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-    if (num >= 0) {
-	PR_fprintf(outfile, "Certificate: %3d\n", num);
-    } else {
-	PR_fprintf(outfile, "Certificate:\n");
-    }
-    PR_fprintf(outfile, "----------------\n");
-    if (userCert)
-	PR_fprintf(outfile, "(User Cert)\n");
-    PR_fprintf(outfile, "## SUBJECT:  %s\n", cert->subjectName);
-    PR_fprintf(outfile, "## ISSUER:  %s\n", cert->issuerName);
-    PR_fprintf(outfile, "## SERIAL NUMBER:  ");
-    printHexString(outfile, &cert->serialNumber);
-    {  /*  XXX should be separate function.  */
-	int64 timeBefore, timeAfter;
-	PRExplodedTime beforePrintable, afterPrintable;
-	char *beforestr, *afterstr;
-	DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore);
-	DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
-	PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
-	PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
-	beforestr = PORT_Alloc(100);
-	afterstr = PORT_Alloc(100);
-	PR_FormatTime(beforestr, 100, "%a %b %d %H:%M:%S %Y", &beforePrintable);
-	PR_FormatTime(afterstr, 100, "%a %b %d %H:%M:%S %Y", &afterPrintable);
-	PR_fprintf(outfile, "## VALIDITY:  %s to %s\n", beforestr, afterstr);
-    }
-    PR_fprintf(outfile, "\n");
-    return SECSuccess;
-}
-
-SECStatus
-dumpCertEntry(certDBEntryCert *entry, int num, PRFileDesc *outfile)
-{
-#if 0
-    NSSLOWCERTCertificate *cert;
-    /* should we check for existing duplicates? */
-    cert = nsslowcert_DecodeDERCertificate(&entry->cert.derCert, 
-					    entry->cert.nickname);
-#else
-    CERTCertificate *cert;
-    cert = CERT_DecodeDERCertificate(&entry->derCert, PR_FALSE, NULL);
-#endif
-    if (!cert) {
-	fprintf(stderr, "Failed to decode certificate.\n");
-	return SECFailure;
-    }
-    cert->trust = (CERTCertTrust *)&entry->trust;
-    dumpCertificate(cert, num, outfile);
-    CERT_DestroyCertificate(cert);
-    return SECSuccess;
-}
-
-SECStatus
-dumpSubjectEntry(certDBEntrySubject *entry, int num, PRFileDesc *outfile)
-{
-    char *subjectName = CERT_DerNameToAscii(&entry->derSubject);
-
-    PR_fprintf(outfile, "Subject: %3d\n", num);
-    PR_fprintf(outfile, "------------\n");
-    PR_fprintf(outfile, "## %s\n", subjectName);
-    if (entry->nickname)
-	PR_fprintf(outfile, "## Subject nickname:  %s\n", entry->nickname);
-    if (entry->emailAddrs) {
-	unsigned int n;
-	for (n = 0; n < entry->nemailAddrs && entry->emailAddrs[n]; ++n) {
-	    char * emailAddr = entry->emailAddrs[n];
-	    if (emailAddr[0]) {
-		PR_fprintf(outfile, "## Subject email address:  %s\n", 
-	           emailAddr);
-	    }
-	}
-    }
-    PR_fprintf(outfile, "## This subject has %d cert(s).\n", entry->ncerts);
-    PR_fprintf(outfile, "\n");
-    PORT_Free(subjectName);
-    return SECSuccess;
-}
-
-SECStatus
-dumpNicknameEntry(certDBEntryNickname *entry, int num, PRFileDesc *outfile)
-{
-    PR_fprintf(outfile, "Nickname: %3d\n", num);
-    PR_fprintf(outfile, "-------------\n");
-    PR_fprintf(outfile, "##  \"%s\"\n\n", entry->nickname);
-    return SECSuccess;
-}
-
-SECStatus
-dumpSMimeEntry(certDBEntrySMime *entry, int num, PRFileDesc *outfile)
-{
-    PR_fprintf(outfile, "S/MIME Profile: %3d\n", num);
-    PR_fprintf(outfile, "-------------------\n");
-    PR_fprintf(outfile, "##  \"%s\"\n", entry->emailAddr);
-#ifdef OLDWAY
-    PR_fprintf(outfile, "##  OPTIONS:  ");
-    printHexString(outfile, &entry->smimeOptions);
-    PR_fprintf(outfile, "##  TIMESTAMP:  ");
-    printHexString(outfile, &entry->optionsDate);
-#else
-    SECU_PrintAny(stdout, &entry->smimeOptions, "##  OPTIONS  ", 0);
-    fflush(stdout);
-    if (entry->optionsDate.len && entry->optionsDate.data)
-	PR_fprintf(outfile, "##  TIMESTAMP: %.*s\n", 
-	           entry->optionsDate.len, entry->optionsDate.data);
-#endif
-    PR_fprintf(outfile, "\n");
-    return SECSuccess;
-}
-
-SECStatus
-mapCertEntries(certDBArray *dbArray)
-{
-    certDBEntryCert *certEntry;
-    certDBEntrySubject *subjectEntry;
-    certDBEntryListNode *certNode, *subjNode;
-    certDBSubjectEntryMap *smap;
-    certDBEntryMap *map;
-    PRArenaPool *tmparena;
-    SECItem derSubject;
-    SECItem certKey;
-    PRCList *cElem, *sElem;
-
-    /* Arena for decoded entries */
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (tmparena == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    /* Iterate over cert entries and map them to subject entries. 
-     * NOTE: mapSubjectEntries must be called first to alloc memory
-     * for array of subject->cert map.
-     */
-    for (cElem = PR_LIST_HEAD(&dbArray->certs.link); 
-         cElem != &dbArray->certs.link; cElem = PR_NEXT_LINK(cElem)) {
-	certNode = LISTNODE_CAST(cElem);
-	certEntry = (certDBEntryCert *)&certNode->entry;
-	map = (certDBEntryMap *)certNode->appData;
-	CERT_NameFromDERCert(&certEntry->derCert, &derSubject);
-	CERT_KeyFromDERCert(tmparena, &certEntry->derCert, &certKey);
-	/*  Loop over found subjects for cert's DN.  */
-	for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
-	     sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
-	    subjNode = LISTNODE_CAST(sElem);
-	    subjectEntry = (certDBEntrySubject *)&subjNode->entry;
-	    if (SECITEM_ItemsAreEqual(&derSubject, &subjectEntry->derSubject)) {
-		unsigned int i;
-		/*  Found matching subject name, create link.  */
-		map->pSubject = subjNode;
-		/*  Make sure subject entry has cert's key.  */
-		for (i=0; i<subjectEntry->ncerts; i++) {
-		    if (SECITEM_ItemsAreEqual(&certKey,
-		                              &subjectEntry->certKeys[i])) {
-			/*  Found matching cert key.  */
-			smap = (certDBSubjectEntryMap *)subjNode->appData;
-			smap->pCerts[i] = certNode;
-			break;
-		    }
-		}
-	    }
-	}
-    }
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return SECSuccess;
-}
-
-SECStatus
-mapSubjectEntries(certDBArray *dbArray)
-{
-    certDBEntrySubject *subjectEntry;
-    certDBEntryListNode *subjNode;
-    certDBSubjectEntryMap *subjMap;
-    PRCList *sElem;
-
-    for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
-         sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
-	/* Iterate over subject entries and map subjects to nickname
-	 * and smime entries.  The cert<->subject map will be handled
-	 * by a subsequent call to mapCertEntries.
-	 */
-	subjNode = LISTNODE_CAST(sElem);
-	subjectEntry = (certDBEntrySubject *)&subjNode->entry;
-	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
-	/* need to alloc memory here for array of matching certs. */
-	subjMap->pCerts = PORT_ArenaAlloc(subjMap->arena, 
-	                                  subjectEntry->ncerts*sizeof(int));
-	subjMap->numCerts = subjectEntry->ncerts;
-	subjMap->pNickname = NoNickname;
-	subjMap->pSMime = NoSMime;
-
-	if (subjectEntry->nickname) {
-	    /* Subject should have a nickname entry, so create a link. */
-	    PRCList *nElem;
-	    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
-	         nElem != &dbArray->nicknames.link; 
-	         nElem = PR_NEXT_LINK(nElem)) {
-		certDBEntryListNode *nickNode;
-		certDBEntryNickname *nicknameEntry;
-		/*  Look for subject's nickname in nickname entries.  */
-		nickNode = LISTNODE_CAST(nElem);
-		nicknameEntry = (certDBEntryNickname *)&nickNode->entry;
-		if (PL_strcmp(subjectEntry->nickname, 
-		              nicknameEntry->nickname) == 0) {
-		    /*  Found a nickname entry for subject's nickname.  */
-		    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-		                              &nicknameEntry->subjectName)) {
-			certDBEntryMap *nickMap;
-			nickMap = (certDBEntryMap *)nickNode->appData;
-			/*  Nickname and subject match.  */
-			subjMap->pNickname = nickNode;
-			nickMap->pSubject = subjNode;
-		    } else if (subjMap->pNickname == NoNickname) {
-			/*  Nickname entry found is for diff. subject.  */
-			subjMap->pNickname = WrongEntry;
-		    }
-		}
-	    }
-	}
-	if (subjectEntry->emailAddrs) {
-	    unsigned int n;
-	    for (n = 0; n < subjectEntry->nemailAddrs && 
-	                subjectEntry->emailAddrs[n]; ++n) {
-		char * emailAddr = subjectEntry->emailAddrs[n];
-		if (emailAddr[0]) {
-		    PRCList *mElem;
-		    /* Subject should have an smime entry, so create a link. */
-		    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
-			 mElem != &dbArray->smime.link; 
-			 mElem = PR_NEXT_LINK(mElem)) {
-			certDBEntryListNode *smimeNode;
-			certDBEntrySMime *smimeEntry;
-			/*  Look for subject's email in S/MIME entries.  */
-			smimeNode = LISTNODE_CAST(mElem);
-			smimeEntry = (certDBEntrySMime *)&smimeNode->entry;
-			if (PL_strcmp(emailAddr, 
-				      smimeEntry->emailAddr) == 0) {
-			    /*  Found a S/MIME entry for subject's email.  */
-			    if (SECITEM_ItemsAreEqual(
-			    		&subjectEntry->derSubject,
-				        &smimeEntry->subjectName)) {
-				certDBEntryMap *smimeMap;
-				/*  S/MIME entry and subject match.  */
-				subjMap->pSMime = smimeNode;
-				smimeMap = (certDBEntryMap *)smimeNode->appData;
-				smimeMap->pSubject = subjNode;
-			    } else if (subjMap->pSMime == NoSMime) {
-				/*  S/MIME entry found is for diff. subject.  */
-				subjMap->pSMime = WrongEntry;
-			    }
-			}
-		    }   /* end for */
-		}   /* endif (emailAddr[0]) */
-	    }   /* end for */
-	}   /* endif (subjectEntry->emailAddrs) */
-    }
-    return SECSuccess;
-}
-
-void
-printnode(dbDebugInfo *info, const char *str, int num)
-{
-    if (!info->dograph)
-	return;
-    if (num < 0) {
-	PR_fprintf(info->graphfile, str);
-    } else {
-	PR_fprintf(info->graphfile, str, num);
-    }
-}
-
-PRBool
-map_handle_is_ok(dbDebugInfo *info, void *mapPtr, int indent)
-{
-    if (mapPtr == NULL) {
-	if (indent > 0)
-	    printnode(info, "                ", -1);
-	if (indent >= 0)
-	    printnode(info, "******************* ", -1);
-	return PR_FALSE;
-    } else if (mapPtr == WrongEntry) {
-	if (indent > 0)
-	    printnode(info, "                  ", -1);
-	if (indent >= 0)
-	    printnode(info, "??????????????????? ", -1);
-	return PR_FALSE;
-    } else {
-	return PR_TRUE;
-    }
-}
-
-/* these call each other */
-void print_smime_graph(dbDebugInfo *info, certDBEntryMap *smimeMap, 
-                       int direction);
-void print_nickname_graph(dbDebugInfo *info, certDBEntryMap *nickMap, 
-                          int direction);
-void print_subject_graph(dbDebugInfo *info, certDBSubjectEntryMap *subjMap, 
-                         int direction, int optindex, int opttype);
-void print_cert_graph(dbDebugInfo *info, certDBEntryMap *certMap, 
-                      int direction);
-
-/* Given an smime entry, print its unique identifier.  If GOLEFT is 
- * specified, print the cert<-subject<-smime map, else just print
- * the smime entry.
- */
-void
-print_smime_graph(dbDebugInfo *info, certDBEntryMap *smimeMap, int direction)
-{
-    certDBSubjectEntryMap *subjMap;
-    certDBEntryListNode *subjNode;
-    if (direction == GOLEFT) {
-	/* Need to output subject and cert first, see print_subject_graph */
-	subjNode = smimeMap->pSubject;
-	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
-	    subjMap = (certDBSubjectEntryMap *)subjNode->appData; 
-	    print_subject_graph(info, subjMap, GOLEFT,
-	                        smimeMap->index, certDBEntryTypeSMimeProfile);
-	} else {
-	    printnode(info, "<---- S/MIME   %5d   ", smimeMap->index);
-	    info->dbErrors[NoSubjectForSMime]++;
-	}
-    } else {
-	printnode(info, "S/MIME   %5d   ", smimeMap->index);
-    }
-}
-
-/* Given a nickname entry, print its unique identifier.  If GOLEFT is 
- * specified, print the cert<-subject<-nickname map, else just print
- * the nickname entry.
- */
-void
-print_nickname_graph(dbDebugInfo *info, certDBEntryMap *nickMap, int direction)
-{
-    certDBSubjectEntryMap *subjMap;
-    certDBEntryListNode *subjNode;
-    if (direction == GOLEFT) {
-	/* Need to output subject and cert first, see print_subject_graph */
-	subjNode = nickMap->pSubject;
-	if (map_handle_is_ok(info, (void *)subjNode, 1)) {
-	    subjMap = (certDBSubjectEntryMap *)subjNode->appData;
-	    print_subject_graph(info, subjMap, GOLEFT,
-	                        nickMap->index, certDBEntryTypeNickname);
-	} else {
-	    printnode(info, "<---- Nickname %5d   ", nickMap->index);
-	    info->dbErrors[NoSubjectForNickname]++;
-	}
-    } else {
-	printnode(info, "Nickname %5d   ", nickMap->index);
-    }
-}
-
-/* Given a subject entry, if going right print the graph of the nickname|smime
- * that it maps to (by its unique identifier); and if going left
- * print the list of certs that it points to.
- */
-void
-print_subject_graph(dbDebugInfo *info, certDBSubjectEntryMap *subjMap, 
-                    int direction, int optindex, int opttype)
-{
-    certDBEntryMap *map;
-    certDBEntryListNode *node;
-    int i;
-    /* The first line of output always contains the cert id, subject id,
-     * and nickname|smime id.  Subsequent lines may contain additional
-     * cert id's for the subject if going left or both directions.
-     * Ex. of printing the graph for a subject entry:
-     * Cert 3 <- Subject 5 -> Nickname 32
-     * Cert 8 /
-     * Cert 9 /
-     * means subject 5 has 3 certs, 3, 8, and 9, and corresponds
-     * to nickname entry 32.
-     * To accomplish the above, it is required to dump the entire first
-     * line left-to-right, regardless of the input direction, and then
-     * finish up any remaining cert entries.  Hence the code is uglier
-     * than one may expect.
-     */
-    if (direction == GOLEFT || direction == GOBOTH) {
-	/* In this case, nothing should be output until the first cert is
-	 * located and output (cert 3 in the above example).
-	 */
-	if (subjMap->numCerts == 0 || subjMap->pCerts == NULL)
-	    /* XXX uh-oh */
-	    return;
-	/* get the first cert and dump it. */
-	node = subjMap->pCerts[0];
-	if (map_handle_is_ok(info, (void *)node, 0)) {
-	    map = (certDBEntryMap *)node->appData;
-	    /* going left here stops. */
-	    print_cert_graph(info, map, GOLEFT); 
-	} else {
-	    info->dbErrors[SubjectHasNoKeyForCert]++;
-	}
-	/* Now it is safe to output the subject id. */
-	if (direction == GOLEFT)
-	    printnode(info, "Subject  %5d <---- ", subjMap->index);
-	else /* direction == GOBOTH */
-	    printnode(info, "Subject  %5d ----> ", subjMap->index);
-    }
-    if (direction == GORIGHT || direction == GOBOTH) { 
-	/* Okay, now output the nickname|smime for this subject. */
-	if (direction != GOBOTH) /* handled above */
-	   printnode(info, "Subject  %5d ----> ", subjMap->index);
-	if (subjMap->pNickname) {
-	    node = subjMap->pNickname;
-	    if (map_handle_is_ok(info, (void *)node, 0)) {
-		map = (certDBEntryMap *)node->appData;
-		/* going right here stops. */
-		print_nickname_graph(info, map, GORIGHT);
-	    }
-	}
-	if (subjMap->pSMime) {
-	    node = subjMap->pSMime;
-	    if (map_handle_is_ok(info, (void *)node, 0)) {
-		map = (certDBEntryMap *)node->appData;
-		/* going right here stops. */
-		print_smime_graph(info, map, GORIGHT); 
-	    }
-	}
-	if (!subjMap->pNickname && !subjMap->pSMime) {
-	    printnode(info, "******************* ", -1);
-	    info->dbErrors[NoNicknameOrSMimeForSubject]++;
-	}
-	if (subjMap->pNickname && subjMap->pSMime) {
-	    info->dbErrors[NicknameAndSMimeEntries]++;
-	}
-    }
-    if (direction != GORIGHT) { /* going right has only one cert */
-	if (opttype == certDBEntryTypeNickname)
-	    printnode(info, "Nickname %5d   ", optindex);
-	else if (opttype == certDBEntryTypeSMimeProfile)
-	    printnode(info, "S/MIME   %5d   ", optindex);
-	for (i=1 /* 1st one already done */; i<subjMap->numCerts; i++) {
-	    printnode(info, "\n", -1); /* start a new line */
-	    node = subjMap->pCerts[i];
-	    if (map_handle_is_ok(info, (void *)node, 0)) {
-		map = (certDBEntryMap *)node->appData;
-		/* going left here stops. */
-		print_cert_graph(info, map, GOLEFT); 
-		printnode(info, "/", -1);
-	    }
-	}
-    }
-}
-
-/* Given a cert entry, print its unique identifer.  If GORIGHT is specified,
- * print the cert->subject->nickname|smime map, else just print
- * the cert entry.
- */
-void
-print_cert_graph(dbDebugInfo *info, certDBEntryMap *certMap, int direction)
-{
-    certDBSubjectEntryMap *subjMap;
-    certDBEntryListNode *subjNode;
-    if (direction == GOLEFT) {
-	printnode(info, "Cert     %5d <---- ", certMap->index);
-	/* only want cert entry, terminate here. */
-	return;
-    }
-    /* Keep going right then. */
-    printnode(info, "Cert     %5d ----> ", certMap->index);
-    subjNode = certMap->pSubject;
-    if (map_handle_is_ok(info, (void *)subjNode, 0)) {
-	subjMap = (certDBSubjectEntryMap *)subjNode->appData;
-	print_subject_graph(info, subjMap, GORIGHT, -1, -1);
-    } else {
-	info->dbErrors[NoSubjectForCert]++;
-    }
-}
-
-SECStatus
-computeDBGraph(certDBArray *dbArray, dbDebugInfo *info)
-{
-    PRCList *cElem, *sElem, *nElem, *mElem;
-    certDBEntryListNode *node;
-    certDBEntryMap *map;
-    certDBSubjectEntryMap *subjMap;
-
-    /* Graph is of this form:
-     *
-     * certs:
-     * cert ---> subject ---> (nickname|smime)
-     *
-     * subjects:
-     * cert <--- subject ---> (nickname|smime)
-     *
-     * nicknames and smime:
-     * cert <--- subject <--- (nickname|smime)
-     */
-
-    /* Print cert graph. */
-    for (cElem = PR_LIST_HEAD(&dbArray->certs.link);
-         cElem != &dbArray->certs.link; cElem = PR_NEXT_LINK(cElem)) {
-	/* Print graph of everything to right of cert entry. */
-	node = LISTNODE_CAST(cElem);
-	map = (certDBEntryMap *)node->appData;
-	print_cert_graph(info, map, GORIGHT);
-	printnode(info, "\n", -1);
-    }
-    printnode(info, "\n", -1);
-
-    /* Print subject graph. */
-    for (sElem = PR_LIST_HEAD(&dbArray->subjects.link);
-         sElem != &dbArray->subjects.link; sElem = PR_NEXT_LINK(sElem)) {
-	/* Print graph of everything to both sides of subject entry. */
-	node = LISTNODE_CAST(sElem);
-	subjMap = (certDBSubjectEntryMap *)node->appData;
-	print_subject_graph(info, subjMap, GOBOTH, -1, -1);
-	printnode(info, "\n", -1);
-    }
-    printnode(info, "\n", -1);
-
-    /* Print nickname graph. */
-    for (nElem = PR_LIST_HEAD(&dbArray->nicknames.link);
-         nElem != &dbArray->nicknames.link; nElem = PR_NEXT_LINK(nElem)) {
-	/* Print graph of everything to left of nickname entry. */
-	node = LISTNODE_CAST(nElem);
-	map = (certDBEntryMap *)node->appData;
-	print_nickname_graph(info, map, GOLEFT);
-	printnode(info, "\n", -1);
-    }
-    printnode(info, "\n", -1);
-
-    /* Print smime graph. */
-    for (mElem = PR_LIST_HEAD(&dbArray->smime.link);
-         mElem != &dbArray->smime.link; mElem = PR_NEXT_LINK(mElem)) {
-	/* Print graph of everything to left of smime entry. */
-	node = LISTNODE_CAST(mElem);
-	if (node == NULL) break;
-	map = (certDBEntryMap *)node->appData;
-	print_smime_graph(info, map, GOLEFT);
-	printnode(info, "\n", -1);
-    }
-    printnode(info, "\n", -1);
-
-    return SECSuccess;
-}
-
-/*
- * List the entries in the db, showing handles between entry types.
- */
-void
-verboseOutput(certDBArray *dbArray, dbDebugInfo *info)
-{
-    int i, ref;
-    PRCList *elem;
-    certDBEntryListNode *node;
-    certDBEntryMap *map;
-    certDBSubjectEntryMap *smap;
-    certDBEntrySubject *subjectEntry;
-
-    /* List certs */
-    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
-         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	map = (certDBEntryMap *)node->appData;
-	dumpCertEntry((certDBEntryCert*)&node->entry, map->index, info->out);
-	/* walk the cert handle to it's subject entry */
-	if (map_handle_is_ok(info, map->pSubject, -1)) {
-	    smap = (certDBSubjectEntryMap *)map->pSubject->appData;
-	    ref = smap->index;
-	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
-	} else {
-	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
-	}
-    }
-    /* List subjects */
-    for (elem = PR_LIST_HEAD(&dbArray->subjects.link);
-         elem != &dbArray->subjects.link; elem = PR_NEXT_LINK(elem)) {
-	int refs = 0;
-	node = LISTNODE_CAST(elem);
-	subjectEntry = (certDBEntrySubject *)&node->entry;
-	smap = (certDBSubjectEntryMap *)node->appData;
-	dumpSubjectEntry(subjectEntry, smap->index, info->out);
-	/* iterate over subject's certs */
-	for (i=0; i<smap->numCerts; i++) {
-	    /* walk each subject handle to it's cert entries */
-	    if (map_handle_is_ok(info, smap->pCerts[i], -1)) {
-		ref = ((certDBEntryMap *)smap->pCerts[i]->appData)->index;
-		PR_fprintf(info->out, "-->(%d. certificate %d)\n", i, ref);
-	    } else {
-		PR_fprintf(info->out, "-->(%d. MISSING CERT ENTRY)\n", i);
-	    }
-	}
-	if (subjectEntry->nickname) {
-	    ++refs;
-	    /* walk each subject handle to it's nickname entry */
-	    if (map_handle_is_ok(info, smap->pNickname, -1)) {
-		ref = ((certDBEntryMap *)smap->pNickname->appData)->index;
-		PR_fprintf(info->out, "-->(nickname %d)\n", ref);
-	    } else {
-		PR_fprintf(info->out, "-->(MISSING NICKNAME ENTRY)\n");
-	    }
-	}
-	if (subjectEntry->nemailAddrs && 
-	    subjectEntry->emailAddrs &&
-	    subjectEntry->emailAddrs[0] &&
-	    subjectEntry->emailAddrs[0][0]) {
-	    ++refs;
-	    /* walk each subject handle to it's smime entry */
-	    if (map_handle_is_ok(info, smap->pSMime, -1)) {
-		ref = ((certDBEntryMap *)smap->pSMime->appData)->index;
-		PR_fprintf(info->out, "-->(s/mime %d)\n", ref);
-	    } else {
-		PR_fprintf(info->out, "-->(MISSING S/MIME ENTRY)\n");
-	    }
-	}
-	if (!refs) {
-	    PR_fprintf(info->out, "-->(NO NICKNAME+S/MIME ENTRY)\n");
-	}
-	PR_fprintf(info->out, "\n\n");
-    }
-    for (elem = PR_LIST_HEAD(&dbArray->nicknames.link);
-         elem != &dbArray->nicknames.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	map = (certDBEntryMap *)node->appData;
-	dumpNicknameEntry((certDBEntryNickname*)&node->entry, map->index, 
-	                  info->out);
-	if (map_handle_is_ok(info, map->pSubject, -1)) {
-	    ref = ((certDBEntryMap *)map->pSubject->appData)->index;
-	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
-	} else {
-	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
-	}
-    }
-    for (elem = PR_LIST_HEAD(&dbArray->smime.link);
-         elem != &dbArray->smime.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	map = (certDBEntryMap *)node->appData;
-	dumpSMimeEntry((certDBEntrySMime*)&node->entry, map->index, info->out);
-	if (map_handle_is_ok(info, map->pSubject, -1)) {
-	    ref = ((certDBEntryMap *)map->pSubject->appData)->index;
-	    PR_fprintf(info->out, "-->(subject %d)\n\n\n", ref);
-	} else {
-	    PR_fprintf(info->out, "-->(MISSING SUBJECT ENTRY)\n\n\n");
-	}
-    }
-    PR_fprintf(info->out, "\n\n");
-}
-
-
-/* A callback function, intended to be called from nsslowcert_TraverseDBEntries
- * Builds a PRCList of DB entries of the specified type.
- */
-SECStatus 
-SEC_GetCertDBEntryList(SECItem *dbdata, SECItem *dbkey, 
-                       certDBEntryType entryType, void *pdata)
-{
-    certDBEntry         * entry;
-    certDBEntryListNode * node;
-    PRCList             * list = (PRCList *)pdata;
-
-    if (!dbdata || !dbkey || !pdata || !dbdata->data || !dbkey->data) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    entry = nsslowcert_DecodeAnyDBEntry(dbdata, dbkey, entryType, NULL);
-    if (!entry) {
-    	return SECSuccess; /* skip it */
-    }
-    node = PORT_ArenaZNew(entry->common.arena, certDBEntryListNode);
-    if (!node) {
-    	/* DestroyDBEntry(entry); */
-	PLArenaPool *arena = entry->common.arena;
-	PORT_Memset(&entry->common, 0, sizeof entry->common);
-	PORT_FreeArena(arena, PR_FALSE);
-	return SECFailure;
-    }
-    node->entry = *entry;  		/* crude but effective. */
-    PR_INIT_CLIST(&node->link);
-    PR_INSERT_BEFORE(&node->link, list);
-    return SECSuccess;
-}
-
-
-int
-fillDBEntryArray(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, 
-                 certDBEntryListNode *list)
-{
-    PRCList *elem;
-    certDBEntryListNode *node;
-    certDBEntryMap *mnode;
-    certDBSubjectEntryMap *smnode;
-    PRArenaPool *arena;
-    int count = 0;
-
-    /* Initialize a dummy entry in the list.  The list head will be the
-     * next element, so this element is skipped by for loops.
-     */
-    PR_INIT_CLIST((PRCList *)list);
-    /* Collect all of the cert db entries for this type into a list. */
-    nsslowcert_TraverseDBEntries(handle, type, SEC_GetCertDBEntryList, list);
-
-    for (elem = PR_LIST_HEAD(&list->link); 
-         elem != &list->link; elem = PR_NEXT_LINK(elem)) {
-	/* Iterate over the entries and ... */
-	node = (certDBEntryListNode *)elem;
-	if (type != certDBEntryTypeSubject) {
-	    arena = PORT_NewArena(sizeof(*mnode));
-	    mnode = PORT_ArenaZNew(arena, certDBEntryMap);
-	    mnode->arena = arena;
-	    /* ... assign a unique index number to each node, and ... */
-	    mnode->index = count;
-	    /* ... set the map pointer for the node. */
-	    node->appData = (void *)mnode;
-	} else {
-	    /* allocate some room for the cert pointers also */
-	    arena = PORT_NewArena(sizeof(*smnode) + 20*sizeof(void *));
-	    smnode = PORT_ArenaZNew(arena, certDBSubjectEntryMap);
-	    smnode->arena = arena;
-	    smnode->index = count;
-	    node->appData = (void *)smnode;
-	}
-	count++;
-    }
-    return count;
-}
-
-void
-freeDBEntryList(PRCList *list)
-{
-    PRCList *next, *elem;
-    certDBEntryListNode *node;
-    certDBEntryMap *map;
-
-    for (elem = PR_LIST_HEAD(list); elem != list;) { 
-	next = PR_NEXT_LINK(elem);
-	node = (certDBEntryListNode *)elem;
-	map = (certDBEntryMap *)node->appData;
-	PR_REMOVE_LINK(&node->link);
-	PORT_FreeArena(map->arena, PR_TRUE);
-	PORT_FreeArena(node->entry.common.arena, PR_TRUE);
-	elem = next;
-    }
-}
-
-void
-DBCK_DebugDB(NSSLOWCERTCertDBHandle *handle, PRFileDesc *out, 
-	     PRFileDesc *mailfile)
-{
-    int i, nCertsFound, nSubjFound, nErr;
-    int nCerts, nSubjects, nSubjCerts, nNicknames, nSMime, nRevocation;
-    PRCList *elem;
-    char c;
-    dbDebugInfo info;
-    certDBArray dbArray;
-
-    PORT_Memset(&dbArray, 0, sizeof(dbArray));
-    PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (PRBool)(out != NULL);
-    info.dograph = info.verbose;
-    info.out       = (out)    ? out      : PR_STDOUT;
-    info.graphfile = mailfile ? mailfile : PR_STDOUT;
-
-    /*  Fill the array structure with cert/subject/nickname/smime entries.  */
-    dbArray.numCerts     = fillDBEntryArray(handle, certDBEntryTypeCert, 
-                                            &dbArray.certs);
-    dbArray.numSubjects  = fillDBEntryArray(handle, certDBEntryTypeSubject, 
-                                            &dbArray.subjects);
-    dbArray.numNicknames = fillDBEntryArray(handle, certDBEntryTypeNickname, 
-                                            &dbArray.nicknames);
-    dbArray.numSMime     = fillDBEntryArray(handle, certDBEntryTypeSMimeProfile, 
-                                            &dbArray.smime);
-    dbArray.numRevocation= fillDBEntryArray(handle, certDBEntryTypeRevocation, 
-                                            &dbArray.revocation);
-
-    /*  Compute the map between the database entries.  */
-    mapSubjectEntries(&dbArray);
-    mapCertEntries(&dbArray);
-    computeDBGraph(&dbArray, &info);
-
-    /*  Store the totals for later reference.  */
-    nCerts     = dbArray.numCerts;
-    nSubjects  = dbArray.numSubjects;
-    nNicknames = dbArray.numNicknames;
-    nSMime     = dbArray.numSMime;
-    nRevocation= dbArray.numRevocation;
-    nSubjCerts = 0;
-    for (elem = PR_LIST_HEAD(&dbArray.subjects.link);
-         elem != &dbArray.subjects.link; elem = PR_NEXT_LINK(elem)) {
-	certDBSubjectEntryMap *smap;
-	smap = (certDBSubjectEntryMap *)LISTNODE_CAST(elem)->appData;
-	nSubjCerts += smap->numCerts;
-    }
-
-    if (info.verbose) {
-	/*  Dump the database contents.  */
-	verboseOutput(&dbArray, &info);
-    }
-
-    freeDBEntryList(&dbArray.certs.link);
-    freeDBEntryList(&dbArray.subjects.link);
-    freeDBEntryList(&dbArray.nicknames.link);
-    freeDBEntryList(&dbArray.smime.link);
-    freeDBEntryList(&dbArray.revocation.link);
-
-    PR_fprintf(info.out, "\n");
-    PR_fprintf(info.out, "Database statistics:\n");
-    PR_fprintf(info.out, "N0: Found %4d Certificate entries.\n", 
-                          nCerts);
-    PR_fprintf(info.out, "N1: Found %4d Subject entries (unique DN's).\n", 
-                          nSubjects);
-    PR_fprintf(info.out, "N2: Found %4d Cert keys within Subject entries.\n", 
-                          nSubjCerts);
-    PR_fprintf(info.out, "N3: Found %4d Nickname entries.\n", 
-                          nNicknames);
-    PR_fprintf(info.out, "N4: Found %4d S/MIME entries.\n", 
-                          nSMime);
-    PR_fprintf(info.out, "N5: Found %4d CRL entries.\n", 
-                          nRevocation);
-    PR_fprintf(info.out, "\n");
-
-    nErr = 0;
-    for (i=0; i < NUM_ERROR_TYPES; i++) {
-	PR_fprintf(info.out, "E%d: Found %4d %s\n", 
-	           i, info.dbErrors[i], errResult[i]);
-	nErr += info.dbErrors[i];
-    }
-    PR_fprintf(info.out, "--------------\n    Found %4d errors in database.\n", 
-               nErr);
-
-    PR_fprintf(info.out, "\nCertificates:\n");
-    PR_fprintf(info.out, "N0 == N2 + E%d + E%d\n", NoSubjectForCert, 
-                                                   SubjectHasNoKeyForCert);
-    nCertsFound = nSubjCerts +
-                  info.dbErrors[NoSubjectForCert] +
-                  info.dbErrors[SubjectHasNoKeyForCert];
-    c = (nCertsFound == nCerts) ? '=' : '!';
-    PR_fprintf(info.out, "%d %c= %d + %d + %d\n", nCerts, c, nSubjCerts, 
-                  info.dbErrors[NoSubjectForCert],
-                  info.dbErrors[SubjectHasNoKeyForCert]);
-    PR_fprintf(info.out, "\nSubjects:\n");
-    PR_fprintf(info.out, 
-    "N1 == N3 + N4 + E%d + E%d + E%d + E%d + E%d - E%d - E%d - E%d\n",
-                  NoNicknameOrSMimeForSubject, 
-		  WrongNicknameForSubject,
-		  NoNicknameEntry, 
-		  WrongSMimeForSubject, 
-		  NoSMimeEntry,
-		  NoSubjectForNickname, 
-		  NoSubjectForSMime,
-		  NicknameAndSMimeEntries);
-    nSubjFound = nNicknames + nSMime + 
-                 info.dbErrors[NoNicknameOrSMimeForSubject] +
-		 info.dbErrors[WrongNicknameForSubject] +
-		 info.dbErrors[NoNicknameEntry] +
-		 info.dbErrors[WrongSMimeForSubject] +
-                 info.dbErrors[NoSMimeEntry] -
-		 info.dbErrors[NoSubjectForNickname] -
-		 info.dbErrors[NoSubjectForSMime] -
-		 info.dbErrors[NicknameAndSMimeEntries];
-    c = (nSubjFound == nSubjects) ? '=' : '!';
-    PR_fprintf(info.out, 
-    "%2d %c= %2d + %2d + %2d + %2d + %2d + %2d + %2d - %2d - %2d - %2d\n",
-                  nSubjects, c, nNicknames, nSMime,
-                  info.dbErrors[NoNicknameOrSMimeForSubject],
-		  info.dbErrors[WrongNicknameForSubject],
-		  info.dbErrors[NoNicknameEntry],
-		  info.dbErrors[WrongSMimeForSubject],
-                  info.dbErrors[NoSMimeEntry],
-		  info.dbErrors[NoSubjectForNickname],
-		  info.dbErrors[NoSubjectForSMime],
-		  info.dbErrors[NicknameAndSMimeEntries]);
-    PR_fprintf(info.out, "\n");
-}
-
-#ifdef DORECOVER
-#include "dbrecover.c"
-#endif /* DORECOVER */
-
-enum {
-    cmd_Debug = 0,
-    cmd_LongUsage,
-    cmd_Recover
-};
-
-enum {
-    opt_KeepAll = 0,
-    opt_CertDir,
-    opt_Dumpfile,
-    opt_InputDB,
-    opt_OutputDB,
-    opt_Mailfile,
-    opt_Prompt,
-    opt_KeepRedundant,
-    opt_KeepNoSMimeProfile,
-    opt_Verbose,
-    opt_KeepExpired
-};
-
-static secuCommandFlag dbck_commands[] =
-{
-    { /* cmd_Debug,    */  'D', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_LongUsage,*/  'H', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_Recover,  */  'R', PR_FALSE, 0, PR_FALSE }
-};
-
-static secuCommandFlag dbck_options[] =
-{
-    { /* opt_KeepAll,           */  'a', PR_FALSE, 0, PR_FALSE },
-    { /* opt_CertDir,           */  'd', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Dumpfile,          */  'f', PR_TRUE,  0, PR_FALSE },
-    { /* opt_InputDB,           */  'i', PR_TRUE,  0, PR_FALSE },
-    { /* opt_OutputDB,          */  'o', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Mailfile,          */  'm', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Prompt,            */  'p', PR_FALSE, 0, PR_FALSE },
-    { /* opt_KeepRedundant,     */  'r', PR_FALSE, 0, PR_FALSE },
-    { /* opt_KeepNoSMimeProfile,*/  's', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Verbose,           */  'v', PR_FALSE, 0, PR_FALSE },
-    { /* opt_KeepExpired,       */  'x', PR_FALSE, 0, PR_FALSE }
-};
-
-#define CERT_DB_FMT "%s/cert%s.db"
-
-static char *
-dbck_certdb_name_cb(void *arg, int dbVersion)
-{
-    const char *configdir = (const char *)arg;
-    const char *dbver;
-    char *smpname = NULL;
-    char *dbname = NULL;
-
-    switch (dbVersion) {
-      case 8:
-	dbver = "8";
-	break;
-      case 7:
-	dbver = "7";
-	break;
-      case 6:
-	dbver = "6";
-	break;
-      case 5:
-	dbver = "5";
-	break;
-      case 4:
-      default:
-	dbver = "";
-	break;
-    }
-
-    /* make sure we return something allocated with PORT_ so we have properly
-     * matched frees at the end */
-    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
-    if (smpname) {
-	dbname = PORT_Strdup(smpname);
-	PR_smprintf_free(smpname);
-    }
-    return dbname;
-}
-    
-
-int 
-main(int argc, char **argv)
-{
-    NSSLOWCERTCertDBHandle *certHandle;
-
-    PRFileDesc *mailfile = NULL;
-    PRFileDesc *dumpfile = NULL;
-
-    char * pathname     = 0;
-    char * fullname     = 0;
-    char * newdbname    = 0;
-
-    PRBool removeExpired, requireProfile, singleEntry;
-    SECStatus   rv;
-    secuCommand dbck;
-
-    dbck.numCommands = sizeof(dbck_commands) / sizeof(secuCommandFlag);
-    dbck.numOptions = sizeof(dbck_options) / sizeof(secuCommandFlag);
-    dbck.commands = dbck_commands;
-    dbck.options = dbck_options;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &dbck);
-
-    if (rv != SECSuccess)
-	Usage(progName);
-
-    if (dbck.commands[cmd_LongUsage].activated)
-	LongUsage(progName);
-
-    if (!dbck.commands[cmd_Debug].activated &&
-        !dbck.commands[cmd_Recover].activated) {
-	PR_fprintf(PR_STDERR, "Please specify -H, -D or -R.\n");
-	Usage(progName);
-    }
-
-    removeExpired = !(dbck.options[opt_KeepAll].activated ||
-                      dbck.options[opt_KeepExpired].activated);
-
-    requireProfile = !(dbck.options[opt_KeepAll].activated ||
-                    dbck.options[opt_KeepNoSMimeProfile].activated);
-
-    singleEntry = !(dbck.options[opt_KeepAll].activated ||
-                    dbck.options[opt_KeepRedundant].activated);
-
-    if (dbck.options[opt_OutputDB].activated) {
-	newdbname = PL_strdup(dbck.options[opt_OutputDB].arg);
-    } else {
-	newdbname = PL_strdup("new_cert8.db");
-    }
-
-    /*  Create a generic graph of the database.  */
-    if (dbck.options[opt_Mailfile].activated) {
-	mailfile = PR_Open("./mailfile", PR_RDWR | PR_CREATE_FILE, 00660);
-	if (!mailfile) {
-	    fprintf(stderr, "Unable to create mailfile.\n");
-	    return -1;
-	}
-    }
-
-    /*  Dump all debugging info while running.  */
-    if (dbck.options[opt_Verbose].activated) {
-	if (dbck.options[opt_Dumpfile].activated) {
-	    dumpfile = PR_Open(dbck.options[opt_Dumpfile].arg,
-	                       PR_RDWR | PR_CREATE_FILE, 00660);
-	    if (!dumpfile) {
-		fprintf(stderr, "Unable to create dumpfile.\n");
-		return -1;
-	    }
-	} else {
-	    dumpfile = PR_STDOUT;
-	}
-    }
-
-    /*  Set the cert database directory.  */
-    if (dbck.options[opt_CertDir].activated) {
-	SECU_ConfigDirectory(dbck.options[opt_CertDir].arg);
-    }
-
-    pathname = SECU_ConfigDirectory(NULL);
-
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_NoDB_Init(pathname);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "NSS_NoDB_Init failed\n");
-	return -1;
-    }
-
-    certHandle = PORT_ZNew(NSSLOWCERTCertDBHandle);
-    if (!certHandle) {
-	SECU_PrintError(progName, "unable to get database handle");
-	return -1;
-    }
-    certHandle->ref = 1;
-
-#ifdef NOTYET
-    /*  Open the possibly corrupt database.  */
-    if (dbck.options[opt_InputDB].activated) {
-	PRFileInfo fileInfo;
-	fullname = PR_smprintf("%s/%s", pathname, 
-	                                dbck.options[opt_InputDB].arg);
-	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
-	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
-	    return -1;
-	}
-	rv = CERT_OpenCertDBFilename(certHandle, fullname, PR_TRUE);
-    } else 
-#endif
-    {
-	/*  Use the default.  */
-#ifdef NOTYET
-	fullname = SECU_CertDBNameCallback(NULL, CERT_DB_FILE_VERSION);
-	if (PR_GetFileInfo(fullname, &fileInfo) != PR_SUCCESS) {
-	    fprintf(stderr, "Unable to read file \"%s\".\n", fullname);
-	    return -1;
-	}
-#endif
-	rv = nsslowcert_OpenCertDB(certHandle, 
-	                           PR_TRUE, 		    /* readOnly */
-				   NULL,                    /* rdb appName */
-				   "",                      /* rdb prefix */
-	                           dbck_certdb_name_cb,     /* namecb */
-				   pathname, 		    /* configDir */
-				   PR_FALSE);		    /* volatile */
-    }
-
-    if (rv) {
-	SECU_PrintError(progName, "unable to open cert database");
-	return -1;
-    }
-
-    if (dbck.commands[cmd_Debug].activated) {
-	DBCK_DebugDB(certHandle, dumpfile, mailfile);
-	return 0;
-    }
-
-#ifdef DORECOVER
-    if (dbck.commands[cmd_Recover].activated) {
-	DBCK_ReconstructDBFromCerts(certHandle, newdbname,
-	                            dumpfile, removeExpired, 
-	                            requireProfile, singleEntry, 
-	                            dbck.options[opt_Prompt].activated);
-	return 0;
-    }
-#endif
-
-    if (mailfile)
-	PR_Close(mailfile);
-    if (dumpfile)
-	PR_Close(dumpfile);
-    if (certHandle) {
-	nsslowcert_ClosePermCertDB(certHandle);
-	PORT_Free(certHandle);
-    }
-    return -1;
-}
diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c
deleted file mode 100644
index db65d0e5c..000000000
--- a/security/nss/cmd/dbck/dbrecover.c
+++ /dev/null
@@ -1,702 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-enum {
-    dbInvalidCert = 0,
-    dbNoSMimeProfile,
-    dbOlderCert,
-    dbBadCertificate,
-    dbCertNotWrittenToDB
-};
-
-typedef struct dbRestoreInfoStr
-{
-    NSSLOWCERTCertDBHandle *handle;
-    PRBool verbose;
-    PRFileDesc *out;
-    int nCerts;
-    int nOldCerts;
-    int dbErrors[5];
-    PRBool removeType[3];
-    PRBool promptUser[3];
-} dbRestoreInfo;
-
-char *
-IsEmailCert(CERTCertificate *cert)
-{
-    char *email, *tmp1, *tmp2;
-    PRBool isCA;
-    int len;
-
-    if (!cert->subjectName) {
-	return NULL;
-    }
-
-    tmp1 = PORT_Strstr(cert->subjectName, "E=");
-    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
-    /* XXX Nelson has cert for KTrilli which does not have either
-     * of above but is email cert (has cert->emailAddr). 
-     */
-    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
-	return NULL;
-    }
-
-    /*  Server or CA cert, not personal email.  */
-    isCA = CERT_IsCACert(cert, NULL);
-    if (isCA)
-	return NULL;
-
-    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
-	but doesn't appear to. */
-    /*  Check the key usage extension.  */
-    if (cert->keyUsagePresent) {
-	/*  Must at least be able to sign or encrypt (not neccesarily
-	 *  both if it is one of a dual cert).  
-	 */
-	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
-              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
-	    return NULL;
-
-	/*  CA cert, not personal email.  */
-	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
-	    return NULL;
-    }
-
-    if (cert->emailAddr && cert->emailAddr[0]) {
-	email = PORT_Strdup(cert->emailAddr);
-    } else {
-	if (tmp1)
-	    tmp1 += 2; /* "E="  */
-	else
-	    tmp1 = tmp2 + 5; /* "MAIL=" */
-	len = strcspn(tmp1, ", ");
-	email = (char*)PORT_Alloc(len+1);
-	PORT_Strncpy(email, tmp1, len);
-	email[len] = '\0';
-    }
-
-    return email;
-}
-
-SECStatus
-deleteit(CERTCertificate *cert, void *arg)
-{
-    return SEC_DeletePermCertificate(cert);
-}
-
-/*  Different than DeleteCertificate - has the added bonus of removing
- *  all certs with the same DN.  
- */
-SECStatus
-deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
-                        PRFileDesc *outfile)
-{
-#if 0
-    certDBEntrySubject *subjectEntry;
-    certDBEntryNickname *nicknameEntry;
-    certDBEntrySMime *smimeEntry;
-    int i;
-#endif
-
-    if (outfile) {
-	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
-	PR_fprintf(outfile, "Deleting redundant certificate:\n");
-	dumpCertificate(cert, -1, outfile);
-    }
-
-    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
-#if 0
-    CERT_LockDB(handle);
-    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
-    /*  It had better be there, or created a bad db.  */
-    PORT_Assert(subjectEntry);
-    for (i=0; i<subjectEntry->ncerts; i++) {
-	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
-    }
-    DeleteDBSubjectEntry(handle, &cert->derSubject);
-    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
-	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
-	if (smimeEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &smimeEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	}
-    }
-    if (subjectEntry->nickname) {
-	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
-	if (nicknameEntry) {
-	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
-	                              &nicknameEntry->subjectName))
-		/*  Only delete it if it's for this subject!  */
-		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
-	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
-	}
-    }
-    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
-    CERT_UnlockDB(handle);
-#endif
-    return SECSuccess;
-}
-
-void
-getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
-{
-    int j, num;
-    char *numstr, *numend, *end;
-
-    numstr = numlist;
-    end = numstr + len - 1;
-    while (numstr != end) {
-	numend = strpbrk(numstr, ", \n");
-	*numend = '\0';
-	if (PORT_Strlen(numstr) == 0)
-	    return;
-	num = PORT_Atoi(numstr);
-	if (numstr == numlist)
-	    certNums[0] = num;
-	for (j=1; j<nCerts+1; j++) {
-	    if (num == certNums[j]) {
-		certNums[j] = -1;
-		break;
-	    }
-	}
-	if (numend == end)
-	    break;
-	numstr = strpbrk(numend+1, "0123456789");
-    }
-}
-
-PRBool
-userSaysDeleteCert(CERTCertificate **certs, int nCerts,
-                   int errtype, dbRestoreInfo *info, int *certNums)
-{
-    char response[32];
-    int32 nb;
-    int i;
-    /*  User wants to remove cert without prompting.  */
-    if (info->promptUser[errtype] == PR_FALSE)
-	return (info->removeType[errtype]);
-    switch (errtype) {
-    case dbInvalidCert:
-	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
-	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
-	break;
-    case dbNoSMimeProfile:
-	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
-	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
-	dumpCertificate(certs[0], -1, PR_STDOUT);
-	PR_fprintf(PR_STDOUT,
-	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
-	break;
-    case dbOlderCert:
-	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
-	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
-	for (i=0; i<nCerts; i++)
-	    dumpCertificate(certs[i], i, PR_STDOUT);
-	PR_fprintf(PR_STDOUT, 
-	"Enter the certs you would like to keep from those listed above.\n");
-	PR_fprintf(PR_STDOUT, 
-	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
-	PR_fprintf(PR_STDOUT, 
-	"The first cert in the list will be the primary cert\n");
-	PR_fprintf(PR_STDOUT, 
-	" accessed by the nickname/email handle.\n");
-	PR_fprintf(PR_STDOUT, 
-	"List cert numbers to keep here, or hit enter\n");
-	PR_fprintf(PR_STDOUT, 
-	" to always keep only the newest cert:  ");
-	break;
-    default:
-    }
-    nb = PR_Read(PR_STDIN, response, sizeof(response));
-    PR_fprintf(PR_STDOUT, "\n\n");
-    if (errtype == dbOlderCert) {
-	if (!isdigit(response[0])) {
-	    info->promptUser[errtype] = PR_FALSE;
-	    info->removeType[errtype] = PR_TRUE;
-	    return PR_TRUE;
-	}
-	getCertsToDelete(response, nb, certNums, nCerts);
-	return PR_TRUE;
-    }
-    /*  User doesn't want to be prompted for this type anymore.  */
-    if (response[0] == 'Y') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_FALSE;
-	return PR_FALSE;
-    } else if (response[0] == 'N') {
-	info->promptUser[errtype] = PR_FALSE;
-	info->removeType[errtype] = PR_TRUE;
-	return PR_TRUE;
-    }
-    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
-}
-
-SECStatus
-addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
-            NSSLOWCERTCertDBHandle *oldhandle)
-{
-    SECStatus rv = SECSuccess;
-    PRBool allowOverride;
-    PRBool userCert;
-    SECCertTimeValidity validity;
-    CERTCertificate *oldCert = NULL;
-    CERTCertificate *dbCert = NULL;
-    CERTCertificate *newCert = NULL;
-    CERTCertTrust *trust;
-    certDBEntrySMime *smimeEntry = NULL;
-    char *email = NULL;
-    char *nickname = NULL;
-    int nCertsForSubject = 1;
-
-    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
-                                        certEntry->nickname);
-    if (!oldCert) {
-	info->dbErrors[dbBadCertificate]++;
-	SEC_DestroyDBEntry((certDBEntry*)certEntry);
-	return SECSuccess;
-    }
-
-    oldCert->dbEntry = certEntry;
-    oldCert->trust = &certEntry->trust;
-    oldCert->dbhandle = oldhandle;
-
-    trust = oldCert->trust;
-
-    info->nOldCerts++;
-
-    if (info->verbose)
-	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
-
-    if (oldCert->nickname)
-	nickname = PORT_Strdup(oldCert->nickname);
-
-    /*  Always keep user certs.  Skip ahead.  */
-    /*  XXX if someone sends themselves a signed message, it is possible
-	for their cert to be imported as an "other" cert, not a user cert.
-	this mucks with smime entries...  */
-    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-    if (userCert)
-	goto createcert;
-
-    /*  If user chooses so, ignore expired certificates.  */
-    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
-                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
-    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
-    /*  If cert expired and user wants to delete it, ignore it. */
-    if ((validity != secCertTimeValid) && 
-	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
-	info->dbErrors[dbInvalidCert]++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Deleting expired certificate:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-
-    /*  New database will already have default certs, don't attempt
-	to overwrite them.  */
-    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
-    if (dbCert) {
-	info->nCerts++;
-	if (info->verbose) {
-	    PR_fprintf(info->out, "Added certificate to database:\n");
-	    dumpCertificate(oldCert, -1, info->out);
-	}
-	goto cleanup;
-    }
-    
-    /*  Determine if cert is S/MIME and get its email if so.  */
-    email = IsEmailCert(oldCert);
-
-    /*
-	XXX  Just create empty profiles?
-    if (email) {
-	SECItem *profile = CERT_FindSMimeProfile(oldCert);
-	if (!profile &&
-	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
-	    info->dbErrors[dbNoSMimeProfile]++;
-	    if (info->verbose) {
-		PR_fprintf(info->out, 
-		           "Deleted cert missing S/MIME profile.\n");
-		dumpCertificate(oldCert, -1, info->out);
-	    }
-	    goto cleanup;
-	} else {
-	    SECITEM_FreeItem(profile);
-	}
-    }
-    */
-
-createcert:
-
-    /*  Sometimes happens... */
-    if (!nickname && userCert)
-	nickname = PORT_Strdup(oldCert->subjectName);
-
-    /*  Create a new certificate, copy of the old one.  */
-    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
-                                      nickname, PR_FALSE, PR_TRUE);
-    if (!newCert) {
-	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbBadCertificate]++;
-	goto cleanup;
-    }
-
-    /*  Add the cert to the new database.  */
-    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
-    if (rv) {
-	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
-	dumpCertificate(oldCert, -1, PR_STDERR);
-	info->dbErrors[dbCertNotWrittenToDB]++;
-	goto cleanup;
-    }
-
-    if (info->verbose) {
-	PR_fprintf(info->out, "Added certificate to database:\n");
-	dumpCertificate(oldCert, -1, info->out);
-    }
-
-    /*  If the cert is an S/MIME cert, and the first with it's subject,
-     *  modify the subject entry to include the email address,
-     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
-     */
-    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
-#if 0
-	UpdateSubjectWithEmailAddr(newCert, email);
-#endif
-	SECItem emailProfile, profileTime;
-	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
-	/*  calls UpdateSubjectWithEmailAddr  */
-	if (rv == SECSuccess)
-	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
-    }
-
-    info->nCerts++;
-
-cleanup:
-
-    if (nickname)
-	PORT_Free(nickname);
-    if (email)
-	PORT_Free(email);
-    if (oldCert)
-	CERT_DestroyCertificate(oldCert);
-    if (dbCert)
-	CERT_DestroyCertificate(dbCert);
-    if (newCert)
-	CERT_DestroyCertificate(newCert);
-    if (smimeEntry)
-	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-    return SECSuccess;
-}
-
-#if 0
-SECStatus
-copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
-{
-    SECStatus rv;
-    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
-    certDBEntryCommon common;
-    SECItem dbkey;
-
-    common.type = type;
-    common.version = CERT_DB_FILE_VERSION;
-    common.flags = data->data[2];
-    common.arena = NULL;
-
-    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
-    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
-    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
-    dbkey.data[0] = type;
-
-    rv = WriteDBEntry(newdb, &common, &dbkey, data);
-
-    PORT_Free(dbkey.data);
-    return rv;
-}
-#endif
-
-int
-certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
-{
-    return !CERT_IsNewer(*cert1, *cert2);
-}
-
-int
-findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
-                          certDBArray *dbArray, dbRestoreInfo *info,
-                          int *subjectWithSMime, int *smimeForSubject)
-{
-    int newestSubject;
-    int subjectsForEmail[50];
-    int i, j, ns, sNum;
-    certDBEntryListNode *subjects = &dbArray->subjects;
-    certDBEntryListNode *smime = &dbArray->smime;
-    certDBEntrySubject *subjectEntry1, *subjectEntry2;
-    certDBEntrySMime *smimeEntry;
-    CERTCertificate **certs;
-    CERTCertificate *cert;
-    CERTCertTrust *trust;
-    PRBool userCert;
-    int *certNums;
-
-    ns = 0;
-    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
-    subjectsForEmail[ns++] = subjectNum;
-
-    *subjectWithSMime = -1;
-    *smimeForSubject = -1;
-    newestSubject = subjectNum;
-
-    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-    if (cert) {
-	trust = cert->trust;
-	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
-	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
-	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
-	CERT_DestroyCertificate(cert);
-    }
-
-    /*
-     * XXX Should we make sure that subjectEntry1->emailAddr is not
-     * a null pointer or an empty string before going into the next
-     * two for loops, which pass it to PORT_Strcmp?
-     */
-
-    /*  Loop over the remaining subjects.  */
-    for (i=subjectNum+1; i<subjects.numEntries; i++) {
-	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
-	if (!subjectEntry2)
-	    continue;
-	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
-	     PORT_Strcmp(subjectEntry1->emailAddr, 
-	                 subjectEntry2->emailAddr) == 0) {
-	    /*  Found a subject using the same email address.  */
-	    subjectsForEmail[ns++] = i;
-	}
-    }
-
-    /*  Find the S/MIME entry for this email address.  */
-    for (i=0; i<smime.numEntries; i++) {
-	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
-	if (smimeEntry->common.arena == NULL)
-	    continue;
-	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
-	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
-	    /*  Find which of the subjects uses this S/MIME entry.  */
-	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
-		sNum = subjectsForEmail[j];
-		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
-		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
-		                          &subjectEntry2->derSubject)) {
-		    /*  Found the subject corresponding to the S/MIME entry. */
-		    *subjectWithSMime = sNum;
-		    *smimeForSubject = i;
-		}
-	    }
-	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
-	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
-	    break;
-	}
-    }
-
-    if (ns <= 1)
-	return subjectNum;
-
-    if (userCert)
-	return *subjectWithSMime;
-
-    /*  Now find which of the subjects has the newest cert.  */
-    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
-    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
-    certNums[0] = 0;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
-	certNums[i+1] = i;
-    }
-    /*  Sort the array by validity.  */
-    qsort(certs, ns, sizeof(CERTCertificate*), 
-          (int (*)(const void *, const void *))certIsOlder);
-    newestSubject = -1;
-    for (i=0; i<ns; i++) {
-	sNum = subjectsForEmail[i];
-	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
-	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
-	                          &certs[0]->derSubject))
-	    newestSubject = sNum;
-	else
-	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
-    }
-    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
-	for (i=1; i<ns+1; i++) {
-	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
-		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
-		info->dbErrors[dbOlderCert]++;
-	    }
-	}
-    }
-    CERT_DestroyCertArray(certs, ns);
-    return newestSubject;
-}
-
-NSSLOWCERTCertDBHandle *
-DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
-                            PRFileDesc *outfile, PRBool removeExpired,
-                            PRBool requireProfile, PRBool singleEntry,
-                            PRBool promptUser)
-{
-    SECStatus rv;
-    dbRestoreInfo info;
-    certDBEntryContentVersion *oldContentVersion;
-    certDBArray dbArray;
-    int i;
-
-    PORT_Memset(&dbArray, 0, sizeof(dbArray));
-    PORT_Memset(&info, 0, sizeof(info));
-    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
-    info.out = (outfile) ? outfile : PR_STDOUT;
-    info.removeType[dbInvalidCert] = removeExpired;
-    info.removeType[dbNoSMimeProfile] = requireProfile;
-    info.removeType[dbOlderCert] = singleEntry;
-    info.promptUser[dbInvalidCert]  = promptUser;
-    info.promptUser[dbNoSMimeProfile]  = promptUser;
-    info.promptUser[dbOlderCert]  = promptUser;
-
-    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
-    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
-    if (!info.handle) {
-	fprintf(stderr, "unable to get database handle");
-	return NULL;
-    }
-
-    /*  Create a certdb with the most recent set of roots.  */
-    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
-
-    if (rv) {
-	fprintf(stderr, "could not open certificate database");
-	goto loser;
-    }
-
-    /*  Create certificate, subject, nickname, and email records.
-     *  mcom_db seems to have a sequential access bug.  Though reads and writes
-     *  should be allowed during traversal, they seem to screw up the sequence.
-     *  So, stuff all the cert entries into an array, and loop over the array
-     *  doing read/writes in the db.
-     */
-    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
-    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
-         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
-	node = LISTNODE_CAST(elem);
-	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
-	/* entries get destroyed in addCertToDB */
-    }
-#if 0
-    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
-                               copyDBEntry, info.handle);
-#endif
-
-    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
-     *  Create S/MIME entries for S/MIME certs.
-     *  Have the S/MIME entry point to the last-expiring cert using
-     *  an email address.
-     */
-#if 0
-    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
-#endif
-
-    freeDBEntryList(&dbArray.certs.link);
-
-    /*  Copy over the version record.  */
-    /*  XXX Already exists - and _must_ be correct... */
-    /*
-    versionEntry = ReadDBVersionEntry(oldhandle);
-    rv = WriteDBVersionEntry(info.handle, versionEntry);
-    */
-
-    /*  Copy over the content version record.  */
-    /*  XXX Can probably get useful info from old content version?
-     *      Was this db created before/after this tool?  etc.
-     */
-#if 0
-    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
-    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
-#endif
-
-#if 0
-    /*  Copy over the CRL & KRL records.  */
-    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
-                               copyDBEntry, info.handle);
-    /*  XXX Only one KRL, just do db->get? */
-    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
-                               copyDBEntry, info.handle);
-#endif
-
-    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
-
-    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
-    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
-                       info.dbErrors[dbInvalidCert]);
-    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
-                       info.dbErrors[dbNoSMimeProfile]);
-    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
-                       info.dbErrors[dbOlderCert]);
-    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
-                       info.dbErrors[dbBadCertificate]);
-    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
-                       info.dbErrors[dbCertNotWrittenToDB]);
-
-    if (rv)
-	goto loser;
-
-    return info.handle;
-
-loser:
-    if (info.handle) 
-	PORT_Free(info.handle);
-    return NULL;
-}
-
diff --git a/security/nss/cmd/dbck/manifest.mn b/security/nss/cmd/dbck/manifest.mn
deleted file mode 100644
index c2405be5f..000000000
--- a/security/nss/cmd/dbck/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20 
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = \
-	dbck.c \
-	$(NULL)
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = dbm seccmd
-
-PROGRAM = dbck
-USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/dbtest/Makefile b/security/nss/cmd/dbtest/Makefile
deleted file mode 100644
index 297114522..000000000
--- a/security/nss/cmd/dbtest/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#include ../platlibs.mk
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/dbtest/dbtest.c b/security/nss/cmd/dbtest/dbtest.c
deleted file mode 100644
index fbcd4c53e..000000000
--- a/security/nss/cmd/dbtest/dbtest.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sonja Mirtitsch Sun Microsystems
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** dbtest.c
-**
-** QA test for cert and key databases, especially to open
-** database readonly (NSS_INIT_READONLY) and force initializations
-** even if the databases cannot be opened (NSS_INIT_FORCEOPEN)
-**
-*/
-#include <stdio.h>
-#include <string.h>
-
-#if defined(WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-#include "secutil.h"
-#include "pk11pub.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "certdb.h"
-#include "nss.h"
-#include "../modutil/modutil.h"
-
-#include "plgetopt.h"
-
-static char *progName;
-
-char *dbDir  =  NULL;
-
-static char *dbName[]={"secmod.db", "cert8.db", "key3.db"}; 
-static char* dbprefix = "";
-static char* secmodName = "secmod.db";
-static char* userPassword = "";
-PRBool verbose;
-
-static char *
-getPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-    int *success = (int *)arg;
-
-    if (retry) {
-	*success = 0;
-	return NULL;
-    }
-
-    *success = 1;
-     return PORT_Strdup(userPassword);
-}
-
-
-static void Usage(const char *progName)
-{
-    printf("Usage:  %s [-r] [-f] [-i] [-d dbdir ] \n",
-         progName);
-    printf("%-20s open database readonly (NSS_INIT_READONLY)\n", "-r");
-    printf("%-20s Continue to force initializations even if the\n", "-f");
-    printf("%-20s databases cannot be opened (NSS_INIT_FORCEOPEN)\n", " ");
-    printf("%-20s Try to initialize the database\n", "-i");
-    printf("%-20s Supply a password with which to initialize the db\n", "-p");
-    printf("%-20s Directory with cert database (default is .\n",
-          "-d certdir");
-    exit(1);
-}
-
-int main(int argc, char **argv)
-{
-    PLOptState *optstate;
-    PLOptStatus optstatus;
-
-    PRUint32 flags = 0;
-    Error ret;
-    SECStatus rv;
-    char * dbString = NULL;
-    PRBool doInitTest = PR_FALSE;
-    int i;
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-        progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "rfip:d:h");
-
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-        switch (optstate->option) {
-          case 'h':
-          default : Usage(progName);                    break;
-
-          case 'r': flags |= NSS_INIT_READONLY;         break;
-
-          case 'f': flags |= NSS_INIT_FORCEOPEN;        break;
-
-	  case 'i': doInitTest = PR_TRUE;		break;
-
-	  case 'p':
-		userPassword = PORT_Strdup(optstate->value);
-		break;
-
-          case 'd':
-                dbDir = PORT_Strdup(optstate->value);
-                break;
-
-        }
-    }
-    if (optstatus == PL_OPT_BAD)
-        Usage(progName);
-
-    if (!dbDir) {
-        dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
-    }
-    dbDir = SECU_ConfigDirectory(dbDir);
-    PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);
-
-    if( dbDir[0] == '\0') {
-        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
-        ret= DIR_DOESNT_EXIST_ERR;
-        goto loser;
-    }
-
-
-    PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
-
-    /* get the status of the directory and databases and output message */
-    if(PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
-        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
-    } else if(PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
-        PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir);
-    } else {
-        if( !( flags & NSS_INIT_READONLY ) &&
-                PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
-            PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir);
-        }
-	if (!doInitTest) {
-            for (i=0;i<3;i++) {
-        	dbString=PR_smprintf("%s/%s",dbDir,dbName[i]);
-        	PR_fprintf(PR_STDOUT, "database checked is %s\n",dbString);
-        	if(PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) {
-                    PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR], 
-                                      dbString);
-        	} else if(PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) {
-                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], 
-                                      dbString);
-        	} else if( !( flags & NSS_INIT_READONLY ) &&
-                       PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
-                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR], 
-                                      dbString);
-        	}
-	    }
-        } 
-    }
-
-
-    rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix,
-                   secmodName, flags);
-    if (rv != SECSuccess) {
-        SECU_PrintPRandOSError(progName);
-        ret=NSS_INITIALIZE_FAILED_ERR;
-    } else {
-        ret=SUCCESS;
-	if (doInitTest) {
-	    PK11SlotInfo * slot = PK11_GetInternalKeySlot();
-	    SECStatus rv;
-	    int passwordSuccess = 0;
-	    int type = CKM_DES3_CBC;
-	    SECItem keyid = { 0, NULL, 0 };
-	    unsigned char keyIdData[] = { 0xff, 0xfe };
-	    PK11SymKey *key = NULL;
-
-	    keyid.data = keyIdData;
-	    keyid.len = sizeof(keyIdData);
-
-	    PK11_SetPasswordFunc(getPassword);
-	    rv = PK11_InitPin(slot, (char *)NULL, userPassword);
-	    if (rv != SECSuccess) {
-		PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n", 
-					SECU_Strerror(PORT_GetError()));
-		ret = CHANGEPW_FAILED_ERR;
-	    }
-	    if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) {
-                PR_fprintf(PR_STDERR, "New DB did not log in after init\n");
-		ret = AUTHENTICATION_FAILED_ERR;
-	    }
-	    /* generate a symetric key */
-	    key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid,
-				    PR_TRUE, &passwordSuccess);
-
-	    if (!key) {
-		PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n",
-				SECU_Strerror(PORT_GetError()));
-		exit (UNSPECIFIED_ERR);
-	    }
-	    PK11_FreeSymKey(key);
-	    PK11_Logout(slot);
-
-	    PK11_Authenticate(slot, PR_TRUE, &passwordSuccess);
-
-	    if (*userPassword && !passwordSuccess) {
-		PR_fprintf(PR_STDERR, "New DB Did not initalize\n");
-		ret = AUTHENTICATION_FAILED_ERR;
-	    }
-	    key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess);
-
-	    if (!key) {
-		PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
-				SECU_Strerror(PORT_GetError()));
-		ret = UNSPECIFIED_ERR;
-	    } else {
-		PK11_FreeSymKey(key);
-	    }
- 	    PK11_FreeSlot(slot);
-	}
-	     
-        if (NSS_Shutdown() != SECSuccess) {
-	    PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
-				SECU_Strerror(PORT_GetError()));
-            exit(1);
-        }
-    }
-
-loser:
-    return ret;
-}
-
diff --git a/security/nss/cmd/dbtest/manifest.mn b/security/nss/cmd/dbtest/manifest.mn
deleted file mode 100644
index 0e3ba6c99..000000000
--- a/security/nss/cmd/dbtest/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-# DIRS = 
-
-CSRCS	= dbtest.c  
-
-PROGRAM	= dbtest
-
diff --git a/security/nss/cmd/derdump/Makefile b/security/nss/cmd/derdump/Makefile
deleted file mode 100644
index 140b4191f..000000000
--- a/security/nss/cmd/derdump/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/derdump/derdump.c b/security/nss/cmd/derdump/derdump.c
deleted file mode 100644
index 7103eef2c..000000000
--- a/security/nss/cmd/derdump/derdump.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secutil.h"
-#include "nss.h"
-#include <errno.h>
-
-#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
-#if !defined(WIN32)
-extern int fprintf(FILE *, char *, ...);
-#endif
-#endif
-#include "plgetopt.h"
-
-static void Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage: %s [-r] [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s For formatted items, dump raw bytes as well\n",
-	    "-r");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-int main(int argc, char **argv)
-{
-    char *progName;
-    FILE *outFile;
-    PRFileDesc *inFile;
-    SECItem der;
-    SECStatus rv;
-    int16 xp_error;
-    PRBool raw = PR_FALSE;
-    PLOptState *optstate;
-    PLOptStatus status;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    /* Parse command line arguments */
-    inFile = 0;
-    outFile = 0;
-    optstate = PL_CreateOptState(argc, argv, "i:o:r");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case 'i':
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "w");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'r':
-	    raw = PR_TRUE;
-	    break;
-
-	  default:
-	    Usage(progName);
-	    break;
-	}
-    }
-	if (status == PL_OPT_BAD)
-		Usage(progName);
-
-    if (!inFile) inFile = PR_STDIN;
-    if (!outFile) outFile = stdout;
-
-    rv = NSS_NoDB_Init(NULL);	/* XXX */
-    if (rv != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-
-	rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE);
-    if (rv == SECSuccess) {
-	rv = DER_PrettyPrint(outFile, &der, raw);
-	if (rv == SECSuccess)
-	    return 0;
-    }
-
-    xp_error = PORT_GetError();
-    if (xp_error) {
-	SECU_PrintError(progName, "error %d", xp_error);
-    }
-    if (errno) {
-	SECU_PrintSystemError(progName, "errno=%d", errno);
-    }
-    return 1;
-}
diff --git a/security/nss/cmd/derdump/manifest.mn b/security/nss/cmd/derdump/manifest.mn
deleted file mode 100644
index f9299f0de..000000000
--- a/security/nss/cmd/derdump/manifest.mn
+++ /dev/null
@@ -1,53 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = derdump.c
-
-PROGRAM	= derdump
diff --git a/security/nss/cmd/digest/Makefile b/security/nss/cmd/digest/Makefile
deleted file mode 100644
index 140b4191f..000000000
--- a/security/nss/cmd/digest/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/digest/digest.c b/security/nss/cmd/digest/digest.c
deleted file mode 100644
index 7a37856d9..000000000
--- a/security/nss/cmd/digest/digest.c
+++ /dev/null
@@ -1,256 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secutil.h"
-#include "pk11func.h"
-#include "secoid.h"
-
-#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
-#if !defined(WIN32)
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-#endif
-
-#include "plgetopt.h"
-
-static SECOidData *
-HashTypeToOID(HASH_HashType hashtype)
-{
-    SECOidTag hashtag;
-
-    if (hashtype <= HASH_AlgNULL || hashtype >= HASH_AlgTOTAL)
-	return NULL;
-
-    switch (hashtype) {
-      case HASH_AlgMD2:
-	hashtag = SEC_OID_MD2;
-	break;
-      case HASH_AlgMD5:
-	hashtag = SEC_OID_MD5;
-	break;
-      case HASH_AlgSHA1:
-	hashtag = SEC_OID_SHA1;
-	break;
-      default:
-	fprintf(stderr, "A new hash type has been added to HASH_HashType.\n");
-	fprintf(stderr, "This program needs to be updated!\n");
-	return NULL;
-    }
-
-    return SECOID_FindOIDByTag(hashtag);
-}
-
-static SECOidData *
-HashNameToOID(const char *hashName)
-{
-    HASH_HashType htype;
-    SECOidData *hashOID;
-
-    for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
-	hashOID = HashTypeToOID(htype);
-	if (PORT_Strcasecmp(hashName, hashOID->desc) == 0)
-	    break;
-    }
-
-    if (htype == HASH_AlgTOTAL)
-	return NULL;
-
-    return hashOID;
-}
-
-static void
-Usage(char *progName)
-{
-    HASH_HashType htype;
-
-    fprintf(stderr,
-	    "Usage:  %s -t type [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Specify the digest method (must be one of\n",
-	    "-t type");
-    fprintf(stderr, "%-20s ", "");
-    for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
-	fprintf(stderr, HashTypeToOID(htype)->desc);
-	if (htype == (HASH_AlgTOTAL - 2))
-	    fprintf(stderr, " or ");
-	else if (htype != (HASH_AlgTOTAL - 1))
-	    fprintf(stderr, ", ");
-    }
-    fprintf(stderr, " (case ignored))\n");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-static int
-DigestFile(FILE *outFile, FILE *inFile, SECOidData *hashOID)
-{
-    int nb;
-    unsigned char ibuf[4096], digest[32];
-    PK11Context *hashcx;
-    unsigned int len;
-    SECStatus rv;
-
-    hashcx = PK11_CreateDigestContext(hashOID->offset);
-    if (hashcx == NULL) {
-	return -1;
-    }
-    PK11_DigestBegin(hashcx);
-
-
-    for (;;) {
-	if (feof(inFile)) break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb != sizeof(ibuf)) {
-	    if (nb == 0) {
-		if (ferror(inFile)) {
-		    PORT_SetError(SEC_ERROR_IO);
-		    PK11_DestroyContext(hashcx,PR_TRUE);
-		    return -1;
-		}
-		/* eof */
-		break;
-	    }
-	}
-	rv = PK11_DigestOp(hashcx, ibuf, nb);
-	if (rv != SECSuccess) {
-	   PK11_DestroyContext(hashcx, PR_TRUE);
-	   return -1;
-	}
-    }
-
-    rv = PK11_DigestFinal(hashcx, digest, &len, 32);
-    PK11_DestroyContext(hashcx, PR_TRUE);
-
-    if (rv != SECSuccess) return -1;
-
-    nb = fwrite(digest, 1, len, outFile);
-    if (nb != len) {
-	PORT_SetError(SEC_ERROR_IO);
-	return -1;
-    }
-
-    return 0;
-}
-
-#include "nss.h"
-
-int
-main(int argc, char **argv)
-{
-    char *progName;
-    FILE *inFile, *outFile;
-    char *hashName;
-    SECOidData *hashOID;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus   rv;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    inFile = NULL;
-    outFile = NULL;
-    hashName = NULL;
-
-    rv = NSS_Init("/tmp");
-    if (rv != SECSuccess) {
-    	fprintf(stderr, "%s: NSS_Init failed in directory %s\n",
-	        progName, "/tmp");
-        return -1;
-    }
-
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, "t:i:o:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'i':
-	    inFile = fopen(optstate->value, "r");
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "w");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 't':
-	    hashName = strdup(optstate->value);
-	    break;
-	}
-    }
-
-    if (!hashName) Usage(progName);
-
-    if (!inFile) inFile = stdin;
-    if (!outFile) outFile = stdout;
-
-    hashOID = HashNameToOID(hashName);
-    if (hashOID == NULL) {
-	fprintf(stderr, "%s: invalid digest type\n", progName);
-	Usage(progName);
-    }
-
-    if (DigestFile(outFile, inFile, hashOID)) {
-	fprintf(stderr, "%s: problem digesting data (%s)\n",
-		progName, SECU_Strerror(PORT_GetError()));
-	return -1;
-    }
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    } 
-    
-    return 0;
-}
diff --git a/security/nss/cmd/digest/manifest.mn b/security/nss/cmd/digest/manifest.mn
deleted file mode 100644
index e4c9193be..000000000
--- a/security/nss/cmd/digest/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS	= digest.c  
-
-PROGRAM	= digest
-
diff --git a/security/nss/cmd/ecperf/Makefile b/security/nss/cmd/ecperf/Makefile
deleted file mode 100644
index 7df60581b..000000000
--- a/security/nss/cmd/ecperf/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/ecperf/ecperf.c b/security/nss/cmd/ecperf/ecperf.c
deleted file mode 100644
index 6750373fd..000000000
--- a/security/nss/cmd/ecperf/ecperf.c
+++ /dev/null
@@ -1,760 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "blapi.h"
-#include "ec.h"
-#include "ecl-curve.h"
-#include "nss.h"
-#include "secutil.h"
-#include "pkcs11.h"
-#include <nspr.h>
-#include <stdio.h>
-#include <strings.h>
-#include <assert.h>
-
-#include <time.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-#define __PASTE(x,y)    x##y
-
-/*
- * Get the NSS specific PKCS #11 function names.
- */
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_EXTERN extern
-#define CK_PKCS11_FUNCTION_INFO(func) \
-		CK_RV __PASTE(NS,func)
-#define CK_NEED_ARG_LIST	1
-
-#include "pkcs11f.h"
-
-
-
-/* mapping between ECCurveName enum and pointers to ECCurveParams */
-static SECOidTag ecCurve_oid_map[] = {
-    SEC_OID_UNKNOWN,	/* ECCurve_noName */
-    SEC_OID_ANSIX962_EC_PRIME192V1,    /* ECCurve_NIST_P192 */
-    SEC_OID_SECG_EC_SECP224R1,    /* ECCurve_NIST_P224 */
-    SEC_OID_ANSIX962_EC_PRIME256V1,    /* ECCurve_NIST_P256 */
-    SEC_OID_SECG_EC_SECP384R1,    /* ECCurve_NIST_P384 */
-    SEC_OID_SECG_EC_SECP521R1,    /* ECCurve_NIST_P521 */
-    SEC_OID_SECG_EC_SECT163K1,    /* ECCurve_NIST_K163 */
-    SEC_OID_SECG_EC_SECT163R1,    /* ECCurve_NIST_B163 */
-    SEC_OID_SECG_EC_SECT233K1,    /* ECCurve_NIST_K233 */
-    SEC_OID_SECG_EC_SECT233R1,    /* ECCurve_NIST_B233 */
-    SEC_OID_SECG_EC_SECT283K1,    /* ECCurve_NIST_K283 */
-    SEC_OID_SECG_EC_SECT283R1,    /* ECCurve_NIST_B283 */
-    SEC_OID_SECG_EC_SECT409K1,    /* ECCurve_NIST_K409 */
-    SEC_OID_SECG_EC_SECT409R1,    /* ECCurve_NIST_B409 */
-    SEC_OID_SECG_EC_SECT571K1,    /* ECCurve_NIST_K571 */
-    SEC_OID_SECG_EC_SECT571R1,    /* ECCurve_NIST_B571 */
-    SEC_OID_ANSIX962_EC_PRIME192V2,    
-    SEC_OID_ANSIX962_EC_PRIME192V3,
-    SEC_OID_ANSIX962_EC_PRIME239V1,
-    SEC_OID_ANSIX962_EC_PRIME239V2,
-    SEC_OID_ANSIX962_EC_PRIME239V3,
-	SEC_OID_ANSIX962_EC_C2PNB163V1,
-	SEC_OID_ANSIX962_EC_C2PNB163V2,
-	SEC_OID_ANSIX962_EC_C2PNB163V3,
-    SEC_OID_ANSIX962_EC_C2PNB176V1,
-    SEC_OID_ANSIX962_EC_C2TNB191V1,
-    SEC_OID_ANSIX962_EC_C2TNB191V2,
-    SEC_OID_ANSIX962_EC_C2TNB191V3,
-    SEC_OID_ANSIX962_EC_C2PNB208W1,
-    SEC_OID_ANSIX962_EC_C2TNB239V1,
-    SEC_OID_ANSIX962_EC_C2TNB239V2,
-    SEC_OID_ANSIX962_EC_C2TNB239V3,
-    SEC_OID_ANSIX962_EC_C2PNB272W1,
-    SEC_OID_ANSIX962_EC_C2PNB304W1,
-    SEC_OID_ANSIX962_EC_C2TNB359V1,
-    SEC_OID_ANSIX962_EC_C2PNB368W1,
-    SEC_OID_ANSIX962_EC_C2TNB431R1,
-    SEC_OID_SECG_EC_SECP112R1,
-    SEC_OID_SECG_EC_SECP112R2,
-    SEC_OID_SECG_EC_SECP128R1,
-    SEC_OID_SECG_EC_SECP128R2,
-    SEC_OID_SECG_EC_SECP160K1,
-    SEC_OID_SECG_EC_SECP160R1,
-    SEC_OID_SECG_EC_SECP160R2,
-    SEC_OID_SECG_EC_SECP192K1,
-    SEC_OID_SECG_EC_SECP224K1,
-    SEC_OID_SECG_EC_SECP256K1,
-    SEC_OID_SECG_EC_SECT113R1,
-    SEC_OID_SECG_EC_SECT113R2,
-    SEC_OID_SECG_EC_SECT131R1,
-    SEC_OID_SECG_EC_SECT131R2,
-    SEC_OID_SECG_EC_SECT163R1,
-    SEC_OID_SECG_EC_SECT193R1,
-    SEC_OID_SECG_EC_SECT193R2,
-    SEC_OID_SECG_EC_SECT239K1,
-    SEC_OID_UNKNOWN	    /* ECCurve_pastLastCurve */
-};
-
-typedef SECStatus (*op_func) (void *, void *, void *);
-typedef SECStatus (*pk11_op_func) (CK_SESSION_HANDLE, void *, void *, void *);
-
-typedef struct ThreadDataStr {
-    op_func op;
-    void *p1;
-    void *p2;
-    void *p3;
-    int iters;
-    PRLock *lock;
-    int count;
-    SECStatus status;
-    int isSign;
-} ThreadData;
-
-void PKCS11Thread(void *data)
-{
-    ThreadData *threadData = (ThreadData *)data;
-    pk11_op_func op = (pk11_op_func) threadData->op;
-    int iters = threadData->iters;
-    unsigned char sigData [256];
-    SECItem sig;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    threadData->status = SECSuccess;
-    threadData->count = 0;
-
-    /* get our thread's session */
-    PR_Lock(threadData->lock);
-    crv = NSC_OpenSession(1, CKF_SERIAL_SESSION, NULL, 0, &session);
-    PR_Unlock(threadData->lock);
-
-    if (threadData->isSign) {
-    sig.data = sigData;
-    sig.len = sizeof(sigData);
-    threadData->p2 = (void *)&sig;
-    }
- 
-    while (iters --) {
-    threadData->status = (*op)(session, threadData->p1, 
-	       threadData->p2, threadData->p3);
-    if (threadData->status != SECSuccess) {
-	break;
-    }
-    threadData->count++;
-    }
-    return;
-}
-
-void genericThread(void *data)
-{
-    ThreadData *threadData = (ThreadData *)data;
-    int iters = threadData->iters;
-    unsigned char sigData [256];
-    SECItem sig;
-
-    threadData->status = SECSuccess;
-    threadData->count = 0;
-
-    if (threadData->isSign) {
-    sig.data = sigData;
-    sig.len = sizeof(sigData);
-    threadData->p2 = (void *)&sig;
-    }
- 
-    while (iters --) {
-    threadData->status = (*threadData->op)(threadData->p1, 
-	       threadData->p2, threadData->p3);
-    if (threadData->status != SECSuccess) {
-	break;
-    }
-    threadData->count++;
-    }
-    return;
-}
-
-
-/* Time iter repetitions of operation op. */
-SECStatus
-M_TimeOperation(void (*threadFunc)(void *), 
-	op_func opfunc, char *op, void *param1, void *param2, 
-	void *param3, int iters, int numThreads, PRLock *lock, 
-	CK_SESSION_HANDLE session, int isSign, double *rate)
-{
-    double dUserTime;
-    int i, total;
-    PRIntervalTime startTime, totalTime;
-    PRThread **threadIDs;
-    ThreadData *threadData;
-    pk11_op_func pk11_op = (pk11_op_func) opfunc;
-    SECStatus rv;
-
-    /* verify operation works before testing performance */
-    if (session) {
-	rv = (*pk11_op)(session, param1, param2, param3);
-    } else {
-	rv = (*opfunc)(param1, param2, param3);
-    }
-    if (rv != SECSuccess) {
-	SECU_PrintError("Error:", op); 
-	return rv;
-    }
-
-    /* get Data structures */
-    threadIDs = (PRThread **)PORT_Alloc(numThreads*sizeof(PRThread *)); 
-    threadData = (ThreadData *)PORT_Alloc(numThreads*sizeof(ThreadData));
-
-    startTime = PR_Now();
-    if (numThreads == 1) {
-    for (i=0; i < iters; i++) {
-	if (session) {
-	    rv = (*pk11_op)(session, param1, param2, param3);
-	} else {
-	    rv = (*opfunc)(param1, param2, param3);
-	}
-    }
-	total = iters;
-    } else {
-	for (i = 0; i < numThreads; i++) {
-	    threadData[i].op = opfunc; 
-	    threadData[i].p1 = (void *)param1;
-	    threadData[i].p2 = (void *)param2;
-	    threadData[i].p3 = (void *)param3;
-	    threadData[i].iters = iters;
-	    threadData[i].lock = lock;
-	    threadData[i].isSign = isSign;
-	    threadIDs[i] = PR_CreateThread(PR_USER_THREAD, threadFunc,
-	                   (void *)&threadData[i], PR_PRIORITY_NORMAL,
-	                   PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
-	} 
-
-	total = 0;
-	for (i = 0; i < numThreads; i++) {
-	    PR_JoinThread(threadIDs[i]);
-	    /* check the status */
-	    total += threadData[i].count;
-	}
-
-	PORT_Free(threadIDs);
-	PORT_Free(threadData);
-    }
-
-    totalTime = PR_Now()- startTime; 
-    /* SecondsToInterval seems to be broken here ... */
-    dUserTime = (double)totalTime/(double)1000000;
-    if (dUserTime) {
-	printf("    %-15s count:%4d sec: %3.2f op/sec: %6.2f\n", 
-	    op, total, dUserTime, (double)total/dUserTime); 
-	if (rate) {
-	   *rate = ((double)total)/dUserTime;
-	}
-    }
-    return SECSuccess;
-}
-
-#define GFP_POPULATE(params,name_v) \
-    params.name = name_v; \
-    if ((params.name < ECCurve_noName) || \
-	    (params.name > ECCurve_pastLastCurve)) goto cleanup; \
-    params.type = ec_params_named; \
-    params.curveOID.data = NULL; \
-    params.curveOID.len = 0; \
-    params.curve.seed.data = NULL; \
-    params.curve.seed.len = 0; \
-    params.DEREncoding.data = NULL; \
-    params.DEREncoding.len = 0; \
-    params.arena = NULL; \
-    params.fieldID.size = ecCurve_map[name_v]->size; \
-    params.fieldID.type = ec_field_GFp; \
-    hexString2SECItem(params.arena, &params.fieldID.u.prime, \
-	    ecCurve_map[name_v]->irr); \
-    hexString2SECItem(params.arena, &params.curve.a, \
-	    ecCurve_map[name_v]->curvea); \
-    hexString2SECItem(params.arena, &params.curve.b, \
-	    ecCurve_map[name_v]->curveb); \
-    genenc[0] = '0'; \
-    genenc[1] = '4'; \
-    genenc[2] = '\0'; \
-    strcat(genenc, ecCurve_map[name_v]->genx); \
-    strcat(genenc, ecCurve_map[name_v]->geny); \
-    hexString2SECItem(params.arena, &params.base, \
-	    genenc); \
-    hexString2SECItem(params.arena, &params.order, \
-	    ecCurve_map[name_v]->order); \
-    params.cofactor = ecCurve_map[name_v]->cofactor;
-
-
-/* Test curve using specific field arithmetic. */
-#define ECTEST_NAMED_GFP(name_c, name_v) \
-    if (usefreebl) { \
-	printf("Testing %s using freebl implementation...\n", name_c); \
-	rv = ectest_curve_freebl(name_v, iterations, numThreads); \
-	    if (rv != SECSuccess) goto cleanup; \
-	printf("... okay.\n"); \
-	} \
-    if (usepkcs11) { \
-	printf("Testing %s using pkcs11 implementation...\n", name_c); \
-	rv = ectest_curve_pkcs11(name_v, iterations, numThreads); \
-	    if (rv != SECSuccess) goto cleanup; \
-	printf("... okay.\n"); \
-     }
-
-/*
- * Initializes a SECItem from a hexadecimal string
- *
- * Warning: This function ignores leading 00's, so any leading 00's
- * in the hexadecimal string must be optional.
- */
-static SECItem *
-hexString2SECItem(PRArenaPool *arena, SECItem *item, const char *str)
-{
-    int i = 0;
-    int byteval = 0;
-    int tmp = PORT_Strlen(str);
-
-    if ((tmp % 2) != 0) return NULL;
-    
-    /* skip leading 00's unless the hex string is "00" */
-    while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) {
-	str += 2;
-	tmp -= 2;
-    }
-
-    item->data = (unsigned char *) PORT_Alloc( tmp/2);
-    if (item->data == NULL) return NULL;
-    item->len = tmp/2;
-
-    while (str[i]) {
-	if ((str[i] >= '0') && (str[i] <= '9'))
-	    tmp = str[i] - '0';
-	else if ((str[i] >= 'a') && (str[i] <= 'f'))
-	    tmp = str[i] - 'a' + 10;
-	else if ((str[i] >= 'A') && (str[i] <= 'F'))
-	    tmp = str[i] - 'A' + 10;
-	else
-	    return NULL;
-
-	byteval = byteval * 16 + tmp;
-	if ((i % 2) != 0) {
-	    item->data[i/2] = byteval;
-	    byteval = 0;
-	}
-	i++;
-    }
-
-    return item;
-}
-
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-		(x)->pValue=(v); (x)->ulValueLen = (l);
-
-
-SECStatus
-PKCS11_Derive(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
-	  CK_MECHANISM *pMech , int *dummy)
-{
-    CK_RV crv;
-    CK_OBJECT_HANDLE newKey;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
-    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-    CK_ATTRIBUTE keyTemplate[3];
-    CK_ATTRIBUTE *attrs = keyTemplate;
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
-    attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
-    attrs++;
-    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, 1); attrs++;
-
-
-   crv = NSC_DeriveKey(session, pMech, *hKey, keyTemplate, 3, &newKey);
-   if (crv != CKR_OK) {
-	printf("Derive Failed CK_RV=0x%x\n", (int)crv);
-	return SECFailure;
-   }
-   return SECSuccess;
-}
-
-SECStatus
-PKCS11_Sign(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
-	SECItem *sig, SECItem *digest)
-{
-   CK_RV crv;
-   CK_MECHANISM mech;
-
-   mech.mechanism = CKM_ECDSA;
-   mech.pParameter = NULL;
-   mech.ulParameterLen = 0;
-
-   crv = NSC_SignInit(session, &mech, *hKey);
-   if (crv != CKR_OK) {
-    printf("Sign Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-   }
-   crv = NSC_Sign(session, digest->data, digest->len, sig->data, 
-	(CK_ULONG_PTR)&sig->len);
-   if (crv != CKR_OK) {
-    printf("Sign Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-   }
-   return SECSuccess;
-}
-
-SECStatus
-PKCS11_Verify(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, 
-	SECItem *sig, SECItem *digest)
-{
-   CK_RV crv;
-   CK_MECHANISM mech;
-
-   mech.mechanism = CKM_ECDSA;
-   mech.pParameter = NULL;
-   mech.ulParameterLen = 0;
-
-   crv = NSC_VerifyInit(session, &mech, *hKey);
-   if (crv != CKR_OK) {
-    printf("Verify Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-   }
-   crv = NSC_Verify(session, digest->data, digest->len, sig->data, sig->len);
-   if (crv != CKR_OK) {
-    printf("Verify Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-   }
-   return SECSuccess;
-}
-
-static SECStatus
-ecName2params(ECCurveName curve, SECKEYECParams * params)
-{
-    SECOidData *oidData = NULL;
-
-    if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
-	((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	return SECFailure;
-    }
-
-    SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len));
-    /*
-     * params->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in
-     * oidData->oid.data so we simply prepend 0x06 and OID length
-     */
-    params->data[0] = SEC_ASN1_OBJECT_ID;
-    params->data[1] = oidData->oid.len;
-    memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
-
-    return SECSuccess;
-}
-
-
-
-/* Performs basic tests of elliptic curve cryptography over prime fields.
- * If tests fail, then it prints an error message, aborts, and returns an
- * error code. Otherwise, returns 0. */
-SECStatus
-ectest_curve_pkcs11(ECCurveName curve, int iterations, int numThreads)
-{
-    CK_OBJECT_HANDLE ecPriv;
-    CK_OBJECT_HANDLE ecPub;
-    CK_SESSION_HANDLE session;
-    SECItem sig;
-    SECItem digest;
-    SECKEYECParams ecParams;
-    CK_MECHANISM mech;
-    CK_ECDH1_DERIVE_PARAMS ecdh_params;
-    unsigned char sigData [256];
-    unsigned char digestData[20];
-    unsigned char pubKeyData[256];
-    PRLock *lock = NULL;
-    double signRate, deriveRate;
-    CK_ATTRIBUTE template;
-    SECStatus rv;
-    CK_RV crv;
-
-    ecParams.data = NULL;
-    ecParams.len = 0;
-    rv = ecName2params(curve, &ecParams);
-    if (rv != SECSuccess) {
-    goto cleanup;
-    }
-
-    crv = NSC_OpenSession(1, CKF_SERIAL_SESSION, NULL, 0, &session);
-    if (crv != CKR_OK) {
-    printf("OpenSession Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-    }
-
-    PORT_Memset(digestData, 0xa5, sizeof(digestData));
-    digest.data = digestData;
-    digest.len = sizeof(digestData);
-    sig.data = sigData;
-    sig.len = sizeof(sigData);
-
-    template.type = CKA_EC_PARAMS;
-    template.pValue = ecParams.data;
-    template.ulValueLen = ecParams.len;
-    mech.mechanism = CKM_EC_KEY_PAIR_GEN;
-    mech.pParameter = NULL;
-    mech.ulParameterLen = 0;
-    crv = NSC_GenerateKeyPair(session, &mech, 
-		  &template, 1, NULL, 0, &ecPub, &ecPriv);
-    if (crv != CKR_OK) {
-    printf("GenerateKeyPair Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-    }
-
-    template.type = CKA_EC_POINT;
-    template.pValue = pubKeyData;
-    template.ulValueLen = sizeof(pubKeyData);
-    crv = NSC_GetAttributeValue(session, ecPub, &template, 1);
-    if (crv != CKR_OK) {
-    printf("GenerateKeyPair Failed CK_RV=0x%x\n", (int)crv);
-    return SECFailure;
-    }
-
-    ecdh_params.kdf = CKD_NULL;
-    ecdh_params.ulSharedDataLen = 0;
-    ecdh_params.pSharedData = NULL;
-    ecdh_params.ulPublicDataLen = template.ulValueLen;
-    ecdh_params.pPublicData = template.pValue;
-
-    mech.mechanism = CKM_ECDH1_DERIVE;
-    mech.pParameter = (void *)&ecdh_params;
-    mech.ulParameterLen = sizeof(ecdh_params);
-
-    lock = PR_NewLock();
-
-    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Derive, "ECDH_Derive",
-	    &ecPriv, &mech,  NULL, iterations, numThreads, 
-	    lock, session, 0, &deriveRate);
-    if (rv != SECSuccess) goto cleanup;
-    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Sign, "ECDSA_Sign",
-	    (void *)&ecPriv, &sig, &digest, iterations, numThreads,
-	    lock, session, 1, &signRate);
-    if (rv != SECSuccess) goto cleanup;
-    printf("        ECDHE max rate = %.2f\n", (deriveRate+signRate)/4.0);
-    /* get a signature */
-    rv = PKCS11_Sign(session, &ecPriv, &sig, &digest);
-    if (rv != SECSuccess) goto cleanup;
-    rv = M_TimeOperation(PKCS11Thread, (op_func)PKCS11_Verify, "ECDSA_Verify",
-	    (void *)&ecPub, &sig, &digest, iterations, numThreads,
-	    lock, session, 0, NULL);
-    if (rv != SECSuccess) goto cleanup;
-
-cleanup:
-    if (lock) {
-    PR_DestroyLock(lock);
-    }
-    return rv;
-}
-
-SECStatus
-ECDH_DeriveWrap(ECPrivateKey *priv, ECPublicKey *pub, int *dummy)
-{
-    SECItem secret;
-    unsigned char secretData[256];
-    SECStatus rv;
-
-    secret.data = secretData;
-    secret.len = sizeof(secretData);
-
-    rv = ECDH_Derive(&pub->publicValue, &pub->ecParams, 
-	&priv->privateValue, 0, &secret);
-#ifdef notdef
-    if (rv == SECSuccess) {
-    PORT_Free(secret.data);
-    }
-#endif
-    return rv;
-}
-
-/* Performs basic tests of elliptic curve cryptography over prime fields.
- * If tests fail, then it prints an error message, aborts, and returns an
- * error code. Otherwise, returns 0. */
-SECStatus
-ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads)
-{
-    ECParams      ecParams;
-    ECPrivateKey *ecPriv = NULL;
-    ECPublicKey ecPub;
-    SECItem sig;
-    SECItem digest;
-    unsigned char sigData [256];
-    unsigned char digestData[20];
-    double signRate, deriveRate;
-    char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
-    SECStatus rv;
-
-
-    GFP_POPULATE(ecParams, curve);
-
-    PORT_Memset(digestData, 0xa5, sizeof(digestData));
-    digest.data = digestData;
-    digest.len = sizeof(digestData);
-    sig.data = sigData;
-    sig.len = sizeof(sigData);
-
-    rv = EC_NewKey(&ecParams, &ecPriv);
-    if (rv != SECSuccess) {
-    return SECFailure;
-    }
-    ecPub.ecParams = ecParams;
-    ecPub.publicValue = ecPriv->publicValue;
-
-    M_TimeOperation(genericThread, (op_func) ECDH_DeriveWrap, "ECDH_Derive",
-	    ecPriv, &ecPub, NULL, iterations, numThreads, 0, 0, 0, &deriveRate);
-    if (rv != SECSuccess) goto cleanup;
-    M_TimeOperation(genericThread, (op_func) ECDSA_SignDigest, "ECDSA_Sign",
-	    ecPriv, &sig, &digest, iterations, numThreads, 0, 0, 1, &signRate);
-    if (rv != SECSuccess) goto cleanup;
-    printf("        ECDHE max rate = %.2f\n", (deriveRate+signRate)/4.0);
-    rv = ECDSA_SignDigest(ecPriv, &sig, &digest);
-    if (rv != SECSuccess) goto cleanup;
-    M_TimeOperation(genericThread, (op_func) ECDSA_VerifyDigest, "ECDSA_Verify",
-	    &ecPub, &sig, &digest, iterations, numThreads, 0, 0, 0, NULL);
-    if (rv != SECSuccess) goto cleanup;
-
-cleanup:
-    return rv;
-}
-
-/* Prints help information. */
-void
-printUsage(char *prog)
-{
-    printf("Usage: %s [-i iterations] [-t threads ] [-ans] [-fp] [-A]\n",prog);
-}
-
-/* Performs tests of elliptic curve cryptography over prime fields If
- * tests fail, then it prints an error message, aborts, and returns an
- * error code. Otherwise, returns 0. */
-int
-main(int argv, char **argc)
-{
-    int ansi = 0;
-    int nist = 0;
-    int secp = 0;
-    int usefreebl = 0;
-    int usepkcs11 = 0;
-    int i;
-    SECStatus rv = SECSuccess;
-    int iterations = 100;
-    int numThreads = 1;
-
-    /* read command-line arguments */
-    for (i = 1; i < argv; i++) {
-	if (strcasecmp(argc[i], "-i") == 0) {
-	    i++;
-	    iterations = atoi(argc[i]);
-	} else if (strcasecmp(argc[i], "-t") == 0) {
-	    i++;
-	    numThreads = atoi(argc[i]);
-	} else if (strcasecmp(argc[i], "-A") == 0) {
-	    ansi = nist = secp = 1;
-	    usepkcs11 = usefreebl = 1;
-	} else if (strcasecmp(argc[i], "-a") == 0) {
-	    ansi = 1;
-	} else if (strcasecmp(argc[i], "-n") == 0) {
-	    nist = 1;
-	} else if (strcasecmp(argc[i], "-s") == 0) {
-	    secp = 1;
-	} else if (strcasecmp(argc[i], "-p") == 0) {
-	    usepkcs11 = 1;
-	} else if (strcasecmp(argc[i], "-f") == 0) {
-	    usefreebl = 1;
-	} else {
-	    printUsage(argc[0]);
-	    return 0;
-	}
-    }
-
-    if ((ansi | nist | secp) == 0) {
-	nist = 1;
-    }
-    if ((usepkcs11|usefreebl) == 0) {
-	usefreebl = 1;
-    }
-
-    rv = NSS_NoDB_Init(NULL);
-    if (rv != SECSuccess) {
-	SECU_PrintError("Error:", "NSS_NoDB_Init"); 
-	goto cleanup;
-    }
-
-    /* specific arithmetic tests */
-    if (nist) {
-        ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
-        ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192);
-        ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224);
-        ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256);
-        ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384);
-        ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521);
-    }
-    if (ansi) {
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3);
-        ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1);
-    }
-    if (secp) {
-        ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1);
-        ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2);
-        ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1);
-        ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2);
-        ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
-        ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
-        ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
-        ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
-        ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
-        ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
-        ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
-        ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1);
-        ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1);
-        ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1);
-        ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1);
-    }
-
-  cleanup:
-    if (rv != SECSuccess) {
-	printf("Error: exiting with error value\n");
-    }
-    return rv;
-}
diff --git a/security/nss/cmd/ecperf/manifest.mn b/security/nss/cmd/ecperf/manifest.mn
deleted file mode 100755
index 0e02089cc..000000000
--- a/security/nss/cmd/ecperf/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-DEPTH	= ../../..
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = dbm seccmd 
-
-# DIRS = 
-
-CSRCS	= ecperf.c 
-
-PROGRAM	= ecperf
-
-USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/fipstest/Makefile b/security/nss/cmd/fipstest/Makefile
deleted file mode 100755
index a54a124ed..000000000
--- a/security/nss/cmd/fipstest/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-#MKPROG = purify -cache-dir=/u/mcgreer/pcache -best-effort \
-#	-always-use-cache-dir $(CC)
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
diff --git a/security/nss/cmd/fipstest/aes.sh b/security/nss/cmd/fipstest/aes.sh
deleted file mode 100644
index 09ed494bf..000000000
--- a/security/nss/cmd/fipstest/aes.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST AES Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-cbc_kat_requests="
-CBCGFSbox128.req
-CBCGFSbox192.req
-CBCGFSbox256.req
-CBCKeySbox128.req
-CBCKeySbox192.req
-CBCKeySbox256.req
-CBCVarKey128.req
-CBCVarKey192.req
-CBCVarKey256.req
-CBCVarTxt128.req
-CBCVarTxt192.req
-CBCVarTxt256.req
-"
-
-cbc_mct_requests="
-CBCMCT128.req
-CBCMCT192.req
-CBCMCT256.req
-"
-
-cbc_mmt_requests="
-CBCMMT128.req
-CBCMMT192.req
-CBCMMT256.req
-"
-
-ecb_kat_requests="
-ECBGFSbox128.req
-ECBGFSbox192.req
-ECBGFSbox256.req
-ECBKeySbox128.req
-ECBKeySbox192.req
-ECBKeySbox256.req
-ECBVarKey128.req
-ECBVarKey192.req
-ECBVarKey256.req
-ECBVarTxt128.req
-ECBVarTxt192.req
-ECBVarTxt256.req
-"
-
-ecb_mct_requests="
-ECBMCT128.req
-ECBMCT192.req
-ECBMCT256.req
-"
-
-ecb_mmt_requests="
-ECBMMT128.req
-ECBMMT192.req
-ECBMMT256.req
-"
-
-for request in $ecb_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes kat ecb $request > $response
-done
-for request in $ecb_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mmt ecb $request > $response
-done
-for request in $ecb_mct_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mct ecb $request > $response
-done
-for request in $cbc_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes kat cbc $request > $response
-done
-for request in $cbc_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mmt cbc $request > $response
-done
-for request in $cbc_mct_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mct cbc $request > $response
-done
diff --git a/security/nss/cmd/fipstest/dsa.sh b/security/nss/cmd/fipstest/dsa.sh
deleted file mode 100755
index 50dd20d4a..000000000
--- a/security/nss/cmd/fipstest/dsa.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST DSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-request=KeyPair.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa keypair $request > $response
-
-request=PQGGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqggen $request > $response
-
-request=PQGVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqgver $request > $response
-
-request=SigGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa siggen $request > $response
-
-request=SigVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/ecdsa.sh b/security/nss/cmd/fipstest/ecdsa.sh
deleted file mode 100644
index 306c8650f..000000000
--- a/security/nss/cmd/fipstest/ecdsa.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST ECDSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-request=KeyPair.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa keypair $request > $response
-
-request=PKV.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa pkv $request > $response
-
-request=SigGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa siggen $request > $response
-
-request=SigVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c
deleted file mode 100644
index 85bb8cfc6..000000000
--- a/security/nss/cmd/fipstest/fipstest.c
+++ /dev/null
@@ -1,5044 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-
-#include "secitem.h"
-#include "blapi.h"
-#include "nss.h"
-#include "secerr.h"
-#include "secder.h"
-#include "secdig.h"
-#include "keythi.h"
-#include "ec.h"
-#include "hasht.h"
-#include "lowkeyi.h"
-#include "softoken.h"
-
-#if 0
-#include "../../lib/freebl/mpi/mpi.h"
-#endif
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus
-EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
-extern SECStatus
-EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
-              const ECParams *srcParams);
-#endif
-
-#define ENCRYPT 1
-#define DECRYPT 0
-#define BYTE unsigned char
-#define DEFAULT_RSA_PUBLIC_EXPONENT   0x10001
-#define RSA_MAX_TEST_MODULUS_BITS     4096
-#define RSA_MAX_TEST_MODULUS_BYTES    RSA_MAX_TEST_MODULUS_BITS/8
-#define RSA_MAX_TEST_EXPONENT_BYTES   8
-#define PQG_TEST_SEED_BYTES           20
-
-SECStatus
-hex_to_byteval(const char *c2, unsigned char *byteval)
-{
-    int i;
-    unsigned char offset;
-    *byteval = 0;
-    for (i=0; i<2; i++) {
-	if (c2[i] >= '0' && c2[i] <= '9') {
-	    offset = c2[i] - '0';
-	    *byteval |= offset << 4*(1-i);
-	} else if (c2[i] >= 'a' && c2[i] <= 'f') {
-	    offset = c2[i] - 'a';
-	    *byteval |= (offset + 10) << 4*(1-i);
-	} else if (c2[i] >= 'A' && c2[i] <= 'F') {
-	    offset = c2[i] - 'A';
-	    *byteval |= (offset + 10) << 4*(1-i);
-	} else {
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-byteval_to_hex(unsigned char byteval, char *c2, char a)
-{
-    int i;
-    unsigned char offset;
-    for (i=0; i<2; i++) {
-	offset = (byteval >> 4*(1-i)) & 0x0f;
-	if (offset < 10) {
-	    c2[i] = '0' + offset;
-	} else {
-	    c2[i] = a + offset - 10;
-	}
-    }
-    return SECSuccess;
-}
-
-void
-to_hex_str(char *str, const unsigned char *buf, unsigned int len)
-{
-    unsigned int i;
-    for (i=0; i<len; i++) {
-	byteval_to_hex(buf[i], &str[2*i], 'a');
-    }
-    str[2*len] = '\0';
-}
-
-void
-to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len)
-{
-    unsigned int i;
-    for (i=0; i<len; i++) {
-	byteval_to_hex(buf[i], &str[2*i], 'A');
-    }
-    str[2*len] = '\0';
-}
-
-/*
- * Convert a string of hex digits (str) to an array (buf) of len bytes.
- * Return PR_TRUE if the hex string can fit in the byte array.  Return
- * PR_FALSE if the hex string is empty or is too long.
- */
-PRBool
-from_hex_str(unsigned char *buf, unsigned int len, const char *str)
-{
-    unsigned int nxdigit;  /* number of hex digits in str */
-    unsigned int i;  /* index into buf */
-    unsigned int j;  /* index into str */
-
-    /* count the hex digits */
-    nxdigit = 0;
-    for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) {
-	/* empty body */
-    }
-    if (nxdigit == 0) {
-	return PR_FALSE;
-    }
-    if (nxdigit > 2*len) {
-	/*
-	 * The input hex string is too long, but we allow it if the
-	 * extra digits are leading 0's.
-	 */
-	for (j = 0; j < nxdigit-2*len; j++) {
-	    if (str[j] != '0') {
-		return PR_FALSE;
-	    }
-	}
-	/* skip leading 0's */
-	str += nxdigit-2*len;
-	nxdigit = 2*len;
-    }
-    for (i=0, j=0; i< len; i++) {
-	if (2*i < 2*len-nxdigit) {
-	    /* Handle a short input as if we padded it with leading 0's. */
-	    if (2*i+1 < 2*len-nxdigit) {
-		buf[i] = 0;
-	    } else {
-		char tmp[2];
-		tmp[0] = '0';
-		tmp[1] = str[j];
-		hex_to_byteval(tmp, &buf[i]);
-		j++;
-	    }
-	} else {
-	    hex_to_byteval(&str[j], &buf[i]);
-	    j += 2;
-	}
-    }
-    return PR_TRUE;
-}
-
-SECStatus
-tdea_encrypt_buf(
-    int mode,
-    const unsigned char *key, 
-    const unsigned char *iv,
-    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
-    const unsigned char *input, unsigned int inputlen)
-{
-    SECStatus rv = SECFailure;
-    DESContext *cx;
-    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
-    unsigned int doublechecklen = 0;
-
-    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
-    if (cx == NULL) {
-        goto loser;
-    }
-    rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (*outputlen != inputlen) {
-        goto loser;
-    }
-    DES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-
-    /*
-     * Doublecheck our result by decrypting the ciphertext and
-     * compare the output with the input plaintext.
-     */
-    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
-    if (cx == NULL) {
-        goto loser;
-    }
-    rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
-                    output, *outputlen);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (doublechecklen != *outputlen) {
-        goto loser;
-    }
-    DES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-    if (memcmp(doublecheck, input, inputlen) != 0) {
-        goto loser;
-    }
-    rv = SECSuccess;
-
-loser:
-    if (cx != NULL) {
-        DES_DestroyContext(cx, PR_TRUE);
-    }
-    return rv;
-}
-
-SECStatus
-tdea_decrypt_buf(
-    int mode,
-    const unsigned char *key, 
-    const unsigned char *iv,
-    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
-    const unsigned char *input, unsigned int inputlen)
-{
-    SECStatus rv = SECFailure;
-    DESContext *cx;
-    unsigned char doublecheck[8*20];  /* 1 to 20 blocks */
-    unsigned int doublechecklen = 0;
-
-    cx = DES_CreateContext(key, iv, mode, PR_FALSE);
-    if (cx == NULL) {
-        goto loser;
-    }
-    rv = DES_Decrypt(cx, output, outputlen, maxoutputlen,
-                    input, inputlen);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (*outputlen != inputlen) {
-        goto loser;
-    }
-    DES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-
-    /*
-     * Doublecheck our result by encrypting the plaintext and
-     * compare the output with the input ciphertext.
-     */
-    cx = DES_CreateContext(key, iv, mode, PR_TRUE);
-    if (cx == NULL) {
-        goto loser;
-    }
-    rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
-        output, *outputlen);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (doublechecklen != *outputlen) {
-        goto loser;
-    }
-    DES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-    if (memcmp(doublecheck, input, inputlen) != 0) {
-        goto loser;
-    }
-    rv = SECSuccess;
-
-loser:
-    if (cx != NULL) {
-        DES_DestroyContext(cx, PR_TRUE);
-    }
-    return rv;
-}
-
-/*
- * Perform the TDEA Known Answer Test (KAT) or Multi-block Message
- * Test (MMT) in ECB or CBC mode.  The KAT (there are five types)
- * and MMT have the same structure: given the key and IV (CBC mode
- * only), encrypt the given plaintext or decrypt the given ciphertext.
- * So we can handle them the same way.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-tdea_kat_mmt(char *reqfn)
-{
-    char buf[180];      /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "CIPHERTEXT = <180 hex digits>\n".
-                         */
-    FILE *req;       /* input stream from the REQUEST file */
-    FILE *resp;      /* output stream to the RESPONSE file */
-    int i, j;
-    int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
-    int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
-    unsigned char key[24];              /* TDEA 3 key bundle */
-    unsigned int numKeys = 0;
-    unsigned char iv[8];		/* for all modes except ECB */
-    unsigned char plaintext[8*20];     /* 1 to 20 blocks */
-    unsigned int plaintextlen;
-    unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
-    unsigned int ciphertextlen;
-    SECStatus rv;
-
-    req = fopen(reqfn, "r");
-    resp = stdout;
-    while (fgets(buf, sizeof buf, req) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, resp);
-            continue;
-        }
-        /* [ENCRYPT] or [DECRYPT] */
-        if (buf[0] == '[') {
-            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
-                crypt = ENCRYPT;
-            } else {
-                crypt = DECRYPT;
-            }
-            fputs(buf, resp);
-            continue;
-        }
-        /* NumKeys */
-        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
-            i = 7;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            numKeys = buf[i];
-            fputs(buf, resp);
-            continue;
-        }
-        /* "COUNT = x" begins a new data set */
-        if (strncmp(buf, "COUNT", 5) == 0) {
-            /* mode defaults to ECB, if dataset has IV mode will be set CBC */
-            mode = NSS_DES_EDE3;
-            /* zeroize the variables for the test with this data set */
-            memset(key, 0, sizeof key);
-            memset(iv, 0, sizeof iv);
-            memset(plaintext, 0, sizeof plaintext);
-            plaintextlen = 0;
-            memset(ciphertext, 0, sizeof ciphertext);
-            ciphertextlen = 0;
-            fputs(buf, resp);
-            continue;
-        }
-        if (numKeys == 0) {
-            if (strncmp(buf, "KEYs", 4) == 0) {
-                i = 4;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                    hex_to_byteval(&buf[i], &key[j]);
-                    key[j+8] = key[j];
-                    key[j+16] = key[j];
-                }
-                fputs(buf, resp);
-                continue;
-            }
-        } else {
-            /* KEY1 = ... */
-            if (strncmp(buf, "KEY1", 4) == 0) {
-                i = 4;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                    hex_to_byteval(&buf[i], &key[j]);
-                }
-                fputs(buf, resp);
-                continue;
-            }
-            /* KEY2 = ... */
-            if (strncmp(buf, "KEY2", 4) == 0) {
-                i = 4;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=8; isxdigit(buf[i]); i+=2,j++) {
-                    hex_to_byteval(&buf[i], &key[j]);
-                }
-                fputs(buf, resp);
-                continue;
-            }
-            /* KEY3 = ... */
-            if (strncmp(buf, "KEY3", 4) == 0) {
-                i = 4;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=16; isxdigit(buf[i]); i+=2,j++) {
-                    hex_to_byteval(&buf[i], &key[j]);
-                }
-                fputs(buf, resp);
-                continue;
-            }
-        }
-
-        /* IV = ... */
-        if (strncmp(buf, "IV", 2) == 0) {
-            mode = NSS_DES_EDE3_CBC;
-            i = 2;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j<sizeof iv; i+=2,j++) {
-                hex_to_byteval(&buf[i], &iv[j]);
-            }
-            fputs(buf, resp);
-            continue;
-        }
-
-        /* PLAINTEXT = ... */
-        if (strncmp(buf, "PLAINTEXT", 9) == 0) {
-            /* sanity check */
-            if (crypt != ENCRYPT) {
-                goto loser;
-            }
-            i = 9;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &plaintext[j]);
-            }
-            plaintextlen = j;
-            rv = tdea_encrypt_buf(mode, key,
-                            (mode == NSS_DES_EDE3) ? NULL : iv,
-                            ciphertext, &ciphertextlen, sizeof ciphertext,
-                            plaintext, plaintextlen);
-            if (rv != SECSuccess) {
-                goto loser;
-            }
-    
-            fputs(buf, resp);
-            fputs("CIPHERTEXT = ", resp);
-            to_hex_str(buf, ciphertext, ciphertextlen);
-            fputs(buf, resp);
-            fputc('\n', resp);
-            continue;
-        }
-        /* CIPHERTEXT = ... */
-        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
-            /* sanity check */
-            if (crypt != DECRYPT) {
-                goto loser;
-            }
- 
-            i = 10;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &ciphertext[j]);
-            }
-            ciphertextlen = j;
- 
-            rv = tdea_decrypt_buf(mode, key,
-                            (mode == NSS_DES_EDE3) ? NULL : iv,
-                            plaintext, &plaintextlen, sizeof plaintext,
-                            ciphertext, ciphertextlen);
-            if (rv != SECSuccess) {
-                goto loser;
-            }
- 
-            fputs(buf, resp);
-            fputs("PLAINTEXT = ", resp);
-            to_hex_str(buf, plaintext, plaintextlen);
-            fputs(buf, resp);
-            fputc('\n', resp);
-            continue;
-        }
-    }
-
-loser:
-    fclose(req);
-}
-
-/*
-* Set the parity bit for the given byte
-*/
-BYTE odd_parity( BYTE in)
-{
-    BYTE out = in;
-    in ^= in >> 4;
-    in ^= in >> 2;
-    in ^= in >> 1;
-    return (BYTE)(out ^ !(in & 1));
-}
-
-/*
- * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] 
- * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes.
- */
-void
-tdea_mct_next_keys(unsigned char *key,
-    const unsigned char *text_2, const unsigned char *text_1, 
-    const unsigned char *text, unsigned int numKeys)
-{
-    int k;
-
-    /* key1[i+1] = key1[i] xor PT/CT[j] */
-    for (k=0; k<8; k++) {
-        key[k] ^= text[k];
-    }
-    /* key2 */
-    if (numKeys == 2 || numKeys == 3)  {
-        /* key2 independent */
-        for (k=8; k<16; k++) {
-            /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */
-            key[k] ^= text_1[k-8];
-        }
-    } else {
-        /* key2 == key 1 */
-        for (k=8; k<16; k++) {
-            /* key2[i+1] = KEY2[i] xor PT/CT[j] */
-            key[k] = key[k-8];
-        }
-    }
-    /* key3 */
-    if (numKeys == 1 || numKeys == 2) {
-        /* key3 == key 1 */
-        for (k=16; k<24; k++) {
-            /* key3[i+1] = KEY3[i] xor PT/CT[j] */
-            key[k] = key[k-16];
-        }
-    } else {
-        /* key3 independent */ 
-        for (k=16; k<24; k++) {
-            /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */
-            key[k] ^= text_2[k-16];
-        }
-    }
-    /* set the parity bits */            
-    for (k=0; k<24; k++) {
-        key[k] = odd_parity(key[k]);
-    }
-}
-
-/*
- * Perform the Monte Carlo Test
- *
- * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC
- * crypt = ENCRYPT || DECRYPT
- * inputtext = plaintext or Cyphertext depending on the value of crypt
- * inputlength is expected to be size 8 bytes 
- * iv = needs to be set for NSS_DES_EDE3_CBC mode
- * resp = is the output response file. 
- */
- void                                                       
-tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, 
-              unsigned int crypt, unsigned char* inputtext, 
-              unsigned int inputlength, unsigned char* iv, FILE *resp) { 
-
-    int i, j;
-    unsigned char outputtext_1[8];      /* PT/CT[j-1] */
-    unsigned char outputtext_2[8];      /* PT/CT[j-2] */
-    char buf[80];       /* holds one line from the input REQUEST file. */
-    unsigned int outputlen;
-    unsigned char outputtext[8];
-    
-        
-    SECStatus rv;
-
-    if (mode == NSS_DES_EDE3 && iv != NULL) {
-        printf("IV must be NULL for NSS_DES_EDE3 mode");
-        goto loser;
-    } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) {
-        printf("IV must not be NULL for NSS_DES_EDE3_CBC mode");
-        goto loser;
-    }
-
-    /* loop 400 times */
-    for (i=0; i<400; i++) {
-        /* if i == 0 CV[0] = IV  not necessary */        
-        /* record the count and key values and plainText */
-        sprintf(buf, "COUNT = %d\n", i);
-        fputs(buf, resp);
-        /* Output KEY1[i] */
-        fputs("KEY1 = ", resp);
-        to_hex_str(buf, key, 8);
-        fputs(buf, resp);
-        fputc('\n', resp);
-        /* Output KEY2[i] */
-        fputs("KEY2 = ", resp);
-        to_hex_str(buf, &key[8], 8);
-        fputs(buf, resp);
-        fputc('\n', resp);
-        /* Output KEY3[i] */
-        fputs("KEY3 = ", resp);
-        to_hex_str(buf, &key[16], 8);
-        fputs(buf, resp);
-        fputc('\n', resp);
-        if (mode == NSS_DES_EDE3_CBC) {
-            /* Output CV[i] */
-            fputs("IV = ", resp);
-            to_hex_str(buf, iv, 8);
-            fputs(buf, resp);
-            fputc('\n', resp);
-        }
-        if (crypt == ENCRYPT) {
-            /* Output PT[0] */
-            fputs("PLAINTEXT = ", resp);
-        } else {
-            /* Output CT[0] */
-            fputs("CIPHERTEXT = ", resp);
-        }
-
-        to_hex_str(buf, inputtext, inputlength);
-        fputs(buf, resp);
-        fputc('\n', resp);
-
-        /* loop 10,000 times */
-        for (j=0; j<10000; j++) {
-
-            outputlen = 0;
-            if (crypt == ENCRYPT) {
-                /* inputtext == ciphertext outputtext == plaintext*/
-                rv = tdea_encrypt_buf(mode, key,
-                            (mode == NSS_DES_EDE3) ? NULL : iv,
-                            outputtext, &outputlen, 8,
-                            inputtext, 8);
-            } else {
-                /* inputtext == plaintext outputtext == ciphertext */
-                rv = tdea_decrypt_buf(mode, key,
-                            (mode == NSS_DES_EDE3) ? NULL : iv,
-                            outputtext, &outputlen, 8,
-                            inputtext, 8);
-            }
-
-            if (rv != SECSuccess) {
-                goto loser;
-            }
-            if (outputlen != inputlength) {
-                goto loser;
-            }
-
-            if (mode == NSS_DES_EDE3_CBC) {
-                if (crypt == ENCRYPT) {
-                    if (j == 0) {
-                        /*P[j+1] = CV[0] */
-                        memcpy(inputtext, iv, 8);
-                    } else {
-                        /* p[j+1] = C[j-1] */
-                        memcpy(inputtext, outputtext_1, 8);
-                    }
-                    /* CV[j+1] = C[j] */
-                    memcpy(iv, outputtext, 8);
-                    if (j != 9999) {
-                        /* save C[j-1] */
-                        memcpy(outputtext_1, outputtext, 8);
-                    }
-                } else { /* DECRYPT */
-                    /* CV[j+1] = C[j] */
-                    memcpy(iv, inputtext, 8);
-                    /* C[j+1] = P[j] */
-                    memcpy(inputtext, outputtext, 8);
-                }
-            } else {
-                /* ECB mode PT/CT[j+1] = CT/PT[j] */
-                memcpy(inputtext, outputtext, 8);
-            }
-
-            /* Save PT/CT[j-2] and PT/CT[j-1] */
-            if (j==9997) memcpy(outputtext_2, outputtext, 8);
-            if (j==9998) memcpy(outputtext_1, outputtext, 8);
-            /* done at the end of the for(j) loop */
-        }
-
-
-        if (crypt == ENCRYPT) {
-            /* Output CT[j] */
-            fputs("CIPHERTEXT = ", resp);
-        } else {
-            /* Output PT[j] */
-            fputs("PLAINTEXT = ", resp);
-        }
-        to_hex_str(buf, outputtext, 8);
-        fputs(buf, resp);
-        fputc('\n', resp);
-
-        /* Key[i+1] = Key[i] xor ...  outputtext_2 == PT/CT[j-2] 
-         *  outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] 
-         */
-        tdea_mct_next_keys(key, outputtext_2, 
-                           outputtext_1, outputtext, numKeys);
-
-        if (mode == NSS_DES_EDE3_CBC) {
-            /* taken care of in the j=9999 iteration */
-            if (crypt == ENCRYPT) {
-                /* P[i] = C[j-1] */
-                /* CV[i] = C[j] */
-            } else {
-                /* taken care of in the j=9999 iteration */
-                /* CV[i] = C[j] */
-                /* C[i] = P[j]  */
-            }
-        } else {
-            /* ECB PT/CT[i] = PT/CT[j]  */
-            memcpy(inputtext, outputtext, 8);
-        }
-        /* done at the end of the for(i) loop */
-        fputc('\n', resp);
-    }
-
-loser:
-    return;
-}
-
-/*
- * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes.
- * by gathering the input from the request file, and then 
- * calling tdea_mct_test.
- *
- * reqfn is the pathname of the input REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-tdea_mct(int mode, char *reqfn)
-{
-    int i, j;
-    char buf[80];    /* holds one line from the input REQUEST file. */
-    FILE *req;       /* input stream from the REQUEST file */
-    FILE *resp;      /* output stream to the RESPONSE file */
-    unsigned int crypt = 0;    /* 1 means encrypt, 0 means decrypt */
-    unsigned char key[24];              /* TDEA 3 key bundle */
-    unsigned int numKeys = 0;
-    unsigned char plaintext[8];        /* PT[j] */
-    unsigned char ciphertext[8];       /* CT[j] */
-    unsigned char iv[8];
-
-    /* zeroize the variables for the test with this data set */
-    memset(key, 0, sizeof key);
-    memset(plaintext, 0, sizeof plaintext);
-    memset(ciphertext, 0, sizeof ciphertext);
-    memset(iv, 0, sizeof iv);
-
-    req = fopen(reqfn, "r");
-    resp = stdout;
-    while (fgets(buf, sizeof buf, req) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, resp);
-            continue;
-        }
-        /* [ENCRYPT] or [DECRYPT] */
-        if (buf[0] == '[') {
-            if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
-                crypt = ENCRYPT;
-            } else {
-                crypt = DECRYPT;
-           }
-           fputs(buf, resp);
-           continue;
-        }
-        /* NumKeys */
-        if (strncmp(&buf[0], "NumKeys", 7) == 0) {
-            i = 7;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            numKeys = atoi(&buf[i]);
-            continue;
-        }
-        /* KEY1 = ... */
-        if (strncmp(buf, "KEY1", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &key[j]);
-            }
-            continue;
-        }
-        /* KEY2 = ... */
-        if (strncmp(buf, "KEY2", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=8; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &key[j]);
-            }
-            continue;
-        }
-        /* KEY3 = ... */
-        if (strncmp(buf, "KEY3", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=16; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &key[j]);
-            }
-            continue;
-        }
-
-        /* IV = ... */
-        if (strncmp(buf, "IV", 2) == 0) {
-            i = 2;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j<sizeof iv; i+=2,j++) {
-                hex_to_byteval(&buf[i], &iv[j]);
-            }
-            continue;
-        }
-
-       /* PLAINTEXT = ... */
-       if (strncmp(buf, "PLAINTEXT", 9) == 0) {
-
-            /* sanity check */
-            if (crypt != ENCRYPT) {
-                goto loser;
-            }
-            /* PT[0] = PT */
-            i = 9;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j<sizeof plaintext; i+=2,j++) {
-                hex_to_byteval(&buf[i], &plaintext[j]);
-            }                                     
-
-            /* do the Monte Carlo test */
-            if (mode==NSS_DES_EDE3) {
-                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp);
-            } else {
-                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp);
-            }
-            continue;
-        }
-        /* CIPHERTEXT = ... */
-        if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
-            /* sanity check */
-            if (crypt != DECRYPT) {
-                goto loser;
-            }
-            /* CT[0] = CT */
-            i = 10;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &ciphertext[j]);
-            }
-            
-            /* do the Monte Carlo test */
-            if (mode==NSS_DES_EDE3) {
-                tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); 
-            } else {
-                tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); 
-            }
-            continue;
-        }
-    }
-
-loser:
-    fclose(req);
-}
-
-
-SECStatus
-aes_encrypt_buf(
-    int mode,
-    const unsigned char *key, unsigned int keysize,
-    const unsigned char *iv,
-    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
-    const unsigned char *input, unsigned int inputlen)
-{
-    SECStatus rv = SECFailure;
-    AESContext *cx;
-    unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
-    unsigned int doublechecklen = 0;
-
-    cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
-    if (cx == NULL) {
-	goto loser;
-    }
-    rv = AES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (*outputlen != inputlen) {
-	goto loser;
-    }
-    AES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-
-    /*
-     * Doublecheck our result by decrypting the ciphertext and
-     * compare the output with the input plaintext.
-     */
-    cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
-    if (cx == NULL) {
-	goto loser;
-    }
-    rv = AES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
-	output, *outputlen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (doublechecklen != *outputlen) {
-	goto loser;
-    }
-    AES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-    if (memcmp(doublecheck, input, inputlen) != 0) {
-	goto loser;
-    }
-    rv = SECSuccess;
-
-loser:
-    if (cx != NULL) {
-	AES_DestroyContext(cx, PR_TRUE);
-    }
-    return rv;
-}
-
-SECStatus
-aes_decrypt_buf(
-    int mode,
-    const unsigned char *key, unsigned int keysize,
-    const unsigned char *iv,
-    unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen,
-    const unsigned char *input, unsigned int inputlen)
-{
-    SECStatus rv = SECFailure;
-    AESContext *cx;
-    unsigned char doublecheck[10*16];  /* 1 to 10 blocks */
-    unsigned int doublechecklen = 0;
-
-    cx = AES_CreateContext(key, iv, mode, PR_FALSE, keysize, 16);
-    if (cx == NULL) {
-	goto loser;
-    }
-    rv = AES_Decrypt(cx, output, outputlen, maxoutputlen,
-	input, inputlen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (*outputlen != inputlen) {
-	goto loser;
-    }
-    AES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-
-    /*
-     * Doublecheck our result by encrypting the plaintext and
-     * compare the output with the input ciphertext.
-     */
-    cx = AES_CreateContext(key, iv, mode, PR_TRUE, keysize, 16);
-    if (cx == NULL) {
-	goto loser;
-    }
-    rv = AES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck,
-	output, *outputlen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (doublechecklen != *outputlen) {
-	goto loser;
-    }
-    AES_DestroyContext(cx, PR_TRUE);
-    cx = NULL;
-    if (memcmp(doublecheck, input, inputlen) != 0) {
-	goto loser;
-    }
-    rv = SECSuccess;
-
-loser:
-    if (cx != NULL) {
-	AES_DestroyContext(cx, PR_TRUE);
-    }
-    return rv;
-}
-
-/*
- * Perform the AES Known Answer Test (KAT) or Multi-block Message
- * Test (MMT) in ECB or CBC mode.  The KAT (there are four types)
- * and MMT have the same structure: given the key and IV (CBC mode
- * only), encrypt the given plaintext or decrypt the given ciphertext.
- * So we can handle them the same way.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-aes_kat_mmt(char *reqfn)
-{
-    char buf[512];      /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "CIPHERTEXT = <320 hex digits>\n".
-                         */
-    FILE *aesreq;       /* input stream from the REQUEST file */
-    FILE *aesresp;      /* output stream to the RESPONSE file */
-    int i, j;
-    int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
-    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
-    unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
-    unsigned char iv[16];		/* for all modes except ECB */
-    unsigned char plaintext[10*16];     /* 1 to 10 blocks */
-    unsigned int plaintextlen;
-    unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
-    unsigned int ciphertextlen;
-    SECStatus rv;
-
-    aesreq = fopen(reqfn, "r");
-    aesresp = stdout;
-    while (fgets(buf, sizeof buf, aesreq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* [ENCRYPT] or [DECRYPT] */
-	if (buf[0] == '[') {
-	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
-		encrypt = 1;
-	    } else {
-		encrypt = 0;
-	    }
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* "COUNT = x" begins a new data set */
-	if (strncmp(buf, "COUNT", 5) == 0) {
-	    mode = NSS_AES;
-	    /* zeroize the variables for the test with this data set */
-	    memset(key, 0, sizeof key);
-	    keysize = 0;
-	    memset(iv, 0, sizeof iv);
-	    memset(plaintext, 0, sizeof plaintext);
-	    plaintextlen = 0;
-	    memset(ciphertext, 0, sizeof ciphertext);
-	    ciphertextlen = 0;
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* KEY = ... */
-	if (strncmp(buf, "KEY", 3) == 0) {
-	    i = 3;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &key[j]);
-	    }
-	    keysize = j;
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* IV = ... */
-	if (strncmp(buf, "IV", 2) == 0) {
-	    mode = NSS_AES_CBC;
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof iv; i+=2,j++) {
-		hex_to_byteval(&buf[i], &iv[j]);
-	    }
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* PLAINTEXT = ... */
-	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
-	    /* sanity check */
-	    if (!encrypt) {
-		goto loser;
-	    }
-
-	    i = 9;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &plaintext[j]);
-	    }
-	    plaintextlen = j;
-
-	    rv = aes_encrypt_buf(mode, key, keysize,
-		(mode == NSS_AES) ? NULL : iv,
-		ciphertext, &ciphertextlen, sizeof ciphertext,
-		plaintext, plaintextlen);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-
-	    fputs(buf, aesresp);
-	    fputs("CIPHERTEXT = ", aesresp);
-	    to_hex_str(buf, ciphertext, ciphertextlen);
-	    fputs(buf, aesresp);
-	    fputc('\n', aesresp);
-	    continue;
-	}
-	/* CIPHERTEXT = ... */
-	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
-	    /* sanity check */
-	    if (encrypt) {
-		goto loser;
-	    }
-
-	    i = 10;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &ciphertext[j]);
-	    }
-	    ciphertextlen = j;
-
-	    rv = aes_decrypt_buf(mode, key, keysize,
-		(mode == NSS_AES) ? NULL : iv,
-		plaintext, &plaintextlen, sizeof plaintext,
-		ciphertext, ciphertextlen);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-
-	    fputs(buf, aesresp);
-	    fputs("PLAINTEXT = ", aesresp);
-	    to_hex_str(buf, plaintext, plaintextlen);
-	    fputs(buf, aesresp);
-	    fputc('\n', aesresp);
-	    continue;
-	}
-    }
-loser:
-    fclose(aesreq);
-}
-
-/*
- * Generate Key[i+1] from Key[i], CT[j-1], and CT[j] for AES Monte Carlo
- * Test (MCT) in ECB and CBC modes.
- */
-void
-aes_mct_next_key(unsigned char *key, unsigned int keysize,
-    const unsigned char *ciphertext_1, const unsigned char *ciphertext)
-{
-    int k;
-
-    switch (keysize) {
-    case 16:  /* 128-bit key */
-	/* Key[i+1] = Key[i] xor CT[j] */
-	for (k=0; k<16; k++) {
-	    key[k] ^= ciphertext[k];
-	}
-	break;
-    case 24:  /* 192-bit key */
-	/*
-	 * Key[i+1] = Key[i] xor (last 64-bits of
-	 *            CT[j-1] || CT[j])
-	 */
-	for (k=0; k<8; k++) {
-	    key[k] ^= ciphertext_1[k+8];
-	}
-	for (k=8; k<24; k++) {
-	    key[k] ^= ciphertext[k-8];
-	}
-	break;
-    case 32:  /* 256-bit key */
-	/* Key[i+1] = Key[i] xor (CT[j-1] || CT[j]) */
-	for (k=0; k<16; k++) {
-	    key[k] ^= ciphertext_1[k];
-	}
-	for (k=16; k<32; k++) {
-	    key[k] ^= ciphertext[k-16];
-	}
-	break;
-    }
-}
-
-/*
- * Perform the AES Monte Carlo Test (MCT) in ECB mode.  MCT exercises
- * our AES code in streaming mode because the plaintext or ciphertext
- * is generated block by block as we go, so we can't collect all the
- * plaintext or ciphertext in one buffer and encrypt or decrypt it in
- * one shot.
- *
- * reqfn is the pathname of the input REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-aes_ecb_mct(char *reqfn)
-{
-    char buf[80];       /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "KEY = <64 hex digits>\n".
-                         */
-    FILE *aesreq;       /* input stream from the REQUEST file */
-    FILE *aesresp;      /* output stream to the RESPONSE file */
-    int i, j;
-    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
-    unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
-    unsigned char plaintext[16];        /* PT[j] */
-    unsigned char plaintext_1[16];      /* PT[j-1] */
-    unsigned char ciphertext[16];       /* CT[j] */
-    unsigned char ciphertext_1[16];     /* CT[j-1] */
-    unsigned char doublecheck[16];
-    unsigned int outputlen;
-    AESContext *cx = NULL;	/* the operation being tested */
-    AESContext *cx2 = NULL;     /* the inverse operation done in parallel
-                                 * to doublecheck our result.
-                                 */
-    SECStatus rv;
-
-    aesreq = fopen(reqfn, "r");
-    aesresp = stdout;
-    while (fgets(buf, sizeof buf, aesreq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* [ENCRYPT] or [DECRYPT] */
-	if (buf[0] == '[') {
-	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
-		encrypt = 1;
-	    } else {
-		encrypt = 0;
-	    }
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* "COUNT = x" begins a new data set */
-	if (strncmp(buf, "COUNT", 5) == 0) {
-	    /* zeroize the variables for the test with this data set */
-	    memset(key, 0, sizeof key);
-	    keysize = 0;
-	    memset(plaintext, 0, sizeof plaintext);
-	    memset(ciphertext, 0, sizeof ciphertext);
-	    continue;
-	}
-	/* KEY = ... */
-	if (strncmp(buf, "KEY", 3) == 0) {
-	    /* Key[0] = Key */
-	    i = 3;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &key[j]);
-	    }
-	    keysize = j;
-	    continue;
-	}
-	/* PLAINTEXT = ... */
-	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
-	    /* sanity check */
-	    if (!encrypt) {
-		goto loser;
-	    }
-	    /* PT[0] = PT */
-	    i = 9;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof plaintext; i+=2,j++) {
-		hex_to_byteval(&buf[i], &plaintext[j]);
-	    }
-
-	    for (i=0; i<100; i++) {
-		sprintf(buf, "COUNT = %d\n", i);
-	        fputs(buf, aesresp);
-		/* Output Key[i] */
-		fputs("KEY = ", aesresp);
-		to_hex_str(buf, key, keysize);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output PT[0] */
-		fputs("PLAINTEXT = ", aesresp);
-		to_hex_str(buf, plaintext, sizeof plaintext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		cx = AES_CreateContext(key, NULL, NSS_AES,
-		    PR_TRUE, keysize, 16);
-		if (cx == NULL) {
-		    goto loser;
-		}
-		/*
-		 * doublecheck our result by decrypting the result
-		 * and comparing the output with the plaintext.
-		 */
-		cx2 = AES_CreateContext(key, NULL, NSS_AES,
-		    PR_FALSE, keysize, 16);
-		if (cx2 == NULL) {
-		    goto loser;
-		}
-		for (j=0; j<1000; j++) {
-		    /* Save CT[j-1] */
-		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
-
-		    /* CT[j] = AES(Key[i], PT[j]) */
-		    outputlen = 0;
-		    rv = AES_Encrypt(cx,
-			ciphertext, &outputlen, sizeof ciphertext,
-			plaintext, sizeof plaintext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof plaintext) {
-			goto loser;
-		    }
-
-		    /* doublecheck our result */
-		    outputlen = 0;
-		    rv = AES_Decrypt(cx2,
-			doublecheck, &outputlen, sizeof doublecheck,
-			ciphertext, sizeof ciphertext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof ciphertext) {
-			goto loser;
-		    }
-		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
-			goto loser;
-		    }
-
-		    /* PT[j+1] = CT[j] */
-		    memcpy(plaintext, ciphertext, sizeof plaintext);
-		}
-		AES_DestroyContext(cx, PR_TRUE);
-		cx = NULL;
-		AES_DestroyContext(cx2, PR_TRUE);
-		cx2 = NULL;
-
-		/* Output CT[j] */
-		fputs("CIPHERTEXT = ", aesresp);
-		to_hex_str(buf, ciphertext, sizeof ciphertext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		/* Key[i+1] = Key[i] xor ... */
-		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
-		/* PT[0] = CT[j] */
-		/* done at the end of the for(j) loop */
-
-		fputc('\n', aesresp);
-	    }
-
-	    continue;
-	}
-	/* CIPHERTEXT = ... */
-	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
-	    /* sanity check */
-	    if (encrypt) {
-		goto loser;
-	    }
-	    /* CT[0] = CT */
-	    i = 10;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &ciphertext[j]);
-	    }
-
-	    for (i=0; i<100; i++) {
-		sprintf(buf, "COUNT = %d\n", i);
-	        fputs(buf, aesresp);
-		/* Output Key[i] */
-		fputs("KEY = ", aesresp);
-		to_hex_str(buf, key, keysize);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output CT[0] */
-		fputs("CIPHERTEXT = ", aesresp);
-		to_hex_str(buf, ciphertext, sizeof ciphertext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		cx = AES_CreateContext(key, NULL, NSS_AES,
-		    PR_FALSE, keysize, 16);
-		if (cx == NULL) {
-		    goto loser;
-		}
-		/*
-		 * doublecheck our result by encrypting the result
-		 * and comparing the output with the ciphertext.
-		 */
-		cx2 = AES_CreateContext(key, NULL, NSS_AES,
-		    PR_TRUE, keysize, 16);
-		if (cx2 == NULL) {
-		    goto loser;
-		}
-		for (j=0; j<1000; j++) {
-		    /* Save PT[j-1] */
-		    memcpy(plaintext_1, plaintext, sizeof plaintext);
-
-		    /* PT[j] = AES(Key[i], CT[j]) */
-		    outputlen = 0;
-		    rv = AES_Decrypt(cx,
-			plaintext, &outputlen, sizeof plaintext,
-			ciphertext, sizeof ciphertext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof ciphertext) {
-			goto loser;
-		    }
-
-		    /* doublecheck our result */
-		    outputlen = 0;
-		    rv = AES_Encrypt(cx2,
-			doublecheck, &outputlen, sizeof doublecheck,
-			plaintext, sizeof plaintext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof plaintext) {
-			goto loser;
-		    }
-		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
-			goto loser;
-		    }
-
-		    /* CT[j+1] = PT[j] */
-		    memcpy(ciphertext, plaintext, sizeof ciphertext);
-		}
-		AES_DestroyContext(cx, PR_TRUE);
-		cx = NULL;
-		AES_DestroyContext(cx2, PR_TRUE);
-		cx2 = NULL;
-
-		/* Output PT[j] */
-		fputs("PLAINTEXT = ", aesresp);
-		to_hex_str(buf, plaintext, sizeof plaintext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		/* Key[i+1] = Key[i] xor ... */
-		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
-		/* CT[0] = PT[j] */
-		/* done at the end of the for(j) loop */
-
-		fputc('\n', aesresp);
-	    }
-
-	    continue;
-	}
-    }
-loser:
-    if (cx != NULL) {
-	AES_DestroyContext(cx, PR_TRUE);
-    }
-    if (cx2 != NULL) {
-	AES_DestroyContext(cx2, PR_TRUE);
-    }
-    fclose(aesreq);
-}
-
-/*
- * Perform the AES Monte Carlo Test (MCT) in CBC mode.  MCT exercises
- * our AES code in streaming mode because the plaintext or ciphertext
- * is generated block by block as we go, so we can't collect all the
- * plaintext or ciphertext in one buffer and encrypt or decrypt it in
- * one shot.
- *
- * reqfn is the pathname of the input REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-aes_cbc_mct(char *reqfn)
-{
-    char buf[80];       /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "KEY = <64 hex digits>\n".
-                         */
-    FILE *aesreq;       /* input stream from the REQUEST file */
-    FILE *aesresp;      /* output stream to the RESPONSE file */
-    int i, j;
-    int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
-    unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
-    unsigned char iv[16];
-    unsigned char plaintext[16];        /* PT[j] */
-    unsigned char plaintext_1[16];      /* PT[j-1] */
-    unsigned char ciphertext[16];       /* CT[j] */
-    unsigned char ciphertext_1[16];     /* CT[j-1] */
-    unsigned char doublecheck[16];
-    unsigned int outputlen;
-    AESContext *cx = NULL;	/* the operation being tested */
-    AESContext *cx2 = NULL;     /* the inverse operation done in parallel
-                                 * to doublecheck our result.
-                                 */
-    SECStatus rv;
-
-    aesreq = fopen(reqfn, "r");
-    aesresp = stdout;
-    while (fgets(buf, sizeof buf, aesreq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* [ENCRYPT] or [DECRYPT] */
-	if (buf[0] == '[') {
-	    if (strncmp(&buf[1], "ENCRYPT", 7) == 0) {
-		encrypt = 1;
-	    } else {
-		encrypt = 0;
-	    }
-	    fputs(buf, aesresp);
-	    continue;
-	}
-	/* "COUNT = x" begins a new data set */
-	if (strncmp(buf, "COUNT", 5) == 0) {
-	    /* zeroize the variables for the test with this data set */
-	    memset(key, 0, sizeof key);
-	    keysize = 0;
-	    memset(iv, 0, sizeof iv);
-	    memset(plaintext, 0, sizeof plaintext);
-	    memset(ciphertext, 0, sizeof ciphertext);
-	    continue;
-	}
-	/* KEY = ... */
-	if (strncmp(buf, "KEY", 3) == 0) {
-	    /* Key[0] = Key */
-	    i = 3;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &key[j]);
-	    }
-	    keysize = j;
-	    continue;
-	}
-	/* IV = ... */
-	if (strncmp(buf, "IV", 2) == 0) {
-	    /* IV[0] = IV */
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof iv; i+=2,j++) {
-		hex_to_byteval(&buf[i], &iv[j]);
-	    }
-	    continue;
-	}
-	/* PLAINTEXT = ... */
-	if (strncmp(buf, "PLAINTEXT", 9) == 0) {
-	    /* sanity check */
-	    if (!encrypt) {
-		goto loser;
-	    }
-	    /* PT[0] = PT */
-	    i = 9;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof plaintext; i+=2,j++) {
-		hex_to_byteval(&buf[i], &plaintext[j]);
-	    }
-
-	    for (i=0; i<100; i++) {
-		sprintf(buf, "COUNT = %d\n", i);
-	        fputs(buf, aesresp);
-		/* Output Key[i] */
-		fputs("KEY = ", aesresp);
-		to_hex_str(buf, key, keysize);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output IV[i] */
-		fputs("IV = ", aesresp);
-		to_hex_str(buf, iv, sizeof iv);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output PT[0] */
-		fputs("PLAINTEXT = ", aesresp);
-		to_hex_str(buf, plaintext, sizeof plaintext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
-		    PR_TRUE, keysize, 16);
-		if (cx == NULL) {
-		    goto loser;
-		}
-		/*
-		 * doublecheck our result by decrypting the result
-		 * and comparing the output with the plaintext.
-		 */
-		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
-		    PR_FALSE, keysize, 16);
-		if (cx2 == NULL) {
-		    goto loser;
-		}
-		/* CT[-1] = IV[i] */
-		memcpy(ciphertext, iv, sizeof ciphertext);
-		for (j=0; j<1000; j++) {
-		    /* Save CT[j-1] */
-		    memcpy(ciphertext_1, ciphertext, sizeof ciphertext);
-		    /*
-		     * If ( j=0 )
-		     *      CT[j] = AES(Key[i], IV[i], PT[j])
-		     *      PT[j+1] = IV[i] (= CT[j-1])
-		     * Else
-		     *      CT[j] = AES(Key[i], PT[j])
-		     *      PT[j+1] = CT[j-1]
-		     */
-		    outputlen = 0;
-		    rv = AES_Encrypt(cx,
-			ciphertext, &outputlen, sizeof ciphertext,
-			plaintext, sizeof plaintext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof plaintext) {
-			goto loser;
-		    }
-
-		    /* doublecheck our result */
-		    outputlen = 0;
-		    rv = AES_Decrypt(cx2,
-			doublecheck, &outputlen, sizeof doublecheck,
-			ciphertext, sizeof ciphertext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof ciphertext) {
-			goto loser;
-		    }
-		    if (memcmp(doublecheck, plaintext, sizeof plaintext)) {
-			goto loser;
-		    }
-
-		    memcpy(plaintext, ciphertext_1, sizeof plaintext);
-		}
-		AES_DestroyContext(cx, PR_TRUE);
-		cx = NULL;
-		AES_DestroyContext(cx2, PR_TRUE);
-		cx2 = NULL;
-
-		/* Output CT[j] */
-		fputs("CIPHERTEXT = ", aesresp);
-		to_hex_str(buf, ciphertext, sizeof ciphertext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		/* Key[i+1] = Key[i] xor ... */
-		aes_mct_next_key(key, keysize, ciphertext_1, ciphertext);
-		/* IV[i+1] = CT[j] */
-		memcpy(iv, ciphertext, sizeof iv);
-		/* PT[0] = CT[j-1] */
-		/* done at the end of the for(j) loop */
-
-		fputc('\n', aesresp);
-	    }
-
-	    continue;
-	}
-	/* CIPHERTEXT = ... */
-	if (strncmp(buf, "CIPHERTEXT", 10) == 0) {
-	    /* sanity check */
-	    if (encrypt) {
-		goto loser;
-	    }
-	    /* CT[0] = CT */
-	    i = 10;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &ciphertext[j]);
-	    }
-
-	    for (i=0; i<100; i++) {
-		sprintf(buf, "COUNT = %d\n", i);
-	        fputs(buf, aesresp);
-		/* Output Key[i] */
-		fputs("KEY = ", aesresp);
-		to_hex_str(buf, key, keysize);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output IV[i] */
-		fputs("IV = ", aesresp);
-		to_hex_str(buf, iv, sizeof iv);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-		/* Output CT[0] */
-		fputs("CIPHERTEXT = ", aesresp);
-		to_hex_str(buf, ciphertext, sizeof ciphertext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		cx = AES_CreateContext(key, iv, NSS_AES_CBC,
-		    PR_FALSE, keysize, 16);
-		if (cx == NULL) {
-		    goto loser;
-		}
-		/*
-		 * doublecheck our result by encrypting the result
-		 * and comparing the output with the ciphertext.
-		 */
-		cx2 = AES_CreateContext(key, iv, NSS_AES_CBC,
-		    PR_TRUE, keysize, 16);
-		if (cx2 == NULL) {
-		    goto loser;
-		}
-		/* PT[-1] = IV[i] */
-		memcpy(plaintext, iv, sizeof plaintext);
-		for (j=0; j<1000; j++) {
-		    /* Save PT[j-1] */
-		    memcpy(plaintext_1, plaintext, sizeof plaintext);
-		    /*
-		     * If ( j=0 )
-		     *      PT[j] = AES(Key[i], IV[i], CT[j])
-		     *      CT[j+1] = IV[i] (= PT[j-1])
-		     * Else
-		     *      PT[j] = AES(Key[i], CT[j])
-		     *      CT[j+1] = PT[j-1]
-		     */
-		    outputlen = 0;
-		    rv = AES_Decrypt(cx,
-			plaintext, &outputlen, sizeof plaintext,
-			ciphertext, sizeof ciphertext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof ciphertext) {
-			goto loser;
-		    }
-
-		    /* doublecheck our result */
-		    outputlen = 0;
-		    rv = AES_Encrypt(cx2,
-			doublecheck, &outputlen, sizeof doublecheck,
-			plaintext, sizeof plaintext);
-		    if (rv != SECSuccess) {
-			goto loser;
-		    }
-		    if (outputlen != sizeof plaintext) {
-			goto loser;
-		    }
-		    if (memcmp(doublecheck, ciphertext, sizeof ciphertext)) {
-			goto loser;
-		    }
-
-		    memcpy(ciphertext, plaintext_1, sizeof ciphertext);
-		}
-		AES_DestroyContext(cx, PR_TRUE);
-		cx = NULL;
-		AES_DestroyContext(cx2, PR_TRUE);
-		cx2 = NULL;
-
-		/* Output PT[j] */
-		fputs("PLAINTEXT = ", aesresp);
-		to_hex_str(buf, plaintext, sizeof plaintext);
-		fputs(buf, aesresp);
-		fputc('\n', aesresp);
-
-		/* Key[i+1] = Key[i] xor ... */
-		aes_mct_next_key(key, keysize, plaintext_1, plaintext);
-		/* IV[i+1] = PT[j] */
-		memcpy(iv, plaintext, sizeof iv);
-		/* CT[0] = PT[j-1] */
-		/* done at the end of the for(j) loop */
-
-		fputc('\n', aesresp);
-	    }
-
-	    continue;
-	}
-    }
-loser:
-    if (cx != NULL) {
-	AES_DestroyContext(cx, PR_TRUE);
-    }
-    if (cx2 != NULL) {
-	AES_DestroyContext(cx2, PR_TRUE);
-    }
-    fclose(aesreq);
-}
-
-void write_compact_string(FILE *out, unsigned char *hash, unsigned int len)
-{
-    unsigned int i;
-    int j, count = 0, last = -1, z = 0;
-    long start = ftell(out);
-    for (i=0; i<len; i++) {
-	for (j=7; j>=0; j--) {
-	    if (last < 0) {
-		last = (hash[i] & (1 << j)) ? 1 : 0;
-		fprintf(out, "%d ", last);
-		count = 1;
-	    } else if (hash[i] & (1 << j)) {
-		if (last) {
-		    count++; 
-		} else { 
-		    last = 0;
-		    fprintf(out, "%d ", count);
-		    count = 1;
-		    z++;
-		}
-	    } else {
-		if (!last) {
-		    count++; 
-		} else { 
-		    last = 1;
-		    fprintf(out, "%d ", count);
-		    count = 1;
-		    z++;
-		}
-	    }
-	}
-    }
-    fprintf(out, "^\n");
-    fseek(out, start, SEEK_SET);
-    fprintf(out, "%d ", z);
-    fseek(out, 0, SEEK_END);
-}
-
-int get_next_line(FILE *req, char *key, char *val, FILE *rsp)
-{
-    int ignore = 0;
-    char *writeto = key;
-    int w = 0;
-    int c;
-    while ((c = fgetc(req)) != EOF) {
-	if (ignore) {
-	    fprintf(rsp, "%c", c);
-	    if (c == '\n') return ignore;
-	} else if (c == '\n') {
-	    break;
-	} else if (c == '#') {
-	    ignore = 1;
-	    fprintf(rsp, "%c", c);
-	} else if (c == '=') {
-	    writeto[w] = '\0';
-	    w = 0;
-	    writeto = val;
-	} else if (c == ' ' || c == '[' || c == ']') {
-	    continue;
-	} else {
-	    writeto[w++] = c;
-	}
-    }
-    writeto[w] = '\0';
-    return (c == EOF) ? -1 : ignore;
-}
-
-#ifdef NSS_ENABLE_ECC
-typedef struct curveNameTagPairStr {
-    char *curveName;
-    SECOidTag curveOidTag;
-} CurveNameTagPair;
-
-#define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
-/* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
-
-static CurveNameTagPair nameTagPair[] =
-{ 
-  { "sect163k1", SEC_OID_SECG_EC_SECT163K1},
-  { "nistk163", SEC_OID_SECG_EC_SECT163K1},
-  { "sect163r1", SEC_OID_SECG_EC_SECT163R1},
-  { "sect163r2", SEC_OID_SECG_EC_SECT163R2},
-  { "nistb163", SEC_OID_SECG_EC_SECT163R2},
-  { "sect193r1", SEC_OID_SECG_EC_SECT193R1},
-  { "sect193r2", SEC_OID_SECG_EC_SECT193R2},
-  { "sect233k1", SEC_OID_SECG_EC_SECT233K1},
-  { "nistk233", SEC_OID_SECG_EC_SECT233K1},
-  { "sect233r1", SEC_OID_SECG_EC_SECT233R1},
-  { "nistb233", SEC_OID_SECG_EC_SECT233R1},
-  { "sect239k1", SEC_OID_SECG_EC_SECT239K1},
-  { "sect283k1", SEC_OID_SECG_EC_SECT283K1},
-  { "nistk283", SEC_OID_SECG_EC_SECT283K1},
-  { "sect283r1", SEC_OID_SECG_EC_SECT283R1},
-  { "nistb283", SEC_OID_SECG_EC_SECT283R1},
-  { "sect409k1", SEC_OID_SECG_EC_SECT409K1},
-  { "nistk409", SEC_OID_SECG_EC_SECT409K1},
-  { "sect409r1", SEC_OID_SECG_EC_SECT409R1},
-  { "nistb409", SEC_OID_SECG_EC_SECT409R1},
-  { "sect571k1", SEC_OID_SECG_EC_SECT571K1},
-  { "nistk571", SEC_OID_SECG_EC_SECT571K1},
-  { "sect571r1", SEC_OID_SECG_EC_SECT571R1},
-  { "nistb571", SEC_OID_SECG_EC_SECT571R1},
-  { "secp160k1", SEC_OID_SECG_EC_SECP160K1},
-  { "secp160r1", SEC_OID_SECG_EC_SECP160R1},
-  { "secp160r2", SEC_OID_SECG_EC_SECP160R2},
-  { "secp192k1", SEC_OID_SECG_EC_SECP192K1},
-  { "secp192r1", SEC_OID_SECG_EC_SECP192R1},
-  { "nistp192", SEC_OID_SECG_EC_SECP192R1},
-  { "secp224k1", SEC_OID_SECG_EC_SECP224K1},
-  { "secp224r1", SEC_OID_SECG_EC_SECP224R1},
-  { "nistp224", SEC_OID_SECG_EC_SECP224R1},
-  { "secp256k1", SEC_OID_SECG_EC_SECP256K1},
-  { "secp256r1", SEC_OID_SECG_EC_SECP256R1},
-  { "nistp256", SEC_OID_SECG_EC_SECP256R1},
-  { "secp384r1", SEC_OID_SECG_EC_SECP384R1},
-  { "nistp384", SEC_OID_SECG_EC_SECP384R1},
-  { "secp521r1", SEC_OID_SECG_EC_SECP521R1},
-  { "nistp521", SEC_OID_SECG_EC_SECP521R1},
-
-  { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 },
-  { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 },
-  { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 },
-  { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 },
-  { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 },
-  { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 },
-
-  { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 },
-  { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 },
-  { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 },
-  { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 },
-  { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 },
-  { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 },
-  { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 },
-  { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 },
-  { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 },
-  { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 },
-  { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 },
-  { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 },
-  { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 },
-  { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 },
-  { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 },
-  { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 },
-  { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 },
-  { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 },
-  { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 },
-  { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 },
-
-  { "secp112r1", SEC_OID_SECG_EC_SECP112R1},
-  { "secp112r2", SEC_OID_SECG_EC_SECP112R2},
-  { "secp128r1", SEC_OID_SECG_EC_SECP128R1},
-  { "secp128r2", SEC_OID_SECG_EC_SECP128R2},
-
-  { "sect113r1", SEC_OID_SECG_EC_SECT113R1},
-  { "sect113r2", SEC_OID_SECG_EC_SECT113R2},
-  { "sect131r1", SEC_OID_SECG_EC_SECT131R1},
-  { "sect131r2", SEC_OID_SECG_EC_SECT131R2},
-};
-
-static SECKEYECParams * 
-getECParams(const char *curve)
-{
-    SECKEYECParams *ecparams;
-    SECOidData *oidData = NULL;
-    SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
-    int i, numCurves;
-
-    if (curve != NULL) {
-        numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
-	for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); 
-	     i++) {
-	    if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
-	        curveOidTag = nameTagPair[i].curveOidTag;
-	}
-    }
-
-    /* Return NULL if curve name is not recognized */
-    if ((curveOidTag == SEC_OID_UNKNOWN) || 
-	(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
-        fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
-	return NULL;
-    }
-
-    ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
-
-    /* 
-     * ecparams->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
-     * oidData->oid.data so we simply prepend 0x06 and OID length
-     */
-    ecparams->data[0] = SEC_ASN1_OBJECT_ID;
-    ecparams->data[1] = oidData->oid.len;
-    memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
-
-    return ecparams;
-}
-
-/*
- * Perform the ECDSA Key Pair Generation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-ecdsa_keypair_test(char *reqfn)
-{
-    char buf[256];      /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * needs to be large enough to hold the longest
-                         * line "Qx = <144 hex digits>\n".
-                         */
-    FILE *ecdsareq;     /* input stream from the REQUEST file */
-    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
-    char curve[16];     /* "nistxddd" */
-    ECParams *ecparams;
-    int N;
-    int i;
-    unsigned int len;
-
-    ecdsareq = fopen(reqfn, "r");
-    ecdsaresp = stdout;
-    strcpy(curve, "nist");
-    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* [X-ddd] */
-	if (buf[0] == '[') {
-	    const char *src;
-	    char *dst;
-	    SECKEYECParams *encodedparams;
-
-	    src = &buf[1];
-	    dst = &curve[4];
-	    *dst++ = tolower(*src);
-	    src += 2;  /* skip the hyphen */
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst = '\0';
-	    encodedparams = getECParams(curve);
-	    if (encodedparams == NULL) {
-		goto loser;
-	    }
-	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
-		goto loser;
-	    }
-	    SECITEM_FreeItem(encodedparams, PR_TRUE);
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* N = x */
-	if (buf[0] == 'N') {
-	    if (sscanf(buf, "N = %d", &N) != 1) {
-		goto loser;
-	    }
-	    for (i = 0; i < N; i++) {
-		ECPrivateKey *ecpriv;
-
-		if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
-		    goto loser;
-		}
-		fputs("d = ", ecdsaresp);
-		to_hex_str(buf, ecpriv->privateValue.data,
-			   ecpriv->privateValue.len);
-		fputs(buf, ecdsaresp);
-		fputc('\n', ecdsaresp);
-		if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
-		    != SECSuccess) {
-		    goto loser;
-		}
-		len = ecpriv->publicValue.len;
-		if (len%2 == 0) {
-		    goto loser;
-		}
-		len = (len-1)/2;
-		if (ecpriv->publicValue.data[0]
-		    != EC_POINT_FORM_UNCOMPRESSED) {
-		    goto loser;
-		}
-		fputs("Qx = ", ecdsaresp);
-		to_hex_str(buf, &ecpriv->publicValue.data[1], len);
-		fputs(buf, ecdsaresp);
-		fputc('\n', ecdsaresp);
-		fputs("Qy = ", ecdsaresp);
-		to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
-		fputs(buf, ecdsaresp);
-		fputc('\n', ecdsaresp);
-		fputc('\n', ecdsaresp);
-		PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
-	    }
-	    PORT_FreeArena(ecparams->arena, PR_FALSE);
-	    continue;
-	}
-    }
-loser:
-    fclose(ecdsareq);
-}
-
-/*
- * Perform the ECDSA Public Key Validation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-ecdsa_pkv_test(char *reqfn)
-{
-    char buf[256];      /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "Qx = <144 hex digits>\n".
-                         */
-    FILE *ecdsareq;     /* input stream from the REQUEST file */
-    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
-    char curve[16];     /* "nistxddd" */
-    ECParams *ecparams = NULL;
-    SECItem pubkey;
-    unsigned int i;
-    unsigned int len;
-    PRBool keyvalid = PR_TRUE;
-
-    ecdsareq = fopen(reqfn, "r");
-    ecdsaresp = stdout;
-    strcpy(curve, "nist");
-    pubkey.data = NULL;
-    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* [X-ddd] */
-	if (buf[0] == '[') {
-	    const char *src;
-	    char *dst;
-	    SECKEYECParams *encodedparams;
-
-	    src = &buf[1];
-	    dst = &curve[4];
-	    *dst++ = tolower(*src);
-	    src += 2;  /* skip the hyphen */
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst = '\0';
-	    if (ecparams != NULL) {
-		PORT_FreeArena(ecparams->arena, PR_FALSE);
-		ecparams = NULL;
-	    }
-	    encodedparams = getECParams(curve);
-	    if (encodedparams == NULL) {
-		goto loser;
-	    }
-	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
-		goto loser;
-	    }
-	    SECITEM_FreeItem(encodedparams, PR_TRUE);
-	    len = (ecparams->fieldID.size + 7) >> 3;
-	    if (pubkey.data != NULL) {
-		PORT_Free(pubkey.data);
-		pubkey.data = NULL;
-	    }
-	    SECITEM_AllocItem(NULL, &pubkey, 2*len+1);
-	    if (pubkey.data == NULL) {
-		goto loser;
-	    }
-	    pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* Qx = ... */
-	if (strncmp(buf, "Qx", 2) == 0) {
-	    fputs(buf, ecdsaresp);
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]);
-	    continue;
-	}
-	/* Qy = ... */
-	if (strncmp(buf, "Qy", 2) == 0) {
-	    fputs(buf, ecdsaresp);
-	    if (!keyvalid) {
-		fputs("Result = F\n", ecdsaresp);
-		continue;
-	    }
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]);
-	    if (!keyvalid) {
-		fputs("Result = F\n", ecdsaresp);
-		continue;
-	    }
-	    if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) {
-		fputs("Result = P\n", ecdsaresp);
-	    } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
-		fputs("Result = F\n", ecdsaresp);
-	    } else {
-		goto loser;
-	    }
-	    continue;
-	}
-    }
-loser:
-    if (ecparams != NULL) {
-	PORT_FreeArena(ecparams->arena, PR_FALSE);
-    }
-    if (pubkey.data != NULL) {
-	PORT_Free(pubkey.data);
-    }
-    fclose(ecdsareq);
-}
-
-/*
- * Perform the ECDSA Signature Generation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-ecdsa_siggen_test(char *reqfn)
-{
-    char buf[1024];     /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * needs to be large enough to hold the longest
-                         * line "Msg = <256 hex digits>\n".
-                         */
-    FILE *ecdsareq;     /* input stream from the REQUEST file */
-    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
-    char curve[16];     /* "nistxddd" */
-    ECParams *ecparams = NULL;
-    int i, j;
-    unsigned int len;
-    unsigned char msg[512];  /* message to be signed (<= 128 bytes) */
-    unsigned int msglen;
-    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
-    unsigned char sig[2*MAX_ECKEY_LEN];
-    SECItem signature, digest;
-
-    ecdsareq = fopen(reqfn, "r");
-    ecdsaresp = stdout;
-    strcpy(curve, "nist");
-    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* [X-ddd] */
-	if (buf[0] == '[') {
-	    const char *src;
-	    char *dst;
-	    SECKEYECParams *encodedparams;
-
-	    src = &buf[1];
-	    dst = &curve[4];
-	    *dst++ = tolower(*src);
-	    src += 2;  /* skip the hyphen */
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst = '\0';
-	    if (ecparams != NULL) {
-		PORT_FreeArena(ecparams->arena, PR_FALSE);
-		ecparams = NULL;
-	    }
-	    encodedparams = getECParams(curve);
-	    if (encodedparams == NULL) {
-		goto loser;
-	    }
-	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
-		goto loser;
-	    }
-	    SECITEM_FreeItem(encodedparams, PR_TRUE);
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* Msg = ... */
-	if (strncmp(buf, "Msg", 3) == 0) {
-	    ECPrivateKey *ecpriv;
-
-	    i = 3;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &msg[j]);
-	    }
-	    msglen = j;
-	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
-		goto loser;
-	    }
-	    fputs(buf, ecdsaresp);
-
-	    if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) {
-		goto loser;
-	    }
-	    if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue)
-		!= SECSuccess) {
-		goto loser;
-	    }
-	    len = ecpriv->publicValue.len;
-	    if (len%2 == 0) {
-		goto loser;
-	    }
-	    len = (len-1)/2;
-	    if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
-		goto loser;
-	    }
-	    fputs("Qx = ", ecdsaresp);
-	    to_hex_str(buf, &ecpriv->publicValue.data[1], len);
-	    fputs(buf, ecdsaresp);
-	    fputc('\n', ecdsaresp);
-	    fputs("Qy = ", ecdsaresp);
-	    to_hex_str(buf, &ecpriv->publicValue.data[1+len], len);
-	    fputs(buf, ecdsaresp);
-	    fputc('\n', ecdsaresp);
-
-	    digest.type = siBuffer;
-	    digest.data = sha1;
-	    digest.len = sizeof sha1;
-	    signature.type = siBuffer;
-	    signature.data = sig;
-	    signature.len = sizeof sig;
-	    if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) {
-		goto loser;
-	    }
-	    len = signature.len;
-	    if (len%2 != 0) {
-		goto loser;
-	    }
-	    len = len/2;
-	    fputs("R = ", ecdsaresp);
-	    to_hex_str(buf, &signature.data[0], len);
-	    fputs(buf, ecdsaresp);
-	    fputc('\n', ecdsaresp);
-	    fputs("S = ", ecdsaresp);
-	    to_hex_str(buf, &signature.data[len], len);
-	    fputs(buf, ecdsaresp);
-	    fputc('\n', ecdsaresp);
-
-	    PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
-	    continue;
-	}
-    }
-loser:
-    if (ecparams != NULL) {
-	PORT_FreeArena(ecparams->arena, PR_FALSE);
-    }
-    fclose(ecdsareq);
-}
-
-/*
- * Perform the ECDSA Signature Verification Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-ecdsa_sigver_test(char *reqfn)
-{
-    char buf[1024];     /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "Msg = <256 hex digits>\n".
-                         */
-    FILE *ecdsareq;     /* input stream from the REQUEST file */
-    FILE *ecdsaresp;    /* output stream to the RESPONSE file */
-    char curve[16];     /* "nistxddd" */
-    ECPublicKey ecpub;
-    unsigned int i, j;
-    unsigned int flen;  /* length in bytes of the field size */
-    unsigned int olen;  /* length in bytes of the base point order */
-    unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
-    unsigned int msglen;
-    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
-    unsigned char sig[2*MAX_ECKEY_LEN];
-    SECItem signature, digest;
-    PRBool keyvalid = PR_TRUE;
-    PRBool sigvalid = PR_TRUE;
-
-    ecdsareq = fopen(reqfn, "r");
-    ecdsaresp = stdout;
-    ecpub.ecParams.arena = NULL;
-    strcpy(curve, "nist");
-    while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* [X-ddd] */
-	if (buf[0] == '[') {
-	    const char *src;
-	    char *dst;
-	    SECKEYECParams *encodedparams;
-	    ECParams *ecparams;
-
-	    src = &buf[1];
-	    dst = &curve[4];
-	    *dst++ = tolower(*src);
-	    src += 2;  /* skip the hyphen */
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst++ = *src++;
-	    *dst = '\0';
-	    encodedparams = getECParams(curve);
-	    if (encodedparams == NULL) {
-		goto loser;
-	    }
-	    if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) {
-		goto loser;
-	    }
-	    SECITEM_FreeItem(encodedparams, PR_TRUE);
-	    if (ecpub.ecParams.arena != NULL) {
-		PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
-	    }
-	    ecpub.ecParams.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	    if (ecpub.ecParams.arena == NULL) {
-		goto loser;
-	    }
-	    if (EC_CopyParams(ecpub.ecParams.arena, &ecpub.ecParams, ecparams)
-		!= SECSuccess) {
-		goto loser;
-	    }
-	    PORT_FreeArena(ecparams->arena, PR_FALSE);
-	    flen = (ecpub.ecParams.fieldID.size + 7) >> 3;
-	    olen = ecpub.ecParams.order.len;
-	    if (2*olen > sizeof sig) {
-		goto loser;
-	    }
-	    ecpub.publicValue.type = siBuffer;
-	    ecpub.publicValue.data = NULL;
-	    ecpub.publicValue.len = 0;
-	    SECITEM_AllocItem(ecpub.ecParams.arena,
-			      &ecpub.publicValue, 2*flen+1);
-	    if (ecpub.publicValue.data == NULL) {
-		goto loser;
-	    }
-	    ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED;
-	    fputs(buf, ecdsaresp);
-	    continue;
-	}
-	/* Msg = ... */
-	if (strncmp(buf, "Msg", 3) == 0) {
-	    i = 3;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; isxdigit(buf[i]); i+=2,j++) {
-		hex_to_byteval(&buf[i], &msg[j]);
-	    }
-	    msglen = j;
-	    if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) {
-		goto loser;
-	    }
-	    fputs(buf, ecdsaresp);
-
-	    digest.type = siBuffer;
-	    digest.data = sha1;
-	    digest.len = sizeof sha1;
-
-	    continue;
-	}
-	/* Qx = ... */
-	if (strncmp(buf, "Qx", 2) == 0) {
-	    fputs(buf, ecdsaresp);
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen,
-				    &buf[i]);
-	    continue;
-	}
-	/* Qy = ... */
-	if (strncmp(buf, "Qy", 2) == 0) {
-	    fputs(buf, ecdsaresp);
-	    if (!keyvalid) {
-		continue;
-	    }
-	    i = 2;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen,
-				    &buf[i]);
-	    if (!keyvalid) {
-		continue;
-	    }
-	    if (EC_ValidatePublicKey(&ecpub.ecParams, &ecpub.publicValue)
-		!= SECSuccess) {
-		if (PORT_GetError() == SEC_ERROR_BAD_KEY) {
-		    keyvalid = PR_FALSE;
-		} else {
-		    goto loser;
-		}
-	    }
-	    continue;
-	}
-	/* R = ... */
-	if (buf[0] == 'R') {
-	    fputs(buf, ecdsaresp);
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    sigvalid = from_hex_str(sig, olen, &buf[i]);
-	    continue;
-	}
-	/* S = ... */
-	if (buf[0] == 'S') {
-	    fputs(buf, ecdsaresp);
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    if (sigvalid) {
-		sigvalid = from_hex_str(&sig[olen], olen, &buf[i]);
-	    }
-	    signature.type = siBuffer;
-	    signature.data = sig;
-	    signature.len = 2*olen;
-
-	    if (!keyvalid || !sigvalid) {
-		fputs("Result = F\n", ecdsaresp);
-	    } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest)
-		== SECSuccess) {
-		fputs("Result = P\n", ecdsaresp);
-	    } else {
-		fputs("Result = F\n", ecdsaresp);
-	    }
-	    continue;
-	}
-    }
-loser:
-    if (ecpub.ecParams.arena != NULL) {
-	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
-    }
-    fclose(ecdsareq);
-}
-#endif /* NSS_ENABLE_ECC */
-
-
-/*
- * Read a value from the test and allocate the result.
- */
-static unsigned char *
-alloc_value(char *buf, int *len)
-{
-    unsigned char * value;
-    int i, count;
-
-    if (strncmp(buf, "<None>", 6) == 0) {
-	*len = 0;
-	return NULL;
-    }
-
-    /* find the length of the number */
-    for (count = 0; isxdigit(buf[count]); count++);
-    *len = count/2;
-
-    if (*len == 0) {
-	return NULL;
-    }
-
-    value = PORT_Alloc(*len);
-    if (!value) {
-	*len = 0;
-	return NULL;
-    }
-	
-    for (i=0; i<*len; buf+=2 , i++) {
-	hex_to_byteval(buf, &value[i]);
-    }
-    
-
-    return value;
-}
-
-PRBool
-isblankline(char *b)
-{
-   while (isspace(*b)) b++;
-   if ((*b == '\n') || (*b == 0)) {
-	return PR_TRUE;
-   }
-   return PR_FALSE;
-}
-
-static int debug = 0;
-
-/*
- * Perform the Hash_DRBG (CAVS) for the RNG algorithm
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-drbg(char *reqfn)
-{
-    char buf[2000];   /* test case has some very long lines, returned bits
-     * as high as 800 bytes (6400 bits). That 1600 byte
-     * plus a tag */
-    char buf2[2000]; 
-    FILE *rngreq;       /* input stream from the REQUEST file */
-    FILE *rngresp;      /* output stream to the RESPONSE file */
-    
-    unsigned int i, j;
-    PRBool predictionResistance = PR_FALSE;
-    unsigned char *nonce =  NULL;
-    int nonceLen = 0;
-    unsigned char *personalizationString =  NULL;
-    int personalizationStringLen = 0;
-    unsigned char *additionalInput =  NULL;
-    int additionalInputLen = 0;
-    unsigned char *entropyInput = NULL;
-    int entropyInputLen = 0;
-    unsigned char predictedreturn_bytes[SHA256_LENGTH];
-    unsigned char return_bytes[SHA256_LENGTH];
-    int return_bytes_len = SHA256_LENGTH;
-    enum { NONE, INSTANTIATE, GENERATE, RESEED, RESULT } command =
-    NONE;
-    PRBool genResult = PR_FALSE;
-    SECStatus rv;
-    
-    rngreq = fopen(reqfn, "r");
-    rngresp = stdout;
-    while (fgets(buf, sizeof buf, rngreq) != NULL) {
-       switch (command) {
-            case INSTANTIATE:
-		if (debug) {
-		    fputs("# PRNGTEST_Instantiate(",rngresp);
-		    to_hex_str(buf2,entropyInput, entropyInputLen);
-		    fputs(buf2,rngresp);
-		    fprintf(rngresp,",%d,",entropyInputLen);
-		    to_hex_str(buf2,nonce, nonceLen);
-		    fputs(buf2,rngresp);
-		    fprintf(rngresp,",%d,",nonceLen);
-		    to_hex_str(buf2,personalizationString, 
-					personalizationStringLen);
-		    fputs(buf2,rngresp);
-		    fprintf(rngresp,",%d)\n", personalizationStringLen);
-		}
-                rv = PRNGTEST_Instantiate(entropyInput, entropyInputLen,
-                                          nonce, nonceLen,
-                                          personalizationString, 
-				          personalizationStringLen);
-                if (rv != SECSuccess) {
-                    goto loser;
-                }
-                break;
-                    
-            case GENERATE:
-            case RESULT:
-                memset(return_bytes, 0, return_bytes_len);
-		if (debug) {
-		    fputs("# PRNGTEST_Generate(returnbytes",rngresp);
-		    fprintf(rngresp,",%d,", return_bytes_len);
-		    to_hex_str(buf2,additionalInput, additionalInputLen);
-		    fputs(buf2,rngresp);
-		    fprintf(rngresp,",%d)\n",additionalInputLen);
-		}
-                rv = PRNGTEST_Generate((PRUint8 *) return_bytes, 
-					return_bytes_len,
-                                       (PRUint8 *) additionalInput, 
-					additionalInputLen);
-                if (rv != SECSuccess) {
-                    goto loser;
-                }
-                    
-                if (command == RESULT) {
-                    fputs("ReturnedBits = ", rngresp);
-                    to_hex_str(buf2, return_bytes, return_bytes_len);
-                    fputs(buf2, rngresp);
-                    fputc('\n', rngresp);
-		    if (debug) {
-			fputs("# PRNGTEST_Uninstantiate()\n",rngresp);
-		    }
-                    rv = PRNGTEST_Uninstantiate();
-                    if (rv != SECSuccess) {
-                        goto loser;
-                    }
-                } else if (debug) {
-                    fputs("#ReturnedBits = ", rngresp);
-                    to_hex_str(buf2, return_bytes, return_bytes_len);
-                    fputs(buf2, rngresp);
-                    fputc('\n', rngresp);
-		}
-                    
-                memset(additionalInput, 0, additionalInputLen);
-                break;
-                    
-            case RESEED:
-                if (entropyInput || additionalInput) {
-		    if (debug) {
-			fputs("# PRNGTEST_Reseed(",rngresp);
-			fprintf(rngresp,",%d,", return_bytes_len);
-			to_hex_str(buf2,entropyInput, entropyInputLen);
-			fputs(buf2,rngresp);
-			fprintf(rngresp,",%d,", entropyInputLen);
-			to_hex_str(buf2,additionalInput, additionalInputLen);
-			fputs(buf2,rngresp);
-			fprintf(rngresp,",%d)\n",additionalInputLen);
-		    }	
-                    rv = PRNGTEST_Reseed(entropyInput, entropyInputLen,
-                                             additionalInput, additionalInputLen);
-                    if (rv != SECSuccess) {
-                        goto loser;
-                    }
-                }
-                memset(entropyInput, 0, entropyInputLen);
-                memset(additionalInput, 0, additionalInputLen);
-                break;
-            case NONE:
-                break;
-                    
-        } 
-        command = NONE;
-        
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r' ) {
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* [Hash - SHA256] */
-        if (strncmp(buf, "[SHA-256]", 9) == 0) {
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        if (strncmp(buf, "[PredictionResistance", 21)  == 0) {
-            i = 21;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }    
-            if (strncmp(buf, "False", 5) == 0) {
-                predictionResistance = PR_FALSE;
-            } else {
-                predictionResistance = PR_TRUE;
-            }
-            
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        if (strncmp(buf, "[EntropyInputLen", 16)  == 0) {
-            if (entropyInput) {
-                PORT_ZFree(entropyInput, entropyInputLen);
-                entropyInput = NULL;
-                entropyInputLen = 0;
-            }
-            if (sscanf(buf, "[EntropyInputLen = %d]", &entropyInputLen) != 1) {
-                goto loser;
-            }
-	    entropyInputLen = entropyInputLen/8;
-            if (entropyInputLen > 0) {
-                entropyInput = PORT_Alloc(entropyInputLen);
-            }
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        if (strncmp(buf, "[NonceLen", 9)  == 0) {
-            if (nonce) {
-                PORT_ZFree(nonce, nonceLen);
-                nonce = NULL;
-                nonceLen = 0;
-            }
-            
-            if (sscanf(buf, "[NonceLen = %d]", &nonceLen) != 1) {
-                goto loser;
-            }
-	    nonceLen = nonceLen/8;
-            if (nonceLen > 0) {
-                nonce = PORT_Alloc(nonceLen);
-            }               
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        if (strncmp(buf, "[PersonalizationStringLen", 16)  == 0) {
-            if (personalizationString) {
-                PORT_ZFree(personalizationString, personalizationStringLen);
-                personalizationString = NULL;
-                personalizationStringLen = 0;
-            }
-            
-            if (sscanf(buf, "[PersonalizationStringLen = %d]", &personalizationStringLen) != 1) {
-                goto loser;
-            }
-	    personalizationStringLen = personalizationStringLen / 8;
-            if (personalizationStringLen > 0) {
-                personalizationString = PORT_Alloc(personalizationStringLen);
-            }
-            fputs(buf, rngresp);
-            
-            continue;
-        }
-        
-        if (strncmp(buf, "[AdditionalInputLen", 16)  == 0) {
-            if (additionalInput) {
-                PORT_ZFree(additionalInput, additionalInputLen);
-                additionalInput = NULL;
-                additionalInputLen = 0;
-            }
-            
-            if (sscanf(buf, "[AdditionalInputLen = %d]", &additionalInputLen) != 1) {
-                goto loser;
-            }
-	    additionalInputLen = additionalInputLen/8;
-            if (additionalInputLen > 0) {
-                additionalInput = PORT_Alloc(additionalInputLen);
-            }
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        if (strncmp(buf, "COUNT", 5) == 0) {
-            /* zeroize the variables for the test with this data set */
-            if (entropyInput) {
-                memset(entropyInput, 0, entropyInputLen);
-            }
-            if (nonce) {
-                memset(nonce, 0, nonceLen);        
-            }
-            if (personalizationString) {
-                memset(personalizationString, 0, personalizationStringLen);
-            }
-            if (additionalInput) {
-                memset(additionalInput, 0, additionalInputLen);
-            }
-            genResult = PR_FALSE;
-            
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* EntropyInputReseed = ... */
-        if (strncmp(buf, "EntropyInputReseed", 18) == 0) {
-            if (entropyInput) {
-                memset(entropyInput, 0, entropyInputLen);
-                i = 18;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }            
-                
-                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
-                    hex_to_byteval(&buf[i], &entropyInput[j]);
-                }           
-            }
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* AttionalInputReseed  = ... */
-        if (strncmp(buf, "AdditionalInputReseed", 21) == 0) {
-            if (additionalInput) {
-                memset(additionalInput, 0, additionalInputLen);
-                i = 21;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
-                    hex_to_byteval(&buf[i], &additionalInput[j]);
-                }    
-            }
-            command = RESEED;
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* Entropy input = ... */
-        if (strncmp(buf, "EntropyInput", 12) == 0) {
-            i = 12;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<entropyInputLen*/
-                hex_to_byteval(&buf[i], &entropyInput[j]);
-            }  
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* nouce = ... */
-        if (strncmp(buf, "Nonce", 5) == 0) {
-            i = 5;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<nonceLen*/
-                hex_to_byteval(&buf[i], &nonce[j]);
-            }  
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* Personalization string = ... */
-        if (strncmp(buf, "PersonalizationString", 21) == 0) {
-            if (personalizationString) {
-                i = 21;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<personalizationStringLen*/
-                    hex_to_byteval(&buf[i], &personalizationString[j]);
-                }
-            }
-            fputs(buf, rngresp);
-            command = INSTANTIATE;
-            continue;
-        }
-        
-        /* Additional input = ... */
-        if (strncmp(buf, "AdditionalInput", 15) == 0) {
-            if (additionalInput) {
-                i = 15;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
-                    hex_to_byteval(&buf[i], &additionalInput[j]);
-                } 
-            }
-            if (genResult) {
-                command = RESULT;
-            } else {
-                command = GENERATE;
-                genResult = PR_TRUE; /* next time generate result */
-            }
-            fputs(buf, rngresp);
-            continue;
-        }
-        
-        /* Returned bits = ... */
-        if (strncmp(buf, "ReturnedBits", 12) == 0) {
-            i = 12;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) { /*j<additionalInputLen*/
-                hex_to_byteval(&buf[i], &predictedreturn_bytes[j]);
-            }          
-
-            if (memcmp(return_bytes, 
-                       predictedreturn_bytes, return_bytes_len) != 0) {
-		if (debug) {
-                fprintf(rngresp, "# Generate failed:\n");
-                fputs(  "#   predicted=", rngresp);
-                to_hex_str(buf, predictedreturn_bytes, 
-                           return_bytes_len);
-                fputs(buf, rngresp);
-                fputs("\n#   actual  = ", rngresp);
-                fputs(buf2, rngresp);
-                fputc('\n', rngresp);
-
-		} else {
-                fprintf(stderr, "Generate failed:\n");
-                fputs(  "   predicted=", stderr);
-                to_hex_str(buf, predictedreturn_bytes, 
-                           return_bytes_len);
-                fputs(buf, stderr);
-                fputs("\n   actual  = ", stderr);
-                fputs(buf2, stderr);
-                fputc('\n', stderr);
-		}
-            }
-            memset(predictedreturn_bytes, 0 , sizeof predictedreturn_bytes);
-
-            continue;
-        }
-    }
-loser:
-    fclose(rngreq);
-}
-
-/*
- * Perform the RNG Variable Seed Test (VST) for the RNG algorithm
- * "DSA - Generation of X", used both as specified and as a generic
- * purpose RNG.  The presence of "Q = ..." in the REQUEST file
- * indicates we are using the algorithm as specified.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-rng_vst(char *reqfn)
-{
-    char buf[256];      /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "XSeed = <128 hex digits>\n".
-                         */
-    FILE *rngreq;       /* input stream from the REQUEST file */
-    FILE *rngresp;      /* output stream to the RESPONSE file */
-    unsigned int i, j;
-    unsigned char Q[DSA_SUBPRIME_LEN];
-    PRBool hasQ = PR_FALSE;
-    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
-    unsigned char XKey[512/8];
-    unsigned char XSeed[512/8];
-    unsigned char GENX[2*SHA1_LENGTH];
-    unsigned char DSAX[DSA_SUBPRIME_LEN];
-    SECStatus rv;
-
-    rngreq = fopen(reqfn, "r");
-    rngresp = stdout;
-    while (fgets(buf, sizeof buf, rngreq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* [Xchange - SHA1] */
-	if (buf[0] == '[') {
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Q = ... */
-	if (buf[0] == 'Q') {
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof Q; i+=2,j++) {
-		hex_to_byteval(&buf[i], &Q[j]);
-	    }
-	    fputs(buf, rngresp);
-	    hasQ = PR_TRUE;
-	    continue;
-	}
-	/* "COUNT = x" begins a new data set */
-	if (strncmp(buf, "COUNT", 5) == 0) {
-	    /* zeroize the variables for the test with this data set */
-	    b = 0;
-	    memset(XKey, 0, sizeof XKey);
-	    memset(XSeed, 0, sizeof XSeed);
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* b = ... */
-	if (buf[0] == 'b') {
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    b = atoi(&buf[i]);
-	    if (b < 160 || b > 512 || b%8 != 0) {
-		goto loser;
-	    }
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* XKey = ... */
-	if (strncmp(buf, "XKey", 4) == 0) {
-	    i = 4;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<b/8; i+=2,j++) {
-		hex_to_byteval(&buf[i], &XKey[j]);
-	    }
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* XSeed = ... */
-	if (strncmp(buf, "XSeed", 5) == 0) {
-	    i = 5;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<b/8; i+=2,j++) {
-		hex_to_byteval(&buf[i], &XSeed[j]);
-	    }
-	    fputs(buf, rngresp);
-
-	    rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-	    fputs("X = ", rngresp);
-	    if (hasQ) {
-		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-		to_hex_str(buf, DSAX, sizeof DSAX);
-	    } else {
-		to_hex_str(buf, GENX, sizeof GENX);
-	    }
-	    fputs(buf, rngresp);
-	    fputc('\n', rngresp);
-	    continue;
-	}
-    }
-loser:
-    fclose(rngreq);
-}
-
-/*
- * Perform the RNG Monte Carlo Test (MCT) for the RNG algorithm
- * "DSA - Generation of X", used both as specified and as a generic
- * purpose RNG.  The presence of "Q = ..." in the REQUEST file
- * indicates we are using the algorithm as specified.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-rng_mct(char *reqfn)
-{
-    char buf[256];      /* holds one line from the input REQUEST file.
-                         * needs to be large enough to hold the longest
-                         * line "XSeed = <128 hex digits>\n".
-                         */
-    FILE *rngreq;       /* input stream from the REQUEST file */
-    FILE *rngresp;      /* output stream to the RESPONSE file */
-    unsigned int i, j;
-    unsigned char Q[DSA_SUBPRIME_LEN];
-    PRBool hasQ = PR_FALSE;
-    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
-    unsigned char XKey[512/8];
-    unsigned char XSeed[512/8];
-    unsigned char GENX[2*SHA1_LENGTH];
-    unsigned char DSAX[DSA_SUBPRIME_LEN];
-    SECStatus rv;
-
-    rngreq = fopen(reqfn, "r");
-    rngresp = stdout;
-    while (fgets(buf, sizeof buf, rngreq) != NULL) {
-	/* a comment or blank line */
-	if (buf[0] == '#' || buf[0] == '\n') {
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* [Xchange - SHA1] */
-	if (buf[0] == '[') {
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* Q = ... */
-	if (buf[0] == 'Q') {
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<sizeof Q; i+=2,j++) {
-		hex_to_byteval(&buf[i], &Q[j]);
-	    }
-	    fputs(buf, rngresp);
-	    hasQ = PR_TRUE;
-	    continue;
-	}
-	/* "COUNT = x" begins a new data set */
-	if (strncmp(buf, "COUNT", 5) == 0) {
-	    /* zeroize the variables for the test with this data set */
-	    b = 0;
-	    memset(XKey, 0, sizeof XKey);
-	    memset(XSeed, 0, sizeof XSeed);
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* b = ... */
-	if (buf[0] == 'b') {
-	    i = 1;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    b = atoi(&buf[i]);
-	    if (b < 160 || b > 512 || b%8 != 0) {
-		goto loser;
-	    }
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* XKey = ... */
-	if (strncmp(buf, "XKey", 4) == 0) {
-	    i = 4;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<b/8; i+=2,j++) {
-		hex_to_byteval(&buf[i], &XKey[j]);
-	    }
-	    fputs(buf, rngresp);
-	    continue;
-	}
-	/* XSeed = ... */
-	if (strncmp(buf, "XSeed", 5) == 0) {
-	    unsigned int k;
-	    i = 5;
-	    while (isspace(buf[i]) || buf[i] == '=') {
-		i++;
-	    }
-	    for (j=0; j<b/8; i+=2,j++) {
-		hex_to_byteval(&buf[i], &XSeed[j]);
-	    }
-	    fputs(buf, rngresp);
-
-	    for (k = 0; k < 10000; k++) {
-		rv = FIPS186Change_GenerateX(XKey, XSeed, GENX);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-	    }
-	    fputs("X = ", rngresp);
-	    if (hasQ) {
-		rv = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
-		if (rv != SECSuccess) {
-		    goto loser;
-		}
-		to_hex_str(buf, DSAX, sizeof DSAX);
-	    } else {
-		to_hex_str(buf, GENX, sizeof GENX);
-	    }
-	    fputs(buf, rngresp);
-	    fputc('\n', rngresp);
-	    continue;
-	}
-    }
-loser:
-    fclose(rngreq);
-}
-
-/*
- * Calculate the SHA Message Digest 
- *
- * MD = Message digest 
- * MDLen = length of Message Digest and SHA_Type
- * msg = message to digest 
- * msgLen = length of message to digest
- */
-SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) 
-{    
-    SECStatus   sha_status = SECFailure;
-
-    if (MDLen == SHA1_LENGTH) {
-        sha_status = SHA1_HashBuf(MD, msg, msgLen);
-    } else if (MDLen == SHA256_LENGTH) {
-        sha_status = SHA256_HashBuf(MD, msg, msgLen);
-    } else if (MDLen == SHA384_LENGTH) {
-        sha_status = SHA384_HashBuf(MD, msg, msgLen);
-    } else if (MDLen == SHA512_LENGTH) {
-        sha_status = SHA512_HashBuf(MD, msg, msgLen);
-    }
-
-    return sha_status;
-}
-
-/*
- * Perform the SHA Monte Carlo Test
- *
- * MDLen = length of Message Digest and SHA_Type
- * seed = input seed value
- * resp = is the output response file. 
- */
-SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) 
-{
-    int i, j;
-    unsigned int msgLen = MDLen*3;
-    unsigned char MD_i3[HASH_LENGTH_MAX];  /* MD[i-3] */
-    unsigned char MD_i2[HASH_LENGTH_MAX];  /* MD[i-2] */
-    unsigned char MD_i1[HASH_LENGTH_MAX];  /* MD[i-1] */
-    unsigned char MD_i[HASH_LENGTH_MAX];   /* MD[i] */
-    unsigned char msg[HASH_LENGTH_MAX*3];
-    char buf[HASH_LENGTH_MAX*2 + 1];  /* MAX buf MD_i as a hex string */
-
-    for (j=0; j<100; j++) {
-        /* MD_0 = MD_1 = MD_2 = seed */
-        memcpy(MD_i3, seed, MDLen);
-        memcpy(MD_i2, seed, MDLen);
-        memcpy(MD_i1, seed, MDLen);
-
-        for (i=3; i < 1003; i++) {
-            /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */
-            memcpy(msg, MD_i3, MDLen);
-            memcpy(&msg[MDLen], MD_i2, MDLen);
-            memcpy(&msg[MDLen*2], MD_i1,MDLen); 
-
-            /* MDi = SHA(Msg) */
-            if (sha_calcMD(MD_i, MDLen,   
-                           msg, msgLen) != SECSuccess) {
-                return SECFailure;
-            }
-
-            /* save MD[i-3] MD[i-2]  MD[i-1] */
-            memcpy(MD_i3, MD_i2, MDLen);
-            memcpy(MD_i2, MD_i1, MDLen);
-            memcpy(MD_i1, MD_i, MDLen);
-
-        }
-
-        /* seed = MD_i */
-        memcpy(seed, MD_i, MDLen);
-
-        sprintf(buf, "COUNT = %d\n", j);
-        fputs(buf, resp);
-
-        /* output MD_i */
-        fputs("MD = ", resp);
-        to_hex_str(buf, MD_i, MDLen);
-        fputs(buf, resp);
-        fputc('\n', resp);
-    }
-
-    return SECSuccess;
-}
-
-/*
- * Perform the SHA Tests.
- *
- * reqfn is the pathname of the input REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void sha_test(char *reqfn) 
-{
-    unsigned int i, j;
-    unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
-    unsigned int msgLen;  /* the length of the input Message in Bytes */
-    unsigned char *msg = NULL; /* holds the message to digest.*/
-    size_t bufSize = 25608; /*MAX buffer size */
-    char *buf = NULL;      /* holds one line from the input REQUEST file.*/
-    unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
-    unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
-
-    FILE *req = NULL;  /* input stream from the REQUEST file */
-    FILE *resp;        /* output stream to the RESPONSE file */
-
-    buf = PORT_ZAlloc(bufSize);
-    if (buf == NULL) {
-        goto loser;
-    }      
-
-    /* zeroize the variables for the test with this data set */
-    memset(seed, 0, sizeof seed);
-
-    req = fopen(reqfn, "r");
-    resp = stdout;
-    while (fgets(buf, bufSize, req) != NULL) {
-
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, resp);
-            continue;
-        }
-        /* [L = Length of the Message Digest and sha_type */
-        if (buf[0] == '[') {
-            if (strncmp(&buf[1], "L ", 1) == 0) {
-                i = 2;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                MDlen = atoi(&buf[i]);
-                fputs(buf, resp);
-                continue;
-            }
-        }
-        /* Len = Length of the Input Message Length  ... */
-        if (strncmp(buf, "Len", 3) == 0) {
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            if (msg) {
-                PORT_ZFree(msg,msgLen);
-                msg = NULL;
-            }
-            msgLen = atoi(&buf[i]); /* in bits */
-            if (msgLen%8 != 0) {
-                fprintf(stderr, "SHA tests are incorrectly configured for "
-                    "BIT oriented implementations\n");
-                goto loser;
-            }
-            msgLen = msgLen/8; /* convert to bytes */
-            fputs(buf, resp);
-            msg = PORT_ZAlloc(msgLen);
-            if (msg == NULL && msgLen != 0) {
-                goto loser;
-            } 
-            continue;
-        }
-        /* MSG = ... */
-        if (strncmp(buf, "Msg", 3) == 0) {
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< msgLen; i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-           fputs(buf, resp);
-           /* calculate the Message Digest */ 
-           memset(MD, 0, sizeof MD);
-           if (sha_calcMD(MD, MDlen,   
-                          msg, msgLen) != SECSuccess) {
-               goto loser;
-           }
-
-           fputs("MD = ", resp);
-           to_hex_str(buf, MD, MDlen);
-           fputs(buf, resp);
-           fputc('\n', resp);
-
-           continue;
-        }
-        /* Seed = ... */
-        if (strncmp(buf, "Seed", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j<sizeof seed; i+=2,j++) {
-                hex_to_byteval(&buf[i], &seed[j]);
-            }                                     
-
-            fputs(buf, resp);
-            fputc('\n', resp);
-
-            /* do the Monte Carlo test */
-            if (sha_mct_test(MDlen, seed, resp) != SECSuccess) {
-                goto loser; 
-            }
-
-            continue;
-        }
-    }
-loser:
-    if (req) {
-        fclose(req);
-    }  
-    if (buf) {
-        PORT_ZFree(buf, bufSize);
-    }
-    if (msg) {
-        PORT_ZFree(msg, msgLen);
-    }
-}
-
-/****************************************************/
-/* HMAC SHA-X calc                                  */
-/* hmac_computed - the computed HMAC                */
-/* hmac_length - the length of the computed HMAC    */
-/* secret_key - secret key to HMAC                  */
-/* secret_key_length - length of secret key,        */
-/* message - message to HMAC                        */
-/* message_length - length ofthe message            */
-/****************************************************/
-static SECStatus
-hmac_calc(unsigned char *hmac_computed,
-          const unsigned int hmac_length,
-          const unsigned char *secret_key,
-          const unsigned int secret_key_length,
-          const unsigned char *message,
-          const unsigned int message_length,
-          const HASH_HashType hashAlg )
-{
-    SECStatus hmac_status = SECFailure;
-    HMACContext *cx = NULL;
-    SECHashObject *hashObj = NULL;
-    unsigned int bytes_hashed = 0;
-
-    hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
- 
-    if (!hashObj) 
-        return( SECFailure );
-
-    cx = HMAC_Create(hashObj, secret_key, 
-                     secret_key_length, 
-                     PR_TRUE);  /* PR_TRUE for in FIPS mode */
-
-    if (cx == NULL) 
-        return( SECFailure );
-
-    HMAC_Begin(cx);
-    HMAC_Update(cx, message, message_length);
-    hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
-                              hmac_length);
-
-    HMAC_Destroy(cx, PR_TRUE);
-
-    return( hmac_status );
-}
-
-/*
- * Perform the HMAC Tests.
- *
- * reqfn is the pathname of the input REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void hmac_test(char *reqfn) 
-{
-    unsigned int i, j;
-    size_t bufSize =      288;    /* MAX buffer size */
-    char *buf = NULL;  /* holds one line from the input REQUEST file.*/
-    unsigned int keyLen;          /* Key Length */  
-    unsigned char key[140];       /* key MAX size = 140 */
-    unsigned int msgLen = 128;    /* the length of the input  */
-                                  /*  Message is always 128 Bytes */
-    unsigned char *msg = NULL;    /* holds the message to digest.*/
-    unsigned int HMACLen;         /* the length of the HMAC Bytes  */
-    unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
-    HASH_HashType hash_alg;       /* HMAC type */
-
-    FILE *req = NULL;  /* input stream from the REQUEST file */
-    FILE *resp;        /* output stream to the RESPONSE file */
-
-    buf = PORT_ZAlloc(bufSize);
-    if (buf == NULL) {
-        goto loser;
-    }      
-    msg = PORT_ZAlloc(msgLen);
-    memset(msg, 0, msgLen);
-    if (msg == NULL) {
-        goto loser;
-    } 
-
-    req = fopen(reqfn, "r");
-    resp = stdout;
-    while (fgets(buf, bufSize, req) != NULL) {
-
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, resp);
-            continue;
-        }
-        /* [L = Length of the MAC and HASH_type */
-        if (buf[0] == '[') {
-            if (strncmp(&buf[1], "L ", 1) == 0) {
-                i = 2;
-                while (isspace(buf[i]) || buf[i] == '=') {
-                    i++;
-                }
-                /* HMACLen will get reused for Tlen */
-                HMACLen = atoi(&buf[i]);
-                /* set the HASH algorithm for HMAC */
-                if (HMACLen == SHA1_LENGTH) {
-                    hash_alg = HASH_AlgSHA1;
-                } else if (HMACLen == SHA256_LENGTH) {
-                    hash_alg = HASH_AlgSHA256;
-                } else if (HMACLen == SHA384_LENGTH) {
-                    hash_alg = HASH_AlgSHA384;
-                } else if (HMACLen == SHA512_LENGTH) {
-                    hash_alg = HASH_AlgSHA512;
-                } else {
-                    goto loser;
-                }
-                fputs(buf, resp);
-                continue;
-            }
-        }
-        /* Count = test iteration number*/
-        if (strncmp(buf, "Count ", 5) == 0) {    
-            /* count can just be put into resp file */
-            fputs(buf, resp);
-            /* zeroize the variables for the test with this data set */
-            keyLen = 0; 
-            HMACLen = 0;
-            memset(key, 0, sizeof key);     
-            memset(msg, 0, sizeof msg);  
-            memset(HMAC, 0, sizeof HMAC);
-            continue;
-        }
-        /* KLen = Length of the Input Secret Key ... */
-        if (strncmp(buf, "Klen", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            keyLen = atoi(&buf[i]); /* in bytes */
-            fputs(buf, resp);
-            continue;
-        }
-        /* key = the secret key for the key to MAC */
-        if (strncmp(buf, "Key", 3) == 0) {
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< keyLen; i+=2,j++) {
-                hex_to_byteval(&buf[i], &key[j]);
-            }
-           fputs(buf, resp);
-        }
-        /* TLen = Length of the calculated HMAC */
-        if (strncmp(buf, "Tlen", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            HMACLen = atoi(&buf[i]); /* in bytes */
-            fputs(buf, resp);
-            continue;
-        }
-        /* MSG = to HMAC always 128 bytes for these tests */
-        if (strncmp(buf, "Msg", 3) == 0) {
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< msgLen; i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-           fputs(buf, resp);
-           /* calculate the HMAC and output */ 
-           if (hmac_calc(HMAC, HMACLen, key, keyLen,   
-                         msg, msgLen, hash_alg) != SECSuccess) {
-               goto loser;
-           }
-           fputs("MAC = ", resp);
-           to_hex_str(buf, HMAC, HMACLen);
-           fputs(buf, resp);
-           fputc('\n', resp);
-           continue;
-        }
-    }
-loser:
-    if (req) {
-        fclose(req);
-    }
-    if (buf) {
-        PORT_ZFree(buf, bufSize);
-    }
-    if (msg) {
-        PORT_ZFree(msg, msgLen);
-    }
-}
-
-/*
- * Perform the DSA Key Pair Generation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-dsa_keypair_test(char *reqfn)
-{
-    char buf[260];       /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * 257 to hold (128 public key (x2 for HEX) + 1'\n'
-                         */
-    FILE *dsareq;     /* input stream from the REQUEST file */
-    FILE *dsaresp;    /* output stream to the RESPONSE file */
-    int N;            /* number of time to generate key pair */
-    int modulus;
-    int i;
-    PQGParams *pqg = NULL;
-    PQGVerify *vfy = NULL;
-    int keySizeIndex;   /* index for valid key sizes */
-
-    dsareq = fopen(reqfn, "r");
-    dsaresp = stdout;
-    while (fgets(buf, sizeof buf, dsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* [Mod = x] */
-        if (buf[0] == '[') {
-            if(pqg!=NULL) {
-                PQG_DestroyParams(pqg);
-                pqg = NULL;
-            }
-            if(vfy!=NULL) {
-                PQG_DestroyVerify(vfy);
-                vfy = NULL;
-            }
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-            fputs(buf, dsaresp);
-            fputc('\n', dsaresp);
-
-            /*****************************************************************
-             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
-             * that points to a valid key size.
-             */
-            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
-            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
-               fprintf(dsaresp,
-                    "DSA key size must be a multiple of 64 between 512 "
-                    "and 1024, inclusive");
-                goto loser;
-            }
-
-            /* Generate the parameters P, Q, and G */
-            if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
-                &pqg, &vfy) != SECSuccess) {
-                fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
-                goto loser;
-            }
-
-            /* output P, Q, and G */
-            to_hex_str(buf, pqg->prime.data, pqg->prime.len);
-            fprintf(dsaresp, "P = %s\n", buf);
-            to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
-            fprintf(dsaresp, "Q = %s\n", buf);
-            to_hex_str(buf, pqg->base.data, pqg->base.len);
-            fprintf(dsaresp, "G = %s\n\n", buf);
-            continue;
-        }
-        /* N = ...*/
-        if (buf[0] == 'N') {
-
-            if (sscanf(buf, "N = %d", &N) != 1) {
-                goto loser;
-            }
-            /* Generate a DSA key, and output the key pair for N times */
-            for (i = 0; i < N; i++) {
-                DSAPrivateKey *dsakey = NULL;
-                if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
-                    fprintf(dsaresp, "ERROR: Unable to generate DSA key");
-                    goto loser;
-                }
-                to_hex_str(buf, dsakey->privateValue.data,
-                           dsakey->privateValue.len);
-                fprintf(dsaresp, "X = %s\n", buf);
-                to_hex_str(buf, dsakey->publicValue.data,
-                           dsakey->publicValue.len);
-                fprintf(dsaresp, "Y = %s\n\n", buf);
-                PORT_FreeArena(dsakey->params.arena, PR_TRUE);
-                dsakey = NULL;
-            }
-            continue;
-        }
-
-    }
-loser:
-    fclose(dsareq);
-}
-
-/*
- * Perform the DSA Domain Parameter Validation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-dsa_pqgver_test(char *reqfn)
-{
-    char buf[263];      /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * 260 to hold (128 public key (x2 for HEX) + P = ...
-                         */
-    FILE *dsareq;     /* input stream from the REQUEST file */
-    FILE *dsaresp;    /* output stream to the RESPONSE file */
-    int modulus; 
-    unsigned int i, j;
-    PQGParams pqg;
-    PQGVerify vfy;
-    unsigned int pghSize;        /* size for p, g, and h */
-
-    dsareq = fopen(reqfn, "r");
-    dsaresp = stdout;
-    memset(&pqg, 0, sizeof(pqg));
-    memset(&vfy, 0, sizeof(vfy));
-
-    while (fgets(buf, sizeof buf, dsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* [Mod = x] */
-        if (buf[0] == '[') {
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-
-            if (pqg.prime.data) { /* P */
-                SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
-            }
-            if (pqg.subPrime.data) { /* Q */
-                SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
-            }
-            if (pqg.base.data) {    /* G */
-                SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
-            }
-            if (vfy.seed.data) {   /* seed */
-                SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
-            }
-            if (vfy.h.data) {     /* H */
-                SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
-            }
-
-            fputs(buf, dsaresp);
-
-            /*calculate the size of p, g, and h then allocate items  */
-            pghSize = modulus/8;
-            SECITEM_AllocItem(NULL, &pqg.prime, pghSize);
-            SECITEM_AllocItem(NULL, &pqg.base, pghSize);
-            SECITEM_AllocItem(NULL, &vfy.h, pghSize);
-            pqg.prime.len = pqg.base.len = vfy.h.len = pghSize;
-            /* seed and q are always 20 bytes */
-            SECITEM_AllocItem(NULL, &vfy.seed, 20);
-            SECITEM_AllocItem(NULL, &pqg.subPrime, 20);
-            vfy.seed.len = pqg.subPrime.len = 20;
-            vfy.counter = 0;
-
-            continue;
-        }
-        /* P = ... */
-        if (buf[0] == 'P') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< pqg.prime.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* Q = ... */
-        if (buf[0] == 'Q') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< pqg.subPrime.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* G = ... */
-        if (buf[0] == 'G') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< pqg.base.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pqg.base.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* Seed = ... */
-        if (strncmp(buf, "Seed", 4) == 0) {
-            i = 4;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< vfy.seed.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &vfy.seed.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* c = ... */
-        if (buf[0] == 'c') {
-
-            if (sscanf(buf, "c = %u", &vfy.counter) != 1) {
-                goto loser;
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* H = ... */
-        if (buf[0] == 'H') {
-            SECStatus rv, result = SECFailure;
-
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< vfy.h.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &vfy.h.data[j]);
-            }
-            fputs(buf, dsaresp);
-
-            /* Verify the Parameters */
-            rv = PQG_VerifyParams(&pqg, &vfy, &result);
-            if (rv != SECSuccess) {
-                goto loser;
-            }
-            if (result == SECSuccess) {
-                fprintf(dsaresp, "Result = P\n");
-            } else {
-                fprintf(dsaresp, "Result = F\n");
-            }
-            continue;
-        }
-    }
-loser:
-    fclose(dsareq);
-    if (pqg.prime.data) { /* P */
-        SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
-    }
-    if (pqg.subPrime.data) { /* Q */
-        SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
-    }
-    if (pqg.base.data) {    /* G */
-        SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
-    }
-    if (vfy.seed.data) {   /* seed */
-        SECITEM_ZfreeItem(&vfy.seed, PR_FALSE);
-    }
-    if (vfy.h.data) {     /* H */
-        SECITEM_ZfreeItem(&vfy.h, PR_FALSE);
-    }
-
-}
-
-/*
- * Perform the DSA Public Key Validation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-dsa_pqggen_test(char *reqfn)
-{
-    char buf[263];      /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * 263 to hold seed = (128 public key (x2 for HEX)
-                         */
-    FILE *dsareq;     /* input stream from the REQUEST file */
-    FILE *dsaresp;    /* output stream to the RESPONSE file */
-    int N;            /* number of times to generate parameters */
-    int modulus; 
-    int i;
-    unsigned int j;
-    PQGParams *pqg = NULL;
-    PQGVerify *vfy = NULL;
-    unsigned int keySizeIndex;
-
-    dsareq = fopen(reqfn, "r");
-    dsaresp = stdout;
-    while (fgets(buf, sizeof buf, dsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* [Mod = ... ] */
-        if (buf[0] == '[') {
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-
-            fputs(buf, dsaresp);
-            fputc('\n', dsaresp);
-
-            /****************************************************************
-             * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
-             * that points to a valid key size.
-             */
-            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
-            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
-               fprintf(dsaresp,
-                    "DSA key size must be a multiple of 64 between 512 "
-                    "and 1024, inclusive");
-                goto loser;
-            }
-
-            continue;
-        }
-        /* N = ... */
-        if (buf[0] == 'N') {
-
-            if (sscanf(buf, "N = %d", &N) != 1) {
-                goto loser;
-            }
-            for (i = 0; i < N; i++) {
-                if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
-                    &pqg, &vfy) != SECSuccess) {
-                    fprintf(dsaresp,
-                            "ERROR: Unable to generate PQG parameters");
-                    goto loser;
-                }
-                to_hex_str(buf, pqg->prime.data, pqg->prime.len);
-                fprintf(dsaresp, "P = %s\n", buf);
-                to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
-                fprintf(dsaresp, "Q = %s\n", buf);
-                to_hex_str(buf, pqg->base.data, pqg->base.len);
-                fprintf(dsaresp, "G = %s\n", buf);
-                to_hex_str(buf, vfy->seed.data, vfy->seed.len);
-                fprintf(dsaresp, "Seed = %s\n", buf);
-                fprintf(dsaresp, "c = %d\n", vfy->counter);
-                to_hex_str(buf, vfy->h.data, vfy->h.len);
-                fputs("H = ", dsaresp);
-                for (j=vfy->h.len; j<pqg->prime.len; j++) {
-                    fprintf(dsaresp, "00");
-                }
-                fprintf(dsaresp, "%s\n", buf);
-                fputc('\n', dsaresp);
-                if(pqg!=NULL) {
-                    PQG_DestroyParams(pqg);
-                    pqg = NULL;
-                }
-                if(vfy!=NULL) {
-                    PQG_DestroyVerify(vfy);
-                    vfy = NULL;
-                }
-            }
-
-            continue;
-        }
-
-    }
-loser:
-    fclose(dsareq);
-    if(pqg!=NULL) {
-        PQG_DestroyParams(pqg);
-    }
-    if(vfy!=NULL) {
-        PQG_DestroyVerify(vfy);
-    }
-}
-
-/*
- * Perform the DSA Signature Generation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-dsa_siggen_test(char *reqfn)
-{
-    char buf[263];       /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * max for Msg = ....
-                         */
-    FILE *dsareq;     /* input stream from the REQUEST file */
-    FILE *dsaresp;    /* output stream to the RESPONSE file */
-    int modulus;          
-    int i, j;
-    PQGParams *pqg = NULL;
-    PQGVerify *vfy = NULL;
-    DSAPrivateKey *dsakey = NULL;
-    int keySizeIndex;     /* index for valid key sizes */
-    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
-    unsigned char sig[DSA_SIGNATURE_LEN];
-    SECItem digest, signature;
-
-    dsareq = fopen(reqfn, "r");
-    dsaresp = stdout;
-
-    while (fgets(buf, sizeof buf, dsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* [Mod = x] */
-        if (buf[0] == '[') {
-            if(pqg!=NULL) {
-                PQG_DestroyParams(pqg);
-                pqg = NULL;
-            }
-            if(vfy!=NULL) {
-                PQG_DestroyVerify(vfy);
-                vfy = NULL;
-            }
-            if (dsakey != NULL) {
-                    PORT_FreeArena(dsakey->params.arena, PR_TRUE);
-                    dsakey = NULL;
-            }
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-            fputs(buf, dsaresp);
-            fputc('\n', dsaresp);
-
-            /****************************************************************
-            * PQG_ParamGenSeedLen doesn't take a key size, it takes an index
-            * that points to a valid key size.
-            */
-            keySizeIndex = PQG_PBITS_TO_INDEX(modulus);
-            if(keySizeIndex == -1 || modulus<512 || modulus>1024) {
-                fprintf(dsaresp,
-                    "DSA key size must be a multiple of 64 between 512 "
-                    "and 1024, inclusive");
-                goto loser;
-            }
-
-            /* Generate PQG and output PQG */
-            if (PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
-                &pqg, &vfy) != SECSuccess) {
-                fprintf(dsaresp, "ERROR: Unable to generate PQG parameters");
-                goto loser;
-            }
-            to_hex_str(buf, pqg->prime.data, pqg->prime.len);
-            fprintf(dsaresp, "P = %s\n", buf);
-            to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
-            fprintf(dsaresp, "Q = %s\n", buf);
-            to_hex_str(buf, pqg->base.data, pqg->base.len);
-            fprintf(dsaresp, "G = %s\n", buf);
-
-            /* create DSA Key */
-            if (DSA_NewKey(pqg, &dsakey) != SECSuccess) {
-                fprintf(dsaresp, "ERROR: Unable to generate DSA key");
-                goto loser;
-            }
-            continue;
-        }
-
-        /* Msg = ... */
-        if (strncmp(buf, "Msg", 3) == 0) {
-            unsigned char msg[128]; /* MAX msg 128 */
-            unsigned int len = 0;
-
-            memset(sha1, 0, sizeof sha1);
-            memset(sig,  0, sizeof sig);
-
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-            if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
-                 fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
-                 goto loser;
-            }
-
-            digest.type = siBuffer;
-            digest.data = sha1;
-            digest.len = sizeof sha1;
-            signature.type = siBuffer;
-            signature.data = sig;
-            signature.len = sizeof sig;
-
-            if (DSA_SignDigest(dsakey, &signature, &digest) != SECSuccess) {
-                fprintf(dsaresp, "ERROR: Unable to generate DSA signature");
-                goto loser;
-            }
-            len = signature.len;
-            if (len%2 != 0) {
-                goto loser;
-            }
-            len = len/2;
-
-            /* output the orginal Msg, and generated Y, R, and S */
-            fputs(buf, dsaresp);
-            fputc('\n', dsaresp);
-            to_hex_str(buf, dsakey->publicValue.data,
-                       dsakey->publicValue.len);
-            fprintf(dsaresp, "Y = %s\n", buf);
-            to_hex_str(buf, &signature.data[0], len);
-            fprintf(dsaresp, "R = %s\n", buf);
-            to_hex_str(buf, &signature.data[len], len);
-            fprintf(dsaresp, "S = %s\n", buf);
-            continue;
-        }
-
-    }
-loser:
-    fclose(dsareq);
-    if(pqg != NULL) {
-        PQG_DestroyParams(pqg);
-        pqg = NULL;
-    }
-    if(vfy != NULL) {
-        PQG_DestroyVerify(vfy);
-        vfy = NULL;
-    }
-    if (dsaKey) {
-        PORT_FreeArena(dsakey->params.arena, PR_TRUE);
-        dsakey = NULL;
-    }
-}
-
- /*
- * Perform the DSA Signature Verification Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-dsa_sigver_test(char *reqfn)
-{
-    char buf[263];       /* holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * max for Msg = ....
-                         */
-    FILE *dsareq;     /* input stream from the REQUEST file */
-    FILE *dsaresp;    /* output stream to the RESPONSE file */
-    int modulus;  
-    unsigned int i, j;
-    SECItem digest, signature;
-    DSAPublicKey pubkey;
-    unsigned int pgySize;        /* size for p, g, and y */
-    unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
-    unsigned char sig[DSA_SIGNATURE_LEN];
-
-    dsareq = fopen(reqfn, "r");
-    dsaresp = stdout;
-    memset(&pubkey, 0, sizeof(pubkey));
-
-    while (fgets(buf, sizeof buf, dsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* [Mod = x] */
-        if (buf[0] == '[') {
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-
-            if (pubkey.params.prime.data) { /* P */
-                SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
-            }
-            if (pubkey.params.subPrime.data) { /* Q */
-                SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
-            }
-            if (pubkey.params.base.data) {    /* G */
-                SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
-            }
-            if (pubkey.publicValue.data) {    /* Y */
-                SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
-            }
-            fputs(buf, dsaresp);
-
-            /* calculate the size of p, g, and y then allocate items */
-            pgySize = modulus/8;
-            SECITEM_AllocItem(NULL, &pubkey.params.prime, pgySize);
-            SECITEM_AllocItem(NULL, &pubkey.params.base, pgySize);
-            SECITEM_AllocItem(NULL, &pubkey.publicValue, pgySize);
-            pubkey.params.prime.len = pubkey.params.base.len = pgySize;
-            pubkey.publicValue.len = pgySize;
-
-            /* q always 20 bytes */
-            SECITEM_AllocItem(NULL, &pubkey.params.subPrime, 20);
-            pubkey.params.subPrime.len = 20;
-
-            continue;
-        }
-        /* P = ... */
-        if (buf[0] == 'P') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            memset(pubkey.params.prime.data, 0, pubkey.params.prime.len);
-            for (j=0; j< pubkey.params.prime.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pubkey.params.prime.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* Q = ... */
-        if (buf[0] == 'Q') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            memset(pubkey.params.subPrime.data, 0, pubkey.params.subPrime.len);
-            for (j=0; j< pubkey.params.subPrime.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pubkey.params.subPrime.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* G = ... */
-        if (buf[0] == 'G') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            memset(pubkey.params.base.data, 0, pubkey.params.base.len);
-            for (j=0; j< pubkey.params.base.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pubkey.params.base.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* Msg = ... */
-        if (strncmp(buf, "Msg", 3) == 0) {
-            unsigned char msg[128]; /* MAX msg 128 */
-            memset(sha1, 0, sizeof sha1);
-
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]); i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-            if (SHA1_HashBuf(sha1, msg, j) != SECSuccess) {
-                fprintf(dsaresp, "ERROR: Unable to generate SHA1 digest");
-                goto loser;
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* Y = ... */
-        if (buf[0] == 'Y') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            memset(pubkey.publicValue.data, 0, pubkey.params.subPrime.len);
-            for (j=0; j< pubkey.publicValue.len; i+=2,j++) {
-                hex_to_byteval(&buf[i], &pubkey.publicValue.data[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* R = ... */
-        if (buf[0] == 'R') {
-            memset(sig,  0, sizeof sig);
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; j< DSA_SUBPRIME_LEN; i+=2,j++) {
-                hex_to_byteval(&buf[i], &sig[j]);
-            }
-
-            fputs(buf, dsaresp);
-            continue;
-        }
-
-        /* S = ... */
-        if (buf[0] == 'S') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=DSA_SUBPRIME_LEN; j< DSA_SIGNATURE_LEN; i+=2,j++) {
-                hex_to_byteval(&buf[i], &sig[j]);
-            }
-            fputs(buf, dsaresp);
-
-            digest.type = siBuffer;
-            digest.data = sha1;
-            digest.len = sizeof sha1;
-            signature.type = siBuffer;
-            signature.data = sig;
-            signature.len = sizeof sig;
-
-            if (DSA_VerifyDigest(&pubkey, &signature, &digest) == SECSuccess) {
-                fprintf(dsaresp, "Result = P\n");
-            } else {
-                fprintf(dsaresp, "Result = F\n");
-            }
-            continue;
-        }
-    }
-loser:
-    fclose(dsareq);
-    if (pubkey.params.prime.data) { /* P */
-        SECITEM_ZfreeItem(&pubkey.params.prime, PR_FALSE);
-    }
-    if (pubkey.params.subPrime.data) { /* Q */
-        SECITEM_ZfreeItem(&pubkey.params.subPrime, PR_FALSE);
-    }
-    if (pubkey.params.base.data) {    /* G */
-        SECITEM_ZfreeItem(&pubkey.params.base, PR_FALSE);
-    }
-    if (pubkey.publicValue.data) {    /* Y */
-        SECITEM_ZfreeItem(&pubkey.publicValue, PR_FALSE);
-    }
-}
-
-/*
- * Perform the RSA Signature Generation Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-rsa_siggen_test(char *reqfn)
-{
-    char buf[2*RSA_MAX_TEST_MODULUS_BYTES+1];
-                        /* buf holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * 2x for HEX output + 1 for \n
-                         */
-    FILE *rsareq;     /* input stream from the REQUEST file */
-    FILE *rsaresp;    /* output stream to the RESPONSE file */
-    int i, j;
-    unsigned char  sha[HASH_LENGTH_MAX];    /* SHA digest */
-    unsigned int   shaLength = 0;           /* length of SHA */
-    HASH_HashType  shaAlg = HASH_AlgNULL;   /* type of SHA Alg */
-    SECOidTag      shaOid = SEC_OID_UNKNOWN;
-    int modulus;                                /* the Modulus size */
-    int  publicExponent  = DEFAULT_RSA_PUBLIC_EXPONENT;
-    SECItem pe = {0, 0, 0 };
-    unsigned char pubEx[4];
-    int peCount = 0;
-
-    RSAPrivateKey  *rsaBlapiPrivKey = NULL;   /* holds RSA private and
-                                              * public keys */
-    RSAPublicKey   *rsaBlapiPublicKey = NULL; /* hold RSA public key */
-
-    rsareq = fopen(reqfn, "r");
-    rsaresp = stdout;
-
-    /* calculate the exponent */
-    for (i=0; i < 4; i++) {
-        if (peCount || (publicExponent &
-                ((unsigned long)0xff000000L >> (i*8)))) {
-            pubEx[peCount] =
-                (unsigned char)((publicExponent >> (3-i)*8) & 0xff);
-            peCount++;
-        }
-    }
-    pe.len = peCount;
-    pe.data = &pubEx[0];
-    pe.type = siBuffer;
-
-    while (fgets(buf, sizeof buf, rsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, rsaresp);
-            continue;
-        }
-
-        /* [mod = ...] */
-        if (buf[0] == '[') {
-
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-            if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
-                fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
-                goto loser;
-            }
-
-            fputs(buf, rsaresp);
-
-            if (rsaBlapiPrivKey != NULL) {
-                PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
-                rsaBlapiPrivKey = NULL;
-                rsaBlapiPublicKey = NULL;
-            }
-
-            rsaBlapiPrivKey = RSA_NewKey(modulus, &pe);
-            if (rsaBlapiPrivKey == NULL) {
-                fprintf(rsaresp, "Error unable to create RSA key\n");
-                goto loser;
-            }
-
-            to_hex_str(buf, rsaBlapiPrivKey->modulus.data,
-                       rsaBlapiPrivKey->modulus.len);
-            fprintf(rsaresp, "\nn = %s\n\n", buf);
-            to_hex_str(buf, rsaBlapiPrivKey->publicExponent.data,
-                       rsaBlapiPrivKey->publicExponent.len);
-            fprintf(rsaresp, "e = %s\n", buf);
-            /* convert private key to public key.  Memory
-             * is freed with private key's arena  */
-            rsaBlapiPublicKey = (RSAPublicKey *)PORT_ArenaAlloc(
-                                                  rsaBlapiPrivKey->arena,
-                                                  sizeof(RSAPublicKey));
-
-            rsaBlapiPublicKey->modulus.len = rsaBlapiPrivKey->modulus.len;
-            rsaBlapiPublicKey->modulus.data = rsaBlapiPrivKey->modulus.data;
-            rsaBlapiPublicKey->publicExponent.len =
-                rsaBlapiPrivKey->publicExponent.len;
-            rsaBlapiPublicKey->publicExponent.data =
-                rsaBlapiPrivKey->publicExponent.data;
-            continue;
-        }
-
-        /* SHAAlg = ... */
-        if (strncmp(buf, "SHAAlg", 6) == 0) {
-           i = 6;
-           while (isspace(buf[i]) || buf[i] == '=') {
-               i++;
-           }
-           /* set the SHA Algorithm */
-           if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-           } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-           } else if (strncmp(&buf[i], "SHA384", 6)== 0) {
-               shaAlg = HASH_AlgSHA384;
-           } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-               shaAlg = HASH_AlgSHA512;
-           } else {
-               fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
-               goto loser;
-           }
-           fputs(buf, rsaresp);
-           continue;
-
-        }
-        /* Msg = ... */
-        if (strncmp(buf, "Msg", 3) == 0) {
-
-            unsigned char msg[128]; /* MAX msg 128 */
-            unsigned int rsa_bytes_signed;
-            unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
-            SECStatus       rv = SECFailure;
-            NSSLOWKEYPublicKey  * rsa_public_key;
-            NSSLOWKEYPrivateKey * rsa_private_key;
-            NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
-            NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
-
-            low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
-            low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
-
-            rsa_private_key = &low_RSA_private_key;
-            rsa_public_key = &low_RSA_public_key;
-
-            memset(sha, 0, sizeof sha);
-            memset(msg, 0, sizeof msg);
-            rsa_bytes_signed = 0;
-            memset(rsa_computed_signature, 0, sizeof rsa_computed_signature);
-
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            for (j=0; isxdigit(buf[i]) && j < sizeof(msg); i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-
-            if (shaAlg == HASH_AlgSHA1) {
-                if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA1");
-                     goto loser;
-                }
-                shaLength = SHA1_LENGTH;
-                shaOid = SEC_OID_SHA1;
-            } else if (shaAlg == HASH_AlgSHA256) {
-                if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA256");
-                     goto loser;
-                }
-                shaLength = SHA256_LENGTH;
-                shaOid = SEC_OID_SHA256;
-            } else if (shaAlg == HASH_AlgSHA384) {
-                if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA384");
-                     goto loser;
-                }
-                shaLength = SHA384_LENGTH;
-                shaOid = SEC_OID_SHA384;
-            } else if (shaAlg == HASH_AlgSHA512) {
-                if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA512");
-                     goto loser;
-                }
-                shaLength = SHA512_LENGTH;
-                shaOid = SEC_OID_SHA512;
-            } else {
-                fprintf(rsaresp, "ERROR: SHAAlg not defined.");
-                goto loser;
-            }
-
-            /* Perform RSA signature with the RSA private key. */
-            rv = RSA_HashSign( shaOid,
-                               rsa_private_key,
-                               rsa_computed_signature,
-                               &rsa_bytes_signed,
-                               nsslowkey_PrivateModulusLen(rsa_private_key),
-                               sha,
-                               shaLength);
-
-            if( rv != SECSuccess ) {
-                 fprintf(rsaresp, "ERROR: RSA_HashSign failed");
-                 goto loser;
-            }
-
-            /* Output the signature */
-            fputs(buf, rsaresp);
-            to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
-            fprintf(rsaresp, "S = %s\n", buf);
-
-            /* Perform RSA verification with the RSA public key. */
-            rv = RSA_HashCheckSign( shaOid,
-                                    rsa_public_key,
-                                    rsa_computed_signature,
-                                    rsa_bytes_signed,
-                                    sha,
-                                    shaLength);
-            if( rv != SECSuccess ) {
-                 fprintf(rsaresp, "ERROR: RSA_HashCheckSign failed");
-                 goto loser;
-            }
-            continue;
-        }
-    }
-loser:
-    fclose(rsareq);
-
-    if (rsaBlapiPrivKey != NULL) {
-        /* frees private and public key */
-        PORT_FreeArena(rsaBlapiPrivKey->arena, PR_TRUE);
-        rsaBlapiPrivKey = NULL;
-        rsaBlapiPublicKey = NULL;
-    }
-
-}
-/*
- * Perform the RSA Signature Verification Test.
- *
- * reqfn is the pathname of the REQUEST file.
- *
- * The output RESPONSE file is written to stdout.
- */
-void
-rsa_sigver_test(char *reqfn)
-{
-    char buf[2*RSA_MAX_TEST_MODULUS_BYTES+7];
-                        /* buf holds one line from the input REQUEST file
-                         * or to the output RESPONSE file.
-                         * s = 2x for HEX output + 1 for \n
-                         */
-    FILE *rsareq;     /* input stream from the REQUEST file */
-    FILE *rsaresp;    /* output stream to the RESPONSE file */
-    int i, j;
-    unsigned char   sha[HASH_LENGTH_MAX];   /* SHA digest */
-    unsigned int    shaLength = 0;              /* actual length of the digest */
-    HASH_HashType   shaAlg = HASH_AlgNULL;
-    SECOidTag       shaOid = SEC_OID_UNKNOWN;
-    int modulus = 0;                            /* the Modulus size */
-    unsigned char   signature[513];    /* largest signature size + '\n' */
-    unsigned int    signatureLength = 0;   /* actual length of the signature */
-    PRBool keyvalid = PR_TRUE;
-
-    RSAPublicKey   rsaBlapiPublicKey; /* hold RSA public key */
-
-    rsareq = fopen(reqfn, "r");
-    rsaresp = stdout;
-    memset(&rsaBlapiPublicKey, 0, sizeof(RSAPublicKey));
-
-    while (fgets(buf, sizeof buf, rsareq) != NULL) {
-        /* a comment or blank line */
-        if (buf[0] == '#' || buf[0] == '\n') {
-            fputs(buf, rsaresp);
-            continue;
-        }
-
-        /* [Mod = ...] */
-        if (buf[0] == '[') {
-            unsigned int flen;  /* length in bytes of the field size */
-
-            if (rsaBlapiPublicKey.modulus.data) { /* n */
-                SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
-            }
-            if (sscanf(buf, "[mod = %d]", &modulus) != 1) {
-                goto loser;
-            }
-
-            if (modulus > RSA_MAX_TEST_MODULUS_BITS) {
-                fprintf(rsaresp,"ERROR: modulus greater than test maximum\n");
-                goto loser;
-            }
-
-            fputs(buf, rsaresp);
-
-            signatureLength = flen = modulus/8;
-
-            SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.modulus, flen);
-            if (rsaBlapiPublicKey.modulus.data == NULL) {
-                goto loser;
-            }
-            continue;
-        }
-
-        /* n = ... modulus */
-        if (buf[0] == 'n') {
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            keyvalid = from_hex_str(&rsaBlapiPublicKey.modulus.data[0],
-                                    rsaBlapiPublicKey.modulus.len,
-                                    &buf[i]);
-
-            if (!keyvalid) {
-                fprintf(rsaresp, "ERROR: rsa_sigver n not valid.\n");
-                                 goto loser;
-            }
-            fputs(buf, rsaresp);
-            continue;
-        }
-
-        /* SHAAlg = ... */
-        if (strncmp(buf, "SHAAlg", 6) == 0) {
-           i = 6;
-           while (isspace(buf[i]) || buf[i] == '=') {
-               i++;
-           }
-           /* set the SHA Algorithm */
-           if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-           } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-           } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
-               shaAlg = HASH_AlgSHA384;
-           } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-               shaAlg = HASH_AlgSHA512;
-           } else {
-               fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
-               goto loser;
-           }
-           fputs(buf, rsaresp);
-           continue;
-        }
-
-        /* e = ... public Key */
-        if (buf[0] == 'e') {
-            unsigned char data[RSA_MAX_TEST_EXPONENT_BYTES];
-            unsigned char t;
-
-            memset(data, 0, sizeof data);
-
-            if (rsaBlapiPublicKey.publicExponent.data) { /* e */
-                SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
-            }
-
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-            /* skip leading zero's */
-            while (isxdigit(buf[i])) {
-                hex_to_byteval(&buf[i], &t);
-                if (t == 0) {
-                    i+=2;
-                } else break;
-            }
-        
-            /* get the exponent */
-            for (j=0; isxdigit(buf[i]) && j < sizeof data; i+=2,j++) {
-                hex_to_byteval(&buf[i], &data[j]);
-            }
-
-            if (j == 0) { j = 1; }  /* to handle 1 byte length exponents */
-
-            SECITEM_AllocItem(NULL, &rsaBlapiPublicKey.publicExponent,  j);
-            if (rsaBlapiPublicKey.publicExponent.data == NULL) {
-                goto loser;
-            }
-
-            for (i=0; i < j; i++) {
-                rsaBlapiPublicKey.publicExponent.data[i] = data[i];
-            }
-
-            fputs(buf, rsaresp);
-            continue;
-        }
-
-        /* Msg = ... */
-        if (strncmp(buf, "Msg", 3) == 0) {
-            unsigned char msg[128]; /* MAX msg 128 */
-
-            memset(sha, 0, sizeof sha);
-            memset(msg, 0, sizeof msg);
-
-            i = 3;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-
-            for (j=0; isxdigit(buf[i]) && j < sizeof msg; i+=2,j++) {
-                hex_to_byteval(&buf[i], &msg[j]);
-            }
-
-            if (shaAlg == HASH_AlgSHA1) {
-                if (SHA1_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA1");
-                     goto loser;
-                }
-                shaLength = SHA1_LENGTH;
-                shaOid = SEC_OID_SHA1;
-            } else if (shaAlg == HASH_AlgSHA256) {
-                if (SHA256_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA256");
-                     goto loser;
-                }
-                shaLength = SHA256_LENGTH;
-                shaOid = SEC_OID_SHA256;
-            } else if (shaAlg == HASH_AlgSHA384) {
-                if (SHA384_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA384");
-                     goto loser;
-                }
-                shaLength = SHA384_LENGTH;
-                shaOid = SEC_OID_SHA384;
-            } else if (shaAlg == HASH_AlgSHA512) {
-                if (SHA512_HashBuf(sha, msg, j) != SECSuccess) {
-                     fprintf(rsaresp, "ERROR: Unable to generate SHA512");
-                     goto loser;
-                }
-                shaLength = SHA512_LENGTH;
-                shaOid = SEC_OID_SHA512;
-            } else {
-                fprintf(rsaresp, "ERROR: SHAAlg not defined.");
-                goto loser;
-            }
-
-            fputs(buf, rsaresp);
-            continue;
-
-        }
-
-        /* S = ... */
-        if (buf[0] == 'S') {
-            SECStatus rv = SECFailure;
-            NSSLOWKEYPublicKey  * rsa_public_key;
-            NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                  NSSLOWKEYRSAKey, };
-
-            /* convert to a low RSA public key */
-            low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
-            rsa_public_key = &low_RSA_public_key;
-
-            memset(signature, 0, sizeof(signature));
-            i = 1;
-            while (isspace(buf[i]) || buf[i] == '=') {
-                i++;
-            }
-
-            for (j=0; isxdigit(buf[i]) && j < sizeof signature; i+=2,j++) {
-                hex_to_byteval(&buf[i], &signature[j]);
-            }
-
-            signatureLength = j;
-            fputs(buf, rsaresp);
-
-            /* Perform RSA verification with the RSA public key. */
-            rv = RSA_HashCheckSign( shaOid,
-                                    rsa_public_key,
-                                    signature,
-                                    signatureLength,
-                                    sha,
-                                    shaLength);
-            if( rv == SECSuccess ) {
-                fputs("Result = P\n", rsaresp);
-            } else {
-                fputs("Result = F\n", rsaresp);
-            }
-            continue;
-        }
-    }
-loser:
-    fclose(rsareq);
-    if (rsaBlapiPublicKey.modulus.data) { /* n */
-        SECITEM_ZfreeItem(&rsaBlapiPublicKey.modulus, PR_FALSE);
-    }
-    if (rsaBlapiPublicKey.publicExponent.data) { /* e */
-        SECITEM_ZfreeItem(&rsaBlapiPublicKey.publicExponent, PR_FALSE);
-    }
-}
-
-int main(int argc, char **argv)
-{
-    if (argc < 2) exit (-1);
-    NSS_NoDB_Init(NULL);
-    /*************/
-    /*   TDEA    */
-    /*************/
-    if (strcmp(argv[1], "tdea") == 0) {
-        /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
-        if (strcmp(argv[2], "kat") == 0) {
-            /* Known Answer Test (KAT) */
-            tdea_kat_mmt(argv[4]);     
-        } else if (strcmp(argv[2], "mmt") == 0) {
-            /* Multi-block Message Test (MMT) */
-                tdea_kat_mmt(argv[4]);
-        } else if (strcmp(argv[2], "mct") == 0) {
-                /* Monte Carlo Test (MCT) */
-                if (strcmp(argv[3], "ecb") == 0) {
-                    /* ECB mode */
-                    tdea_mct(NSS_DES_EDE3, argv[4]); 
-                } else if (strcmp(argv[3], "cbc") == 0) {
-                    /* CBC mode */
-                    tdea_mct(NSS_DES_EDE3_CBC, argv[4]);
-                }
-        }
-    /*************/
-    /*   AES     */
-    /*************/
-    } else if (strcmp(argv[1], "aes") == 0) {
-	/* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */
-	if (       strcmp(argv[2], "kat") == 0) {
-	    /* Known Answer Test (KAT) */
-	    aes_kat_mmt(argv[4]);
-	} else if (strcmp(argv[2], "mmt") == 0) {
-	    /* Multi-block Message Test (MMT) */
-	    aes_kat_mmt(argv[4]);
-	} else if (strcmp(argv[2], "mct") == 0) {
-	    /* Monte Carlo Test (MCT) */
-	    if (       strcmp(argv[3], "ecb") == 0) {
-		/* ECB mode */
-		aes_ecb_mct(argv[4]);
-	    } else if (strcmp(argv[3], "cbc") == 0) {
-		/* CBC mode */
-		aes_cbc_mct(argv[4]);
-	    }
-	}
-    /*************/
-    /*   SHA     */
-    /*************/
-    } else if (strcmp(argv[1], "sha") == 0) {
-        sha_test(argv[2]);
-    /*************/
-    /*   RSA     */
-    /*************/
-    } else if (strcmp(argv[1], "rsa") == 0) {
-        /* argv[2]=siggen|sigver */
-        /* argv[3]=<test name>.req */
-        if (strcmp(argv[2], "siggen") == 0) {
-            /* Signature Generation Test */
-            rsa_siggen_test(argv[3]);
-        } else if (strcmp(argv[2], "sigver") == 0) {
-            /* Signature Verification Test */
-            rsa_sigver_test(argv[3]);
-        }
-    /*************/
-    /*   HMAC    */
-    /*************/
-    } else if (strcmp(argv[1], "hmac") == 0) {
-        hmac_test(argv[2]);
-    /*************/
-    /*   DSA     */
-    /*************/
-    } else if (strcmp(argv[1], "dsa") == 0) {
-        /* argv[2]=keypair|pqggen|pqgver|siggen|sigver */
-        /* argv[3]=<test name>.req */
-        if (strcmp(argv[2], "keypair") == 0) {
-            /* Key Pair Generation Test */
-            dsa_keypair_test(argv[3]);
-        } else if (strcmp(argv[2], "pqggen") == 0) {
-        /* Domain Parameter Generation Test */
-            dsa_pqggen_test(argv[3]);
-        } else if (strcmp(argv[2], "pqgver") == 0) {
-                /* Domain Parameter Validation Test */
-            dsa_pqgver_test(argv[3]);
-        } else if (strcmp(argv[2], "siggen") == 0) {
-            /* Signature Generation Test */
-            dsa_siggen_test(argv[3]);
-        } else if (strcmp(argv[2], "sigver") == 0) {
-            /* Signature Verification Test */
-            dsa_sigver_test(argv[3]);
-        }
-#ifdef NSS_ENABLE_ECC
-    /*************/
-    /*   ECDSA   */
-    /*************/
-    } else if (strcmp(argv[1], "ecdsa") == 0) {
-	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
-	if (       strcmp(argv[2], "keypair") == 0) {
-	    /* Key Pair Generation Test */
-	    ecdsa_keypair_test(argv[3]);
-	} else if (strcmp(argv[2], "pkv") == 0) {
-	    /* Public Key Validation Test */
-	    ecdsa_pkv_test(argv[3]);
-	} else if (strcmp(argv[2], "siggen") == 0) {
-	    /* Signature Generation Test */
-	    ecdsa_siggen_test(argv[3]);
-	} else if (strcmp(argv[2], "sigver") == 0) {
-	    /* Signature Verification Test */
-	    ecdsa_sigver_test(argv[3]);
-	}
-#endif /* NSS_ENABLE_ECC */
-    /*************/
-    /*   RNG     */
-    /*************/
-    } else if (strcmp(argv[1], "rng") == 0) {
-	/* argv[2]=vst|mct argv[3]=<test name>.req */
-	if (       strcmp(argv[2], "vst") == 0) {
-	    /* Variable Seed Test */
-	    rng_vst(argv[3]);
-	} else if (strcmp(argv[2], "mct") == 0) {
-	    /* Monte Carlo Test */
-	    rng_mct(argv[3]);
-	}
-    } else if (strcmp(argv[1], "drbg") == 0) {
-	/* Variable Seed Test */
-	drbg(argv[2]);
-    } else if (strcmp(argv[1], "ddrbg") == 0) {
-	debug = 1;
-	drbg(argv[2]);
-    }
-    return 0;
-}
diff --git a/security/nss/cmd/fipstest/hmac.sh b/security/nss/cmd/fipstest/hmac.sh
deleted file mode 100755
index ace988c7f..000000000
--- a/security/nss/cmd/fipstest/hmac.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-                               
-hmac_requests="
-HMAC.req
-"
-
-for request in $hmac_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest hmac $request > $response
-done
-
diff --git a/security/nss/cmd/fipstest/manifest.mn b/security/nss/cmd/fipstest/manifest.mn
deleted file mode 100644
index ba3b1a448..000000000
--- a/security/nss/cmd/fipstest/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-PROGRAM = fipstest
-
-USE_STATIC_LIBS = 1
-
-EXPORTS = \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	$(NULL)
-
-CSRCS = \
-	fipstest.c \
-	$(NULL)
-
diff --git a/security/nss/cmd/fipstest/rng.sh b/security/nss/cmd/fipstest/rng.sh
deleted file mode 100644
index a041706c2..000000000
--- a/security/nss/cmd/fipstest/rng.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST RNG Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-drbg_requests="
-SHA256_DRBG.req
-"
-
-for request in $drbg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest drbg $request > $response
-done
diff --git a/security/nss/cmd/fipstest/rsa.sh b/security/nss/cmd/fipstest/rsa.sh
deleted file mode 100644
index 4b68a58bc..000000000
--- a/security/nss/cmd/fipstest/rsa.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST RSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-
-request=SigGen15.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa siggen $request > $response
-
-request=SigVer15.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa sigver $request > $response
diff --git a/security/nss/cmd/fipstest/sha.sh b/security/nss/cmd/fipstest/sha.sh
deleted file mode 100644
index 685a41b00..000000000
--- a/security/nss/cmd/fipstest/sha.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-                               
-sha_ShortMsg_requests="
-SHA1ShortMsg.req
-SHA256ShortMsg.req
-SHA384ShortMsg.req
-SHA512ShortMsg.req
-"
-
-sha_LongMsg_requests="
-SHA1LongMsg.req
-SHA256LongMsg.req
-SHA384LongMsg.req
-SHA512LongMsg.req
-"
-
-sha_Monte_requests="
-SHA1Monte.req
-SHA256Monte.req
-SHA384Monte.req
-SHA512Monte.req
-"
-for request in $sha_ShortMsg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha $request > $response
-done
-for request in $sha_LongMsg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha $request > $response
-done
-for request in $sha_Monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha $request > $response
-done
-
diff --git a/security/nss/cmd/fipstest/tdea.sh b/security/nss/cmd/fipstest/tdea.sh
deleted file mode 100644
index 505478039..000000000
--- a/security/nss/cmd/fipstest/tdea.sh
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/sh
-#
-# A Bourne shell script for running the NIST tdea Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-#CBC_Known_Answer_tests
-#Initial Permutation KAT  
-#Permutation Operation KAT 
-#Subsitution Table KAT    
-#Variable Key KAT         
-#Variable PlainText KAT   
-cbc_kat_requests="
-TCBCinvperm.req   
-TCBCpermop.req    
-TCBCsubtab.req    
-TCBCvarkey.req    
-TCBCvartext.req   
-"
-
-#CBC Monte Carlo KATs
-cbc_monte_requests="
-TCBCMonte1.req
-TCBCMonte2.req
-TCBCMonte3.req
-"
-#Multi-block Message KATs
-cbc_mmt_requests="
-TCBCMMT1.req
-TCBCMMT2.req
-TCBCMMT3.req
-"
-
-ecb_kat_requests="
-TECBinvperm.req   
-TECBpermop.req    
-TECBsubtab.req    
-TECBvarkey.req    
-TECBvartext.req   
-"
-
-ecb_monte_requests="
-TECBMonte1.req
-TECBMonte2.req
-TECBMonte3.req
-"
-
-ecb_mmt_requests="
-TECBMMT1.req
-TECBMMT2.req
-TECBMMT3.req
-"
-
-for request in $ecb_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mmt ecb $request > $response
-done
-for request in $ecb_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea kat ecb $request > $response
-done
-for request in $ecb_monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mct ecb $request > $response
-done
-for request in $cbc_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mmt cbc $request > $response
-done
-for request in $cbc_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea kat cbc $request > $response
-done
-for request in $cbc_monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mct cbc $request > $response
-done
diff --git a/security/nss/cmd/lib/Makefile b/security/nss/cmd/lib/Makefile
deleted file mode 100644
index 54ef29fdf..000000000
--- a/security/nss/cmd/lib/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
-$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h 
-
diff --git a/security/nss/cmd/lib/NSPRerrs.h b/security/nss/cmd/lib/NSPRerrs.h
deleted file mode 100644
index b11169847..000000000
--- a/security/nss/cmd/lib/NSPRerrs.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-#ifdef PR_NETWORK_DOWN_ERROR
-ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
-#endif
-
-#ifdef PR_SOCKET_SHUTDOWN_ERROR
-ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
-#endif
-
-#ifdef PR_CONNECT_ABORTED_ERROR
-ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
-#endif
-
-#ifdef PR_HOST_UNREACHABLE_ERROR
-ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
deleted file mode 100644
index d00eefd10..000000000
--- a/security/nss/cmd/lib/SECerrs.h
+++ /dev/null
@@ -1,564 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* General security error codes  */
-/* Caller must #include "secerr.h" */
-
-ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
-"An I/O error occurred during security authorization.")
-
-ER3(SEC_ERROR_LIBRARY_FAILURE,			SEC_ERROR_BASE + 1,
-"security library failure.")
-
-ER3(SEC_ERROR_BAD_DATA,				SEC_ERROR_BASE + 2,
-"security library: received bad data.")
-
-ER3(SEC_ERROR_OUTPUT_LEN,			SEC_ERROR_BASE + 3,
-"security library: output length error.")
-
-ER3(SEC_ERROR_INPUT_LEN,			SEC_ERROR_BASE + 4,
-"security library has experienced an input length error.")
-
-ER3(SEC_ERROR_INVALID_ARGS,			SEC_ERROR_BASE + 5,
-"security library: invalid arguments.")
-
-ER3(SEC_ERROR_INVALID_ALGORITHM,		SEC_ERROR_BASE + 6,
-"security library: invalid algorithm.")
-
-ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
-"security library: invalid AVA.")
-
-ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
-"Improperly formatted time string.")
-
-ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
-"security library: improperly formatted DER-encoded message.")
-
-ER3(SEC_ERROR_BAD_SIGNATURE,			SEC_ERROR_BASE + 10,
-"Peer's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_EXPIRED_CERTIFICATE,		SEC_ERROR_BASE + 11,
-"Peer's Certificate has expired.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE,		SEC_ERROR_BASE + 12,
-"Peer's Certificate has been revoked.")
-
-ER3(SEC_ERROR_UNKNOWN_ISSUER,			SEC_ERROR_BASE + 13,
-"Peer's Certificate issuer is not recognized.")
-
-ER3(SEC_ERROR_BAD_KEY,				SEC_ERROR_BASE + 14,
-"Peer's public key is invalid.")
-
-ER3(SEC_ERROR_BAD_PASSWORD,			SEC_ERROR_BASE + 15,
-"The security password entered is incorrect.")
-
-ER3(SEC_ERROR_RETRY_PASSWORD,			SEC_ERROR_BASE + 16,
-"New password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_NO_NODELOCK,			SEC_ERROR_BASE + 17,
-"security library: no nodelock.")
-
-ER3(SEC_ERROR_BAD_DATABASE,			SEC_ERROR_BASE + 18,
-"security library: bad database.")
-
-ER3(SEC_ERROR_NO_MEMORY,			SEC_ERROR_BASE + 19,
-"security library: memory allocation failure.")
-
-ER3(SEC_ERROR_UNTRUSTED_ISSUER,			SEC_ERROR_BASE + 20,
-"Peer's certificate issuer has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_UNTRUSTED_CERT,			SEC_ERROR_BASE + 21,
-"Peer's certificate has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT,			(SEC_ERROR_BASE + 22),
-"Certificate already exists in your database.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT_NAME,		(SEC_ERROR_BASE + 23),
-"Downloaded certificate's name duplicates one already in your database.")
-
-ER3(SEC_ERROR_ADDING_CERT,			(SEC_ERROR_BASE + 24),
-"Error adding certificate to database.")
-
-ER3(SEC_ERROR_FILING_KEY,			(SEC_ERROR_BASE + 25),
-"Error refiling the key for this certificate.")
-
-ER3(SEC_ERROR_NO_KEY,				(SEC_ERROR_BASE + 26),
-"The private key for this certificate cannot be found in key database")
-
-ER3(SEC_ERROR_CERT_VALID,			(SEC_ERROR_BASE + 27),
-"This certificate is valid.")
-
-ER3(SEC_ERROR_CERT_NOT_VALID,			(SEC_ERROR_BASE + 28),
-"This certificate is not valid.")
-
-ER3(SEC_ERROR_CERT_NO_RESPONSE,			(SEC_ERROR_BASE + 29),
-"Cert Library: No Response")
-
-ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE,	(SEC_ERROR_BASE + 30),
-"The certificate issuer's certificate has expired.  Check your system date and time.")
-
-ER3(SEC_ERROR_CRL_EXPIRED,			(SEC_ERROR_BASE + 31),
-"The CRL for the certificate's issuer has expired.  Update it or check your system date and time.")
-
-ER3(SEC_ERROR_CRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 32),
-"The CRL for the certificate's issuer has an invalid signature.")
-
-ER3(SEC_ERROR_CRL_INVALID,			(SEC_ERROR_BASE + 33),
-"New CRL has an invalid format.")
-
-ER3(SEC_ERROR_EXTENSION_VALUE_INVALID,		(SEC_ERROR_BASE + 34),
-"Certificate extension value is invalid.")
-
-ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
-"Certificate extension not found.")
-
-ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
-"Issuer certificate is invalid.")
-   
-ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
-"Certificate path length constraint is invalid.")
-
-ER3(SEC_ERROR_CERT_USAGES_INVALID,		(SEC_ERROR_BASE + 38),
-"Certificate usages field is invalid.")
-
-ER3(SEC_INTERNAL_ONLY,				(SEC_ERROR_BASE + 39),
-"**Internal ONLY module**")
-
-ER3(SEC_ERROR_INVALID_KEY,			(SEC_ERROR_BASE + 40),
-"The key does not support the requested operation.")
-
-ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,	(SEC_ERROR_BASE + 41),
-"Certificate contains unknown critical extension.")
-
-ER3(SEC_ERROR_OLD_CRL,				(SEC_ERROR_BASE + 42),
-"New CRL is not later than the current one.")
-
-ER3(SEC_ERROR_NO_EMAIL_CERT,			(SEC_ERROR_BASE + 43),
-"Not encrypted or signed: you do not yet have an email certificate.")
-
-ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY,		(SEC_ERROR_BASE + 44),
-"Not encrypted: you do not have certificates for each of the recipients.")
-
-ER3(SEC_ERROR_NOT_A_RECIPIENT,			(SEC_ERROR_BASE + 45),
-"Cannot decrypt: you are not a recipient, or matching certificate and \
-private key not found.")
-
-ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH,		(SEC_ERROR_BASE + 46),
-"Cannot decrypt: key encryption algorithm does not match your certificate.")
-
-ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE,		(SEC_ERROR_BASE + 47),
-"Signature verification failed: no signer found, too many signers found, \
-or improper or corrupted data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_KEYALG,		(SEC_ERROR_BASE + 48),
-"Unsupported or unknown key algorithm.")
-
-ER3(SEC_ERROR_DECRYPTION_DISALLOWED,		(SEC_ERROR_BASE + 49),
-"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
-
-
-/* Fortezza Alerts */
-ER3(XP_SEC_FORTEZZA_BAD_CARD,			(SEC_ERROR_BASE + 50),
-"Fortezza card has not been properly initialized.  \
-Please remove it and return it to your issuer.")
-
-ER3(XP_SEC_FORTEZZA_NO_CARD,			(SEC_ERROR_BASE + 51),
-"No Fortezza cards Found")
-
-ER3(XP_SEC_FORTEZZA_NONE_SELECTED,		(SEC_ERROR_BASE + 52),
-"No Fortezza card selected")
-
-ER3(XP_SEC_FORTEZZA_MORE_INFO,			(SEC_ERROR_BASE + 53),
-"Please select a personality to get more info on")
-
-ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND,		(SEC_ERROR_BASE + 54),
-"Personality not found")
-
-ER3(XP_SEC_FORTEZZA_NO_MORE_INFO,		(SEC_ERROR_BASE + 55),
-"No more information on that Personality")
-
-ER3(XP_SEC_FORTEZZA_BAD_PIN,			(SEC_ERROR_BASE + 56),
-"Invalid Pin")
-
-ER3(XP_SEC_FORTEZZA_PERSON_ERROR,		(SEC_ERROR_BASE + 57),
-"Couldn't initialize Fortezza personalities.")
-/* end fortezza alerts. */
-
-ER3(SEC_ERROR_NO_KRL,				(SEC_ERROR_BASE + 58),
-"No KRL for this site's certificate has been found.")
-
-ER3(SEC_ERROR_KRL_EXPIRED,			(SEC_ERROR_BASE + 59),
-"The KRL for this site's certificate has expired.")
-
-ER3(SEC_ERROR_KRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 60),
-"The KRL for this site's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_REVOKED_KEY,			(SEC_ERROR_BASE + 61),
-"The key for this site's certificate has been revoked.")
-
-ER3(SEC_ERROR_KRL_INVALID,			(SEC_ERROR_BASE + 62),
-"New KRL has an invalid format.")
-
-ER3(SEC_ERROR_NEED_RANDOM,			(SEC_ERROR_BASE + 63),
-"security library: need random data.")
-
-ER3(SEC_ERROR_NO_MODULE,			(SEC_ERROR_BASE + 64),
-"security library: no security module can perform the requested operation.")
-
-ER3(SEC_ERROR_NO_TOKEN,				(SEC_ERROR_BASE + 65),
-"The security card or token does not exist, needs to be initialized, or has been removed.")
-
-ER3(SEC_ERROR_READ_ONLY,			(SEC_ERROR_BASE + 66),
-"security library: read-only database.")
-
-ER3(SEC_ERROR_NO_SLOT_SELECTED,			(SEC_ERROR_BASE + 67),
-"No slot or token was selected.")
-
-ER3(SEC_ERROR_CERT_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 68),
-"A certificate with the same nickname already exists.")
-
-ER3(SEC_ERROR_KEY_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 69),
-"A key with the same nickname already exists.")
-
-ER3(SEC_ERROR_SAFE_NOT_CREATED,			(SEC_ERROR_BASE + 70),
-"error while creating safe object")
-
-ER3(SEC_ERROR_BAGGAGE_NOT_CREATED,		(SEC_ERROR_BASE + 71),
-"error while creating baggage object")
-
-ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR,		(SEC_ERROR_BASE + 72),
-"Couldn't remove the principal")
-
-ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR,		(SEC_ERROR_BASE + 73),
-"Couldn't delete the privilege")
-
-ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR,		(SEC_ERROR_BASE + 74),
-"This principal doesn't have a certificate")
-
-ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM,		(SEC_ERROR_BASE + 75),
-"Required algorithm is not allowed.")
-
-ER3(SEC_ERROR_EXPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 76),
-"Error attempting to export certificates.")
-
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
-
-ER3(SEC_ERROR_PKCS12_DECODING_PFX,		(SEC_ERROR_BASE + 78),
-"Unable to import.  Decoding error.  File not valid.")
-
-ER3(SEC_ERROR_PKCS12_INVALID_MAC,		(SEC_ERROR_BASE + 79),
-"Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM,	(SEC_ERROR_BASE + 80),
-"Unable to import.  MAC algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import.  Only password integrity and privacy modes supported.")
-
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE,	(SEC_ERROR_BASE + 82),
-"Unable to import.  File structure is corrupt.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import.  Encryption algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION,	(SEC_ERROR_BASE + 84),
-"Unable to import.  File version not supported.")
-
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import.  Incorrect privacy password.")
-
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION,		(SEC_ERROR_BASE + 86),
-"Unable to import.  Same nickname already exists in database.")
-
-ER3(SEC_ERROR_USER_CANCELLED,			(SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
-
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA,		(SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
-
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED,		(SEC_ERROR_BASE + 89),
-"Message not sent.")
-
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE,		(SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
-
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE,		(SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
-
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH,		(SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY,	(SEC_ERROR_BASE + 93),
-"Unable to import.  Error attempting to import private key.")
-
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN,	(SEC_ERROR_BASE + 94),
-"Unable to import.  Error attempting to import certificate chain.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export.  Unable to locate certificate or key by nickname.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY,	(SEC_ERROR_BASE + 96),
-"Unable to export.  Private Key could not be located and exported.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, 		(SEC_ERROR_BASE + 97),
-"Unable to export.  Unable to write the export file.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ,		(SEC_ERROR_BASE + 98),
-"Unable to import.  Unable to read the import file.")
-
-ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export.  Key database corrupt or deleted.")
-
-ER3(SEC_ERROR_KEYGEN_FAIL,			(SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
-
-ER3(SEC_ERROR_INVALID_PASSWORD,			(SEC_ERROR_BASE + 101),
-"Password entered is invalid.  Please pick a different one.")
-
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD,		(SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.  Please try again.")
-
-ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
-
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
-
-ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, 	(SEC_ERROR_BASE + 105),
-"A sensitive key cannot be moved to the slot where it is needed.")
-
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
-"Invalid module name.")
-
-ER3(SEC_ERROR_JS_INVALID_DLL, 			(SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
-
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, 		(SEC_ERROR_BASE + 108),
-"Unable to add module")
-
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
-"Unable to delete module")
-
-ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
- 
-ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL.  Delete current CKL.")
-
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
-certificate with this name.")
-
-ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
-
-ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
-
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
-
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
-
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
-
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
-
-ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
-this certificate.")
-
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
-
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
-
-ER3(SEC_ERROR_DIGEST_NOT_FOUND,			(SEC_ERROR_BASE + 133),
-"The CMS or PKCS #7 Digest was not found in signed message.")
-
-ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE,		(SEC_ERROR_BASE + 134),
-"The CMS or PKCS #7 Message type is unsupported.")
-
-ER3(SEC_ERROR_MODULE_STUCK,			(SEC_ERROR_BASE + 135),
-"PKCS #11 module could not be removed because it is still in use.")
-
-ER3(SEC_ERROR_BAD_TEMPLATE,			(SEC_ERROR_BASE + 136),
-"Could not decode ASN.1 data. Specified template was invalid.")
-
-ER3(SEC_ERROR_CRL_NOT_FOUND,			(SEC_ERROR_BASE + 137),
-"No matching CRL was found.")
-
-ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL,        (SEC_ERROR_BASE + 138),
-"You are attempting to import a cert with the same issuer/serial as \
-an existing cert, but that is not the same cert.")
-
-ER3(SEC_ERROR_BUSY,				(SEC_ERROR_BASE + 139),
-"NSS could not shutdown. Objects are still in use.")
-
-ER3(SEC_ERROR_EXTRA_INPUT,			(SEC_ERROR_BASE + 140),
-"DER-encoded message contained extra unused data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE,	(SEC_ERROR_BASE + 141),
-"Unsupported elliptic curve.")
-
-ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM,	(SEC_ERROR_BASE + 142),
-"Unsupported elliptic curve point form.")
-
-ER3(SEC_ERROR_UNRECOGNIZED_OID,			(SEC_ERROR_BASE + 143),
-"Unrecognized Object Identifier.")
-
-ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,	(SEC_ERROR_BASE + 144),
-"Invalid OCSP signing certificate in OCSP response.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL,          (SEC_ERROR_BASE + 145),
-"Certificate is revoked in issuer's certificate revocation list.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP,         (SEC_ERROR_BASE + 146),
-"Issuer's OCSP responder reports certificate is revoked.")
-
-ER3(SEC_ERROR_CRL_INVALID_VERSION,              (SEC_ERROR_BASE + 147),
-"Issuer's Certificate Revocation List has an unknown version number.")
-
-ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION,        (SEC_ERROR_BASE + 148),
-"Issuer's V1 Certificate Revocation List has a critical extension.")
-
-ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION,   (SEC_ERROR_BASE + 149),
-"Issuer's V2 Certificate Revocation List has an unknown critical extension.")
-
-ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE,	        (SEC_ERROR_BASE + 150),
-"Unknown object type specified.")
-
-ER3(SEC_ERROR_INCOMPATIBLE_PKCS11,	        (SEC_ERROR_BASE + 151),
-"PKCS #11 driver violates the spec in an incompatible way.")
-
-ER3(SEC_ERROR_NO_EVENT,	        		(SEC_ERROR_BASE + 152),
-"No new slot event is available at this time.")
-
-ER3(SEC_ERROR_CRL_ALREADY_EXISTS,      		(SEC_ERROR_BASE + 153),
-"CRL already exists.")
-
-ER3(SEC_ERROR_NOT_INITIALIZED,      		(SEC_ERROR_BASE + 154),
-"NSS is not initialized.")
-
-ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN,  		(SEC_ERROR_BASE + 155),
-"The operation failed because the PKCS#11 token is not logged in.")
-
-ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID,  	(SEC_ERROR_BASE + 156),
-"Configured OCSP responder's certificate is invalid.")
-
-ER3(SEC_ERROR_OCSP_BAD_SIGNATURE,      		(SEC_ERROR_BASE + 157),
-"OCSP response has an invalid signature.")
-
-ER3(SEC_ERROR_OUT_OF_SEARCH_LIMITS,      		(SEC_ERROR_BASE + 158),
-"Cert validation search is out of search limits")
-
-ER3(SEC_ERROR_INVALID_POLICY_MAPPING,      		(SEC_ERROR_BASE + 159),
-"Policy mapping contains anypolicy")
-
-ER3(SEC_ERROR_POLICY_VALIDATION_FAILED,    		(SEC_ERROR_BASE + 160),
-"Cert chain fails policy validation")
-
-ER3(SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE,    		(SEC_ERROR_BASE + 161),
-"Unknown location type in cert AIA extension")
-
-ER3(SEC_ERROR_BAD_HTTP_RESPONSE,    		(SEC_ERROR_BASE + 162),
-"Server returned bad HTTP response")
-
-ER3(SEC_ERROR_BAD_LDAP_RESPONSE,    		(SEC_ERROR_BASE + 163),
-"Server returned bad LDAP response")
-
-ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA,    		(SEC_ERROR_BASE + 164),
-"Failed to encode data with ASN1 encoder")
-
-ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION,    		(SEC_ERROR_BASE + 165),
-"Bad information access location in cert extension")
-
-ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(SEC_ERROR_BASE + 166),
-"Libpkix internal error occured during cert validation.")
-
-ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
-"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
-
-ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED,      		(SEC_ERROR_BASE + 168),
-"A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
-
-ER3(SEC_ERROR_PKCS11_DEVICE_ERROR,      		(SEC_ERROR_BASE + 169),
-"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
-
-ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD,      		(SEC_ERROR_BASE + 170),
-"Unknown information access method in certificate extension.")
-
-ER3(SEC_ERROR_CRL_IMPORT_FAILED,        		(SEC_ERROR_BASE + 171),
-"Error attempting to import a CRL.")
-
diff --git a/security/nss/cmd/lib/SSLerrs.h b/security/nss/cmd/lib/SSLerrs.h
deleted file mode 100644
index 023524929..000000000
--- a/security/nss/cmd/lib/SSLerrs.h
+++ /dev/null
@@ -1,392 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* SSL-specific security error codes  */
-/* caller must include "sslerr.h" */
-
-ER3(SSL_ERROR_EXPORT_ONLY_SERVER,			SSL_ERROR_BASE + 0,
-"Unable to communicate securely.  Peer does not support high-grade encryption.")
-
-ER3(SSL_ERROR_US_ONLY_SERVER,				SSL_ERROR_BASE + 1,
-"Unable to communicate securely.  Peer requires high-grade encryption which is not supported.")
-
-ER3(SSL_ERROR_NO_CYPHER_OVERLAP,			SSL_ERROR_BASE + 2,
-"Cannot communicate securely with peer: no common encryption algorithm(s).")
-
-ER3(SSL_ERROR_NO_CERTIFICATE,				SSL_ERROR_BASE + 3,
-"Unable to find the certificate or key necessary for authentication.")
-
-ER3(SSL_ERROR_BAD_CERTIFICATE,				SSL_ERROR_BASE + 4,
-"Unable to communicate securely with peer: peers's certificate was rejected.")
-
-/* unused						(SSL_ERROR_BASE + 5),*/
-
-ER3(SSL_ERROR_BAD_CLIENT,				SSL_ERROR_BASE + 6,
-"The server has encountered bad data from the client.")
-
-ER3(SSL_ERROR_BAD_SERVER,				SSL_ERROR_BASE + 7,
-"The client has encountered bad data from the server.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,		SSL_ERROR_BASE + 8,
-"Unsupported certificate type.")
-
-ER3(SSL_ERROR_UNSUPPORTED_VERSION,			SSL_ERROR_BASE + 9,
-"Peer using unsupported version of security protocol.")
-
-/* unused						(SSL_ERROR_BASE + 10),*/
-
-ER3(SSL_ERROR_WRONG_CERTIFICATE,			SSL_ERROR_BASE + 11,
-"Client authentication failed: private key in key database does not match public key in certificate database.")
-
-ER3(SSL_ERROR_BAD_CERT_DOMAIN,				SSL_ERROR_BASE + 12,
-"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
-
-/* SSL_ERROR_POST_WARNING				(SSL_ERROR_BASE + 13),
-   defined in sslerr.h
-*/
-
-ER3(SSL_ERROR_SSL2_DISABLED,				(SSL_ERROR_BASE + 14),
-"Peer only supports SSL version 2, which is locally disabled.")
-
-
-ER3(SSL_ERROR_BAD_MAC_READ,				(SSL_ERROR_BASE + 15),
-"SSL received a record with an incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_MAC_ALERT,				(SSL_ERROR_BASE + 16),
-"SSL peer reports incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_CERT_ALERT,				(SSL_ERROR_BASE + 17),
-"SSL peer cannot verify your certificate.")
-
-ER3(SSL_ERROR_REVOKED_CERT_ALERT,			(SSL_ERROR_BASE + 18),
-"SSL peer rejected your certificate as revoked.")
-
-ER3(SSL_ERROR_EXPIRED_CERT_ALERT,			(SSL_ERROR_BASE + 19),
-"SSL peer rejected your certificate as expired.")
-
-ER3(SSL_ERROR_SSL_DISABLED,				(SSL_ERROR_BASE + 20),
-"Cannot connect: SSL is disabled.")
-
-ER3(SSL_ERROR_FORTEZZA_PQG,				(SSL_ERROR_BASE + 21),
-"Cannot connect: SSL peer is in another FORTEZZA domain.")
-
-
-ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE          , (SSL_ERROR_BASE + 22),
-"An unknown SSL cipher suite has been requested.")
-
-ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED          , (SSL_ERROR_BASE + 23),
-"No cipher suites are present and enabled in this program.")
-
-ER3(SSL_ERROR_BAD_BLOCK_PADDING             , (SSL_ERROR_BASE + 24),
-"SSL received a record with bad block padding.")
-
-ER3(SSL_ERROR_RX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 25),
-"SSL received a record that exceeded the maximum permissible length.")
-
-ER3(SSL_ERROR_TX_RECORD_TOO_LONG            , (SSL_ERROR_BASE + 26),
-"SSL attempted to send a record that exceeded the maximum permissible length.")
-
-/*
- * Received a malformed (too long or short or invalid content) SSL handshake.
- */
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST    , (SSL_ERROR_BASE + 27),
-"SSL received a malformed Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO     , (SSL_ERROR_BASE + 28),
-"SSL received a malformed Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO     , (SSL_ERROR_BASE + 29),
-"SSL received a malformed Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE      , (SSL_ERROR_BASE + 30),
-"SSL received a malformed Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH  , (SSL_ERROR_BASE + 31),
-"SSL received a malformed Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST     , (SSL_ERROR_BASE + 32),
-"SSL received a malformed Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE       , (SSL_ERROR_BASE + 33),
-"SSL received a malformed Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY      , (SSL_ERROR_BASE + 34),
-"SSL received a malformed Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH  , (SSL_ERROR_BASE + 35),
-"SSL received a malformed Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_FINISHED         , (SSL_ERROR_BASE + 36),
-"SSL received a malformed Finished handshake message.")
-
-/*
- * Received a malformed (too long or short) SSL record.
- */
-ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER    , (SSL_ERROR_BASE + 37),
-"SSL received a malformed Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_ALERT            , (SSL_ERROR_BASE + 38),
-"SSL received a malformed Alert record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE        , (SSL_ERROR_BASE + 39),
-"SSL received a malformed Handshake record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
-"SSL received a malformed Application Data record.")
-
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST   , (SSL_ERROR_BASE + 41),
-"SSL received an unexpected Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO    , (SSL_ERROR_BASE + 42),
-"SSL received an unexpected Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO    , (SSL_ERROR_BASE + 43),
-"SSL received an unexpected Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE     , (SSL_ERROR_BASE + 44),
-"SSL received an unexpected Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
-"SSL received an unexpected Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST    , (SSL_ERROR_BASE + 46),
-"SSL received an unexpected Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE      , (SSL_ERROR_BASE + 47),
-"SSL received an unexpected Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY     , (SSL_ERROR_BASE + 48),
-"SSL received an unexpected Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
-"SSL received an unexpected Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED        , (SSL_ERROR_BASE + 50),
-"SSL received an unexpected Finished handshake message.")
-
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER   , (SSL_ERROR_BASE + 51),
-"SSL received an unexpected Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_ALERT           , (SSL_ERROR_BASE + 52),
-"SSL received an unexpected Alert record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE       , (SSL_ERROR_BASE + 53),
-"SSL received an unexpected Handshake record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
-"SSL received an unexpected Application Data record.")
-
-/*
- * Received record/message with unknown discriminant.
- */
-ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE        , (SSL_ERROR_BASE + 55),
-"SSL received a record with an unknown content type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE          , (SSL_ERROR_BASE + 56),
-"SSL received a handshake message with an unknown message type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_ALERT              , (SSL_ERROR_BASE + 57),
-"SSL received an alert record with an unknown alert description.")
-
-/*
- * Received an alert reporting what we did wrong.  (more alerts above)
- */
-ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT            , (SSL_ERROR_BASE + 58),
-"SSL peer has closed this connection.")
-
-ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT    , (SSL_ERROR_BASE + 59),
-"SSL peer was not expecting a handshake message it received.")
-
-ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT   , (SSL_ERROR_BASE + 60),
-"SSL peer was unable to successfully decompress an SSL record it received.")
-
-ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT       , (SSL_ERROR_BASE + 61),
-"SSL peer was unable to negotiate an acceptable set of security parameters.")
-
-ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT       , (SSL_ERROR_BASE + 62),
-"SSL peer rejected a handshake message for unacceptable content.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT        , (SSL_ERROR_BASE + 63),
-"SSL peer does not support certificates of the type it received.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT     , (SSL_ERROR_BASE + 64),
-"SSL peer had some unspecified issue with the certificate it received.")
-
-
-ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE       , (SSL_ERROR_BASE + 65),
-"SSL experienced a failure of its random number generator.")
-
-ER3(SSL_ERROR_SIGN_HASHES_FAILURE           , (SSL_ERROR_BASE + 66),
-"Unable to digitally sign data required to verify your certificate.")
-
-ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE    , (SSL_ERROR_BASE + 67),
-"SSL was unable to extract the public key from the peer's certificate.")
-
-ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 68),
-"Unspecified failure while processing SSL Server Key Exchange handshake.")
-
-ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE   , (SSL_ERROR_BASE + 69),
-"Unspecified failure while processing SSL Client Key Exchange handshake.")
-
-ER3(SSL_ERROR_ENCRYPTION_FAILURE            , (SSL_ERROR_BASE + 70),
-"Bulk data encryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILURE            , (SSL_ERROR_BASE + 71),
-"Bulk data decryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_SOCKET_WRITE_FAILURE          , (SSL_ERROR_BASE + 72),
-"Attempt to write encrypted data to underlying socket failed.")
-
-ER3(SSL_ERROR_MD5_DIGEST_FAILURE            , (SSL_ERROR_BASE + 73),
-"MD5 digest function failed.")
-
-ER3(SSL_ERROR_SHA_DIGEST_FAILURE            , (SSL_ERROR_BASE + 74),
-"SHA-1 digest function failed.")
-
-ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE       , (SSL_ERROR_BASE + 75),
-"MAC computation failed.")
-
-ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE       , (SSL_ERROR_BASE + 76),
-"Failure to create Symmetric Key context.")
-
-ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE        , (SSL_ERROR_BASE + 77),
-"Failure to unwrap the Symmetric key in Client Key Exchange message.")
-
-ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED   , (SSL_ERROR_BASE + 78),
-"SSL Server attempted to use domestic-grade public key with export cipher suite.")
-
-ER3(SSL_ERROR_IV_PARAM_FAILURE              , (SSL_ERROR_BASE + 79),
-"PKCS11 code failed to translate an IV into a param.")
-
-ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE     , (SSL_ERROR_BASE + 80),
-"Failed to initialize the selected cipher suite.")
-
-ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE       , (SSL_ERROR_BASE + 81),
-"Client failed to generate session keys for SSL session.")
-
-ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG         , (SSL_ERROR_BASE + 82),
-"Server has no key for the attempted key exchange algorithm.")
-
-ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL       , (SSL_ERROR_BASE + 83),
-"PKCS#11 token was inserted or removed while operation was in progress.")
-
-ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND          , (SSL_ERROR_BASE + 84),
-"No PKCS#11 token could be found to do a required operation.")
-
-ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP        , (SSL_ERROR_BASE + 85),
-"Cannot communicate securely with peer: no common compression algorithm(s).")
-
-ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED       , (SSL_ERROR_BASE + 86),
-"Cannot initiate another SSL handshake until current handshake is complete.")
-
-ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      , (SSL_ERROR_BASE + 87),
-"Received incorrect handshakes hash values from peer.")
-
-ER3(SSL_ERROR_CERT_KEA_MISMATCH             , (SSL_ERROR_BASE + 88),
-"The certificate provided cannot be used with the selected key exchange algorithm.")
-
-ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	, (SSL_ERROR_BASE + 89),
-"No certificate authority is trusted for SSL client authentication.")
-
-ER3(SSL_ERROR_SESSION_NOT_FOUND		, (SSL_ERROR_BASE + 90),
-"Client's SSL session ID not found in server's session cache.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT     , (SSL_ERROR_BASE + 91),
-"Peer was unable to decrypt an SSL record it received.")
-
-ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT       , (SSL_ERROR_BASE + 92),
-"Peer received an SSL record that was longer than is permitted.")
-
-ER3(SSL_ERROR_UNKNOWN_CA_ALERT            , (SSL_ERROR_BASE + 93),
-"Peer does not recognize and trust the CA that issued your certificate.")
-
-ER3(SSL_ERROR_ACCESS_DENIED_ALERT         , (SSL_ERROR_BASE + 94),
-"Peer received a valid certificate, but access was denied.")
-
-ER3(SSL_ERROR_DECODE_ERROR_ALERT          , (SSL_ERROR_BASE + 95),
-"Peer could not decode an SSL handshake message.")
-
-ER3(SSL_ERROR_DECRYPT_ERROR_ALERT         , (SSL_ERROR_BASE + 96),
-"Peer reports failure of signature verification or key exchange.")
-
-ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT    , (SSL_ERROR_BASE + 97),
-"Peer reports negotiation not in compliance with export regulations.")
-
-ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT      , (SSL_ERROR_BASE + 98),
-"Peer reports incompatible or unsupported protocol version.")
-
-ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
-"Server requires ciphers more secure than those supported by client.")
-
-ER3(SSL_ERROR_INTERNAL_ERROR_ALERT        , (SSL_ERROR_BASE + 100),
-"Peer reports it experienced an internal error.")
-
-ER3(SSL_ERROR_USER_CANCELED_ALERT         , (SSL_ERROR_BASE + 101),
-"Peer user canceled handshake.")
-
-ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT      , (SSL_ERROR_BASE + 102),
-"Peer does not permit renegotiation of SSL security parameters.")
-
-ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
-"SSL server cache not configured and not disabled for this socket.")
-
-ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT    , (SSL_ERROR_BASE + 104),
-"SSL peer does not support requested TLS hello extension.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
-"SSL peer could not obtain your certificate from the supplied URL.")
-
-ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT        , (SSL_ERROR_BASE + 106),
-"SSL peer has no certificate for the requested DNS name.")
-
-ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
-"SSL peer was unable to get an OCSP response for its certificate.")
-
-ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT      , (SSL_ERROR_BASE + 108),
-"SSL peer reported bad certificate hash value.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
-"SSL received an unexpected New Session Ticket handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
-"SSL received a malformed New Session Ticket handshake message.")
diff --git a/security/nss/cmd/lib/berparse.c b/security/nss/cmd/lib/berparse.c
deleted file mode 100644
index 930d0b7c1..000000000
--- a/security/nss/cmd/lib/berparse.c
+++ /dev/null
@@ -1,407 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "secutil.h"
-
-typedef enum {
-    tagDone, lengthDone, leafDone, compositeDone,
-    notDone,
-    parseError, parseComplete
-} ParseState;
-
-typedef unsigned char Byte;
-typedef void (*ParseProc)(BERParse *h, unsigned char **buf, int *len);
-typedef struct {
-    SECArb arb;
-    int pos;			/* length from global start to item start */
-    SECArb *parent;
-} ParseStackElem;
-
-struct BERParseStr {
-    PRArenaPool *his;
-    PRArenaPool *mine;
-    ParseProc proc;
-    int stackDepth;
-    ParseStackElem *stackPtr;
-    ParseStackElem *stack;
-    int pending;		/* bytes remaining to complete this part */
-    int pos;			/* running length of consumed characters */
-    ParseState state;
-    PRBool keepLeaves;
-    PRBool derOnly;
-    BERFilterProc filter;
-    void *filterArg;
-    BERNotifyProc before;
-    void *beforeArg;
-    BERNotifyProc after;
-    void *afterArg;
-};
-
-#define UNKNOWN -1
-
-static unsigned char NextChar(BERParse *h, unsigned char **buf, int *len)
-{
-    unsigned char c = *(*buf)++;
-    (*len)--;
-    h->pos++;
-    if (h->filter)
-	(*h->filter)(h->filterArg, &c, 1);
-    return c;
-}
-
-static void ParseTag(BERParse *h, unsigned char **buf, int *len)
-{
-    SECArb* arb = &(h->stackPtr->arb);
-    arb->tag = NextChar(h, buf, len);
-
-    PORT_Assert(h->state == notDone);
-
-  /*
-   * NOTE: This does not handle the high-tag-number form
-   */
-    if ((arb->tag & DER_HIGH_TAG_NUMBER) == DER_HIGH_TAG_NUMBER) {
-        PORT_SetError(SEC_ERROR_BAD_DER);
-	h->state = parseError;
-	return;
-    }
-
-    h->pending = UNKNOWN;
-    arb->length = UNKNOWN;
-    if (arb->tag & DER_CONSTRUCTED) {
-	arb->body.cons.numSubs = 0;
-	arb->body.cons.subs = NULL;
-    } else {
-	arb->body.item.len = UNKNOWN;
-	arb->body.item.data = NULL;
-    }
-
-    h->state = tagDone;
-}
-
-static void ParseLength(BERParse *h, unsigned char **buf, int *len)
-{
-    Byte b;
-    SECArb *arb = &(h->stackPtr->arb);
-
-    PORT_Assert(h->state == notDone);
-
-    if (h->pending == UNKNOWN) {
-	b = NextChar(h, buf, len);
-	if ((b & 0x80) == 0) {	/* short form */
-	    arb->length = b;
-	    /*
-	     * if the tag and the length are both zero bytes, then this
-	     * should be the marker showing end of list for the
-	     * indefinite length composite
-	     */
-	    if (arb->length == 0 && arb->tag == 0)
-		h->state = compositeDone;
-	    else
-		h->state = lengthDone;
-	    return;
-	}
-
-	h->pending = b & 0x7f;
-	/* 0 implies this is an indefinite length */
-	if (h->pending > 4) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    h->state = parseError;
-	    return;
-	}
-	arb->length = 0;
-    }
-
-    while ((*len > 0) && (h->pending > 0)) {
-	b = NextChar(h, buf, len);
-	arb->length = (arb->length << 8) + b;
-	h->pending--;
-    }
-    if (h->pending == 0) {
-	if (h->derOnly && (arb->length == 0))
-	    h->state = parseError;
-	else
-	    h->state = lengthDone;
-    }
-    return;
-}
-
-static void ParseLeaf(BERParse *h, unsigned char **buf, int *len)
-{
-    int count;
-    SECArb *arb = &(h->stackPtr->arb);
-
-    PORT_Assert(h->state == notDone);
-    PORT_Assert(h->pending >= 0);
-
-    if (*len < h->pending)
-	count = *len;
-    else
-	count = h->pending;
-
-    if (h->keepLeaves)
-	memcpy(arb->body.item.data + arb->body.item.len, *buf, count);
-    if (h->filter)
-	(*h->filter)(h->filterArg, *buf, count);
-    *buf += count;
-    *len -= count;
-    arb->body.item.len += count;
-    h->pending -= count;
-    h->pos += count;
-    if (h->pending == 0) {
-	h->state = leafDone;
-    }
-    return;
-}
-
-static void CreateArbNode(BERParse *h)
-{
-    SECArb *arb = PORT_ArenaAlloc(h->his, sizeof(SECArb));
-
-    *arb = h->stackPtr->arb;
-
-    /* 
-     * Special case closing the root
-     */	
-    if (h->stackPtr == h->stack) {
-	PORT_Assert(arb->tag & DER_CONSTRUCTED);
-	h->state = parseComplete;
-    } else {
-	SECArb *parent = h->stackPtr->parent;
-	parent->body.cons.subs = DS_ArenaGrow(
-	    h->his, parent->body.cons.subs,
-	    (parent->body.cons.numSubs) * sizeof(SECArb*),
-	    (parent->body.cons.numSubs + 1) * sizeof(SECArb*));
-	parent->body.cons.subs[parent->body.cons.numSubs] = arb;
-	parent->body.cons.numSubs++;
-	h->proc = ParseTag;
-	h->state = notDone;
-	h->pending = UNKNOWN;
-    }
-    if (h->after)
-	(*h->after)(h->afterArg, arb, h->stackPtr - h->stack, PR_FALSE);
-}
-
-SECStatus BER_ParseSome(BERParse *h, unsigned char *buf, int len)
-{
-    if (h->state == parseError) return PR_TRUE;
-
-    while (len) {
-        (*h->proc)(h, &buf, &len);
-	if (h->state == parseComplete) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    h->state = parseError;
-	    return PR_TRUE;
-	}
-	if (h->state == parseError) return PR_TRUE;
-	PORT_Assert(h->state != parseComplete);
-
-        if (h->state <= compositeDone) {
-	    if (h->proc == ParseTag) {
-		PORT_Assert(h->state == tagDone);
-		h->proc = ParseLength;
-		h->state = notDone;
-	    } else if (h->proc == ParseLength) {
-		SECArb *arb = &(h->stackPtr->arb);
-		PORT_Assert(h->state == lengthDone || h->state == compositeDone);
-
-		if (h->before)
-		    (*h->before)(h->beforeArg, arb,
-				 h->stackPtr - h->stack, PR_TRUE);
-
-		/*
-		 * Check to see if this is the end of an indefinite
-		 * length composite
-		 */
-		if (h->state == compositeDone) {
-		    SECArb *parent = h->stackPtr->parent;
-		    PORT_Assert(parent);
-		    PORT_Assert(parent->tag & DER_CONSTRUCTED);
-		    if (parent->length != 0) {
-			PORT_SetError(SEC_ERROR_BAD_DER);
-			h->state = parseError;
-			return PR_TRUE;
-		    }
-		    /*
-		     * NOTE: This does not check for an indefinite length
-		     * composite being contained inside a definite length
-		     * composite. It is not clear that is legal.
-		     */
-		    h->stackPtr--;
-		    CreateArbNode(h);
-		} else {
-		    h->stackPtr->pos = h->pos;
-
-
-		    if (arb->tag & DER_CONSTRUCTED) {
-			SECArb *parent;
-			/*
-			 * Make sure there is room on the stack before we
-			 * stick anything else there.
-			 */
-			PORT_Assert(h->stackPtr - h->stack < h->stackDepth);
-			if (h->stackPtr - h->stack == h->stackDepth - 1) {
-			    int newDepth = h->stackDepth * 2;
-			    h->stack = DS_ArenaGrow(h->mine, h->stack,
-				sizeof(ParseStackElem) * h->stackDepth,
-				sizeof(ParseStackElem) * newDepth);
-			    h->stackPtr = h->stack + h->stackDepth + 1;
-			    h->stackDepth = newDepth;
-			}
-			parent = &(h->stackPtr->arb);
-			h->stackPtr++;
-			h->stackPtr->parent = parent;
-			h->proc = ParseTag;
-			h->state = notDone;
-			h->pending = UNKNOWN;
-		    } else {
-			if (arb->length < 0) {
-			    PORT_SetError(SEC_ERROR_BAD_DER);
-			    h->state = parseError;
-			    return PR_TRUE;
-			}
-			arb->body.item.len = 0;
-			if (arb->length > 0 && h->keepLeaves) {
-			    arb->body.item.data =
-				PORT_ArenaAlloc(h->his, arb->length);
-			} else {
-			    arb->body.item.data = NULL;
-			}
-			h->proc = ParseLeaf;
-			h->state = notDone;
-			h->pending = arb->length;
-		    }
-		}
-	    } else {
-		ParseStackElem *parent;
-		PORT_Assert(h->state = leafDone);
-		PORT_Assert(h->proc == ParseLeaf);
-
-		for (;;) {
-		    CreateArbNode(h);
-		    if (h->stackPtr == h->stack)
-			break;
-		    parent = (h->stackPtr - 1);
-		    PORT_Assert(parent->arb.tag & DER_CONSTRUCTED);
-		    if (parent->arb.length == 0) /* need explicit end */
-			break;
-		    if (parent->pos + parent->arb.length > h->pos)
-			break;
-		    if (parent->pos + parent->arb.length < h->pos) {
-			PORT_SetError(SEC_ERROR_BAD_DER);
-			h->state = parseError;
-			return PR_TRUE;
-		    }
-		    h->stackPtr = parent;
-		}
-	    }
-
-	}
-    }
-    return PR_FALSE;
-}
-BERParse *BER_ParseInit(PRArenaPool *arena, PRBool derOnly)
-{
-    BERParse *h;
-    PRArenaPool *temp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (temp == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    h = PORT_ArenaAlloc(temp, sizeof(BERParse));
-    if (h == NULL) {
-	PORT_FreeArena(temp, PR_FALSE);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    h->his = arena;
-    h->mine = temp;
-    h->proc = ParseTag;
-    h->stackDepth = 20;
-    h->stack = PORT_ArenaZAlloc(h->mine,
-			      sizeof(ParseStackElem) * h->stackDepth);
-    h->stackPtr = h->stack;
-    h->state = notDone;
-    h->pos = 0;
-    h->keepLeaves = PR_TRUE;
-    h->before = NULL;
-    h->after = NULL;
-    h->filter = NULL;
-    h->derOnly = derOnly;
-    return h;
-}
-
-SECArb *BER_ParseFini(BERParse *h)
-{
-    PRArenaPool *myArena = h->mine;
-    SECArb *arb;
-
-    if (h->state != parseComplete) {
-	arb = NULL;
-    } else {
-	arb = PORT_ArenaAlloc(h->his, sizeof(SECArb));
-	*arb = h->stackPtr->arb;
-    }
-
-    PORT_FreeArena(myArena, PR_FALSE);
-
-    return arb;
-}
-
-
-void BER_SetFilter(BERParse *h, BERFilterProc proc, void *instance)
-{
-    h->filter = proc;
-    h->filterArg = instance;
-}
-
-void BER_SetLeafStorage(BERParse *h, PRBool keep)
-{
-    h->keepLeaves = keep;
-}
-
-void BER_SetNotifyProc(BERParse *h, BERNotifyProc proc, void *instance,
-			      PRBool beforeData)
-{
-    if (beforeData) {
-	h->before = proc;
-	h->beforeArg = instance;
-    } else {
-	h->after = proc;
-	h->afterArg = instance;
-    }
-}
-
-
-
diff --git a/security/nss/cmd/lib/config.mk b/security/nss/cmd/lib/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/cmd/lib/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/cmd/lib/derprint.c b/security/nss/cmd/lib/derprint.c
deleted file mode 100644
index 50c6d02e6..000000000
--- a/security/nss/cmd/lib/derprint.c
+++ /dev/null
@@ -1,622 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "secutil.h"
-#include "secoid.h"
-
-#ifdef __sun
-extern int fprintf(FILE *strm, const char *format, .../* args */);
-extern int fflush(FILE *stream);
-#endif
-
-#define RIGHT_MARGIN	24
-/*#define RAW_BYTES 1 */
-
-static int prettyColumn = 0;
-
-static int
-getInteger256(unsigned char *data, unsigned int nb)
-{
-    int val;
-
-    switch (nb) {
-      case 1:
-	val = data[0];
-	break;
-      case 2:
-	val = (data[0] << 8) | data[1];
-	break;
-      case 3:
-	val = (data[0] << 16) | (data[1] << 8) | data[2];
-	break;
-      case 4:
-	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
-	break;
-      default:
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return -1;
-    }
-
-    return val;
-}
-
-static int
-prettyNewline(FILE *out)
-{
-    int rv;
-
-    if (prettyColumn != -1) {
-	rv = fprintf(out, "\n");
-	prettyColumn = -1;
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
-	    return rv;
-	}
-    }
-    return 0;
-}
-
-static int
-prettyIndent(FILE *out, unsigned level)
-{
-    unsigned int i;
-    int rv;
-
-    if (prettyColumn == -1) {
-	prettyColumn = level;
-	for (i = 0; i < level; i++) {
-	    rv = fprintf(out, "   ");
-	    if (rv < 0) {
-		PORT_SetError(SEC_ERROR_IO);
-		return rv;
-	    }
-	}
-    }
-
-    return 0;
-}
-
-static int
-prettyPrintByte(FILE *out, unsigned char item, unsigned int level)
-{
-    int rv;
-
-    rv = prettyIndent(out, level);
-    if (rv < 0)
-	return rv;
-
-    rv = fprintf(out, "%02x ", item);
-    if (rv < 0) {
-	PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    prettyColumn++;
-    if (prettyColumn >= RIGHT_MARGIN) {
-	return prettyNewline(out);
-    }
-
-    return 0;
-}
-
-static int
-prettyPrintLeaf(FILE *out, unsigned char *data,
-		unsigned int len, unsigned int lv)
-{
-    unsigned int i;
-    int rv;
-
-    for (i = 0; i < len; i++) {
-	rv = prettyPrintByte(out, *data++, lv);
-	if (rv < 0)
-	    return rv;
-    }
-    return prettyNewline(out);
-}
-
-static int
-prettyPrintStringStart(FILE *out, unsigned char *str,
-		       unsigned int len, unsigned int level)
-{
-#define BUF_SIZE 100
-    unsigned char buf[BUF_SIZE];
-    int rv;
-
-    if (len >= BUF_SIZE)
-	len = BUF_SIZE - 1;
-
-    rv = prettyNewline(out);
-    if (rv < 0)
-	return rv;
-
-    rv = prettyIndent(out, level);
-    if (rv < 0)
-	return rv;
-
-    memcpy(buf, str, len);
-    buf[len] = '\000';
-
-    rv = fprintf(out, "\"%s\"", buf);
-    if (rv < 0) {
-	PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    return 0;
-#undef BUF_SIZE
-}
-
-static int
-prettyPrintString(FILE *out, unsigned char *str,
-		  unsigned int len, unsigned int level, PRBool raw)
-{
-    int rv;
-
-    rv = prettyPrintStringStart(out, str, len, level);
-    if (rv < 0)
-	return rv;
-
-    rv = prettyNewline(out);
-    if (rv < 0)
-	return rv;
-
-    if (raw) {
-	rv = prettyPrintLeaf(out, str, len, level);
-	if (rv < 0)
-	    return rv;
-    }
-
-    return 0;
-}
-
-static int
-prettyPrintTime(FILE *out, unsigned char *str,
-		unsigned int len, unsigned int level, PRBool raw, PRBool utc)
-{
-    SECItem time_item;
-    int rv;
-
-    rv = prettyPrintStringStart(out, str, len, level);
-    if (rv < 0)
-	return rv;
-
-    time_item.data = str;
-    time_item.len = len;
-
-    rv = fprintf(out, " (");
-    if (rv < 0) {
-	PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    if (utc)
-	SECU_PrintUTCTime(out, &time_item, NULL, 0);
-    else
-	SECU_PrintGeneralizedTime(out, &time_item, NULL, 0);
-
-    rv = fprintf(out, ")");
-    if (rv < 0) {
-	PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    rv = prettyNewline(out);
-    if (rv < 0)
-	return rv;
-
-    if (raw) {
-	rv = prettyPrintLeaf(out, str, len, level);
-	if (rv < 0)
-	    return rv;
-    }
-
-    return 0;
-}
-
-static int
-prettyPrintObjectID(FILE *out, unsigned char *data,
-		    unsigned int len, unsigned int level, PRBool raw)
-{
-    SECOidData *oiddata;
-    SECItem oiditem;
-    unsigned int i;
-    unsigned long val;
-    int rv;
-
-
-    /*
-     * First print the Object Id in numeric format
-     */
-
-    rv = prettyIndent(out, level);
-    if (rv < 0)
-	return rv;
-
-    val = data[0];
-    i   = val % 40;
-    val = val / 40;
-    rv = fprintf(out, "%lu %u ", val, i);
-    if (rv < 0) {
-	PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    val = 0;
-    for (i = 1; i < len; ++i) {
-        unsigned long j;
-
-	j = data[i];
-	val = (val << 7) | (j & 0x7f);
-	if (j & 0x80) 
-	    continue;
-	rv = fprintf(out, "%lu ", val);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
-	    return rv;
-	}
-	val = 0;
-    }
-
-    /*
-     * Now try to look it up and print a symbolic version.
-     */
-    oiditem.data = data;
-    oiditem.len = len;
-    oiddata = SECOID_FindOID(&oiditem);
-    if (oiddata != NULL) {
-	i = PORT_Strlen(oiddata->desc);
-	if ((prettyColumn + 1 + (i / 3)) > RIGHT_MARGIN) {
-	    rv = prettyNewline(out);
-	    if (rv < 0)
-		return rv;
-	}
-
-	rv = prettyIndent(out, level);
-	if (rv < 0)
-	    return rv;
-
-	rv = fprintf(out, "(%s)", oiddata->desc);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
-	    return rv;
-	}
-    }
-
-    /*
-     * Finally, on a new line, print the raw bytes (if requested).
-     */
-    if (raw) {
-	rv = prettyNewline(out);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
-	    return rv;
-	}
-
-	for (i = 0; i < len; i++) {
-	    rv = prettyPrintByte(out, *data++, level);
-	    if (rv < 0)
-		return rv;
-	}
-    }
-
-    return prettyNewline(out);
-}
-
-static char *prettyTagType [32] = {
-  "End of Contents",
-  "Boolean",
-  "Integer",
-  "Bit String",
-  "Octet String",
-  "NULL",
-  "Object Identifier",
-  "0x07",
-  "0x08",
-  "0x09",
-  "Enumerated",
-  "0x0B",
-  "UTF8 String",
-  "0x0D",
-  "0x0E",
-  "0x0F",
-  "Sequence",
-  "Set",
-  "0x12",
-  "Printable String",
-  "T61 String",
-  "0x15",
-  "IA5 String",
-  "UTC Time",
-  "Generalized Time",
-  "0x19",
-  "Visible String",
-  "0x1B",
-  "Universal String",
-  "0x1D",
-  "BMP String",
-  "High-Tag-Number"
-};
-
-static int
-prettyPrintTag(FILE *out, unsigned char *src, unsigned char *end,
-	       unsigned char *codep, unsigned int level, PRBool raw)
-{
-    int rv;
-    unsigned char code, tagnum;
-
-    if (src >= end) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return -1;
-    }
-
-    code = *src;
-    tagnum = code & SEC_ASN1_TAGNUM_MASK;
-
-    /*
-     * NOTE: This code does not (yet) handle the high-tag-number form!
-     */
-    if (tagnum == SEC_ASN1_HIGH_TAG_NUMBER) {
-        PORT_SetError(SEC_ERROR_BAD_DER);
-	return -1;
-    }
-
-    if (raw)
-	rv = prettyPrintByte(out, code, level);
-    else
-	rv = prettyIndent(out, level);
-
-    if (rv < 0)
-	return rv;
-
-    if (code & SEC_ASN1_CONSTRUCTED) {
-        rv = fprintf(out, "C-");
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
-	    return rv;
-	}
-    }
-
-    switch (code & SEC_ASN1_CLASS_MASK) {
-    case SEC_ASN1_UNIVERSAL:
-        rv = fprintf(out, "%s ", prettyTagType[tagnum]);
-	break;
-    case SEC_ASN1_APPLICATION:
-        rv = fprintf(out, "Application: %d ", tagnum);
-	break;
-    case SEC_ASN1_CONTEXT_SPECIFIC:
-        rv = fprintf(out, "[%d] ", tagnum);
-	break;
-    case SEC_ASN1_PRIVATE:
-        rv = fprintf(out, "Private: %d ", tagnum);
-	break;
-    }
-
-    if (rv < 0) {
-        PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    *codep = code;
-
-    return 1;
-}
-
-static int
-prettyPrintLength(FILE *out, unsigned char *data, unsigned char *end,
-		  int *lenp, PRBool *indefinitep, unsigned int lv, PRBool raw)
-{
-    unsigned char lbyte;
-    int lenLen;
-    int rv;
-
-    if (data >= end) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return -1;
-    }
-
-    rv = fprintf(out, " ");
-    if (rv < 0) {
-        PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    *indefinitep = PR_FALSE;
-
-    lbyte = *data++;
-    if (lbyte >= 0x80) {
-	/* Multibyte length */
-	unsigned nb = (unsigned) (lbyte & 0x7f);
-	if (nb > 4) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return -1;
-	}
-	if (nb > 0) {
-	    int il;
-
-	    if ((data + nb) > end) {
-		PORT_SetError(SEC_ERROR_BAD_DER);
-		return -1;
-	    }
-	    il = getInteger256(data, nb);
-	    if (il < 0) return -1;
-	    *lenp = (unsigned) il;
-	} else {
-	    *lenp = 0;
-	    *indefinitep = PR_TRUE;
-	}
-	lenLen = nb + 1;
-	if (raw) {
-	    int i;
-
-	    rv = prettyPrintByte(out, lbyte, lv);
-	    if (rv < 0)
-		return rv;
-	    for (i = 0; i < nb; i++) {
-		rv = prettyPrintByte(out, data[i], lv);
-		if (rv < 0)
-		    return rv;
-	    }
-	}
-    } else {
-	*lenp = lbyte;
-	lenLen = 1;
-	if (raw) {
-	    rv = prettyPrintByte(out, lbyte, lv);
-	    if (rv < 0)
-		return rv;
-	}
-    }
-    if (*indefinitep)
-	rv = fprintf(out, "(indefinite)\n");
-    else
-	rv = fprintf(out, "(%d)\n", *lenp);
-    if (rv < 0) {
-        PORT_SetError(SEC_ERROR_IO);
-	return rv;
-    }
-
-    prettyColumn = -1;
-    return lenLen;
-}
-
-static int
-prettyPrintItem(FILE *out, unsigned char *data, unsigned char *end,
-		unsigned int lv, PRBool raw)
-{
-    int slen;
-    int lenLen;
-    unsigned char *orig = data;
-    int rv;
-
-    while (data < end) {
-        unsigned char code;
-	PRBool indefinite;
-
-	slen = prettyPrintTag(out, data, end, &code, lv, raw);
-	if (slen < 0)
-	    return slen;
-	data += slen;
-
-	lenLen = prettyPrintLength(out, data, end, &slen, &indefinite, lv, raw);
-	if (lenLen < 0)
-	    return lenLen;
-	data += lenLen;
-
-	/*
-	 * Just quit now if slen more bytes puts us off the end.
-	 */
-	if ((data + slen) > end) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return -1;
-	}
-
-        if (code & SEC_ASN1_CONSTRUCTED) {
-	    if (slen > 0 || indefinite) {
-		slen = prettyPrintItem(out, data,
-				       slen == 0 ? end : data + slen,
-				       lv+1, raw);
-		if (slen < 0)
-		    return slen;
-		data += slen;
-	    }
-	} else if (code == 0) {
-	    if (slen != 0 || lenLen != 1) {
-		PORT_SetError(SEC_ERROR_BAD_DER);
-		return -1;
-	    }
-	    break;
-	} else {
-	    switch (code) {
-	      case SEC_ASN1_PRINTABLE_STRING:
-	      case SEC_ASN1_IA5_STRING:
-	      case SEC_ASN1_VISIBLE_STRING:
-	        rv = prettyPrintString(out, data, slen, lv+1, raw);
-		if (rv < 0)
-		    return rv;
-		break;
-	      case SEC_ASN1_UTC_TIME:
-	        rv = prettyPrintTime(out, data, slen, lv+1, raw, PR_TRUE);
-		if (rv < 0)
-		    return rv;
-		break;
-	      case SEC_ASN1_GENERALIZED_TIME:
-	        rv = prettyPrintTime(out, data, slen, lv+1, raw, PR_FALSE);
-		if (rv < 0)
-		    return rv;
-		break;
-	      case SEC_ASN1_OBJECT_ID:
-	        rv = prettyPrintObjectID(out, data, slen, lv+1, raw);
-		if (rv < 0)
-		    return rv;
-		break;
-	      case SEC_ASN1_BOOLEAN:	/* could do nicer job */
-	      case SEC_ASN1_INTEGER:	/* could do nicer job */
-	      case SEC_ASN1_BIT_STRING:	/* could do nicer job */
-	      case SEC_ASN1_OCTET_STRING:
-	      case SEC_ASN1_NULL:
-	      case SEC_ASN1_ENUMERATED:	/* could do nicer job, as INTEGER */
-	      case SEC_ASN1_UTF8_STRING:
-	      case SEC_ASN1_T61_STRING:	/* print as printable string? */
-	      case SEC_ASN1_UNIVERSAL_STRING:
-	      case SEC_ASN1_BMP_STRING:
-	      default:
-	        rv = prettyPrintLeaf(out, data, slen, lv+1);
-		if (rv < 0)
-		    return rv;
-		break;
-	    }
-	    data += slen;
-	}
-    }
-
-    rv = prettyNewline(out);
-    if (rv < 0)
-	return rv;
-
-    return data - orig;
-}
-
-SECStatus
-DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw)
-{
-    int rv;
-
-    prettyColumn = -1;
-
-    rv = prettyPrintItem(out, it->data, it->data + it->len, 0, raw);
-    if (rv < 0)
-	return SECFailure;
-    return SECSuccess;
-}
diff --git a/security/nss/cmd/lib/ffs.c b/security/nss/cmd/lib/ffs.c
deleted file mode 100644
index c7105eb20..000000000
--- a/security/nss/cmd/lib/ffs.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#if !defined(XP_UNIX) && !defined(XP_OS2)

-
-int ffs( unsigned int i)
-{
-    int rv	= 1;
-
-    if (!i) return 0;
-
-    while (!(i & 1)) {
-    	i >>= 1;
-	++rv;
-    }
-
-    return rv;
-}
-#endif
diff --git a/security/nss/cmd/lib/manifest.mn b/security/nss/cmd/lib/manifest.mn
deleted file mode 100644
index 767b58a10..000000000
--- a/security/nss/cmd/lib/manifest.mn
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH	= ../../..
-
-LIBRARY_NAME	= sectool
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE		= nss
-
-DEFINES		= -DNSPR20
-
-PRIVATE_EXPORTS	= secutil.h \
-		  NSPRerrs.h \
-		  SECerrs.h \
-		  SSLerrs.h \
-		  pk11table.h \
-		  $(NULL)
-
-CSRCS		= secutil.c \
-		secpwd.c    \
-		derprint.c \
-		moreoids.c \
-		pppolicy.c \
-		secerror.c \
-		ffs.c \
-		pk11table.c \
-		$(NULL)
-
-REQUIRES	= dbm
-
-NO_MD_RELEASE	= 1
diff --git a/security/nss/cmd/lib/moreoids.c b/security/nss/cmd/lib/moreoids.c
deleted file mode 100644
index 27488c59e..000000000
--- a/security/nss/cmd/lib/moreoids.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2004
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secoid.h"
-#include "secmodt.h" /* for CKM_INVALID_MECHANISM */
-
-#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
-#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
-#define ODN(oid,desc) \
-  { OI(oid), 0, desc, CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION }
-
-#define OIDT static const unsigned char
-
-/* OIW Security Special Interest Group defined algorithms. */
-#define OIWSSIG   0x2B, 13, 3, 2
-
-OIDT  oiwMD5RSA[] 	= { OIWSSIG,  3 };
-OIDT  oiwDESCBC[] 	= { OIWSSIG,  7 };
-OIDT  oiwRSAsig[] 	= { OIWSSIG, 11 };
-OIDT  oiwDSA   [] 	= { OIWSSIG, 12 };
-OIDT  oiwMD5RSAsig[] 	= { OIWSSIG, 25 };
-OIDT  oiwSHA1  [] 	= { OIWSSIG, 26 };
-OIDT  oiwDSASHA1[] 	= { OIWSSIG, 27 };
-OIDT  oiwDSASHA1param[] = { OIWSSIG, 28 };
-OIDT  oiwSHA1RSA[] 	= { OIWSSIG, 29 };
-
-
-/* Microsoft OIDs.  (1 3 6 1 4 1 311 ... )   */
-#define MICROSOFT 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37
-
-OIDT  mCTL[] 	= { MICROSOFT, 10, 3, 1 }; /* Cert Trust List signing */
-OIDT  mTSS[] 	= { MICROSOFT, 10, 3, 2 }; /* Time Stamp Signing */
-OIDT  mSGC[] 	= { MICROSOFT, 10, 3, 3 }; /* Server gated cryptography */
-OIDT  mEFS[]	= { MICROSOFT, 10, 3, 4 }; /* Encrypted File System */
-OIDT  mSMIME[]	= { MICROSOFT, 16, 4    }; /* SMIME encryption key prefs */
-
-OIDT  mECRTT[]	= { MICROSOFT, 20, 2    }; /* Enrollment cert type xtn */
-OIDT  mEAGNT[]	= { MICROSOFT, 20, 2, 1 }; /* Enrollment Agent         */
-OIDT  mKPSCL[]	= { MICROSOFT, 20, 2, 2 }; /* KP SmartCard Logon       */
-OIDT  mNTPN []	= { MICROSOFT, 20, 2, 3 }; /* NT Principal Name        */
-OIDT  mCASRV[]	= { MICROSOFT, 21, 1    }; /* CertServ CA version      */
-
-/* AOL OIDs     (1 3 6 1 4 1 1066 ... )   */
-#define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
-
-/* PKIX IDs     (1 3 6 1 5 5 7 ...)  */
-#define ID_PKIX 0x2B, 6, 1, 5, 5, 7
-/* PKIX Access Descriptors (methods for Authority Info Access Extns) */
-#define ID_AD   ID_PKIX, 48
-
-OIDT  padOCSP[]      = { ID_AD, 1 };  /* OCSP method */
-OIDT  padCAissuer[]  = { ID_AD, 2 };  /* URI (for CRL ?) */
-OIDT  padTimeStamp[] = { ID_AD, 3 };  /* time stamping */
-
-/* ISO Cert Extension type OIDs (id-ce)  (2 5 29 ...) */
-#define X500                    0x55
-#define X520_ATTRIBUTE_TYPE     X500, 0x04
-#define X500_ALG                X500, 0x08
-#define X500_ALG_ENCRYPTION     X500_ALG, 0x01
-#define ID_CE			X500, 29
-
-OIDT cePlcyObs[] = { ID_CE,  3 };  /* Cert policies, obsolete. */
-OIDT cePlcyCns[] = { ID_CE, 36 };  /* Cert policy constraints. */
-
-/* US Company arc (2 16 840 1 ...) */
-#define USCOM        0x60, 0x86, 0x48, 0x01
-#define USGOV        USCOM, 0x65
-#define USDOD        USGOV, 2
-#define ID_INFOSEC   USDOD, 1
-
-/* Verisign PKI OIDs (2 16 840 1 113733 1 ...) */
-#define VERISIGN_PKI USCOM, 0x86, 0xf8, 0x45, 1
-#define VERISIGN_XTN VERISIGN_PKI, 6
-#define VERISIGN_POL VERISIGN_PKI, 7	/* Cert policies */
-#define VERISIGN_TNET VERISIGN_POL, 23	/* Verisign Trust Network */
-
-OIDT  vcx7[]	= { VERISIGN_XTN, 7 };	/* Cert Extension 7 (?) */
-OIDT  vcp1[]	= { VERISIGN_TNET, 1 };	/* class 1 cert policy */
-OIDT  vcp2[]	= { VERISIGN_TNET, 2 };	/* class 2 cert policy */
-OIDT  vcp3[]	= { VERISIGN_TNET, 3 };	/* class 3 cert policy */
-OIDT  vcp4[]	= { VERISIGN_TNET, 4 };	/* class 4 cert policy */
-
-
-/* ------------------------------------------------------------------- */
-static const SECOidData oids[] = {
-/* OIW Security Special Interest Group OIDs */
-    ODN( oiwMD5RSA,	  "OIWSecSIG MD5 with RSA"),
-    ODN( oiwDESCBC,	  "OIWSecSIG DES CBC"),
-    ODN( oiwRSAsig,	  "OIWSecSIG RSA signature"),
-    ODN( oiwDSA   ,	  "OIWSecSIG DSA"),
-    ODN( oiwMD5RSAsig,	  "OIWSecSIG MD5 with RSA signature"),
-    ODN( oiwSHA1  ,	  "OIWSecSIG SHA1"),
-    ODN( oiwDSASHA1,	  "OIWSecSIG DSA with SHA1"),
-    ODN( oiwDSASHA1param, "OIWSecSIG DSA with SHA1 with params"),
-    ODN( oiwSHA1RSA,	  "OIWSecSIG MD5 with RSA"),
-
-/* Microsoft OIDs */
-    ODN( mCTL,   "Microsoft Cert Trust List signing"), 
-    ODN( mTSS,   "Microsoft Time Stamp signing"),
-    ODN( mSGC,   "Microsoft SGC SSL server"),
-    ODN( mEFS,   "Microsoft Encrypted File System"),
-    ODN( mSMIME, "Microsoft SMIME preferences"),
-    ODN( mECRTT, "Microsoft Enrollment Cert Type Extension"),
-    ODN( mEAGNT, "Microsoft Enrollment Agent"),
-    ODN( mKPSCL, "Microsoft KP SmartCard Logon"),
-    ODN( mNTPN,  "Microsoft NT Principal Name"),
-    ODN( mCASRV, "Microsoft CertServ CA version"),
-
-/* PKIX OIDs */
-    ODN( padOCSP,	"PKIX OCSP method"),
-    ODN( padCAissuer,	"PKIX CA Issuer method"),
-    ODN( padTimeStamp,	"PKIX Time Stamping method"),
-
-/* ID_CE OIDs. */
-    ODN( cePlcyObs,	"Certificate Policies (Obsolete)"),
-    ODN( cePlcyCns,	"Certificate Policy Constraints"),
-
-/* Verisign OIDs. */
-    ODN( vcx7,		"Verisign Cert Extension 7 (?)"),
-    ODN( vcp1,		"Verisign Class 1 Certificate Policy"),
-    ODN( vcp2,		"Verisign Class 2 Certificate Policy"),
-    ODN( vcp3,		"Verisign Class 3 Certificate Policy"),
-    ODN( vcp4,		"Verisign Class 4 Certificate Policy"),
-
-};
-
-static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
-
-SECStatus
-SECU_RegisterDynamicOids(void)
-{
-    unsigned int i;
-    SECStatus rv = SECSuccess;
-
-    for (i = 0; i < numOids; ++i) {
-	SECOidTag tag = SECOID_AddEntry(&oids[i]);
-	if (tag == SEC_OID_UNKNOWN) {
-	    rv = SECFailure;
-#ifdef DEBUG_DYN_OIDS
-	    fprintf(stderr, "Add OID[%d] failed\n", i);
-	} else {
-	    fprintf(stderr, "Add OID[%d] returned tag %d\n", i, tag);
-#endif
-	}
-    }
-    return rv;
-}
diff --git a/security/nss/cmd/lib/pk11table.c b/security/nss/cmd/lib/pk11table.c
deleted file mode 100644
index 5ec551fb2..000000000
--- a/security/nss/cmd/lib/pk11table.c
+++ /dev/null
@@ -1,1449 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "pk11table.h"
-
-const char *_valueString[] = {
-    "None",
-    "Variable",
-    "CK_ULONG",
-    "Data",
-    "UTF8",
-    "CK_INFO",
-    "CK_SLOT_INFO",
-    "CK_TOKEN_INFO",
-    "CK_SESSION_INFO",
-    "CK_ATTRIBUTE",
-    "CK_MECHANISM",
-    "CK_MECHANISM_INFO",
-    "CK_C_INITIALIZE_ARGS",
-    "CK_FUNCTION_LIST"
-};
-
-const char **valueString = &_valueString[0];
-const int valueCount = sizeof(_valueString)/sizeof(_valueString[0]);
-
-const char *_constTypeString[] = {
-    "None",
-    "Bool",
-    "InfoFlags",
-    "SlotFlags",
-    "TokenFlags",
-    "SessionFlags",
-    "MechanismFlags",
-    "InitializeFlags",
-    "Users",
-    "SessionState",
-    "Object",
-    "Hardware",
-    "KeyType",
-    "CertificateType",
-    "Attribute",
-    "Mechanism",
-    "Result",
-    "Trust",
-    "AvailableSizes",
-    "CurrentSize"
-};
-
-const char **constTypeString = &_constTypeString[0];
-const int constTypeCount = sizeof(_constTypeString)/sizeof(_constTypeString[0]);
-
-#define mkEntry(x,t) { #x, x, Const##t, ConstNone }
-#define mkEntry2(x,t,t2) { #x, x, Const##t, Const##t2 }
-
-const Constant _consts[] = {
-	mkEntry(CK_FALSE, Bool),
-	mkEntry(CK_TRUE, Bool),
-
-	mkEntry(CKF_TOKEN_PRESENT, SlotFlags),
-	mkEntry(CKF_REMOVABLE_DEVICE, SlotFlags),
-	mkEntry(CKF_HW_SLOT, SlotFlags),
-
-	mkEntry(CKF_RNG, TokenFlags),
-	mkEntry(CKF_WRITE_PROTECTED, TokenFlags),
-	mkEntry(CKF_LOGIN_REQUIRED, TokenFlags),
-	mkEntry(CKF_USER_PIN_INITIALIZED, TokenFlags),
-	mkEntry(CKF_RESTORE_KEY_NOT_NEEDED, TokenFlags),
-	mkEntry(CKF_CLOCK_ON_TOKEN, TokenFlags),
-	mkEntry(CKF_PROTECTED_AUTHENTICATION_PATH, TokenFlags),
-	mkEntry(CKF_DUAL_CRYPTO_OPERATIONS, TokenFlags),
-	mkEntry(CKF_TOKEN_INITIALIZED, TokenFlags),
-	mkEntry(CKF_SECONDARY_AUTHENTICATION, TokenFlags),
-	mkEntry(CKF_USER_PIN_COUNT_LOW, TokenFlags),
-	mkEntry(CKF_USER_PIN_FINAL_TRY, TokenFlags),
-	mkEntry(CKF_USER_PIN_LOCKED, TokenFlags),
-	mkEntry(CKF_USER_PIN_TO_BE_CHANGED, TokenFlags),
-	mkEntry(CKF_SO_PIN_COUNT_LOW, TokenFlags),
-	mkEntry(CKF_SO_PIN_FINAL_TRY, TokenFlags),
-	mkEntry(CKF_SO_PIN_LOCKED, TokenFlags),
-	mkEntry(CKF_SO_PIN_TO_BE_CHANGED, TokenFlags),
-
-	mkEntry(CKF_RW_SESSION, SessionFlags),
-	mkEntry(CKF_SERIAL_SESSION, SessionFlags),
-
-	mkEntry(CKF_HW, MechanismFlags),
-	mkEntry(CKF_ENCRYPT, MechanismFlags),
-	mkEntry(CKF_DECRYPT, MechanismFlags),
-	mkEntry(CKF_DIGEST, MechanismFlags),
-	mkEntry(CKF_SIGN, MechanismFlags),
-	mkEntry(CKF_SIGN_RECOVER, MechanismFlags),
-	mkEntry(CKF_VERIFY, MechanismFlags),
-	mkEntry(CKF_VERIFY_RECOVER, MechanismFlags),
-	mkEntry(CKF_GENERATE, MechanismFlags),
-	mkEntry(CKF_GENERATE_KEY_PAIR, MechanismFlags),
-	mkEntry(CKF_WRAP, MechanismFlags),
-	mkEntry(CKF_UNWRAP, MechanismFlags),
-	mkEntry(CKF_DERIVE, MechanismFlags),
-	mkEntry(CKF_EC_FP, MechanismFlags),
-	mkEntry(CKF_EC_F_2M, MechanismFlags),
-	mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags),
-	mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags),
-	mkEntry(CKF_EC_UNCOMPRESS, MechanismFlags),
-	mkEntry(CKF_EC_COMPRESS, MechanismFlags),
-
-	mkEntry(CKF_LIBRARY_CANT_CREATE_OS_THREADS, InitializeFlags),
-	mkEntry(CKF_OS_LOCKING_OK, InitializeFlags),
-
-	mkEntry(CKU_SO, Users),
-	mkEntry(CKU_USER, Users),
-
-	mkEntry(CKS_RO_PUBLIC_SESSION, SessionState),
-	mkEntry(CKS_RO_USER_FUNCTIONS, SessionState),
-	mkEntry(CKS_RW_PUBLIC_SESSION, SessionState),
-	mkEntry(CKS_RW_USER_FUNCTIONS, SessionState),
-	mkEntry(CKS_RW_SO_FUNCTIONS, SessionState),
-
-	mkEntry(CKO_DATA, Object),
-	mkEntry(CKO_CERTIFICATE, Object),
-	mkEntry(CKO_PUBLIC_KEY, Object),
-	mkEntry(CKO_PRIVATE_KEY, Object),
-	mkEntry(CKO_SECRET_KEY, Object),
-	mkEntry(CKO_HW_FEATURE, Object),
-	mkEntry(CKO_DOMAIN_PARAMETERS, Object),
-	mkEntry(CKO_KG_PARAMETERS, Object),
-	mkEntry(CKO_NETSCAPE_CRL, Object),
-	mkEntry(CKO_NETSCAPE_SMIME, Object),
-	mkEntry(CKO_NETSCAPE_TRUST, Object),
-	mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
-
-	mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
-	mkEntry(CKH_CLOCK, Hardware),
-
-	mkEntry(CKK_RSA, KeyType),
-	mkEntry(CKK_DSA, KeyType),
-	mkEntry(CKK_DH, KeyType),
-	mkEntry(CKK_ECDSA, KeyType),
-	mkEntry(CKK_EC, KeyType),
-	mkEntry(CKK_X9_42_DH, KeyType),
-	mkEntry(CKK_KEA, KeyType),
-	mkEntry(CKK_GENERIC_SECRET, KeyType),
-	mkEntry(CKK_RC2, KeyType),
-	mkEntry(CKK_RC4, KeyType),
-	mkEntry(CKK_DES, KeyType),
-	mkEntry(CKK_DES2, KeyType),
-	mkEntry(CKK_DES3, KeyType),
-	mkEntry(CKK_CAST, KeyType),
-	mkEntry(CKK_CAST3, KeyType),
-	mkEntry(CKK_CAST5, KeyType),
-	mkEntry(CKK_CAST128, KeyType),
-	mkEntry(CKK_RC5, KeyType),
-	mkEntry(CKK_IDEA, KeyType),
-	mkEntry(CKK_SKIPJACK, KeyType),
-	mkEntry(CKK_BATON, KeyType),
-	mkEntry(CKK_JUNIPER, KeyType),
-	mkEntry(CKK_CDMF, KeyType),
-	mkEntry(CKK_AES, KeyType),
-	mkEntry(CKK_CAMELLIA, KeyType),
-	mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
-
-	mkEntry(CKC_X_509, CertType),
-	mkEntry(CKC_X_509_ATTR_CERT, CertType),
-
-	mkEntry2(CKA_CLASS, Attribute, Object),
-	mkEntry2(CKA_TOKEN, Attribute, Bool),
-	mkEntry2(CKA_PRIVATE, Attribute, Bool),
-	mkEntry2(CKA_LABEL, Attribute, None),
-	mkEntry2(CKA_APPLICATION, Attribute, None),
-	mkEntry2(CKA_VALUE, Attribute, None),
-	mkEntry2(CKA_OBJECT_ID, Attribute, None),
-	mkEntry2(CKA_CERTIFICATE_TYPE, Attribute, CertType),
-	mkEntry2(CKA_ISSUER, Attribute, None),
-	mkEntry2(CKA_SERIAL_NUMBER, Attribute, None),
-	mkEntry2(CKA_AC_ISSUER, Attribute, None),
-	mkEntry2(CKA_OWNER, Attribute, None),
-	mkEntry2(CKA_ATTR_TYPES, Attribute, None),
-	mkEntry2(CKA_TRUSTED, Attribute, Bool),
-	mkEntry2(CKA_KEY_TYPE, Attribute, KeyType),
-	mkEntry2(CKA_SUBJECT, Attribute, None),
-	mkEntry2(CKA_ID, Attribute, None),
-	mkEntry2(CKA_SENSITIVE, Attribute, Bool),
-	mkEntry2(CKA_ENCRYPT, Attribute, Bool),
-	mkEntry2(CKA_DECRYPT, Attribute, Bool),
-	mkEntry2(CKA_WRAP, Attribute, Bool),
-	mkEntry2(CKA_UNWRAP, Attribute, Bool),
-	mkEntry2(CKA_SIGN, Attribute, Bool),
-	mkEntry2(CKA_SIGN_RECOVER, Attribute, Bool),
-	mkEntry2(CKA_VERIFY, Attribute, Bool),
-	mkEntry2(CKA_VERIFY_RECOVER, Attribute, Bool),
-	mkEntry2(CKA_DERIVE, Attribute, Bool),
-	mkEntry2(CKA_START_DATE, Attribute, None),
-	mkEntry2(CKA_END_DATE, Attribute, None),
-	mkEntry2(CKA_MODULUS, Attribute, None),
-	mkEntry2(CKA_MODULUS_BITS, Attribute, None),
-	mkEntry2(CKA_PUBLIC_EXPONENT, Attribute, None),
-	mkEntry2(CKA_PRIVATE_EXPONENT, Attribute, None),
-	mkEntry2(CKA_PRIME_1, Attribute, None),
-	mkEntry2(CKA_PRIME_2, Attribute, None),
-	mkEntry2(CKA_EXPONENT_1, Attribute, None),
-	mkEntry2(CKA_EXPONENT_2, Attribute, None),
-	mkEntry2(CKA_COEFFICIENT, Attribute, None),
-	mkEntry2(CKA_PRIME, Attribute, None),
-	mkEntry2(CKA_SUBPRIME, Attribute, None),
-	mkEntry2(CKA_BASE, Attribute, None),
-	mkEntry2(CKA_PRIME_BITS, Attribute, None),
-	mkEntry2(CKA_SUB_PRIME_BITS, Attribute, None),
-	mkEntry2(CKA_VALUE_BITS, Attribute, None),
-	mkEntry2(CKA_VALUE_LEN, Attribute, None),
-	mkEntry2(CKA_EXTRACTABLE, Attribute, Bool),
-	mkEntry2(CKA_LOCAL, Attribute, Bool),
-	mkEntry2(CKA_NEVER_EXTRACTABLE, Attribute, Bool),
-	mkEntry2(CKA_ALWAYS_SENSITIVE, Attribute, Bool),
-	mkEntry2(CKA_KEY_GEN_MECHANISM, Attribute, Mechanism),
-	mkEntry2(CKA_MODIFIABLE, Attribute, Bool),
-	mkEntry2(CKA_ECDSA_PARAMS, Attribute, None),
-	mkEntry2(CKA_EC_PARAMS, Attribute, None),
-	mkEntry2(CKA_EC_POINT, Attribute, None),
-	mkEntry2(CKA_SECONDARY_AUTH, Attribute, None),
-	mkEntry2(CKA_AUTH_PIN_FLAGS, Attribute, None),
-	mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
-	mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
-	mkEntry2(CKA_HAS_RESET, Attribute, Bool),
-	mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
-	mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
-	mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
-	mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
-	mkEntry2(CKA_TRUST_DATA_ENCIPHERMENT, Attribute, Trust),
-	mkEntry2(CKA_TRUST_KEY_AGREEMENT, Attribute, Trust),
-	mkEntry2(CKA_TRUST_KEY_CERT_SIGN, Attribute, Trust),
-	mkEntry2(CKA_TRUST_CRL_SIGN, Attribute, Trust),
-	mkEntry2(CKA_TRUST_SERVER_AUTH, Attribute, Trust),
-	mkEntry2(CKA_TRUST_CLIENT_AUTH, Attribute, Trust),
-	mkEntry2(CKA_TRUST_CODE_SIGNING, Attribute, Trust),
-	mkEntry2(CKA_TRUST_EMAIL_PROTECTION, Attribute, Trust),
-	mkEntry2(CKA_TRUST_IPSEC_END_SYSTEM, Attribute, Trust),
-	mkEntry2(CKA_TRUST_IPSEC_TUNNEL, Attribute, Trust),
-	mkEntry2(CKA_TRUST_IPSEC_USER, Attribute, Trust),
-	mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust),
-	mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None),
-	mkEntry2(CKA_CERT_MD5_HASH, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_DB, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_TRUST, Attribute, Trust),
-
-	mkEntry(CKM_RSA_PKCS, Mechanism),
-	mkEntry(CKM_RSA_9796, Mechanism),
-	mkEntry(CKM_RSA_X_509, Mechanism),
-	mkEntry(CKM_RSA_PKCS_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_MD2_RSA_PKCS, Mechanism),
-	mkEntry(CKM_MD5_RSA_PKCS, Mechanism),
-	mkEntry(CKM_SHA1_RSA_PKCS, Mechanism),
-	mkEntry(CKM_RIPEMD128_RSA_PKCS, Mechanism),
-	mkEntry(CKM_RIPEMD160_RSA_PKCS, Mechanism),
-	mkEntry(CKM_RSA_PKCS_OAEP, Mechanism),
-	mkEntry(CKM_RSA_X9_31_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_RSA_X9_31, Mechanism),
-	mkEntry(CKM_SHA1_RSA_X9_31, Mechanism),
-	mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_DSA, Mechanism),
-	mkEntry(CKM_DSA_SHA1, Mechanism),
-	mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_DH_PKCS_DERIVE, Mechanism),
-	mkEntry(CKM_X9_42_DH_DERIVE, Mechanism),
-	mkEntry(CKM_X9_42_DH_HYBRID_DERIVE, Mechanism),
-	mkEntry(CKM_X9_42_MQV_DERIVE, Mechanism),
-	mkEntry(CKM_SHA256_RSA_PKCS, Mechanism),
-	mkEntry(CKM_SHA384_RSA_PKCS, Mechanism),
-	mkEntry(CKM_SHA512_RSA_PKCS, Mechanism),
-	mkEntry(CKM_RC2_KEY_GEN, Mechanism),
-	mkEntry(CKM_RC2_ECB, Mechanism),
-	mkEntry(CKM_RC2_CBC, Mechanism),
-	mkEntry(CKM_RC2_MAC, Mechanism),
-	mkEntry(CKM_RC2_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_RC2_CBC_PAD, Mechanism),
-	mkEntry(CKM_RC4_KEY_GEN, Mechanism),
-	mkEntry(CKM_RC4, Mechanism),
-	mkEntry(CKM_DES_KEY_GEN, Mechanism),
-	mkEntry(CKM_DES_ECB, Mechanism),
-	mkEntry(CKM_DES_CBC, Mechanism),
-	mkEntry(CKM_DES_MAC, Mechanism),
-	mkEntry(CKM_DES_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_DES_CBC_PAD, Mechanism),
-	mkEntry(CKM_DES2_KEY_GEN, Mechanism),
-	mkEntry(CKM_DES3_KEY_GEN, Mechanism),
-	mkEntry(CKM_DES3_ECB, Mechanism),
-	mkEntry(CKM_DES3_CBC, Mechanism),
-	mkEntry(CKM_DES3_MAC, Mechanism),
-	mkEntry(CKM_DES3_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_DES3_CBC_PAD, Mechanism),
-	mkEntry(CKM_CDMF_KEY_GEN, Mechanism),
-	mkEntry(CKM_CDMF_ECB, Mechanism),
-	mkEntry(CKM_CDMF_CBC, Mechanism),
-	mkEntry(CKM_CDMF_MAC, Mechanism),
-	mkEntry(CKM_CDMF_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CDMF_CBC_PAD, Mechanism),
-	mkEntry(CKM_MD2, Mechanism),
-	mkEntry(CKM_MD2_HMAC, Mechanism),
-	mkEntry(CKM_MD2_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_MD5, Mechanism),
-	mkEntry(CKM_MD5_HMAC, Mechanism),
-	mkEntry(CKM_MD5_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_SHA_1, Mechanism),
-	mkEntry(CKM_SHA_1_HMAC, Mechanism),
-	mkEntry(CKM_SHA_1_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_RIPEMD128, Mechanism),
-	mkEntry(CKM_RIPEMD128_HMAC, Mechanism),
-	mkEntry(CKM_RIPEMD128_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_RIPEMD160, Mechanism),
-	mkEntry(CKM_RIPEMD160_HMAC, Mechanism),
-	mkEntry(CKM_RIPEMD160_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_SHA256, Mechanism),
-	mkEntry(CKM_SHA256_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_SHA256_HMAC, Mechanism),
-	mkEntry(CKM_SHA384, Mechanism),
-	mkEntry(CKM_SHA384_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_SHA384_HMAC, Mechanism),
-	mkEntry(CKM_SHA512, Mechanism),
-	mkEntry(CKM_SHA512_HMAC_GENERAL, Mechanism),
-	mkEntry(CKM_SHA512_HMAC, Mechanism),
-	mkEntry(CKM_CAST_KEY_GEN, Mechanism),
-	mkEntry(CKM_CAST_ECB, Mechanism),
-	mkEntry(CKM_CAST_CBC, Mechanism),
-	mkEntry(CKM_CAST_MAC, Mechanism),
-	mkEntry(CKM_CAST_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CAST_CBC_PAD, Mechanism),
-	mkEntry(CKM_CAST3_KEY_GEN, Mechanism),
-	mkEntry(CKM_CAST3_ECB, Mechanism),
-	mkEntry(CKM_CAST3_CBC, Mechanism),
-	mkEntry(CKM_CAST3_MAC, Mechanism),
-	mkEntry(CKM_CAST3_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CAST3_CBC_PAD, Mechanism),
-	mkEntry(CKM_CAST5_KEY_GEN, Mechanism),
-	mkEntry(CKM_CAST128_KEY_GEN, Mechanism),
-	mkEntry(CKM_CAST5_ECB, Mechanism),
-	mkEntry(CKM_CAST128_ECB, Mechanism),
-	mkEntry(CKM_CAST5_CBC, Mechanism),
-	mkEntry(CKM_CAST128_CBC, Mechanism),
-	mkEntry(CKM_CAST5_MAC, Mechanism),
-	mkEntry(CKM_CAST128_MAC, Mechanism),
-	mkEntry(CKM_CAST5_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CAST128_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CAST5_CBC_PAD, Mechanism),
-	mkEntry(CKM_CAST128_CBC_PAD, Mechanism),
-	mkEntry(CKM_RC5_KEY_GEN, Mechanism),
-	mkEntry(CKM_RC5_ECB, Mechanism),
-	mkEntry(CKM_RC5_CBC, Mechanism),
-	mkEntry(CKM_RC5_MAC, Mechanism),
-	mkEntry(CKM_RC5_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_RC5_CBC_PAD, Mechanism),
-	mkEntry(CKM_IDEA_KEY_GEN, Mechanism),
-	mkEntry(CKM_IDEA_ECB, Mechanism),
-	mkEntry(CKM_IDEA_CBC, Mechanism),
-	mkEntry(CKM_IDEA_MAC, Mechanism),
-	mkEntry(CKM_IDEA_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_IDEA_CBC_PAD, Mechanism),
-	mkEntry(CKM_GENERIC_SECRET_KEY_GEN, Mechanism),
-	mkEntry(CKM_CONCATENATE_BASE_AND_KEY, Mechanism),
-	mkEntry(CKM_CONCATENATE_BASE_AND_DATA, Mechanism),
-	mkEntry(CKM_CONCATENATE_DATA_AND_BASE, Mechanism),
-	mkEntry(CKM_XOR_BASE_AND_DATA, Mechanism),
-	mkEntry(CKM_EXTRACT_KEY_FROM_KEY, Mechanism),
-	mkEntry(CKM_SSL3_PRE_MASTER_KEY_GEN, Mechanism),
-	mkEntry(CKM_SSL3_MASTER_KEY_DERIVE, Mechanism),
-	mkEntry(CKM_SSL3_KEY_AND_MAC_DERIVE, Mechanism),
-	mkEntry(CKM_SSL3_MASTER_KEY_DERIVE_DH, Mechanism),
-	mkEntry(CKM_TLS_PRE_MASTER_KEY_GEN, Mechanism),
-	mkEntry(CKM_TLS_MASTER_KEY_DERIVE, Mechanism),
-	mkEntry(CKM_TLS_KEY_AND_MAC_DERIVE, Mechanism),
-	mkEntry(CKM_TLS_MASTER_KEY_DERIVE_DH, Mechanism),
-	mkEntry(CKM_SSL3_MD5_MAC, Mechanism),
-	mkEntry(CKM_SSL3_SHA1_MAC, Mechanism),
-	mkEntry(CKM_MD5_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_MD2_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_SHA1_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_SHA256_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_SHA384_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_SHA512_KEY_DERIVATION, Mechanism),
-	mkEntry(CKM_PBE_MD2_DES_CBC, Mechanism),
-	mkEntry(CKM_PBE_MD5_DES_CBC, Mechanism),
-	mkEntry(CKM_PBE_MD5_CAST_CBC, Mechanism),
-	mkEntry(CKM_PBE_MD5_CAST3_CBC, Mechanism),
-	mkEntry(CKM_PBE_MD5_CAST5_CBC, Mechanism),
-	mkEntry(CKM_PBE_MD5_CAST128_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_CAST5_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_CAST128_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_RC4_128, Mechanism),
-	mkEntry(CKM_PBE_SHA1_RC4_40, Mechanism),
-	mkEntry(CKM_PBE_SHA1_DES3_EDE_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_DES2_EDE_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_RC2_128_CBC, Mechanism),
-	mkEntry(CKM_PBE_SHA1_RC2_40_CBC, Mechanism),
-	mkEntry(CKM_PKCS5_PBKD2, Mechanism),
-	mkEntry(CKM_PBA_SHA1_WITH_SHA1_HMAC, Mechanism),
-	mkEntry(CKM_KEY_WRAP_LYNKS, Mechanism),
-	mkEntry(CKM_KEY_WRAP_SET_OAEP, Mechanism),
-	mkEntry(CKM_SKIPJACK_KEY_GEN, Mechanism),
-	mkEntry(CKM_SKIPJACK_ECB64, Mechanism),
-	mkEntry(CKM_SKIPJACK_CBC64, Mechanism),
-	mkEntry(CKM_SKIPJACK_OFB64, Mechanism),
-	mkEntry(CKM_SKIPJACK_CFB64, Mechanism),
-	mkEntry(CKM_SKIPJACK_CFB32, Mechanism),
-	mkEntry(CKM_SKIPJACK_CFB16, Mechanism),
-	mkEntry(CKM_SKIPJACK_CFB8, Mechanism),
-	mkEntry(CKM_SKIPJACK_WRAP, Mechanism),
-	mkEntry(CKM_SKIPJACK_PRIVATE_WRAP, Mechanism),
-	mkEntry(CKM_SKIPJACK_RELAYX, Mechanism),
-	mkEntry(CKM_KEA_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_KEA_KEY_DERIVE, Mechanism),
-	mkEntry(CKM_FORTEZZA_TIMESTAMP, Mechanism),
-	mkEntry(CKM_BATON_KEY_GEN, Mechanism),
-	mkEntry(CKM_BATON_ECB128, Mechanism),
-	mkEntry(CKM_BATON_ECB96, Mechanism),
-	mkEntry(CKM_BATON_CBC128, Mechanism),
-	mkEntry(CKM_BATON_COUNTER, Mechanism),
-	mkEntry(CKM_BATON_SHUFFLE, Mechanism),
-	mkEntry(CKM_BATON_WRAP, Mechanism),
-	mkEntry(CKM_ECDSA_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism),
-	mkEntry(CKM_ECDSA, Mechanism),
-	mkEntry(CKM_ECDSA_SHA1, Mechanism),
-	mkEntry(CKM_ECDH1_DERIVE, Mechanism),
-	mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
-	mkEntry(CKM_ECMQV_DERIVE, Mechanism),
-	mkEntry(CKM_JUNIPER_KEY_GEN, Mechanism),
-	mkEntry(CKM_JUNIPER_ECB128, Mechanism),
-	mkEntry(CKM_JUNIPER_CBC128, Mechanism),
-	mkEntry(CKM_JUNIPER_COUNTER, Mechanism),
-	mkEntry(CKM_JUNIPER_SHUFFLE, Mechanism),
-	mkEntry(CKM_JUNIPER_WRAP, Mechanism),
-	mkEntry(CKM_FASTHASH, Mechanism),
-	mkEntry(CKM_AES_KEY_GEN, Mechanism),
-	mkEntry(CKM_AES_ECB, Mechanism),
-	mkEntry(CKM_AES_CBC, Mechanism),
-	mkEntry(CKM_AES_MAC, Mechanism),
-	mkEntry(CKM_AES_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_AES_CBC_PAD, Mechanism),
-	mkEntry(CKM_CAMELLIA_KEY_GEN, Mechanism),
-	mkEntry(CKM_CAMELLIA_ECB, Mechanism),
-	mkEntry(CKM_CAMELLIA_CBC, Mechanism),
-	mkEntry(CKM_CAMELLIA_MAC, Mechanism),
-	mkEntry(CKM_CAMELLIA_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_CAMELLIA_CBC_PAD, Mechanism),
-	mkEntry(CKM_SEED_KEY_GEN, Mechanism),
-	mkEntry(CKM_SEED_ECB, Mechanism),
-	mkEntry(CKM_SEED_CBC, Mechanism),
-	mkEntry(CKM_SEED_MAC, Mechanism),
-	mkEntry(CKM_SEED_MAC_GENERAL, Mechanism),
-	mkEntry(CKM_SEED_CBC_PAD, Mechanism),
-	mkEntry(CKM_SEED_ECB_ENCRYPT_DATA, Mechanism),
-	mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism),
-	mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
-	mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, Mechanism),
-	mkEntry(CKM_TLS_PRF_GENERAL, Mechanism),
-
-	mkEntry(CKR_OK, Result),
-	mkEntry(CKR_CANCEL, Result),
-	mkEntry(CKR_HOST_MEMORY, Result),
-	mkEntry(CKR_SLOT_ID_INVALID, Result),
-	mkEntry(CKR_GENERAL_ERROR, Result),
-	mkEntry(CKR_FUNCTION_FAILED, Result),
-	mkEntry(CKR_ARGUMENTS_BAD, Result),
-	mkEntry(CKR_NO_EVENT, Result),
-	mkEntry(CKR_NEED_TO_CREATE_THREADS, Result),
-	mkEntry(CKR_CANT_LOCK, Result),
-	mkEntry(CKR_ATTRIBUTE_READ_ONLY, Result),
-	mkEntry(CKR_ATTRIBUTE_SENSITIVE, Result),
-	mkEntry(CKR_ATTRIBUTE_TYPE_INVALID, Result),
-	mkEntry(CKR_ATTRIBUTE_VALUE_INVALID, Result),
-	mkEntry(CKR_DATA_INVALID, Result),
-	mkEntry(CKR_DATA_LEN_RANGE, Result),
-	mkEntry(CKR_DEVICE_ERROR, Result),
-	mkEntry(CKR_DEVICE_MEMORY, Result),
-	mkEntry(CKR_DEVICE_REMOVED, Result),
-	mkEntry(CKR_ENCRYPTED_DATA_INVALID, Result),
-	mkEntry(CKR_ENCRYPTED_DATA_LEN_RANGE, Result),
-	mkEntry(CKR_FUNCTION_CANCELED, Result),
-	mkEntry(CKR_FUNCTION_NOT_PARALLEL, Result),
-	mkEntry(CKR_FUNCTION_NOT_SUPPORTED, Result),
-	mkEntry(CKR_KEY_HANDLE_INVALID, Result),
-	mkEntry(CKR_KEY_SIZE_RANGE, Result),
-	mkEntry(CKR_KEY_TYPE_INCONSISTENT, Result),
-	mkEntry(CKR_KEY_NOT_NEEDED, Result),
-	mkEntry(CKR_KEY_CHANGED, Result),
-	mkEntry(CKR_KEY_NEEDED, Result),
-	mkEntry(CKR_KEY_INDIGESTIBLE, Result),
-	mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result),
-	mkEntry(CKR_KEY_NOT_WRAPPABLE, Result),
-	mkEntry(CKR_KEY_UNEXTRACTABLE, Result),
-	mkEntry(CKR_KEY_PARAMS_INVALID, Result),
-	mkEntry(CKR_MECHANISM_INVALID, Result),
-	mkEntry(CKR_MECHANISM_PARAM_INVALID, Result),
-	mkEntry(CKR_OBJECT_HANDLE_INVALID, Result),
-	mkEntry(CKR_OPERATION_ACTIVE, Result),
-	mkEntry(CKR_OPERATION_NOT_INITIALIZED, Result),
-	mkEntry(CKR_PIN_INCORRECT, Result),
-	mkEntry(CKR_PIN_INVALID, Result),
-	mkEntry(CKR_PIN_LEN_RANGE, Result),
-	mkEntry(CKR_PIN_EXPIRED, Result),
-	mkEntry(CKR_PIN_LOCKED, Result),
-	mkEntry(CKR_SESSION_CLOSED, Result),
-	mkEntry(CKR_SESSION_COUNT, Result),
-	mkEntry(CKR_SESSION_HANDLE_INVALID, Result),
-	mkEntry(CKR_SESSION_PARALLEL_NOT_SUPPORTED, Result),
-	mkEntry(CKR_SESSION_READ_ONLY, Result),
-	mkEntry(CKR_SESSION_EXISTS, Result),
-	mkEntry(CKR_SESSION_READ_ONLY_EXISTS, Result),
-	mkEntry(CKR_SESSION_READ_WRITE_SO_EXISTS, Result),
-	mkEntry(CKR_SIGNATURE_INVALID, Result),
-	mkEntry(CKR_SIGNATURE_LEN_RANGE, Result),
-	mkEntry(CKR_TEMPLATE_INCOMPLETE, Result),
-	mkEntry(CKR_TEMPLATE_INCONSISTENT, Result),
-	mkEntry(CKR_TOKEN_NOT_PRESENT, Result),
-	mkEntry(CKR_TOKEN_NOT_RECOGNIZED, Result),
-	mkEntry(CKR_TOKEN_WRITE_PROTECTED, Result),
-	mkEntry(CKR_UNWRAPPING_KEY_HANDLE_INVALID, Result),
-	mkEntry(CKR_UNWRAPPING_KEY_SIZE_RANGE, Result),
-	mkEntry(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, Result),
-	mkEntry(CKR_USER_ALREADY_LOGGED_IN, Result),
-	mkEntry(CKR_USER_NOT_LOGGED_IN, Result),
-	mkEntry(CKR_USER_PIN_NOT_INITIALIZED, Result),
-	mkEntry(CKR_USER_TYPE_INVALID, Result),
-	mkEntry(CKR_USER_ANOTHER_ALREADY_LOGGED_IN, Result),
-	mkEntry(CKR_USER_TOO_MANY_TYPES, Result),
-	mkEntry(CKR_WRAPPED_KEY_INVALID, Result),
-	mkEntry(CKR_WRAPPED_KEY_LEN_RANGE, Result),
-	mkEntry(CKR_WRAPPING_KEY_HANDLE_INVALID, Result),
-	mkEntry(CKR_WRAPPING_KEY_SIZE_RANGE, Result),
-	mkEntry(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, Result),
-	mkEntry(CKR_RANDOM_SEED_NOT_SUPPORTED, Result),
-	mkEntry(CKR_RANDOM_NO_RNG, Result),
-	mkEntry(CKR_DOMAIN_PARAMS_INVALID, Result),
-	mkEntry(CKR_BUFFER_TOO_SMALL, Result),
-	mkEntry(CKR_SAVED_STATE_INVALID, Result),
-	mkEntry(CKR_INFORMATION_SENSITIVE, Result),
-	mkEntry(CKR_STATE_UNSAVEABLE, Result),
-	mkEntry(CKR_CRYPTOKI_NOT_INITIALIZED, Result),
-	mkEntry(CKR_CRYPTOKI_ALREADY_INITIALIZED, Result),
-	mkEntry(CKR_MUTEX_BAD, Result),
-	mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
-	mkEntry(CKR_VENDOR_DEFINED, Result),
-
-	mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
-	mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
-	mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
-	mkEntry(CKT_NETSCAPE_VALID, Trust),
-	mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
-
-	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
-	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
-};
-
-const Constant *consts = &_consts[0];
-const int constCount = sizeof(_consts)/sizeof(_consts[0]);
-
-const Commands _commands[] = {
-    {"C_Initialize", F_C_Initialize,
-"C_Initialize pInitArgs\n\n"
-"C_Initialize initializes the PKCS #11 library.\n"
-"  pInitArgs  if this is not NULL_PTR it gets cast to and dereferenced\n",
-	{ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Finalize", F_C_Finalize,
-"C_Finalize pReserved\n\n"
-"C_Finalize indicates that an application is done with the PKCS #11 library.\n"
-" pReserved  reserved. Should be NULL_PTR\n",
-	{ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetInfo", F_C_GetInfo,
-"C_GetInfo pInfo\n\n"
-"C_GetInfo returns general information about PKCS #11.\n"
-" pInfo   location that receives information\n",
-	{ArgInfo|ArgOut,   ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetFunctionList", F_C_GetFunctionList,
-"C_GetFunctionList ppFunctionList\n\n"
-"C_GetFunctionList returns the function list.\n"
-" ppFunctionList   receives pointer to function list\n",
-	{ArgFunctionList|ArgOut,   ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetSlotList", F_C_GetSlotList,
-"C_GetSlotList tokenPresent pSlotList pulCount\n\n"
-"C_GetSlotList obtains a list of slots in the system.\n"
-" tokenPresent    only slots with tokens?\n"
-" pSlotList       receives array of slot IDs\n"
-" pulCount        receives number of slots\n",
-	{ArgULong, ArgULong|ArgArray|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetSlotInfo", F_C_GetSlotInfo,
-"C_GetSlotInfo slotID pInfo\n\n"
-"C_GetSlotInfo obtains information about a particular slot in the system.\n"
-" slotID    the ID of the slot\n"
-" pInfo     receives the slot information\n",
-	{ArgULong, ArgSlotInfo|ArgOut, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetTokenInfo", F_C_GetTokenInfo,
-"C_GetTokenInfo slotID pInfo\n\n"
-"C_GetTokenInfo obtains information about a particular token in the system.\n"
-" slotID    ID of the token's slot\n"
-" pInfo     receives the token information\n",
-	{ArgULong, ArgTokenInfo|ArgOut, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetMechanismList", F_C_GetMechanismList,
-"C_GetMechanismList slotID pMechanismList pulCount\n\n"
-"C_GetMechanismList obtains a list of mechanism types supported by a token.\n"
-" slotID            ID of token's slot\n"
-" pMechanismList    gets mech. array\n"
-" pulCount          gets # of mechs.\n",
-	{ArgULong, ArgULong|ArgArray|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetMechanismInfo", F_C_GetMechanismInfo,
-"C_GetMechanismInfo slotID type pInfo\n\n"
-"C_GetMechanismInfo obtains information about a particular mechanism possibly\n"
-"supported by a token.\n"
-" slotID    ID of the token's slot\n"
-" type      type of mechanism\n"
-" pInfo     receives mechanism info\n",
-	{ArgULong, ArgULong, ArgMechanismInfo|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_InitToken", F_C_InitToken,
-"C_InitToken slotID pPin ulPinLen pLabel\n\n"
-"C_InitToken initializes a token.\n"
-" slotID      ID of the token's slot\n"
-" pPin        the SO's initial PIN\n"
-" ulPinLen    length in bytes of the PIN\n"
-" pLabel      32-byte token label (blank padded)\n",
-	{ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_InitPIN", F_C_InitPIN,
-"C_InitPIN hSession pPin ulPinLen\n\n"
-"C_InitPIN initializes the normal user's PIN.\n"
-" hSession    the session's handle\n"
-" pPin        the normal user's PIN\n"
-" ulPinLen    length in bytes of the PIN\n",
-	{ArgULong, ArgUTF8, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SetPIN", F_C_SetPIN,
-"C_SetPIN hSession pOldPin ulOldLen pNewPin ulNewLen\n\n"
-"C_SetPIN modifies the PIN of the user who is logged in.\n"
-" hSession    the session's handle\n"
-" pOldPin     the old PIN\n"
-" ulOldLen    length of the old PIN\n"
-" pNewPin     the new PIN\n"
-" ulNewLen    length of the new PIN\n",
-	{ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgULong,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_OpenSession", F_C_OpenSession,
-"C_OpenSession slotID flags phSession\n\n"
-"C_OpenSession opens a session between an application and a token.\n"
-" slotID          the slot's ID\n"
-" flags           from\n"
-" phSession       gets session handle\n",
-	{ArgULong, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_CloseSession", F_C_CloseSession,
-"C_CloseSession hSession\n\n"
-"C_CloseSession closes a session between an application and a token.\n"
-" hSession   the session's handle\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_CloseAllSessions", F_C_CloseAllSessions,
-"C_CloseAllSessions slotID\n\n"
-"C_CloseAllSessions closes all sessions with a token.\n"
-" slotID   the token's slot\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetSessionInfo", F_C_GetSessionInfo,
-"C_GetSessionInfo hSession pInfo\n\n"
-"C_GetSessionInfo obtains information about the session.\n"
-" hSession    the session's handle\n"
-" pInfo       receives session info\n",
-	{ArgULong, ArgSessionInfo|ArgOut, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetOperationState", F_C_GetOperationState,
-"C_GetOperationState hSession pOpState pulOpStateLen\n\n"
-"C_GetOperationState obtains the state of the cryptographic operation in a\n"
-"session.\n"
-" hSession        session's handle\n"
-" pOpState        gets state\n"
-" pulOpStateLen   gets state length\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SetOperationState", F_C_SetOperationState,
-"C_SetOperationState hSession pOpState ulOpStateLen hEncKey hAuthKey\n\n"
-"C_SetOperationState restores the state of the cryptographic operation in a\n"
-"session.\n"
-" hSession        session's handle\n"
-" pOpState        holds state\n"
-" ulOpStateLen    holds state length\n"
-" hEncKey         en/decryption key\n"
-" hAuthnKey       sign/verify key\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong, ArgULong, ArgULong,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Login", F_C_Login,
-"C_Login hSession userType pPin ulPinLen\n\n"
-"C_Login logs a user into a token.\n"
-" hSession    the session's handle\n"
-" userType    the user type\n"
-" pPin        the user's PIN\n"
-" ulPinLen    the length of the PIN\n",
-	{ArgULong, ArgULong, ArgVar, ArgULong, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Logout", F_C_Logout,
-"C_Logout hSession\n\n"
-"C_Logout logs a user out from a token.\n"
-" hSession   the session's handle\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_CreateObject", F_C_CreateObject,
-"C_CreateObject hSession pTemplate ulCount phObject\n\n"
-"C_CreateObject creates a new object.\n"
-" hSession      the session's handle\n"
-" pTemplate     the object's template\n"
-" ulCount       attributes in template\n"
-" phObject   gets new object's handle.\n",
-	{ArgULong, ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_CopyObject", F_C_CopyObject,
-"C_CopyObject hSession hObject pTemplate ulCount phNewObject\n\n"
-"C_CopyObject copies an object creating a new object for the copy.\n"
-" hSession      the session's handle\n"
-" hObject       the object's handle\n"
-" pTemplate     template for new object\n"
-" ulCount       attributes in template\n"
-" phNewObject   receives handle of copy\n",
-	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DestroyObject", F_C_DestroyObject,
-"C_DestroyObject hSession hObject\n\n"
-"C_DestroyObject destroys an object.\n"
-" hSession    the session's handle\n"
-" hObject     the object's handle\n",
-	{ArgULong, ArgULong, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetObjectSize", F_C_GetObjectSize,
-"C_GetObjectSize hSession hObject pulSize\n\n"
-"C_GetObjectSize gets the size of an object in bytes.\n"
-" hSession    the session's handle\n"
-" hObject     the object's handle\n"
-" pulSize     receives size of object\n",
-	{ArgULong, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetAttributeValue", F_C_GetAttributeValue,
-"C_GetAttributeValue hSession hObject pTemplate ulCount\n\n"
-"C_GetAttributeValue obtains the value of one or more object attributes.\n"
-" hSession     the session's handle\n"
-" hObject      the object's handle\n"
-" pTemplate    specifies attrs; gets vals\n"
-" ulCount      attributes in template\n",
-	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SetAttributeValue", F_C_SetAttributeValue,
-"C_SetAttributeValue hSession hObject pTemplate ulCount\n\n"
-"C_SetAttributeValue modifies the value of one or more object attributes\n"
-" hSession     the session's handle\n"
-" hObject      the object's handle\n"
-" pTemplate    specifies attrs and values\n"
-" ulCount      attributes in template\n",
-	{ArgULong, ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_FindObjectsInit", F_C_FindObjectsInit,
-"C_FindObjectsInit hSession pTemplate ulCount\n\n"
-"C_FindObjectsInit initializes a search for token and session objects that\n"
-"match a template.\n"
-" hSession     the session's handle\n"
-" pTemplate    attribute values to match\n"
-" ulCount      attrs in search template\n",
-	{ArgULong, ArgAttribute|ArgArray, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_FindObjectsFinal", F_C_FindObjectsFinal,
-"C_FindObjectsFinal hSession\n\n"
-"C_FindObjectsFinal finishes a search for token and session objects.\n"
-" hSession   the session's handle\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_FindObjects", F_C_FindObjects,
-"C_FindObjects hSession phObject ulMaxObjectCount pulObjectCount\n\n"
-"C_FindObjects continues a search for token and session objects that match\n"
-"a template obtaining additional object handles.\n"
-" hSession            session's handle\n"
-" phObject            gets obj. handles\n"
-" ulMaxObjectCount    max handles to get\n"
-" pulObjectCount      actual # returned\n",
-	{ArgULong, ArgULong|ArgOut, ArgULong, ArgULong|ArgOut, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_EncryptInit", F_C_EncryptInit,
-"C_EncryptInit hSession pMechanism hKey\n\n"
-"C_EncryptInit initializes an encryption operation.\n"
-" hSession      the session's handle\n"
-" pMechanism    the encryption mechanism\n"
-" hKey          handle of encryption key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_EncryptUpdate", F_C_EncryptUpdate,
-"C_EncryptUpdate hSession pPart ulPartLen pEncryptedPart pulEncryptedPartLen\n"
-"\n"
-"C_EncryptUpdate continues a multiple-part encryption operation.\n"
-" hSession             session's handle\n"
-" pPart                the plaintext data\n"
-" ulPartLen            plaintext data len\n"
-" pEncryptedPart       gets ciphertext\n"
-" pulEncryptedPartLen  gets c-text size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_EncryptFinal", F_C_EncryptFinal,
-"C_EncryptFinal hSession pLastEncryptedPart pulLastEncryptedPartLen\n\n"
-"C_EncryptFinal finishes a multiple-part encryption operation.\n"
-" hSession                  session handle\n"
-" pLastEncryptedPart        last c-text\n"
-" pulLastEncryptedPartLen   gets last size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Encrypt", F_C_Encrypt,
-"C_Encrypt hSession pData ulDataLen pEncryptedData pulEncryptedDataLen\n\n"
-"C_Encrypt encrypts single-part data.\n"
-" hSession              session's handle\n"
-" pData                 the plaintext data\n"
-" ulDataLen             bytes of plaintext\n"
-" pEncryptedData        gets ciphertext\n"
-" pulEncryptedDataLen   gets c-text size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DecryptInit", F_C_DecryptInit,
-"C_DecryptInit hSession pMechanism hKey\n\n"
-"C_DecryptInit initializes a decryption operation.\n"
-" hSession      the session's handle\n"
-" pMechanism    the decryption mechanism\n"
-" hKey          handle of decryption key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DecryptUpdate", F_C_DecryptUpdate,
-"C_DecryptUpdate hSession pEncryptedPart ulEncryptedPartLen pPart pulPartLen\n"
-"\n"
-"C_DecryptUpdate continues a multiple-part decryption operation.\n"
-" hSession              session's handle\n"
-" pEncryptedPart        encrypted data\n"
-" ulEncryptedPartLen    input length\n"
-" pPart                 gets plaintext\n"
-" pulPartLen            p-text size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DecryptFinal", F_C_DecryptFinal,
-"C_DecryptFinal hSession pLastPart pulLastPartLen\n\n"
-"C_DecryptFinal finishes a multiple-part decryption operation.\n"
-" hSession         the session's handle\n"
-" pLastPart        gets plaintext\n"
-" pulLastPartLen   p-text size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Decrypt", F_C_Decrypt,
-"C_Decrypt hSession pEncryptedData ulEncryptedDataLen pData pulDataLen\n\n"
-"C_Decrypt decrypts encrypted data in a single part.\n"
-" hSession             session's handle\n"
-" pEncryptedData       ciphertext\n"
-" ulEncryptedDataLen   ciphertext length\n"
-" pData                gets plaintext\n"
-" pulDataLen           gets p-text size\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DigestInit", F_C_DigestInit,
-"C_DigestInit hSession pMechanism\n\n"
-"C_DigestInit initializes a message-digesting operation.\n"
-" hSession     the session's handle\n"
-" pMechanism   the digesting mechanism\n",
-	{ArgULong, ArgMechanism, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DigestUpdate", F_C_DigestUpdate,
-"C_DigestUpdate hSession pPart ulPartLen\n\n"
-"C_DigestUpdate continues a multiple-part message-digesting operation.\n"
-" hSession    the session's handle\n"
-" pPart       data to be digested\n"
-" ulPartLen   bytes of data to be digested\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DigestKey", F_C_DigestKey,
-"C_DigestKey hSession hKey\n\n"
-"C_DigestKey continues a multi-part message-digesting operation by digesting\n"
-"the value of a secret key as part of the data already digested.\n"
-" hSession    the session's handle\n"
-" hKey        secret key to digest\n",
-	{ArgULong, ArgULong, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DigestFinal", F_C_DigestFinal,
-"C_DigestFinal hSession pDigest pulDigestLen\n\n"
-"C_DigestFinal finishes a multiple-part message-digesting operation.\n"
-" hSession       the session's handle\n"
-" pDigest        gets the message digest\n"
-" pulDigestLen   gets byte count of digest\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Digest", F_C_Digest,
-"C_Digest hSession pData ulDataLen pDigest pulDigestLen\n\n"
-"C_Digest digests data in a single part.\n"
-" hSession       the session's handle\n"
-" pData          data to be digested\n"
-" ulDataLen      bytes of data to digest\n"
-" pDigest        gets the message digest\n"
-" pulDigestLen   gets digest length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignInit", F_C_SignInit,
-"C_SignInit hSession pMechanism hKey\n\n"
-"C_SignInit initializes a signature (private key encryption operation where\n"
-"the signature is (will be) an appendix to the data and plaintext cannot be\n"
-"recovered from the signature.\n"
-" hSession      the session's handle\n"
-" pMechanism    the signature mechanism\n"
-" hKey          handle of signature key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignUpdate", F_C_SignUpdate,
-"C_SignUpdate hSession pPart ulPartLen\n\n"
-"C_SignUpdate continues a multiple-part signature operation where the\n"
-"signature is (will be) an appendix to the data and plaintext cannot be\n"
-"recovered from the signature.\n"
-" hSession    the session's handle\n"
-" pPart       the data to sign\n"
-" ulPartLen   count of bytes to sign\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignFinal", F_C_SignFinal,
-"C_SignFinal hSession pSignature pulSignatureLen\n\n"
-"C_SignFinal finishes a multiple-part signature operation returning the\n"
-"signature.\n"
-" hSession          the session's handle\n"
-" pSignature        gets the signature\n"
-" pulSignatureLen   gets signature length\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignRecoverInit", F_C_SignRecoverInit,
-"C_SignRecoverInit hSession pMechanism hKey\n\n"
-"C_SignRecoverInit initializes a signature operation where the data can be\n"
-"recovered from the signature.\n"
-" hSession     the session's handle\n"
-" pMechanism   the signature mechanism\n"
-" hKey         handle of the signature key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignRecover", F_C_SignRecover,
-"C_SignRecover hSession pData ulDataLen pSignature pulSignatureLen\n\n"
-"C_SignRecover signs data in a single operation where the data can be\n"
-"recovered from the signature.\n"
-" hSession          the session's handle\n"
-" pData             the data to sign\n"
-" ulDataLen         count of bytes to sign\n"
-" pSignature        gets the signature\n"
-" pulSignatureLen   gets signature length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Sign", F_C_Sign,
-"C_Sign hSession pData ulDataLen pSignature pulSignatureLen\n\n"
-"C_Sign signs (encrypts with private key) data in a single part where the\n"
-"signature is (will be) an appendix to the data and plaintext cannot be\n"
-"recovered from the signature.\n"
-" hSession          the session's handle\n"
-" pData             the data to sign\n"
-" ulDataLen         count of bytes to sign\n"
-" pSignature        gets the signature\n"
-" pulSignatureLen   gets signature length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_VerifyInit", F_C_VerifyInit,
-"C_VerifyInit hSession pMechanism hKey\n\n"
-"C_VerifyInit initializes a verification operation where the signature is an\n"
-"appendix to the data and plaintext cannot cannot be recovered from the\n"
-"signature (e.g. DSA).\n"
-" hSession      the session's handle\n"
-" pMechanism    the verification mechanism\n"
-" hKey          verification key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_VerifyUpdate", F_C_VerifyUpdate,
-"C_VerifyUpdate hSession pPart ulPartLen\n\n"
-"C_VerifyUpdate continues a multiple-part verification operation where the\n"
-"signature is an appendix to the data and plaintext cannot be recovered from\n"
-"the signature.\n"
-" hSession    the session's handle\n"
-" pPart       signed data\n"
-" ulPartLen   length of signed data\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_VerifyFinal", F_C_VerifyFinal,
-"C_VerifyFinal hSession pSignature ulSignatureLen\n\n"
-"C_VerifyFinal finishes a multiple-part verification operation checking the\n"
-"signature.\n"
-" hSession         the session's handle\n"
-" pSignature       signature to verify\n"
-" ulSignatureLen   signature length\n",
-	{ArgULong, ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_VerifyRecoverInit", F_C_VerifyRecoverInit,
-"C_VerifyRecoverInit hSession pMechanism hKey\n\n"
-"C_VerifyRecoverInit initializes a signature verification operation where the\n"
-"data is recovered from the signature.\n"
-" hSession      the session's handle\n"
-" pMechanism    the verification mechanism\n"
-" hKey          verification key\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_VerifyRecover", F_C_VerifyRecover,
-"C_VerifyRecover hSession pSignature ulSignatureLen pData pulDataLen\n\n"
-"C_VerifyRecover verifies a signature in a single-part operation where the\n"
-"data is recovered from the signature.\n"
-" hSession          the session's handle\n"
-" pSignature        signature to verify\n"
-" ulSignatureLen    signature length\n"
-" pData             gets signed data\n"
-" pulDataLen        gets signed data len\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_Verify", F_C_Verify,
-"C_Verify hSession pData ulDataLen pSignature ulSignatureLen\n\n"
-"C_Verify verifies a signature in a single-part operation where the signature\n"
-"is an appendix to the data and plaintext cannot be recovered from the\n"
-"signature.\n"
-" hSession         the session's handle\n"
-" pData            signed data\n"
-" ulDataLen        length of signed data\n"
-" pSignature       signature\n"
-" ulSignatureLen   signature length*/\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DigestEncryptUpdate", F_C_DigestEncryptUpdate,
-"C_DigestEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n"
-"    pulEncryptedPartLen\n\n"
-"C_DigestEncryptUpdate continues a multiple-part digesting and encryption\n"
-"operation.\n"
-" hSession              session's handle\n"
-" pPart                 the plaintext data\n"
-" ulPartLen             plaintext length\n"
-" pEncryptedPart        gets ciphertext\n"
-" pulEncryptedPartLen   gets c-text length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DecryptDigestUpdate", F_C_DecryptDigestUpdate,
-"C_DecryptDigestUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n"
-"    pulPartLen\n\n"
-"C_DecryptDigestUpdate continues a multiple-part decryption and digesting\n"
-"operation.\n"
-" hSession              session's handle\n"
-" pEncryptedPart        ciphertext\n"
-" ulEncryptedPartLen    ciphertext length\n"
-" pPart                 gets plaintext\n"
-" pulPartLen            gets plaintext len\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SignEncryptUpdate", F_C_SignEncryptUpdate,
-"C_SignEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n"
-"    pulEncryptedPartLen\n\n"
-"C_SignEncryptUpdate continues a multiple-part signing and encryption\n"
-"operation.\n"
-" hSession              session's handle\n"
-" pPart                 the plaintext data\n"
-" ulPartLen             plaintext length\n"
-" pEncryptedPart        gets ciphertext\n"
-" pulEncryptedPartLen   gets c-text length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_DecryptVerifyUpdate", F_C_DecryptVerifyUpdate,
-"C_DecryptVerifyUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n"
-"    pulPartLen\n\n"
-"C_DecryptVerifyUpdate continues a multiple-part decryption and verify\n"
-"operation.\n"
-" hSession              session's handle\n"
-" pEncryptedPart        ciphertext\n"
-" ulEncryptedPartLen    ciphertext length\n"
-" pPart                 gets plaintext\n"
-" pulPartLen            gets p-text length\n",
-	{ArgULong, ArgChar, ArgULong, ArgChar|ArgOut, ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GenerateKeyPair", F_C_GenerateKeyPair,
-"C_GenerateKeyPair hSession pMechanism pPublicKeyTemplate \\\n"
-"    ulPublicKeyAttributeCount pPrivateKeyTemplate ulPrivateKeyAttributeCount \\\n"
-"    phPublicKey phPrivateKey\n\n"
-"C_GenerateKeyPair generates a public-key/private-key pair creating new key\n"
-"objects.\n"
-" hSession                      sessionhandle\n"
-" pMechanism                    key-genmech.\n"
-" pPublicKeyTemplate            templatefor pub. key\n"
-" ulPublicKeyAttributeCount     # pub. attrs.\n"
-" pPrivateKeyTemplate           templatefor priv. key\n"
-" ulPrivateKeyAttributeCount    # priv. attrs.\n"
-" phPublicKey                   gets pub. keyhandle\n"
-" phPrivateKey                  getspriv. keyhandle\n",
-	{ArgULong, ArgMechanism, ArgAttribute|ArgArray, ArgULong, 
-						ArgAttribute|ArgArray,
-	 ArgULong, ArgULong|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone }},
-    {"C_GenerateKey", F_C_GenerateKey,
-"C_GenerateKey hSession pMechanism pTemplate ulCount phKey\n\n"
-"C_GenerateKey generates a secret key creating a new key object.\n"
-" hSession      the session's handle\n"
-" pMechanism    key generation mech.\n"
-" pTemplate     template for new key\n"
-" ulCount       # of attrs in template\n"
-" phKey         gets handle of new key\n",
-	{ArgULong, ArgMechanism, ArgAttribute|ArgArray, ArgULong, 
-	 					ArgULong|ArgOut,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_WrapKey", F_C_WrapKey,
-"C_WrapKey hSession pMechanism hWrappingKey hKey pWrappedKey pulWrappedKeyLen\n\n"
-"C_WrapKey wraps (i.e. encrypts) a key.\n"
-" hSession          the session's handle\n"
-" pMechanism        the wrapping mechanism\n"
-" hWrappingKey      wrapping key\n"
-" hKey              key to be wrapped\n"
-" pWrappedKey       gets wrapped key\n"
-" pulWrappedKeyLen  gets wrapped key size\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgULong, ArgULong,
-	 ArgChar|ArgOut, ArgULong|ArgOut, ArgNone, ArgNone, ArgNone }},
-    {"C_UnwrapKey", F_C_UnwrapKey,
-"C_UnwrapKey hSession pMechanism hUnwrappingKey pWrappedKey ulWrappedKeyLen \\\n"
-"    pTemplate ulAttributeCount phKey\n\n"
-"C_UnwrapKey unwraps (decrypts) a wrapped key creating a new key object.\n"
-" hSession            session's handle\n"
-" pMechanism          unwrapping mech.\n"
-" hUnwrappingKey      unwrapping key\n"
-" pWrappedKey         the wrapped key\n"
-" ulWrappedKeyLen     wrapped key len\n"
-" pTemplate           new key template\n"
-" ulAttributeCount    template length\n"
-" phKey               gets new handle\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgChar, ArgULong,
-	 ArgAttribute|ArgArray, ArgULong, ArgULong|ArgOut, ArgNone, ArgNone }},
-    {"C_DeriveKey", F_C_DeriveKey,
-"C_DeriveKey hSession pMechanism hBaseKey pTemplate ulAttributeCount phKey\n\n"
-"C_DeriveKey derives a key from a base key creating a new key object.\n"
-" hSession            session's handle\n"
-" pMechanism          key deriv. mech.\n"
-" hBaseKey            base key\n"
-" pTemplate           new key template\n"
-" ulAttributeCount    template length\n"
-" phKey               gets new handle\n",
-	{ArgULong, ArgMechanism, ArgULong, ArgAttribute|ArgArray,  ArgULong,
-	 ArgULong|ArgOut, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_SeedRandom", F_C_SeedRandom,
-"C_SeedRandom hSession pSeed ulSeedLen\n\n"
-"C_SeedRandom mixes additional seed material into the token's random number\n"
-"generator.\n"
-" hSession    the session's handle\n"
-" pSeed       the seed material\n"
-" ulSeedLen   length of seed material\n",
-	{ArgULong, ArgChar, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GenerateRandom", F_C_GenerateRandom,
-"C_GenerateRandom hSession RandomData ulRandomLen\n\n"
-"C_GenerateRandom generates random data.\n"
-" hSession      the session's handle\n"
-" RandomData    receives the random data\n"
-" ulRandomLen   # of bytes to generate\n",
-	{ArgULong, ArgChar, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_GetFunctionStatus", F_C_GetFunctionStatus,
-"C_GetFunctionStatus hSession\n\n"
-"C_GetFunctionStatus is a legacy function; it obtains an updated status of\n"
-"a function running in parallel with an application.\n"
-" hSession   the session's handle\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_CancelFunction", F_C_CancelFunction,
-"C_CancelFunction hSession\n\n"
-"C_CancelFunction is a legacy function; it cancels a function running in\n"
-"parallel.\n"
-" hSession   the session's handle\n",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"C_WaitForSlotEvent", F_C_WaitForSlotEvent,
-"C_WaitForSlotEvent flags pSlot pRserved\n\n"
-"C_WaitForSlotEvent waits for a slot event (token insertion removal etc.)\n"
-"to occur.\n"
-" flags          blocking/nonblocking flag\n"
-" pSlot    location that receives the slot ID\n"
-" pRserved    reserved.  Should be NULL_PTR\n",
-	{ArgULong, ArgULong|ArgArray, ArgVar, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"NewArray", F_NewArray,
-"NewArray varName varType array size\n\n"
-"Creates a new array variable.\n"
-" varName     variable name of the new array\n"
-" varType     data type of the new array\n"
-" size        number of elements in the array\n",
-	{ArgVar|ArgNew, ArgVar, ArgULong, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"NewInitArg", F_NewInitializeArgs,
-"NewInitArg varName flags string\n\n"
-"Creates a new init variable.\n"
-" varName     variable name of the new initArg\n"
-" flags       value to set the flags field\n"
-" string      string parameter for init arg\n",
-	{ArgVar|ArgNew, ArgULong, ArgVar|ArgNew, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"NewTemplate", F_NewTemplate,
-"NewTemplate varName attributeList\n\n"
-"Create a new empty template and populate the attribute list\n"
-" varName        variable name of the new template\n"
-" attributeList  comma separated list of CKA_ATTRIBUTE types\n",
-	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"NewMechanism", F_NewMechanism,
-"NewMechanism varName mechanismType\n\n"
-"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
-" varName        variable name of the new mechansim\n"
-" mechanismType  CKM_ mechanism type value to set int the type field\n",
-	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"BuildTemplate", F_BuildTemplate,
-"BuildTemplate template\n\n"
-"Allocates space for the value in a template which has the sizes filled in,\n"
-"but no values allocated yet.\n"
-" template        variable name of the template\n",
-	{ArgAttribute, ArgNone, ArgNone, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"SetTemplate", F_SetTemplate,
-"SetTemplate template index value\n\n"
-"Sets a particular element of a template to a CK_ULONG\n"
-" template        variable name of the template\n"
-" index           index into the template to the element to change\n"
-" value           32 bit value to set in the template\n",
-	{ArgAttribute, ArgULong, ArgULong, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"SetString", F_SetStringVar,
-"SetString varName string\n\n"
-"Sets a particular variable to a string value\n"
-" variable        variable name of new string\n"
-" string	         String to set the variable to\n",
-	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Set", F_SetVar,
-"Set varName value\n\n"
-"Sets a particular variable to CK_ULONG\n"
-" variable        name of the new variable\n"
-" value           32 bit value to set variable to\n",
-	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Print", F_Print,
-"Print varName\n\n"
-"prints a variable\n"
-" variable        name of the variable to print\n",
-	{ArgVar, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Delete", F_Delete,
-"Delete varName\n\n"
-"delete a variable\n"
-" variable        name of the variable to delete\n",
-	{ArgVar|ArgNew, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Load", F_Load,
-"load libraryName\n\n"
-"load a pkcs #11 module\n"
-" libraryName        Name of a shared library\n",
-	{ArgVar, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Save", F_SaveVar,
-"Save filename variable\n\n"
-"Saves the binary value of 'variable' in file 'filename'\n"
-" fileName        target file to save the variable in\n"
-" variable        variable to save\n",
-	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Restore", F_RestoreVar,
-"Restore filename variable\n\n"
-"Restores a variable from a file\n"
-" fileName        target file to restore the variable from\n"
-" variable        variable to restore\n",
-	{ArgVar|ArgNew, ArgVar, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Increment", F_Increment,
-"Increment variable value\n\n"
-"Increment a variable by value\n",
-	{ArgVar, ArgULong, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Decrement", F_Decrement,
-"Decrement variable value\n\n"
-"Decrement a variable by value\n",
-	{ArgVar, ArgULong, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"List", F_List,
-"List all the variables\n",
-	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Unload", F_Unload,
-"Unload the currrently loaded PKCS #11 library\n",
-	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Run", F_Run,
-"Run filename\n\n"
-"reads filename as script of commands to execute\n",
-	{ArgVar|ArgNew, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Time", F_Time,
-"Time pkcs11 command\n\n"
-"Execute a pkcs #11 command and time the results\n",
-	{ArgVar|ArgFull, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"System", F_System,
-	"Set System Flag",
-	{ArgULong, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"LoopRun", F_Loop,
-"LoopRun filename var start end step\n\n"
-"Run in a loop. Loop exit if scrip does and explicit quit (Quit QuitIf etc.)",
-	{ArgVar|ArgNew, ArgVar|ArgNew, ArgULong, ArgULong, ArgULong,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Help", F_Help,
-"Help [command]\n\n"
-"print general help, or help for a specific command\n",
-	{ArgVar|ArgOpt, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"QuitIf", F_QuitIf,
-"QuitIf arg1 comparator arg2\n\n"
-"Exit from this program if Condition is valid, valid comparators:\n"
-"  < > <= >= = !=\n",
-	{ArgULong, ArgVar|ArgNew, ArgULong, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"QuitIfString", F_QuitIfString,
-"QuitIfString arg1 comparator arg2\n\n"
-"Exit from this program if Condition is valid, valid comparators:\n"
-"  = !=\n",
-	{ArgVar|ArgNew, ArgVar|ArgNew, ArgVar|ArgNew, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-    {"Quit", F_Quit,
-"Exit from this program",
-	{ArgNone, ArgNone, ArgNone, ArgNone, ArgNone,
-	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
-};
-
-const Commands  *commands= &_commands[0];
-const int commandCount = sizeof(_commands) / sizeof(_commands[0]);
-
-const Topics _topics[] = {
-   { "variables", 
-"Variables are random strings of characters. These should begin with alpha\n"
-" characters, and should not contain any spaces, nor should they match any\n"
-" built-in constants. There is some checking in the code for these things,\n"
-" but it's not 100% and using invalid variable names can cause problems.\n"
-" Variables are created by any 'OUT' parameter. If the variable does not\n"
-" exist, it will be created. For in parameters variables must already exist.\n"
-   },
-   { "constants",
-"pk11util recognizes *lots* of constants. All CKA_, CKF_, CKO_, CKU_, CKS_,\n"
-" CKC_, CKK_, CKH_, CKM_, CKT_ values from the PKCS #11 spec are recognized.\n"
-" Constants can be specified with their fully qualified CK?_ value, or the\n"
-" prefix can be dropped. Constants are matched case insensitve.\n" 
-   },
-   { "arrays",
-"Arrays are special variables which represent 'C' arrays. Each array \n"
-" variable can be referenced as a group (using just the name), or as \n"
-" individual elements (with the [int] operator). Example:\n"
-"      print myArray    # prints the full array.\n"
-"      print myArray[3] # prints the 3rd elemement of the array \n"
-   },
-   { "sizes",
-"Size operaters returns the size in bytes of a variable, or the number of\n"
-" elements in an array.\n"
-"    size(var) and sizeof(var) return the size of var in bytes.\n"
-"    sizea(var) and sizeofarray(var) return the number of elements in var.\n"
-"       If var is not an array, sizea(var) returns 1.\n"
-   },
-};
-
-const Topics  *topics= &_topics[0];
-const int topicCount = sizeof(_topics) / sizeof(_topics[0]);
-
-const char *
-getName(CK_ULONG value, ConstType type)
-{
-    int i;
-    
-    for (i=0; i < constCount; i++) {
-        if (consts[i].type == type && consts[i].value == value) {
-            return consts[i].name;
-        }
-        if (type == ConstNone && consts[i].value == value) {
-            return consts[i].name;
-        }
-    }
-
-    return NULL;
-}
-
-const char *
-getNameFromAttribute(CK_ATTRIBUTE_TYPE type)
-{
-    return getName(type, ConstAttribute);
-}
-
-int totalKnownType(ConstType type) {
-    int count = 0;
-    int i;
- 
-    for (i=0; i < constCount; i++) {
-        if (consts[i].type == type) count++;
-    }
-    return count;
-}
diff --git a/security/nss/cmd/lib/pk11table.h b/security/nss/cmd/lib/pk11table.h
deleted file mode 100644
index 4c2e3f038..000000000
--- a/security/nss/cmd/lib/pk11table.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _PK11_TABLE_H_
-#define _PK11_TABLE_H_
-
-/*
- * Supported functions..
- */
-#include <pkcs11.h>
-#include "nspr.h"
-#include "prtypes.h"
-
-typedef enum {
-    F_No_Function,
-#undef CK_NEED_ARG_LIST
-#define CK_PKCS11_FUNCTION_INFO(func) F_##func,
-#include "pkcs11f.h"
-#undef CK_NEED_ARG_LISt
-#undef CK_PKCS11_FUNCTION_INFO
-    F_SetVar,
-    F_SetStringVar,
-    F_NewArray,
-    F_NewInitializeArgs,
-    F_NewTemplate,
-    F_NewMechanism,
-    F_BuildTemplate,
-    F_SetTemplate,
-    F_Print,
-    F_SaveVar,
-    F_RestoreVar,
-    F_Increment,
-    F_Decrement,
-    F_Delete,
-    F_List,
-    F_Run,
-    F_Load,
-    F_Unload,
-    F_System,
-    F_Loop,
-    F_Time,
-    F_Help,
-    F_Quit,
-    F_QuitIf,
-    F_QuitIfString,
-} FunctionType;
-
-/*
- * Supported Argument Types
- */
-typedef enum {
-    ArgNone,
-    ArgVar,
-    ArgULong,
-    ArgChar,
-    ArgUTF8,
-    ArgInfo,
-    ArgSlotInfo,
-    ArgTokenInfo,
-    ArgSessionInfo,
-    ArgAttribute,
-    ArgMechanism,
-    ArgMechanismInfo,
-    ArgInitializeArgs,
-    ArgFunctionList,
-/* Modifier Flags */
-    ArgMask = 0xff,
-    ArgOut = 0x100,
-    ArgArray = 0x200,
-    ArgNew = 0x400,
-    ArgFile = 0x800,
-    ArgStatic = 0x1000,
-    ArgOpt = 0x2000,
-    ArgFull = 0x4000,
-} ArgType;
-
-typedef enum _constType
-{
-    ConstNone,
-    ConstBool,
-    ConstInfoFlags,
-    ConstSlotFlags,
-    ConstTokenFlags,
-    ConstSessionFlags,
-    ConstMechanismFlags,
-    ConstInitializeFlags,
-    ConstUsers,
-    ConstSessionState,
-    ConstObject,
-    ConstHardware,
-    ConstKeyType,
-    ConstCertType,
-    ConstAttribute,
-    ConstMechanism,
-    ConstResult,
-    ConstTrust,
-    ConstAvailableSizes,
-    ConstCurrentSize
-} ConstType;
-
-typedef struct _constant {
-    const char *name;
-    CK_ULONG value;
-    ConstType type;
-    ConstType attrType;
-} Constant ;
-
-/*
- * Values structures.
- */
-typedef struct _values {
-    ArgType	type;
-    ConstType	constType;
-    int		size;
-    char	*filename;
-    void	*data;
-    int 	reference;
-    int		arraySize;
-} Value;
-
-/*
- * Variables
- */
-typedef struct _variable Variable;
-struct _variable {
-    Variable *next;
-    char *vname;
-    Value *value;
-};
-
-/* NOTE: if you change MAX_ARGS, you need to change the commands array
- * below as well.
- */
-
-#define MAX_ARGS 10
-/*
- * structure for master command array
- */
-typedef struct _commands {
-    char	*fname;
-    FunctionType	fType;
-    char	*helpString;
-    ArgType	args[MAX_ARGS];
-} Commands;
-
-typedef struct _module {
-    PRLibrary *library;
-    CK_FUNCTION_LIST *functionList;
-} Module;
-
-typedef struct _topics {
-    char	*name;
-    char	*helpString;
-} Topics;
-
-/*
- * the command array itself. Make name to function and it's arguments
- */
-
-extern const char **valueString;
-extern const int valueCount;
-extern const char **constTypeString;
-extern const int constTypeCount;
-extern const Constant *consts;
-extern const int constCount;
-extern const Commands *commands;
-extern const int commandCount;
-extern const Topics *topics;
-extern const int topicCount;
-
-extern const char *
-getName(CK_ULONG value, ConstType type);
-
-extern const char *
-getNameFromAttribute(CK_ATTRIBUTE_TYPE type);
-
-extern int totalKnownType(ConstType type);
-
-#endif /* _PK11_TABLE_H_ */
-
diff --git a/security/nss/cmd/lib/pppolicy.c b/security/nss/cmd/lib/pppolicy.c
deleted file mode 100644
index c0094083c..000000000
--- a/security/nss/cmd/lib/pppolicy.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2004
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support for various policy related extensions
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secport.h"
-#include "secder.h"
-#include "cert.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "nspr.h"
-#include "secutil.h"
-
-/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c .
-** The chief difference is the addition of the OPTIONAL flag to many 
-** parts.  The idea is to be able to parse and print as much of the 
-** policy extension as possible, even if some parts are invalid.
-**
-** If this approach still is unable to decode policy extensions that
-** contain invalid parts, then the next approach will be to parse 
-** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them 
-** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally
-** parse each of the PolicyQualifiers.
-*/
-
-static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTPolicyQualifier) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTPolicyQualifier, qualifierID) },
-    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
-	  offsetof(CERTPolicyQualifier, qualifierValue) },
-    { 0 }
-};
-
-static const SEC_ASN1Template secu_PolicyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTPolicyInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTPolicyInfo, policyID) },
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
-	  offsetof(CERTPolicyInfo, policyQualifiers),
-	  secu_PolicyQualifierTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCertificatePolicies, policyInfos),
-	  secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
-};
-
-
-static CERTCertificatePolicies *
-secu_DecodeCertificatePoliciesExtension(SECItem *extnValue)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    CERTCertificatePolicies *policies;
-    CERTPolicyInfo **policyInfos, *policyInfo;
-    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
-    SECItem newExtnValue;
-    
-    /* make a new arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	goto loser;
-    }
-
-    /* allocate the certifiate policies structure */
-    policies = PORT_ArenaZNew(arena, CERTCertificatePolicies);
-    if ( policies == NULL ) {
-	goto loser;
-    }
-    
-    policies->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* decode the policy info */
-    rv = SEC_QuickDERDecodeItem(arena, policies, 
-                                secu_CertificatePoliciesTemplate,
-			        &newExtnValue);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* initialize the oid tags */
-    policyInfos = policies->policyInfos;
-    while (policyInfos != NULL && *policyInfos != NULL ) {
-	policyInfo = *policyInfos;
-	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
-	policyQualifiers = policyInfo->policyQualifiers;
-	while ( policyQualifiers && *policyQualifiers != NULL ) {
-	    policyQualifier = *policyQualifiers;
-	    policyQualifier->oid =
-		SECOID_FindOIDTag(&policyQualifier->qualifierID);
-	    policyQualifiers++;
-	}
-	policyInfos++;
-    }
-
-    return(policies);
-    
-loser:
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-
-static char *
-itemToString(SECItem *item)
-{
-    char *string;
-
-    string = PORT_ZAlloc(item->len+1);
-    if (string == NULL) return NULL;
-    PORT_Memcpy(string,item->data,item->len);
-    string[item->len] = 0;
-    return string;
-}
-
-static SECStatus
-secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue,
-                              char *msg, int level)
-{
-    CERTUserNotice *userNotice = NULL;
-    if (qualifierValue)
-	userNotice = CERT_DecodeUserNotice(qualifierValue);
-    if (userNotice) {
-	if (userNotice->noticeReference.organization.len != 0) {
-            char *string = 
-	            itemToString(&userNotice->noticeReference.organization);
-            SECItem **itemList = userNotice->noticeReference.noticeNumbers;
-
-	    while (itemList && *itemList) {
-		SECU_PrintInteger(out,*itemList,string,level+1);
-	        itemList++;
-	    }
-	    PORT_Free(string);
-	}
-	if (userNotice->displayText.len != 0) {
-	    SECU_PrintString(out,&userNotice->displayText,
-			     "Display Text", level+1);
-	}
-	CERT_DestroyUserNotice(userNotice);
-	return SECSuccess;
-    }
-    return SECFailure;	/* caller will print this value */
-}
-
-static SECStatus
-secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier,
-			  char *msg,int level)
-{
-   SECStatus rv;
-   SECItem * qualifierValue = &policyQualifier->qualifierValue;
-
-   SECU_PrintObjectID(out, &policyQualifier->qualifierID , 
-					"Policy Qualifier Name", level);
-   if (!qualifierValue->data) {
-	SECU_Indent(out, level);
-	fprintf(out,"Error: missing qualifier\n");
-   } else 
-   switch (policyQualifier->oid) {
-   case SEC_OID_PKIX_USER_NOTICE_QUALIFIER:
-       rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level);
-       if (SECSuccess == rv)
-	   break;
-       /* fall through on error */
-   case SEC_OID_PKIX_CPS_POINTER_QUALIFIER:
-   default:
-	SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level);
-	break;
-   }
-   return SECSuccess;
-}
-
-static SECStatus
-secu_PrintPolicyInfo(FILE *out,CERTPolicyInfo *policyInfo,char *msg,int level)
-{
-   CERTPolicyQualifier **policyQualifiers;
-
-   policyQualifiers = policyInfo->policyQualifiers;
-   SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level);
-   
-   while (policyQualifiers && *policyQualifiers != NULL) {
-	secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1);
-	policyQualifiers++;
-   }
-   return SECSuccess;
-}
-
-void
-SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level)
-{
-   CERTCertificatePolicies *policies = NULL;
-   CERTPolicyInfo **policyInfos;
-
-   if (msg) {
-	SECU_Indent(out, level);
-	fprintf(out,"%s: \n",msg);
-	level++;
-   }
-   policies = secu_DecodeCertificatePoliciesExtension(value);
-   if (policies == NULL) {
-	SECU_PrintAny(out, value, "Invalid Policy Data", level);
-	return;
-   }
-
-   policyInfos = policies->policyInfos;
-   while (policyInfos && *policyInfos != NULL) {
-	secu_PrintPolicyInfo(out,*policyInfos,"",level);
-	policyInfos++;
-   }
-
-   CERT_DestroyCertificatePoliciesExtension(policies);
-}
-
-
-void
-SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, 
-			              char *msg, int level)
-{
-    CERTPrivKeyUsagePeriod * prd;
-    PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if ( !arena ) {
-	goto loser;
-    }
-    prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value);
-    if (!prd) {
-	goto loser;
-    }
-    if (prd->notBefore.data) {
-	SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level);
-    }
-    if (prd->notAfter.data) {
-	SECU_PrintGeneralizedTime(out, &prd->notAfter,  "Not After ", level);
-    }
-    if (!prd->notBefore.data && !prd->notAfter.data) {
-	SECU_Indent(out, level);
-	fprintf(out, "Error: notBefore or notAfter MUST be present.\n");
-loser:
-	SECU_PrintAny(out, value, msg, level);
-    }
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-}
diff --git a/security/nss/cmd/lib/secerror.c b/security/nss/cmd/lib/secerror.c
deleted file mode 100644
index 651cf5520..000000000
--- a/security/nss/cmd/lib/secerror.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-
-struct tuple_str {
-    PRErrorCode	 errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b)   {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
-
-/* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
- */
-const char *
-SECU_Strerror(PRErrorCode errNum) {
-    PRInt32 low  = 0;
-    PRInt32 high = numStrings - 1;
-    PRInt32 i;
-    PRErrorCode num;
-    static int initDone;
-
-    /* make sure table is in ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-	PRErrorCode lastNum = ((PRInt32)0x80000000);
-    	for (i = low; i <= high; ++i) {
-	    num = errStrings[i].errNum;
-	    if (num <= lastNum) {
-	    	fprintf(stderr, 
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
-		        i, lastNum, errStrings[i-1].errString, 
-			num, errStrings[i].errString);
-	    }
-	    lastNum = num;
-	}
-	initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-    	i = (low + high) / 2;
-	num = errStrings[i].errNum;
-	if (errNum == num) 
-	    return errStrings[i].errString;
-        if (errNum < num)
-	    high = i;
-	else 
-	    low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-    	return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-    	return errStrings[high].errString;
-    return NULL;
-}
diff --git a/security/nss/cmd/lib/secpwd.c b/security/nss/cmd/lib/secpwd.c
deleted file mode 100644
index ea4bc31d7..000000000
--- a/security/nss/cmd/lib/secpwd.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "secutil.h"
-
-/*
- * NOTE:  The contents of this file are NOT used by the client.
- * (They are part of the security library as a whole, but they are
- * NOT USED BY THE CLIENT.)  Do not change things on behalf of the
- * client (like localizing strings), or add things that are only
- * for the client (put them elsewhere).  
- */
-
-
-#ifdef XP_UNIX
-#include <termios.h>
-#endif
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-#include <unistd.h>  /* for isatty() */
-#endif
-
-#if( defined(_WINDOWS) && !defined(_WIN32_WCE))
-#include <conio.h>
-#include <io.h>
-#define QUIET_FGETS quiet_fgets
-static char * quiet_fgets (char *buf, int length, FILE *input);
-#else
-#define QUIET_FGETS fgets
-#endif
-
-static void echoOff(int fd)
-{
-#if defined(XP_UNIX) && !defined(VMS)
-    if (isatty(fd)) {
-	struct termios tio;
-	tcgetattr(fd, &tio);
-	tio.c_lflag &= ~ECHO;
-	tcsetattr(fd, TCSAFLUSH, &tio);
-    }
-#endif
-}
-
-static void echoOn(int fd)
-{
-#if defined(XP_UNIX) && !defined(VMS)
-    if (isatty(fd)) {
-	struct termios tio;
-	tcgetattr(fd, &tio);
-	tio.c_lflag |= ECHO;
-	tcsetattr(fd, TCSAFLUSH, &tio);
-    }
-#endif
-}
-
-char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
-			       PRBool (*ok)(char *))
-{
-#if defined(_WINDOWS)
-    int isTTY = (input == stdin);
-#define echoOn(x)
-#define echoOff(x)
-#else
-    int infd  = fileno(input);
-    int isTTY = isatty(infd);
-#endif
-    char phrase[200] = {'\0'};      /* ensure EOF doesn't return junk */
-
-    for (;;) {
-	/* Prompt for password */
-	if (isTTY) {
-	    fprintf(output, "%s", prompt);
-            fflush (output);
-	    echoOff(infd);
-	}
-
-	QUIET_FGETS ( phrase, sizeof(phrase), input);
-
-	if (isTTY) {
-	    fprintf(output, "\n");
-	    echoOn(infd);
-	}
-
-	/* stomp on newline */
-	phrase[PORT_Strlen(phrase)-1] = 0;
-
-	/* Validate password */
-	if (!(*ok)(phrase)) {
-	    /* Not weird enough */
-	    if (!isTTY) return 0;
-	    fprintf(output, "Password must be at least 8 characters long with one or more\n");
-	    fprintf(output, "non-alphabetic characters\n");
-	    continue;
-	}
-	return (char*) PORT_Strdup(phrase);
-    }
-}
-
-
-
-PRBool SEC_CheckPassword(char *cp)
-{
-    int len;
-    char *end;
-
-    len = PORT_Strlen(cp);
-    if (len < 8) {
-	return PR_FALSE;
-    }
-    end = cp + len;
-    while (cp < end) {
-	unsigned char ch = *cp++;
-	if (!((ch >= 'A') && (ch <= 'Z')) &&
-	    !((ch >= 'a') && (ch <= 'z'))) {
-	    /* pass phrase has at least one non alphabetic in it */
-	    return PR_TRUE;
-	}
-    }
-    return PR_FALSE;
-}
-
-PRBool SEC_BlindCheckPassword(char *cp)
-{
-    if (cp != NULL) {
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-/* Get a password from the input terminal, without echoing */
-
-#if defined(_WINDOWS)
-static char * quiet_fgets (char *buf, int length, FILE *input)
-  {
-  int c;
-  char *end = buf;
-
-  /* fflush (input); */
-  memset (buf, 0, length);
-
-  if (!isatty(fileno(input))) {
-     return fgets(buf,length,input);
-  }
-
-  while (1)
-    {
-#if defined (_WIN32_WCE)
-    c = getchar();	/* gets a character from stdin */
-#else
-    c = getch();	/* getch gets a character from the console */
-#endif
-    if (c == '\b')
-      {
-      if (end > buf)
-        end--;
-      }
-
-    else if (--length > 0)
-      *end++ = c;
-
-    if (!c || c == '\n' || c == '\r')
-      break;
-    }
-
-  return buf;
-  }
-#endif
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
deleted file mode 100644
index 765ca163f..000000000
--- a/security/nss/cmd/lib/secutil.c
+++ /dev/null
@@ -1,4169 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
-** secutil.c - various functions used by security stuff
-**
-*/
-
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-#include "prerror.h"
-#include "prprf.h"
-#include "plgetopt.h"
-#include "prenv.h"
-#include "prnetdb.h"
-
-#include "cryptohi.h"
-#include "secutil.h"
-#include "secpkcs7.h"
-#include "secpkcs5.h"
-#include <stdarg.h>
-#if !defined(_WIN32_WCE)
-#include <sys/stat.h>
-#include <errno.h>
-#endif
-
-#ifdef XP_UNIX
-#include <unistd.h>
-#endif
-
-/* for SEC_TraverseNames */
-#include "cert.h"
-#include "certt.h"
-#include "certdb.h"
-
-/* #include "secmod.h" */
-#include "pk11func.h"
-#include "secoid.h"
-
-static char consoleName[] =  {
-#ifdef XP_UNIX
-#ifdef VMS
-    "TT"
-#else
-    "/dev/tty"
-#endif
-#else
-#ifdef XP_OS2
-    "\\DEV\\CON"
-#else
-    "CON:"
-#endif
-#endif
-};
-
-
-char *
-SECU_GetString(int16 error_number)
-{
-
-    static char errString[80];
-    sprintf(errString, "Unknown error string (%d)", error_number);
-    return errString;
-}
-
-void 
-SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
-{
-    va_list args;
-    PRErrorCode err = PORT_GetError();
-    const char * errString = SECU_Strerror(err);
-
-    va_start(args, msg);
-
-    SECU_Indent(out, level);
-    fprintf(out, "%s: ", progName);
-    vfprintf(out, msg, args);
-    if (errString != NULL && PORT_Strlen(errString) > 0)
-	fprintf(out, ": %s\n", errString);
-    else
-	fprintf(out, ": error %d\n", (int)err);
-
-    va_end(args);
-}
-
-void 
-SECU_PrintError(char *progName, char *msg, ...)
-{
-    va_list args;
-    PRErrorCode err = PORT_GetError();
-    const char * errString = SECU_Strerror(err);
-
-    va_start(args, msg);
-
-    fprintf(stderr, "%s: ", progName);
-    vfprintf(stderr, msg, args);
-    if (errString != NULL && PORT_Strlen(errString) > 0)
-	fprintf(stderr, ": %s\n", errString);
-    else
-	fprintf(stderr, ": error %d\n", (int)err);
-
-    va_end(args);
-}
-
-void
-SECU_PrintSystemError(char *progName, char *msg, ...)
-{
-    va_list args;
-
-    va_start(args, msg);
-    fprintf(stderr, "%s: ", progName);
-    vfprintf(stderr, msg, args);
-#if defined(_WIN32_WCE)
-    fprintf(stderr, ": %d\n", PR_GetOSError());
-#else
-    fprintf(stderr, ": %s\n", strerror(errno));
-#endif
-    va_end(args);
-}
-
-static void
-secu_ClearPassword(char *p)
-{
-    if (p) {
-	PORT_Memset(p, 0, PORT_Strlen(p));
-	PORT_Free(p);
-    }
-}
-
-char *
-SECU_GetPasswordString(void *arg, char *prompt)
-{
-#ifndef _WINDOWS
-    char *p = NULL;
-    FILE *input, *output;
-
-    /* open terminal */
-    input = fopen(consoleName, "r");
-    if (input == NULL) {
-	fprintf(stderr, "Error opening input terminal for read\n");
-	return NULL;
-    }
-
-    output = fopen(consoleName, "w");
-    if (output == NULL) {
-	fprintf(stderr, "Error opening output terminal for write\n");
-	return NULL;
-    }
-
-    p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword);
-        
-
-    fclose(input);
-    fclose(output);
-
-    return p;
-
-#else
-    /* Win32 version of above. opening the console may fail
-       on windows95, and certainly isn't necessary.. */
-
-    char *p = NULL;
-
-    p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword);
-    return p;
-
-#endif
-}
-
-
-/*
- *  p a s s w o r d _ h a r d c o d e 
- *
- *  A function to use the password passed in the -f(pwfile) argument
- *  of the command line.  
- *  After use once, null it out otherwise PKCS11 calls us forever.?
- *
- */
-char *
-SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-    char* phrases, *phrase;
-    PRFileDesc *fd;
-    PRInt32 nb;
-    char *pwFile = arg;
-    int i;
-    const long maxPwdFileSize = 4096;
-    char* tokenName = NULL;
-    int tokenLen = 0;
-
-    if (!pwFile)
-	return 0;
-
-    if (retry) {
-	return 0;  /* no good retrying - the files contents will be the same */
-    }
-
-    phrases = PORT_ZAlloc(maxPwdFileSize);
-
-    if (!phrases) {
-        return 0; /* out of memory */
-    }
- 
-    fd = PR_Open(pwFile, PR_RDONLY, 0);
-    if (!fd) {
-	fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
-        PORT_Free(phrases);
-	return NULL;
-    }
-
-    nb = PR_Read(fd, phrases, maxPwdFileSize);
-  
-    PR_Close(fd);
-
-    if (nb == 0) {
-        fprintf(stderr,"password file contains no data\n");
-        PORT_Free(phrases);
-        return NULL;
-    }
-
-    if (slot) {
-        tokenName = PK11_GetTokenName(slot);
-        if (tokenName) {
-            tokenLen = PORT_Strlen(tokenName);
-        }
-    }
-    i = 0;
-    do
-    {
-        int startphrase = i;
-        int phraseLen;
-
-        /* handle the Windows EOL case */
-        while (phrases[i] != '\r' && phrases[i] != '\n' && i < nb) i++;
-        /* terminate passphrase */
-        phrases[i++] = '\0';
-        /* clean up any EOL before the start of the next passphrase */
-        while ( (i<nb) && (phrases[i] == '\r' || phrases[i] == '\n')) {
-            phrases[i++] = '\0';
-        }
-        /* now analyze the current passphrase */
-        phrase = &phrases[startphrase];
-        if (!tokenName)
-            break;
-        if (PORT_Strncmp(phrase, tokenName, tokenLen)) continue;
-        phraseLen = PORT_Strlen(phrase);
-        if (phraseLen < (tokenLen+1)) continue;
-        if (phrase[tokenLen] != ':') continue;
-        phrase = &phrase[tokenLen+1];
-        break;
-
-    } while (i<nb);
-
-    phrase = PORT_Strdup((char*)phrase);
-    PORT_Free(phrases);
-    return phrase;
-}
-
-char *
-SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) 
-{
-    char prompt[255];
-    secuPWData *pwdata = (secuPWData *)arg;
-    secuPWData pwnull = { PW_NONE, 0 };
-    secuPWData pwxtrn = { PW_EXTERNAL, "external" };
-    char *pw;
-
-    if (pwdata == NULL)
-	pwdata = &pwnull;
-
-    if (PK11_ProtectedAuthenticationPath(slot)) {
-	pwdata = &pwxtrn;
-    }
-    if (retry && pwdata->source != PW_NONE) {
-	PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n");
-    	return NULL;
-    }
-
-    switch (pwdata->source) {
-    case PW_NONE:
-	sprintf(prompt, "Enter Password or Pin for \"%s\":",
-	                 PK11_GetTokenName(slot));
-	return SECU_GetPasswordString(NULL, prompt);
-    case PW_FROMFILE:
-	/* Instead of opening and closing the file every time, get the pw
-	 * once, then keep it in memory (duh).
-	 */
-	pw = SECU_FilePasswd(slot, retry, pwdata->data);
-	pwdata->source = PW_PLAINTEXT;
-	pwdata->data = PL_strdup(pw);
-	/* it's already been dup'ed */
-	return pw;
-    case PW_EXTERNAL:
-	sprintf(prompt, 
-	        "Press Enter, then enter PIN for \"%s\" on external device.\n",
-		PK11_GetTokenName(slot));
-	(void) SECU_GetPasswordString(NULL, prompt);
-    	/* Fall Through */
-    case PW_PLAINTEXT:
-	return PL_strdup(pwdata->data);
-    default:
-	break;
-    }
-
-    PR_fprintf(PR_STDERR, "Password check failed:  No password found.\n");
-    return NULL;
-}
-
-char *
-secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
-{
-    char *p0 = NULL;
-    char *p1 = NULL;
-    FILE *input, *output;
-    secuPWData *pwdata = arg;
-
-    if (pwdata->source == PW_FROMFILE) {
-	return SECU_FilePasswd(slot, retry, pwdata->data);
-    } 
-    if (pwdata->source == PW_PLAINTEXT) {
-	return PL_strdup(pwdata->data);
-    }
-    
-    /* PW_NONE - get it from tty */
-    /* open terminal */
-#ifdef _WINDOWS
-    input = stdin;
-#else
-    input = fopen(consoleName, "r");
-#endif
-    if (input == NULL) {
-	PR_fprintf(PR_STDERR, "Error opening input terminal for read\n");
-	return NULL;
-    }
-
-    /* we have no password, so initialize database with one */
-    PR_fprintf(PR_STDERR, 
-        "Enter a password which will be used to encrypt your keys.\n"
-     	"The password should be at least 8 characters long,\n"
-     	"and should contain at least one non-alphabetic character.\n\n");
-
-    output = fopen(consoleName, "w");
-    if (output == NULL) {
-	PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
-	return NULL;
-    }
-
-
-    for (;;) {
-	if (p0) 
-	    PORT_Free(p0);
-	p0 = SEC_GetPassword(input, output, "Enter new password: ",
-			     SEC_BlindCheckPassword);
-
-	if (p1)
-	    PORT_Free(p1);
-	p1 = SEC_GetPassword(input, output, "Re-enter password: ",
-			     SEC_BlindCheckPassword);
-	if (p0 && p1 && !PORT_Strcmp(p0, p1)) {
-	    break;
-	}
-	PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n");
-    }
-        
-    /* clear out the duplicate password string */
-    secu_ClearPassword(p1);
-    
-    fclose(input);
-    fclose(output);
-
-    return p0;
-}
-
-SECStatus
-SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile)
-{
-    return SECU_ChangePW2(slot, passwd, 0, pwFile, 0);
-}
-
-SECStatus
-SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
-			char *oldPwFile, char *newPwFile)
-{
-    SECStatus rv;
-    secuPWData pwdata, newpwdata;
-    char *oldpw = NULL, *newpw = NULL;
-
-    if (oldPass) {
-	pwdata.source = PW_PLAINTEXT;
-	pwdata.data = oldPass;
-    } else if (oldPwFile) {
-	pwdata.source = PW_FROMFILE;
-	pwdata.data = oldPwFile;
-    } else {
-	pwdata.source = PW_NONE;
-	pwdata.data = NULL;
-    }
-
-    if (newPass) {
-	newpwdata.source = PW_PLAINTEXT;
-	newpwdata.data = newPass;
-    } else if (newPwFile) {
-	newpwdata.source = PW_FROMFILE;
-	newpwdata.data = newPwFile;
-    } else {
-	newpwdata.source = PW_NONE;
-	newpwdata.data = NULL;
-    }
-
-    if (PK11_NeedUserInit(slot)) {
-	newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata);
-	rv = PK11_InitPin(slot, (char*)NULL, newpw);
-	goto done;
-    }
-
-    for (;;) {
-	oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata);
-
-	if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
-	    if (pwdata.source == PW_NONE) {
-		PR_fprintf(PR_STDERR, "Invalid password.  Try again.\n");
-	    } else {
-		PR_fprintf(PR_STDERR, "Invalid password.\n");
-		PORT_Memset(oldpw, 0, PL_strlen(oldpw));
-		PORT_Free(oldpw);
-		return SECFailure;
-	    }
-	} else
-	    break;
-
-	PORT_Free(oldpw);
-    }
-
-    newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
-
-    if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
-	PR_fprintf(PR_STDERR, "Failed to change password.\n");
-	return SECFailure;
-    }
-
-    PORT_Memset(oldpw, 0, PL_strlen(oldpw));
-    PORT_Free(oldpw);
-
-    PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
-
-done:
-    PORT_Memset(newpw, 0, PL_strlen(newpw));
-    PORT_Free(newpw);
-    return SECSuccess;
-}
-
-struct matchobj {
-    SECItem index;
-    char *nname;
-    PRBool found;
-};
-
-char *
-SECU_DefaultSSLDir(void)
-{
-    char *dir;
-    static char sslDir[1000];
-
-    dir = PR_GetEnv("SSL_DIR");
-    if (!dir)
-	return NULL;
-
-    sprintf(sslDir, "%s", dir);
-
-    if (sslDir[strlen(sslDir)-1] == '/')
-	sslDir[strlen(sslDir)-1] = 0;
-
-    return sslDir;
-}
-
-char *
-SECU_AppendFilenameToDir(char *dir, char *filename)
-{
-    static char path[1000];
-
-    if (dir[strlen(dir)-1] == '/')
-	sprintf(path, "%s%s", dir, filename);
-    else
-	sprintf(path, "%s/%s", dir, filename);
-    return path;
-}
-
-char *
-SECU_ConfigDirectory(const char* base)
-{
-    static PRBool initted = PR_FALSE;
-    const char *dir = ".netscape";
-    char *home;
-    static char buf[1000];
-
-    if (initted) return buf;
-    
-
-    if (base == NULL || *base == 0) {
-	home = PR_GetEnv("HOME");
-	if (!home) home = "";
-
-	if (*home && home[strlen(home) - 1] == '/')
-	    sprintf (buf, "%.900s%s", home, dir);
-	else
-	    sprintf (buf, "%.900s/%s", home, dir);
-    } else {
-	sprintf(buf, "%.900s", base);
-	if (buf[strlen(buf) - 1] == '/')
-	    buf[strlen(buf) - 1] = 0;
-    }
-
-
-    initted = PR_TRUE;
-    return buf;
-}
-
-/*Turn off SSL for now */
-/* This gets called by SSL when server wants our cert & key */
-int
-SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
-		       struct CERTDistNamesStr *caNames,
-                      struct CERTCertificateStr **pRetCert,
-                      struct SECKEYPrivateKeyStr **pRetKey)
-{
-    SECKEYPrivateKey *key;
-    CERTCertificate *cert;
-    int errsave;
-
-    if (arg == NULL) {
-        fprintf(stderr, "no key/cert name specified for client auth\n");
-        return -1;
-    }
-    cert = PK11_FindCertFromNickname(arg, NULL);
-    errsave = PORT_GetError();
-    if (!cert) {
-        if (errsave == SEC_ERROR_BAD_PASSWORD)
-            fprintf(stderr, "Bad password\n");
-        else if (errsave > 0)
-            fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
-        else if (errsave == SEC_ERROR_BAD_DATABASE)
-            fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
-        else
-            fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
-        return -1;
-    }
-
-    key = PK11_FindKeyByAnyCert(arg,NULL);
-    if (!key) {
-        fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
-        return -1;
-    }
-
-
-    *pRetCert = cert;
-    *pRetKey = key;
-
-    return 0;
-}
-
-SECStatus
-secu_StdinToItem(SECItem *dst)
-{
-    unsigned char buf[1000];
-    PRInt32 numBytes;
-    PRBool notDone = PR_TRUE;
-
-    dst->len = 0;
-    dst->data = NULL;
-
-    while (notDone) {
-	numBytes = PR_Read(PR_STDIN, buf, sizeof(buf));
-
-	if (numBytes < 0) {
-	    return SECFailure;
-	}
-
-	if (numBytes == 0)
-	    break;
-
-	if (dst->data) {
-	    unsigned char * p = dst->data;
-	    dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes);
-	    if (!dst->data) {
-	    	PORT_Free(p);
-	    }
-	} else {
-	    dst->data = (unsigned char*)PORT_Alloc(numBytes);
-	}
-	if (!dst->data) {
-	    return SECFailure;
-	}
-	PORT_Memcpy(dst->data + dst->len, buf, numBytes);
-	dst->len += numBytes;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-SECU_FileToItem(SECItem *dst, PRFileDesc *src)
-{
-    PRFileInfo info;
-    PRInt32 numBytes;
-    PRStatus prStatus;
-
-    if (src == PR_STDIN)
-	return secu_StdinToItem(dst);
-
-    prStatus = PR_GetOpenFileInfo(src, &info);
-
-    if (prStatus != PR_SUCCESS) {
-	PORT_SetError(SEC_ERROR_IO);
-	return SECFailure;
-    }
-
-    /* XXX workaround for 3.1, not all utils zero dst before sending */
-    dst->data = 0;
-    if (!SECITEM_AllocItem(NULL, dst, info.size))
-	goto loser;
-
-    numBytes = PR_Read(src, dst->data, info.size);
-    if (numBytes != info.size) {
-	PORT_SetError(SEC_ERROR_IO);
-	goto loser;
-    }
-
-    return SECSuccess;
-loser:
-    SECITEM_FreeItem(dst, PR_FALSE);
-    dst->data = NULL;
-    return SECFailure;
-}
-
-SECStatus
-SECU_TextFileToItem(SECItem *dst, PRFileDesc *src)
-{
-    PRFileInfo info;
-    PRInt32 numBytes;
-    PRStatus prStatus;
-    unsigned char *buf;
-
-    if (src == PR_STDIN)
-	return secu_StdinToItem(dst);
-
-    prStatus = PR_GetOpenFileInfo(src, &info);
-
-    if (prStatus != PR_SUCCESS) {
-	PORT_SetError(SEC_ERROR_IO);
-	return SECFailure;
-    }
-
-    buf = (unsigned char*)PORT_Alloc(info.size);
-    if (!buf)
-	return SECFailure;
-
-    numBytes = PR_Read(src, buf, info.size);
-    if (numBytes != info.size) {
-	PORT_SetError(SEC_ERROR_IO);
-	goto loser;
-    }
-
-    if (buf[numBytes-1] == '\n') numBytes--;
-#ifdef _WINDOWS
-    if (buf[numBytes-1] == '\r') numBytes--;
-#endif
-
-    /* XXX workaround for 3.1, not all utils zero dst before sending */
-    dst->data = 0;
-    if (!SECITEM_AllocItem(NULL, dst, numBytes))
-	goto loser;
-
-    memcpy(dst->data, buf, numBytes);
-
-    PORT_Free(buf);
-    return SECSuccess;
-loser:
-    PORT_Free(buf);
-    return SECFailure;
-}
-
-SECStatus
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
-{
-    SECStatus rv;
-    if (ascii) {
-	/* First convert ascii to binary */
-	SECItem filedata;
-	char *asc, *body;
-
-	/* Read in ascii data */
-	rv = SECU_FileToItem(&filedata, inFile);
-	asc = (char *)filedata.data;
-	if (!asc) {
-	    fprintf(stderr, "unable to read data from input file\n");
-	    return SECFailure;
-	}
-
-	/* check for headers and trailers and remove them */
-	if ((body = strstr(asc, "-----BEGIN")) != NULL) {
-	    char *trailer = NULL;
-	    asc = body;
-	    body = PORT_Strchr(body, '\n');
-	    if (!body)
-		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
-	    if (body)
-		trailer = strstr(++body, "-----END");
-	    if (trailer != NULL) {
-		*trailer = '\0';
-	    } else {
-		fprintf(stderr, "input has header but no trailer\n");
-		PORT_Free(filedata.data);
-		return SECFailure;
-	    }
-	} else {
-	    body = asc;
-	}
-     
-	/* Convert to binary */
-	rv = ATOB_ConvertAsciiToItem(der, body);
-	if (rv) {
-	    fprintf(stderr, "error converting ascii to binary (%s)\n",
-		    SECU_Strerror(PORT_GetError()));
-	    PORT_Free(filedata.data);
-	    return SECFailure;
-	}
-
-	PORT_Free(filedata.data);
-    } else {
-	/* Read in binary der */
-	rv = SECU_FileToItem(der, inFile);
-	if (rv) {
-	    fprintf(stderr, "error converting der (%s)\n", 
-		    SECU_Strerror(PORT_GetError()));
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-#define INDENT_MULT	4
-void
-SECU_Indent(FILE *out, int level)
-{
-    int i;
-
-    for (i = 0; i < level; i++) {
-	fprintf(out, "    ");
-    }
-}
-
-static void secu_Newline(FILE *out)
-{
-    fprintf(out, "\n");
-}
-
-void
-SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
-{
-    unsigned i;
-    int column;
-    PRBool isString     = PR_TRUE;
-    PRBool isWhiteSpace = PR_TRUE;
-    PRBool printedHex   = PR_FALSE;
-    unsigned int limit = 15;
-
-    if ( m ) {
-	SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-	level++;
-    }
-    
-    SECU_Indent(out, level); column = level*INDENT_MULT;
-    if (!data->len) {
-	fprintf(out, "(empty)\n");
-	return;
-    }
-    /* take a pass to see if it's all printable. */
-    for (i = 0; i < data->len; i++) {
-	unsigned char val = data->data[i];
-        if (!val || !isprint(val)) {
-	    isString = PR_FALSE;
-	    break;
-	}
-	if (isWhiteSpace && !isspace(val)) {
-	    isWhiteSpace = PR_FALSE;
-	}
-    }
-
-    /* Short values, such as bit strings (which are printed with this
-    ** function) often look like strings, but we want to see the bits.
-    ** so this test assures that short values will be printed in hex,
-    ** perhaps in addition to being printed as strings.
-    ** The threshold size (4 bytes) is arbitrary.
-    */
-    if (!isString || data->len <= 4) {
-      for (i = 0; i < data->len; i++) {
-	if (i != data->len - 1) {
-	    fprintf(out, "%02x:", data->data[i]);
-	    column += 3;
-	} else {
-	    fprintf(out, "%02x", data->data[i]);
-	    column += 2;
-	    break;
-	}
-	if (column > 76 || (i % 16 == limit)) {
-	    secu_Newline(out);
-	    SECU_Indent(out, level); 
-	    column = level*INDENT_MULT;
-	    limit = i % 16;
-	}
-      }
-      printedHex = PR_TRUE;
-    }
-    if (isString && !isWhiteSpace) {
-	if (printedHex != PR_FALSE) {
-	    secu_Newline(out);
-	    SECU_Indent(out, level); column = level*INDENT_MULT;
-	}
-	for (i = 0; i < data->len; i++) {
-	    unsigned char val = data->data[i];
-
-	    if (val) {
-		fprintf(out,"%c",val);
-		column++;
-	    } else {
-		column = 77;
-	    }
-	    if (column > 76) {
-		secu_Newline(out);
-        	SECU_Indent(out, level); column = level*INDENT_MULT;
-	    }
-	}
-    }
-	    
-    if (column != level*INDENT_MULT) {
-	secu_Newline(out);
-    }
-}
-
-static const char *hex = "0123456789abcdef";
-
-static const char printable[257] = {
-	"................"	/* 0x */
-	"................"	/* 1x */
-	" !\"#$%&'()*+,-./"	/* 2x */
-	"0123456789:;<=>?"	/* 3x */
-	"@ABCDEFGHIJKLMNO"	/* 4x */
-	"PQRSTUVWXYZ[\\]^_"	/* 5x */
-	"`abcdefghijklmno"	/* 6x */
-	"pqrstuvwxyz{|}~."	/* 7x */
-	"................"	/* 8x */
-	"................"	/* 9x */
-	"................"	/* ax */
-	"................"	/* bx */
-	"................"	/* cx */
-	"................"	/* dx */
-	"................"	/* ex */
-	"................"	/* fx */
-};
-
-void 
-SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len)
-{
-    const unsigned char *cp = (const unsigned char *)vp;
-    char buf[80];
-    char *bp;
-    char *ap;
-
-    fprintf(out, "%s [Len: %d]\n", msg, len);
-    memset(buf, ' ', sizeof buf);
-    bp = buf;
-    ap = buf + 50;
-    while (--len >= 0) {
-	unsigned char ch = *cp++;
-	*bp++ = hex[(ch >> 4) & 0xf];
-	*bp++ = hex[ch & 0xf];
-	*bp++ = ' ';
-	*ap++ = printable[ch];
-	if (ap - buf >= 66) {
-	    *ap = 0;
-	    fprintf(out, "   %s\n", buf);
-	    memset(buf, ' ', sizeof buf);
-	    bp = buf;
-	    ap = buf + 50;
-	}
-    }
-    if (bp > buf) {
-	*ap = 0;
-	fprintf(out, "   %s\n", buf);
-    }
-}
-
-SECStatus
-SECU_StripTagAndLength(SECItem *i)
-{
-    unsigned int start;
-
-    if (!i || !i->data || i->len < 2) { /* must be at least tag and length */
-        return SECFailure;
-    }
-    start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2);
-    if (i->len < start) {
-        return SECFailure;
-    }
-    i->data += start;
-    i->len  -= start;
-    return SECSuccess;
-}
-
-
-/* This expents i->data[0] to be the MSB of the integer.
-** if you want to print a DER-encoded integer (with the tag and length)
-** call SECU_PrintEncodedInteger();
-*/
-void
-SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
-{
-    int iv;
-
-    if (!i || !i->len || !i->data) {
-	SECU_Indent(out, level); 
-	if (m) {
-	    fprintf(out, "%s: (null)\n", m);
-	} else {
-	    fprintf(out, "(null)\n");
-	}
-    } else if (i->len > 4) {
-	SECU_PrintAsHex(out, i, m, level);
-    } else {
-   	if (i->type == siUnsignedInteger && *i->data & 0x80) {
-            /* Make sure i->data has zero in the highest bite 
-             * if i->data is an unsigned integer */
-            SECItem tmpI;
-            char data[] = {0, 0, 0, 0, 0};
-
-            PORT_Memcpy(data + 1, i->data, i->len);
-            tmpI.len = i->len + 1;
-            tmpI.data = (void*)data;
-
-            iv = DER_GetInteger(&tmpI);
-	} else {
-            iv = DER_GetInteger(i);
-	}
-	SECU_Indent(out, level); 
-	if (m) {
-	    fprintf(out, "%s: %d (0x%x)\n", m, iv, iv);
-	} else {
-	    fprintf(out, "%d (0x%x)\n", iv, iv);
-	}
-    }
-}
-
-static void
-secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
-{
-    int column;
-    unsigned int i;
-
-    if ( m ) {
-	SECU_Indent(out, level); fprintf(out, "%s: ", m);
-	column = (level * INDENT_MULT) + strlen(m) + 2;
-	level++;
-    } else {
-	SECU_Indent(out, level); 
-	column = level*INDENT_MULT;
-    }
-    fprintf(out, "\""); column++;
-
-    for (i = 0; i < si->len; i++) {
-	unsigned char val = si->data[i];
-	if (column > 76) {
-	    secu_Newline(out);
-	    SECU_Indent(out, level); column = level*INDENT_MULT;
-	}
-
-	fprintf(out,"%c", printable[val]); column++;
-    }
-
-    fprintf(out, "\""); column++;
-    if (column != level*INDENT_MULT || column > 76) {
-	secu_Newline(out);
-    }
-}
-
-void
-SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
-{
-    SECItem my = *si;
-
-    if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len)
-    	return;
-    secu_PrintRawString(out, &my, m, level);
-}
-
-/* print an unencoded boolean */
-static void
-secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level)
-{
-    int val = 0;
-    
-    if ( i->data && i->len ) {
-	val = i->data[0];
-    }
-
-    if (!m) {
-    	m = "Boolean";
-    }
-    SECU_Indent(out, level); 
-    fprintf(out, "%s: %s\n", m, (val ? "True" : "False"));
-}
-
-/*
- * Format and print "time".  If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
-static void
-secu_PrintTime(FILE *out, int64 time, char *m, int level)
-{
-    PRExplodedTime printableTime; 
-    char *timeString;
-
-    /* Convert to local time */
-    PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
-
-    timeString = PORT_Alloc(256);
-    if (timeString == NULL)
-	return;
-
-    if (m != NULL) {
-	SECU_Indent(out, level);
-	fprintf(out, "%s: ", m);
-    }
-
-    if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
-        fprintf(out, timeString);
-    }
-
-    if (m != NULL)
-	fprintf(out, "\n");
-
-    PORT_Free(timeString);
-}
-
-/*
- * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
-void
-SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
-{
-    int64 time;
-    SECStatus rv;
-
-    rv = DER_UTCTimeToTime(&time, t);
-    if (rv != SECSuccess)
-	return;
-
-    secu_PrintTime(out, time, m, level);
-}
-
-/*
- * Format and print the Generalized Time "t".  If the tag message "m"
- * is not NULL, * do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-void
-SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
-{
-    int64 time;
-    SECStatus rv;
-
-
-    rv = DER_GeneralizedTimeToTime(&time, t);
-    if (rv != SECSuccess)
-	return;
-
-    secu_PrintTime(out, time, m, level);
-}
-
-/*
- * Format and print the UTC or Generalized Time "t".  If the tag message
- * "m" is not NULL, do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-void
-SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
-{
-    switch (t->type) {
-        case siUTCTime:
-            SECU_PrintUTCTime(out, t, m, level);
-            break;
-
-        case siGeneralizedTime:
-            SECU_PrintGeneralizedTime(out, t, m, level);
-            break;
-
-        default:
-            PORT_Assert(0);
-            break;
-    }
-}
-
-
-/* This prints a SET or SEQUENCE */
-void
-SECU_PrintSet(FILE *out, SECItem *t, char *m, int level)
-{
-    int            type        = t->data[0] & SEC_ASN1_TAGNUM_MASK;
-    int            constructed = t->data[0] & SEC_ASN1_CONSTRUCTED;
-    const char *   label;
-    SECItem        my          = *t;
-
-    if (!constructed) {
-	SECU_PrintAsHex(out, t, m, level);
-        return;
-    }
-    if (SECSuccess != SECU_StripTagAndLength(&my))
-    	return;
-
-    SECU_Indent(out, level);
-    if (m) {
-    	fprintf(out, "%s: ", m);
-    }
-
-    if (type == SEC_ASN1_SET)
-    	label = "Set ";
-    else if (type == SEC_ASN1_SEQUENCE)
-    	label = "Sequence ";
-    else
-    	label = "";
-    fprintf(out,"%s{\n", label); /* } */
-
-    while (my.len >= 2) {
-	SECItem  tmp = my;
-
-        if (tmp.data[1] & 0x80) {
-	    unsigned int i;
-	    unsigned int lenlen = tmp.data[1] & 0x7f;
-	    if (lenlen > sizeof tmp.len)
-	        break;
-	    tmp.len = 0;
-	    for (i=0; i < lenlen; i++) {
-		tmp.len = (tmp.len << 8) | tmp.data[2+i];
-	    }
-	    tmp.len += lenlen + 2;
-	} else {
-	    tmp.len = tmp.data[1] + 2;
-	}
-	if (tmp.len > my.len) {
-	    tmp.len = my.len;
-	}
-	my.data += tmp.len;
-	my.len  -= tmp.len;
-	SECU_PrintAny(out, &tmp, NULL, level + 1);
-    }
-    SECU_Indent(out, level); fprintf(out, /* { */ "}\n");
-}
-
-static void
-secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level)
-{
-    int type        = i->data[0] & SEC_ASN1_TAGNUM_MASK;
-    int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED;
-    SECItem tmp;
-
-    if (constructed) {
-	char * m2;
-	if (!m) 
-	    m2 = PR_smprintf("[%d]", type);
-	else
-	    m2 = PR_smprintf("%s: [%d]", m, type);
-	if (m2) {
-	    SECU_PrintSet(out, i, m2, level);
-	    PR_smprintf_free(m2);
-	}
-	return;
-    }
-
-    SECU_Indent(out, level);
-    if (m) {
-    	fprintf(out, "%s: ", m);
-    }
-    fprintf(out,"[%d]\n", type);
-
-    tmp = *i;
-    if (SECSuccess == SECU_StripTagAndLength(&tmp))
-	SECU_PrintAsHex(out, &tmp, m, level+1);
-}
-
-static void
-secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level)
-{
-    SECItem tmp = *i;
-    if (SECSuccess == SECU_StripTagAndLength(&tmp))
-	SECU_PrintAsHex(out, &tmp, m, level);
-}
-
-static void
-secu_PrintBitString(FILE *out, SECItem *i, char *m, int level)
-{
-    int unused_bits;
-    SECItem tmp = *i;
-
-    if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2)
-    	return;
-
-    unused_bits = *tmp.data++;
-    tmp.len--;
-
-    SECU_PrintAsHex(out, &tmp, m, level);
-    if (unused_bits) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
-    }
-}
-
-/* in a decoded bit string, the len member is a bit length. */
-static void
-secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level)
-{
-    int unused_bits;
-    SECItem tmp = *i;
-
-
-    unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0;
-    DER_ConvertBitString(&tmp); /* convert length to byte length */
-
-    SECU_PrintAsHex(out, &tmp, m, level);
-    if (unused_bits) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "(%d least significant bits unused)\n", unused_bits);
-    }
-}
-
-
-/* Print a DER encoded Boolean */
-void
-SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level)
-{
-    SECItem my    = *i;
-    if (SECSuccess == SECU_StripTagAndLength(&my))
-	secu_PrintBoolean(out, &my, m, level);
-}
-
-/* Print a DER encoded integer */
-void
-SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level)
-{
-    SECItem my    = *i;
-    if (SECSuccess == SECU_StripTagAndLength(&my))
-	SECU_PrintInteger(out, &my, m, level);
-}
-
-/* Print a DER encoded OID */
-void
-SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level)
-{
-    SECItem my    = *i;
-    if (SECSuccess == SECU_StripTagAndLength(&my))
-	SECU_PrintObjectID(out, &my, m, level);
-}
-
-static void
-secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level)
-{
-    unsigned char * s;
-    unsigned char * d;
-    int      len;
-    SECItem  tmp = {0, 0, 0};
-    SECItem  my  = *i;
-
-    if (SECSuccess != SECU_StripTagAndLength(&my))
-	goto loser;
-    if (my.len % 2) 
-    	goto loser;
-    len = (int)(my.len / 2);
-    tmp.data = (unsigned char *)PORT_Alloc(len);
-    if (!tmp.data)
-    	goto loser;
-    tmp.len = len;
-    for (s = my.data, d = tmp.data ; len > 0; len--) {
-    	PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2;
-	if (!isprint(bmpChar))
-	    goto loser;
-	*d++ = (unsigned char)bmpChar;
-    }
-    secu_PrintRawString(out, &tmp, m, level);
-    PORT_Free(tmp.data);
-    return;
-
-loser:
-    SECU_PrintAsHex(out, i, m, level);
-    if (tmp.data)
-	PORT_Free(tmp.data);
-}
-
-static void
-secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level)
-{
-    unsigned char * s;
-    unsigned char * d;
-    int      len;
-    SECItem  tmp = {0, 0, 0};
-    SECItem  my  = *i;
-
-    if (SECSuccess != SECU_StripTagAndLength(&my))
-	goto loser;
-    if (my.len % 4) 
-    	goto loser;
-    len = (int)(my.len / 4);
-    tmp.data = (unsigned char *)PORT_Alloc(len);
-    if (!tmp.data)
-    	goto loser;
-    tmp.len = len;
-    for (s = my.data, d = tmp.data ; len > 0; len--) {
-    	PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
-	s += 4;
-	if (!isprint(bmpChar))
-	    goto loser;
-	*d++ = (unsigned char)bmpChar;
-    }
-    secu_PrintRawString(out, &tmp, m, level);
-    PORT_Free(tmp.data);
-    return;
-
-loser:
-    SECU_PrintAsHex(out, i, m, level);
-    if (tmp.data)
-	PORT_Free(tmp.data);
-}
-
-static void
-secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level)
-{
-	switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) {
-	  case SEC_ASN1_ENUMERATED:
-	  case SEC_ASN1_INTEGER:
-	    SECU_PrintEncodedInteger(out, i, m, level);
-	    break;
-	  case SEC_ASN1_OBJECT_ID:
-	    SECU_PrintEncodedObjectID(out, i, m, level);
-	    break;
-	  case SEC_ASN1_BOOLEAN:
-	    SECU_PrintEncodedBoolean(out, i, m, level);
-	    break;
-	  case SEC_ASN1_UTF8_STRING:
-	  case SEC_ASN1_PRINTABLE_STRING:
-	  case SEC_ASN1_VISIBLE_STRING:
-	  case SEC_ASN1_IA5_STRING:
-	  case SEC_ASN1_T61_STRING:
-	    SECU_PrintString(out, i, m, level);
-	    break;
-	  case SEC_ASN1_GENERALIZED_TIME:
-	    SECU_PrintGeneralizedTime(out, i, m, level);
-	    break;
-	  case SEC_ASN1_UTC_TIME:
-	    SECU_PrintUTCTime(out, i, m, level);
-	    break;
-	  case SEC_ASN1_NULL:
-	    SECU_Indent(out, level); 
-	    if (m && m[0]) 
-	      fprintf(out, "%s: NULL\n", m);
-	    else
-	      fprintf(out, "NULL\n");
-	    break;
-          case SEC_ASN1_SET:
-          case SEC_ASN1_SEQUENCE:
-	    SECU_PrintSet(out, i, m, level);
-	    break;
-	  case SEC_ASN1_OCTET_STRING:
-	    secu_PrintOctetString(out, i, m, level);
-	    break;
-	  case SEC_ASN1_BIT_STRING:
-	    secu_PrintBitString(out, i, m, level);
-	    break;
-	  case SEC_ASN1_BMP_STRING:
-	    secu_PrintBMPString(out, i, m, level);
-	    break;
-	  case SEC_ASN1_UNIVERSAL_STRING:
-	    secu_PrintUniversalString(out, i, m, level);
-	    break;
-	  default:
-	    SECU_PrintAsHex(out, i, m, level);
-	    break;
-	}
-}
-
-void
-SECU_PrintAny(FILE *out, SECItem *i, char *m, int level)
-{
-    if ( i && i->len && i->data ) {
-	switch (i->data[0] & SEC_ASN1_CLASS_MASK) {
-	case SEC_ASN1_CONTEXT_SPECIFIC:
-	    secu_PrintContextSpecific(out, i, m, level);
-	    break;
-	case SEC_ASN1_UNIVERSAL:
-	    secu_PrintUniversal(out, i, m, level);
-	    break;
-	default:
-	    SECU_PrintAsHex(out, i, m, level);
-	    break;
-	}
-    }
-}
-
-static int
-secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level)
-{
-    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
-    SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1);
-    SECU_PrintTimeChoice(out, &v->notAfter,  "Not After ", level+1);
-    return 0;
-}
-
-/* This function does NOT expect a DER type and length. */
-SECOidTag
-SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level)
-{
-    SECOidData *oiddata;
-    char *      oidString = NULL;
-    
-    oiddata = SECOID_FindOID(oid);
-    if (oiddata != NULL) {
-	const char *name = oiddata->desc;
-	SECU_Indent(out, level);
-	if (m != NULL)
-	    fprintf(out, "%s: ", m);
-	fprintf(out, "%s\n", name);
-	return oiddata->offset;
-    } 
-    oidString = CERT_GetOidString(oid);
-    if (oidString) {
-	SECU_Indent(out, level);
-	if (m != NULL)
-	    fprintf(out, "%s: ", m);
-	fprintf(out, "%s\n", oidString);
-	PR_smprintf_free(oidString);
-	return SEC_OID_UNKNOWN;
-    }
-    SECU_PrintAsHex(out, oid, m, level);
-    return SEC_OID_UNKNOWN;
-}
-
-typedef struct secuPBEParamsStr {
-    SECItem salt;
-    SECItem iterationCount;
-    SECItem keyLength;
-    SECAlgorithmID cipherAlg;
-    SECAlgorithmID kdfAlg;
-} secuPBEParams;
-
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate);
-
-/* SECOID_PKCS5_PBKDF2 */
-const SEC_ASN1Template secuKDF2Params[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { 0 }
-};
-
-/* PKCS5v1 & PKCS12 */
-const SEC_ASN1Template secuPBEParamsTemp[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-    { 0 }
-};
-
-/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
-const SEC_ASN1Template secuPBEV2Params[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams)},
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { 0 }
-};
-
-void
-secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
-{
-    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    SECStatus rv;
-    secuPBEParams param;
-
-    if (m) {
-	SECU_Indent(out, level);
-	fprintf (out, "%s:\n", m);
-    }
-
-    if (!pool) {
-	SECU_Indent(out, level);
-	fprintf(out, "Out of memory\n");
-	return;
-    }
-
-    PORT_Memset(&param, 0, sizeof param);
-    rv = SEC_QuickDERDecodeItem(pool, &param, secuKDF2Params, value);
-    if (rv == SECSuccess) {
-	SECU_PrintAsHex(out, &param.salt, "Salt", level+1);
-	SECU_PrintInteger(out, &param.iterationCount, "Iteration Count", 
-			level+1);
-	SECU_PrintInteger(out, &param.keyLength, "Key Length", level+1);
-	SECU_PrintAlgorithmID(out, &param.kdfAlg, "KDF algorithm", level+1);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-void
-secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level)
-{
-    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    SECStatus rv;
-    secuPBEParams param;
-
-    if (m) {
-	SECU_Indent(out, level);
-	fprintf (out, "%s:\n", m);
-    }
-
-    if (!pool) {
-	SECU_Indent(out, level);
-	fprintf(out, "Out of memory\n");
-	return;
-    }
-
-    PORT_Memset(&param, 0, sizeof param);
-    rv = SEC_QuickDERDecodeItem(pool, &param, secuPBEV2Params, value);
-    if (rv == SECSuccess) {
-	SECU_PrintAlgorithmID(out, &param.kdfAlg, "KDF", level+1);
-	SECU_PrintAlgorithmID(out, &param.cipherAlg, "Cipher", level+1);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-void
-secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level)
-{
-    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    SECStatus rv;
-    secuPBEParams param;
-
-    if (m) {
-	SECU_Indent(out, level);
-	fprintf (out, "%s:\n", m);
-    }
-
-    if (!pool) {
-	SECU_Indent(out, level);
-	fprintf(out, "Out of memory\n");
-	return;
-    }
-
-    PORT_Memset(&param, 0, sizeof(secuPBEParams));
-    rv = SEC_QuickDERDecodeItem(pool, &param, secuPBEParamsTemp, value);
-    if (rv == SECSuccess) {
-	SECU_PrintAsHex(out, &param.salt, "Salt", level+1);
-	SECU_PrintInteger(out, &param.iterationCount, "Iteration Count", 
-			level+1);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-/* This function does NOT expect a DER type and length. */
-void
-SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
-{
-    SECOidTag algtag;
-    SECU_PrintObjectID(out, &a->algorithm, m, level);
-
-    algtag = SECOID_GetAlgorithmTag(a);
-    if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) {
-	switch (algtag) {
-	case SEC_OID_PKCS5_PBKDF2:
-	    secu_PrintKDF2Params(out, &a->parameters, "Parameters", level+1);
-	    break;
-	case SEC_OID_PKCS5_PBES2:
-	    secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level+1);
-	    break;
-	case SEC_OID_PKCS5_PBMAC1:
-	    secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1);
-	    break;
-	default:
-	    secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1);
-	    break;
-	}
-	return;
-    }
-	
-
-    if (a->parameters.len == 0
-	|| (a->parameters.len == 2
-	    && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
-	/* No arguments or NULL argument */
-    } else {
-	/* Print args to algorithm */
-	SECU_PrintAsHex(out, &a->parameters, "Args", level+1);
-    }
-}
-
-static void
-secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
-{
-    SECItem *value;
-    int i;
-    char om[100];
-
-    if (m) {
-    	SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    }
-
-    /*
-     * Should make this smarter; look at the type field and then decode
-     * and print the value(s) appropriately!
-     */
-    SECU_PrintObjectID(out, &(attr->type), "Type", level+1);
-    if (attr->values != NULL) {
-	i = 0;
-	while ((value = attr->values[i++]) != NULL) {
-	    sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : ""); 
-	    if (attr->encoded || attr->typeTag == NULL) {
-		SECU_PrintAny(out, value, om, level+1);
-	    } else {
-		switch (attr->typeTag->offset) {
-		  default:
-		    SECU_PrintAsHex(out, value, om, level+1);
-		    break;
-		  case SEC_OID_PKCS9_CONTENT_TYPE:
-		    SECU_PrintObjectID(out, value, om, level+1);
-		    break;
-		  case SEC_OID_PKCS9_SIGNING_TIME:
-		    SECU_PrintTimeChoice(out, value, om, level+1);
-		    break;
-		}
-	    }
-	}
-    }
-}
-
-static void
-secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
-{
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
-    SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
-    if (pk->u.rsa.publicExponent.len == 1 &&
-        pk->u.rsa.publicExponent.data[0] == 1) {
-	SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n");
-    }
-}
-
-static void
-secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
-{
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1);
-    SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1);
-    SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1);
-    SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1);
-}
-
-#ifdef NSS_ENABLE_ECC
-static void
-secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
-{
-    SECItem curveOID = { siBuffer, NULL, 0};
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
-    /* For named curves, the DEREncodedParams field contains an
-     * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID).
-     */
-    if ((pk->u.ec.DEREncodedParams.len > 2) &&
-	(pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
-        curveOID.len = pk->u.ec.DEREncodedParams.data[1];
-	curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
-	SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
-    }
-}
-#endif /* NSS_ENABLE_ECC */
-
-static void
-secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
-		       CERTSubjectPublicKeyInfo *i,  char *msg, int level)
-{
-    SECKEYPublicKey *pk;
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", msg);
-    SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1);
-
-    pk = SECKEY_ExtractPublicKey(i);
-    if (pk) {
-	switch (pk->keyType) {
-	case rsaKey:
-	    secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
-	    break;
-
-	case dsaKey:
-	    secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1);
-	    break;
-
-#ifdef NSS_ENABLE_ECC
-	case ecKey:
-	    secu_PrintECPublicKey(out, pk, "EC Public Key", level +1);
-	    break;
-#endif
-
-	case dhKey:
-	case fortezzaKey:
-	case keaKey:
-	    SECU_Indent(out, level);
-    	    fprintf(out, "unable to format this SPKI algorithm type\n");
-	    goto loser;
-	default:
-	    SECU_Indent(out, level);
-	    fprintf(out, "unknown SPKI algorithm type\n");
-	    goto loser;
-	}
-	PORT_FreeArena(pk->arena, PR_FALSE);
-    } else {
-	SECU_PrintErrMsg(out, level, "Error", "Parsing public key");
-loser:
-	if (i->subjectPublicKey.data) {
-	    SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level);
-	}
-    }
-}
-
-static SECStatus
-secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level)
-{
-    SECItem decodedValue;
-    SECStatus rv;
-    int64 invalidTime;
-    char *formattedTime = NULL;
-
-    decodedValue.data = NULL;
-    rv = SEC_ASN1DecodeItem (NULL, &decodedValue, 
-			    SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
-			    value);
-    if (rv == SECSuccess) {
-	rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
-	if (rv == SECSuccess) {
-	    formattedTime = CERT_GenTime2FormattedAscii
-			    (invalidTime, "%a %b %d %H:%M:%S %Y");
-	    SECU_Indent(out, level +1);
-	    fprintf (out, "%s: %s\n", msg, formattedTime);
-	    PORT_Free (formattedTime);
-	}
-    }
-    PORT_Free (decodedValue.data);
-    return (rv);
-}
-
-static SECStatus
-PrintExtKeyUsageExtension  (FILE *out, SECItem *value, char *msg, int level)
-{
-    CERTOidSequence *os;
-    SECItem **op;
-
-    os = CERT_DecodeOidSequence(value);
-    if( (CERTOidSequence *)NULL == os ) {
-	return SECFailure;
-    }
-
-    for( op = os->oids; *op; op++ ) {
-	SECU_PrintObjectID(out, *op, msg, level + 1);
-    }
-    CERT_DestroyOidSequence(os);
-    return SECSuccess;
-}
-
-static SECStatus
-secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) {
-    CERTBasicConstraints constraints;
-    SECStatus rv;
-
-    SECU_Indent(out, level);
-    if (msg) {
-	    fprintf(out,"%s: ",msg);
-    } 
-    rv = CERT_DecodeBasicConstraintValue(&constraints,value);
-    if (rv == SECSuccess && constraints.isCA) {
-	if (constraints.pathLenConstraint >= 0) {
-	    fprintf(out,"Is a CA with a maximum path length of %d.\n",
-			constraints.pathLenConstraint);
-    	} else {
-	    fprintf(out,"Is a CA with no maximum path length.\n");
-	}
-    } else  {
-	fprintf(out,"Is not a CA.\n");
-    }
-    return SECSuccess;
-}
-
-static const char * const nsTypeBits[] = {
-    "SSL Client",
-    "SSL Server",
-    "S/MIME",
-    "Object Signing",
-    "Reserved",
-    "SSL CA",
-    "S/MIME CA",
-    "ObjectSigning CA" 
-};
-
-/* NSCertType is merely a bit string whose bits are displayed symbolically */
-static SECStatus
-secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) 
-{
-    int     unused;
-    int     NS_Type;
-    int     i;
-    int     found   = 0;
-    SECItem my      = *value;
-
-    if ((my.data[0] != SEC_ASN1_BIT_STRING) || 
-        SECSuccess != SECU_StripTagAndLength(&my)) {
-	SECU_PrintAny(out, value, "Data", level);
-	return SECSuccess;
-    }
-
-    unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0;  
-    NS_Type = my.data[1] & (0xff << unused);
-	
-
-    SECU_Indent(out, level);
-    if (msg) {
-	fprintf(out,"%s: ",msg);
-    } else {
-	fprintf(out,"Netscape Certificate Type: ");
-    }
-    for (i=0; i < 8; i++) {
-	if ( (0x80 >> i) & NS_Type) {
-	    fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]);
-	    found = 1;
-	}
-    }
-    fprintf(out, (found ? ">\n" : "none\n"));
-    return SECSuccess;
-}
-
-static const char * const usageBits[] = {
-    "Digital Signature",   /* 0x80 */
-    "Non-Repudiation",     /* 0x40 */
-    "Key Encipherment",    /* 0x20 */
-    "Data Encipherment",   /* 0x10 */
-    "Key Agreement",       /* 0x08 */
-    "Certificate Signing", /* 0x04 */
-    "CRL Signing",         /* 0x02 */
-    "Encipher Only",       /* 0x01 */
-    "Decipher Only",       /* 0x0080 */ 
-    NULL
-};
-
-/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */
-static void
-secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) 
-{
-    int     unused;
-    int     usage;
-    int     i;
-    int     found   = 0;
-    SECItem my      = *value;
-
-    if ((my.data[0] != SEC_ASN1_BIT_STRING) || 
-        SECSuccess != SECU_StripTagAndLength(&my)) {
-	SECU_PrintAny(out, value, "Data", level);
-	return;
-    }
-
-    unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0;  
-    usage  = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8
-                           : (my.data[1] << 8) | 
-			     (my.data[2] & (0xff << unused));
-
-    SECU_Indent(out, level);
-    fprintf(out, "Usages: ");
-    for (i=0; usageBits[i]; i++) {
-	if ( (0x8000 >> i) & usage) {
-	    if (found)
-		SECU_Indent(out, level + 2);
-	    fprintf(out, "%s\n", usageBits[i]);
-	    found = 1;
-	}
-    }
-    if (!found) {
-	fprintf(out, "(none)\n");
-    }
-}
-
-static void
-secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level)
-{
-    PRStatus   st;
-    PRNetAddr  addr;
-    char       addrBuf[80];
-
-    memset(&addr, 0, sizeof addr);
-    if (value->len == 4) {
-	addr.inet.family = PR_AF_INET;
-	memcpy(&addr.inet.ip, value->data, value->len);
-    } else if (value->len == 16) {
-	addr.ipv6.family = PR_AF_INET6;
-	memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len);
-	if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) {
-	    /* convert to IPv4.  */
-	    addr.inet.family = PR_AF_INET;
-	    memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4);
-	    memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad);
-	}
-    } else {
-	goto loser;
-    }
-
-    st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf);
-    if (st == PR_SUCCESS) {
-	SECU_Indent(out, level);
-	fprintf(out, "%s: %s\n", msg, addrBuf);
-    } else {
-loser:
-	SECU_PrintAsHex(out, value, msg, level);
-    }
-}
-
-
-static void
-secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) 
-{
-    char label[40];
-    if (msg && msg[0]) {
-    	SECU_Indent(out, level++); fprintf(out, "%s: \n", msg);
-    }
-    switch (gname->type) {
-    case certOtherName :
-	SECU_PrintAny(     out, &gname->name.OthName.name, "Other Name", level);
-	SECU_PrintObjectID(out, &gname->name.OthName.oid,  "OID",      level+1);
-	break;
-    case certDirectoryName :
-	SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level);
-	break;
-    case certRFC822Name :
-	secu_PrintRawString(   out, &gname->name.other, "RFC822 Name", level);
-	break;
-    case certDNSName :
-	secu_PrintRawString(   out, &gname->name.other, "DNS name", level);
-	break;
-    case certURI :
-	secu_PrintRawString(   out, &gname->name.other, "URI", level);
-	break;
-    case certIPAddress :
-	secu_PrintIPAddress(out, &gname->name.other, "IP Address", level);
-	break;
-    case certRegisterID :
-	SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level);
-	break;
-    case certX400Address :
-	SECU_PrintAny(      out, &gname->name.other, "X400 Address", level);
-	break;
-    case certEDIPartyName :
-	SECU_PrintAny(      out, &gname->name.other, "EDI Party", level);
-	break;
-    default:
-	PR_snprintf(label, sizeof label, "unknown type [%d]", 
-	                                (int)gname->type - 1);
-	SECU_PrintAsHex(out, &gname->name.other, label, level);
-	break;
-    }
-}
-
-static void
-secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level) 
-{
-    CERTGeneralName *name = gname;
-    do { 
-    	secu_PrintGeneralName(out, name, msg, level);
-	name = CERT_GetNextGeneralName(name);
-    } while (name && name != gname);
-}
-
-
-static void
-secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) 
-{
-    CERTAuthKeyID *kid  = NULL;
-    PLArenaPool   *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if (!pool) {
-	SECU_PrintError("Error", "Allocating new ArenaPool");
-	return;
-    }
-    kid = CERT_DecodeAuthKeyID(pool, value);
-    if (!kid) {
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-	SECU_PrintAny(out, value, "Data", level);
-    } else {
-	int keyIDPresent  = (kid->keyID.data && kid->keyID.len);
-	int issuerPresent = kid->authCertIssuer != NULL;
-	int snPresent = (kid->authCertSerialNumber.data &&
-	                 kid->authCertSerialNumber.len);
-
-	if (keyIDPresent)
-	    SECU_PrintAsHex(out, &kid->keyID, "Key ID", level);
-	if (issuerPresent)
-	    secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level);
-	if (snPresent)
-	    SECU_PrintInteger(out, &kid->authCertSerialNumber, 
-	                    "Serial Number", level);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-
-static void
-secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level)
-{
-    CERTGeneralName * nameList;
-    CERTGeneralName * current;
-    PLArenaPool     * pool      = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if (!pool) {
-	SECU_PrintError("Error", "Allocating new ArenaPool");
-	return;
-    }
-    nameList = current = CERT_DecodeAltNameExtension(pool, value);
-    if (!current) {
-	if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
-	    /* Decoder found empty sequence, which is invalid. */
-	    PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
-	}
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-	SECU_PrintAny(out, value, "Data", level);
-    } else {
-	do {
-	    secu_PrintGeneralName(out, current, msg, level);
-	    current = CERT_GetNextGeneralName(current);
-	} while (current != nameList);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-static void
-secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level)
-{
-    CERTCrlDistributionPoints * dPoints;
-    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if (!pool) {
-	SECU_PrintError("Error", "Allocating new ArenaPool");
-	return;
-    }
-    dPoints = CERT_DecodeCRLDistributionPoints(pool, value);
-    if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) {
-	CRLDistributionPoint ** pPoints = dPoints->distPoints;
-	CRLDistributionPoint *  pPoint;
-	while (NULL != (pPoint = *pPoints++)) {
-	    if (pPoint->distPointType == generalName && 
-	        pPoint->distPoint.fullName != NULL) {
-		secu_PrintGeneralNames(out, pPoint->distPoint.fullName, NULL,
-		                       level);
-	    } else if (pPoint->distPointType == relativeDistinguishedName &&
-	               pPoint->distPoint.relativeName.avas) {
-		SECU_PrintRDN(out, &pPoint->distPoint.relativeName, "RDN", 
-		              level);
-	    } else if (pPoint->derDistPoint.data) {
-		SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level);
-	    }
-	    if (pPoint->reasons.data) {
-		secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", 
-		                           level);
-	    }
-	    if (pPoint->crlIssuer) {
-		secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level);
-	    }
-	}
-    } else {
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-	SECU_PrintAny(out, value, "Data", level);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-
-static void
-secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, 
-                                char *msg, int level)
-{
-    CERTNameConstraint *head = value;
-    SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg);
-    level++;
-    do {
-	secu_PrintGeneralName(out, &value->name, NULL, level);
-	if (value->min.data)
-	    SECU_PrintInteger(out, &value->min, "Minimum", level+1);
-	if (value->max.data)
-	    SECU_PrintInteger(out, &value->max, "Maximum", level+1);
-	value = CERT_GetNextNameConstraint(value);
-    } while (value != head);
-}
-
-static void
-secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level)
-{
-    CERTNameConstraints * cnstrnts;
-    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if (!pool) {
-	SECU_PrintError("Error", "Allocating new ArenaPool");
-	return;
-    }
-    cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value);
-    if (!cnstrnts) {
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-    	SECU_PrintAny(out, value, "Raw", level);
-    } else {
-	if (cnstrnts->permited)
-	    secu_PrintNameConstraintSubtree(out, cnstrnts->permited, 
-	                                    "Permitted", level);
-	if (cnstrnts->excluded)
-	    secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, 
-	                                    "Excluded", level);
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-
-static void
-secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level)
-{
-    CERTAuthInfoAccess **infos = NULL;
-    PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-
-    if (!pool) {
-	SECU_PrintError("Error", "Allocating new ArenaPool");
-	return;
-    }
-    infos = CERT_DecodeAuthInfoAccessExtension(pool, value);
-    if (!infos) {
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-    	SECU_PrintAny(out, value, "Raw", level);
-    } else {
-	CERTAuthInfoAccess *info;
-	while (NULL != (info = *infos++)) {
-	    if (info->method.data) {
-		SECU_PrintObjectID(out, &info->method, "Method", level);
-	    } else {
-	    	SECU_Indent(out,level);
-		fprintf(out, "Error: missing method\n");
-	    }
-	    if (info->location) {
-		secu_PrintGeneralName(out, info->location, "Location", level);
-	    } else {
-		SECU_PrintAny(out, &info->derLocation, "Location", level);
-	    }
-	}
-    }
-    PORT_FreeArena(pool, PR_FALSE);
-}
-
-
-void
-SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
-		     char *msg, int level)
-{
-    SECOidTag oidTag;
-    
-    if ( extensions ) {
-	if (msg && *msg) {
-	    SECU_Indent(out, level++); fprintf(out, "%s:\n", msg);
-	}
-	
-	while ( *extensions ) {
-	    SECItem *tmpitem;
-
-	    tmpitem = &(*extensions)->id;
-	    SECU_PrintObjectID(out, tmpitem, "Name", level);
-
-	    tmpitem = &(*extensions)->critical;
-	    if ( tmpitem->len ) {
-		secu_PrintBoolean(out, tmpitem, "Critical", level);
-	    }
-
-	    oidTag = SECOID_FindOIDTag (&((*extensions)->id));
-	    tmpitem = &((*extensions)->value);
-
-	    switch (oidTag) {
-	      	case SEC_OID_X509_INVALID_DATE:
-		case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
-		   secu_PrintX509InvalidDate(out, tmpitem, "Date", level );
-		   break;
-		case SEC_OID_X509_CERTIFICATE_POLICIES:
-		   SECU_PrintPolicy(out, tmpitem, "Data", level );
-		   break;
-		case SEC_OID_NS_CERT_EXT_BASE_URL:
-		case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-		case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-		case SEC_OID_NS_CERT_EXT_CA_CRL_URL:
-		case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
-		case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-		case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-		case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
-		case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-		case SEC_OID_OCSP_RESPONDER:
-		    SECU_PrintString(out,tmpitem, "URL", level);
-		    break;
-		case SEC_OID_NS_CERT_EXT_COMMENT:
-		    SECU_PrintString(out,tmpitem, "Comment", level);
-		    break;
-		case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-		    SECU_PrintString(out,tmpitem, "ServerName", level);
-		    break;
-		case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-		    secu_PrintNSCertType(out,tmpitem,"Data",level);
-		    break;
-		case SEC_OID_X509_BASIC_CONSTRAINTS:
-		    secu_PrintBasicConstraints(out,tmpitem,"Data",level);
-		    break;
-		case SEC_OID_X509_EXT_KEY_USAGE:
-		    PrintExtKeyUsageExtension(out, tmpitem, NULL, level);
-		    break;
-		case SEC_OID_X509_KEY_USAGE:
-		    secu_PrintX509KeyUsage(out, tmpitem, NULL, level );
-		    break;
-		case SEC_OID_X509_AUTH_KEY_ID:
-		    secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level );
-		    break;
-		case SEC_OID_X509_SUBJECT_ALT_NAME:
-		case SEC_OID_X509_ISSUER_ALT_NAME:
-		    secu_PrintAltNameExtension(out, tmpitem, NULL, level );
-		    break;
-		case SEC_OID_X509_CRL_DIST_POINTS:
-		    secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level );
-		    break;
-		case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD:
-		    SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, 
-							level );
-		    break;
-		case SEC_OID_X509_NAME_CONSTRAINTS:
-		    secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level);
-		    break;
-		case SEC_OID_X509_AUTH_INFO_ACCESS:
-		    secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level);
-		    break;
-
-		case SEC_OID_X509_CRL_NUMBER:
-		case SEC_OID_X509_REASON_CODE:
-
-		/* PKIX OIDs */
-		case SEC_OID_PKIX_OCSP:
-		case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
-		case SEC_OID_PKIX_OCSP_NONCE:
-		case SEC_OID_PKIX_OCSP_CRL:
-		case SEC_OID_PKIX_OCSP_RESPONSE:
-		case SEC_OID_PKIX_OCSP_NO_CHECK:
-		case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF:
-		case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR:
-		case SEC_OID_PKIX_REGCTRL_REGTOKEN:
-		case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
-		case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
-		case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-		case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
-		case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
-		case SEC_OID_PKIX_REGINFO_UTF8_PAIRS:
-		case SEC_OID_PKIX_REGINFO_CERT_REQUEST:
-
-	        /* Netscape extension OIDs. */
-		case SEC_OID_NS_CERT_EXT_NETSCAPE_OK:
-		case SEC_OID_NS_CERT_EXT_ISSUER_LOGO:
-		case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO:
-		case SEC_OID_NS_CERT_EXT_ENTITY_LOGO:
-		case SEC_OID_NS_CERT_EXT_USER_PICTURE:
-
-		/* x.509 v3 Extensions */
-		case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR:
-		case SEC_OID_X509_SUBJECT_KEY_ID:
-		case SEC_OID_X509_POLICY_MAPPINGS:
-		case SEC_OID_X509_POLICY_CONSTRAINTS:
-
-
-	        default:
-		    SECU_PrintAny(out, tmpitem, "Data", level);
-		break;
-	    }
-
-	    secu_Newline(out);
-	    extensions++;
-	}
-    }
-}
-
-/* An RDN is a subset of a DirectoryName, and we already know how to
- * print those, so make a directory name out of the RDN, and print it.
- */
-void
-SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level)
-{
-    CERTName name;
-    CERTRDN *rdns[2];
-
-    name.arena = NULL;
-    name.rdns  = rdns;
-    rdns[0] = rdn;
-    rdns[1] = NULL;
-    SECU_PrintName(out, &name, msg, level);
-}
-
-void
-SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
-{
-    char *nameStr = NULL;
-    char *str;
-    SECItem my;
-
-    if (!name) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return;
-    }
-    if (!name->rdns || !name->rdns[0]) {
-	str = "(empty)";
-    } else {
-	str = nameStr = CERT_NameToAscii(name);
-    }
-    if (!str) {
-    	str = "!Invalid AVA!";
-    }
-    my.data = (unsigned char *)str;
-    my.len  = PORT_Strlen(str);
-#if 1
-    secu_PrintRawString(out, &my, msg, level);
-#else
-    SECU_Indent(out, level); fprintf(out, "%s: ", msg);
-    fprintf(out, str);
-    secu_Newline(out);
-#endif
-    PORT_Free(nameStr);
-}
-
-void
-printflags(char *trusts, unsigned int flags)
-{
-    if (flags & CERTDB_VALID_CA)
-	if (!(flags & CERTDB_TRUSTED_CA) &&
-	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
-	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
-	if (!(flags & CERTDB_TRUSTED))
-	    PORT_Strcat(trusts, "p");
-    if (flags & CERTDB_TRUSTED_CA)
-	PORT_Strcat(trusts, "C");
-    if (flags & CERTDB_TRUSTED_CLIENT_CA)
-	PORT_Strcat(trusts, "T");
-    if (flags & CERTDB_TRUSTED)
-	PORT_Strcat(trusts, "P");
-    if (flags & CERTDB_USER)
-	PORT_Strcat(trusts, "u");
-    if (flags & CERTDB_SEND_WARN)
-	PORT_Strcat(trusts, "w");
-    if (flags & CERTDB_INVISIBLE_CA)
-	PORT_Strcat(trusts, "I");
-    if (flags & CERTDB_GOVT_APPROVED_CA)
-	PORT_Strcat(trusts, "G");
-    return;
-}
-
-/* callback for listing certs through pkcs11 */
-SECStatus
-SECU_PrintCertNickname(CERTCertListNode *node, void *data)
-{
-    CERTCertTrust *trust;
-    CERTCertificate* cert;
-    FILE *out;
-    char trusts[30];
-    char *name;
-
-    cert = node->cert;
-
-    PORT_Memset (trusts, 0, sizeof (trusts));
-    out = (FILE *)data;
-    
-    name = node->appData;
-    if (!name || !name[0]) {
-        name = cert->nickname;
-    }
-    if (!name || !name[0]) {
-        name = cert->emailAddr;
-    }
-    if (!name || !name[0]) {
-        name = "(NULL)";
-    }
-
-    trust = cert->trust;
-    if (trust) {
-        printflags(trusts, trust->sslFlags);
-        PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->emailFlags);
-        PORT_Strcat(trusts, ",");
-        printflags(trusts, trust->objectSigningFlags);
-    } else {
-        PORT_Memcpy(trusts,",,",3);
-    }
-    fprintf(out, "%-60s %-5s\n", name, trusts);
-
-    return (SECSuccess);
-}
-
-int
-SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level)
-{
-    CERTCertExtension **extensions = NULL;
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    int rv = 0;
-
-    if (!arena) 
-	return SEC_ERROR_NO_MEMORY;
-
-    rv = SEC_QuickDERDecodeItem(arena, &extensions, 
-		   SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any);
-    if (!rv)
-	SECU_PrintExtensions(out, extensions, m, level);
-    else 
-    	SECU_PrintAny(out, any, m, level);
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-/* print a decoded SET OF or SEQUENCE OF Extensions */
-int
-SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level)
-{
-    int rv = 0;
-    if (m && *m) {
-	SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
-    }
-    while (any && any[0]) {
-    	rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level);
-	any++;
-    }
-    return rv;
-}
-
-/* print a decoded SET OF or SEQUENCE OF "ANY" */
-int
-SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level)
-{
-    int rv = 0;
-    if (m && *m) {
-	SECU_Indent(out, level++); fprintf(out, "%s:\n", m);
-    }
-    while (any && any[0]) {
-    	SECU_PrintAny(out, any[0], "", level);
-	any++;
-    }
-    return rv;
-}
-
-int
-SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level)
-{
-    int rv = 0;
-    SECOidTag tag;
-    tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level);
-    if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) {
-	rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level);
-    } else {
-	rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level);
-    }
-    return rv;
-}
-
-int
-SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
-{
-    int rv = 0;
-    while (attrs[0]) {
-	rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1);
-    	attrs++;
-    }
-    return rv;
-}
-
-int  /* sometimes a PRErrorCode, other times a SECStatus.  Sigh. */
-SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    CERTCertificateRequest *cr;
-    int rv = SEC_ERROR_NO_MEMORY;
-
-    if (!arena) 
-	return rv;
-
-    /* Decode certificate request */
-    cr = PORT_ArenaZNew(arena, CERTCertificateRequest);
-    if (!cr)
-	goto loser;
-    cr->arena = arena;
-    rv = SEC_QuickDERDecodeItem(arena, cr, 
-                           SEC_ASN1_GET(CERT_CertificateRequestTemplate), der);
-    if (rv) 
-	goto loser;
-
-    /* Pretty print it out */
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &cr->version, "Version", level+1);
-    SECU_PrintName(out, &cr->subject, "Subject", level+1);
-    secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo,
-			      "Subject Public Key Info", level+1);
-    if (cr->attributes)
-	SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1);
-    rv = 0;
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-int
-SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    CERTCertificate *c;
-    int rv = SEC_ERROR_NO_MEMORY;
-    int iv;
-    
-    if (!arena)
-	return rv;
-
-    /* Decode certificate */
-    c = PORT_ArenaZNew(arena, CERTCertificate);
-    if (!c)
-	goto loser;
-    c->arena = arena;
-    rv = SEC_ASN1DecodeItem(arena, c, 
-                            SEC_ASN1_GET(CERT_CertificateTemplate), der);
-    if (rv) {
-        SECU_Indent(out, level); 
-	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
-	SECU_PrintAny(out, der, "Raw", level);
-	goto loser;
-    }
-    /* Pretty print it out */
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    iv = c->version.len ? DER_GetInteger(&c->version) : 0;  /* version is optional */
-    SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
-
-    SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
-    SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
-    SECU_PrintName(out, &c->issuer, "Issuer", level+1);
-    secu_PrintValidity(out, &c->validity, "Validity", level+1);
-    SECU_PrintName(out, &c->subject, "Subject", level+1);
-    secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo,
-			      "Subject Public Key Info", level+1);
-    if (c->issuerID.data) 
-	secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1);
-    if (c->subjectID.data) 
-	secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1);
-    SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1);
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-int
-SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    SECKEYPublicKey key;
-    int rv = SEC_ERROR_NO_MEMORY;
-
-    if (!arena)
-	return rv;
-
-    PORT_Memset(&key, 0, sizeof(key));
-    rv = SEC_ASN1DecodeItem(arena, &key, 
-                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der);
-    if (!rv) {
-	/* Pretty print it out */
-	secu_PrintRSAPublicKey(out, &key, m, level);
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-int
-SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    int          rv    = SEC_ERROR_NO_MEMORY;
-    CERTSubjectPublicKeyInfo spki;
-
-    if (!arena)
-	return rv;
-
-    PORT_Memset(&spki, 0, sizeof spki);
-    rv = SEC_ASN1DecodeItem(arena, &spki, 
-                            SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate), 
-			    der);
-    if (!rv) {
-	if (m && *m) {
-	    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
-	}
-	secu_PrintSubjectPublicKeyInfo(out, arena, &spki,
-				       "Subject Public Key Info", level+1);
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-#ifdef HAVE_EPV_TEMPLATE
-int
-SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    SECKEYEncryptedPrivateKeyInfo key;
-    int rv = SEC_ERROR_NO_MEMORY;
-
-    if (!arena)
-	return rv;
-
-    PORT_Memset(&key, 0, sizeof(key));
-    rv = SEC_ASN1DecodeItem(arena, &key, 
-		SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der);
-    if (rv)
-	goto loser;
-
-    /* Pretty print it out */
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", 
-			  level+1);
-    SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1);
-loser:
-    PORT_FreeArena(arena, PR_TRUE);
-    return rv;
-}
-#endif
-
-int
-SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
-{
-    unsigned char fingerprint[20];
-    char *fpStr = NULL;
-    int err     = PORT_GetError();
-    SECStatus rv;
-    SECItem fpItem;
-
-    /* print MD5 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = MD5_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);  fprintf(out, "%s (MD5):\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
-    fpStr = NULL;
-    if (rv != SECSuccess && !err)
-	err = PORT_GetError();
-
-    /* print SHA1 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = SHA1_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);  fprintf(out, "%s (SHA1):\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
-    fprintf(out, "\n");
-
-    if (err) 
-	PORT_SetError(err);
-    if (err || rv != SECSuccess)
-	return SECFailure;
-
-    return 0;
-}
-
-/*
-** PKCS7 Support
-*/
-
-/* forward declaration */
-static int
-secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int);
-
-/*
-** secu_PrintPKCS7EncContent
-**   Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it)
-*/
-static void
-secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, 
-			  char *m, int level)
-{
-    if (src->contentTypeTag == NULL)
-	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
-
-    SECU_Indent(out, level);
-    fprintf(out, "%s:\n", m);
-    SECU_Indent(out, level + 1); 
-    fprintf(out, "Content Type: %s\n",
-	    (src->contentTypeTag != NULL) ? src->contentTypeTag->desc
-					  : "Unknown");
-    SECU_PrintAlgorithmID(out, &(src->contentEncAlg),
-			  "Content Encryption Algorithm", level+1);
-    SECU_PrintAsHex(out, &(src->encContent), 
-		    "Encrypted Content", level+1);
-}
-
-/*
-** secu_PrintRecipientInfo
-**   Prints a PKCS7RecipientInfo type
-*/
-static void
-secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, 
-			int level)
-{
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(info->version), "Version", level + 1);	
-
-    SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", 
-		 level + 1);
-    SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
-		      "Serial Number", level + 1);
-
-    /* Parse and display encrypted key */
-    SECU_PrintAlgorithmID(out, &(info->keyEncAlg), 
-			"Key Encryption Algorithm", level + 1);
-    SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1);
-}
-
-/* 
-** secu_PrintSignerInfo
-**   Prints a PKCS7SingerInfo type
-*/
-static void
-secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level)
-{
-    SEC_PKCS7Attribute *attr;
-    int iv;
-    char om[100];
-    
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(info->version), "Version", level + 1);	
-
-    SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", 
-		 level + 1);
-    SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
-		      "Serial Number", level + 1);
-  
-    SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm",
-			  level + 1);
-    
-    if (info->authAttr != NULL) {
-	SECU_Indent(out, level + 1); 
-	fprintf(out, "Authenticated Attributes:\n");
-	iv = 0;
-	while ((attr = info->authAttr[iv++]) != NULL) {
-	    sprintf(om, "Attribute (%d)", iv); 
-	    secu_PrintAttribute(out, attr, om, level + 2);
-	}
-    }
-    
-    /* Parse and display signature */
-    SECU_PrintAlgorithmID(out, &(info->digestEncAlg), 
-			"Digest Encryption Algorithm", level + 1);
-    SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1);
-    
-    if (info->unAuthAttr != NULL) {
-	SECU_Indent(out, level + 1); 
-	fprintf(out, "Unauthenticated Attributes:\n");
-	iv = 0;
-	while ((attr = info->unAuthAttr[iv++]) != NULL) {
-	    sprintf(om, "Attribute (%x)", iv); 
-	    secu_PrintAttribute(out, attr, om, level + 2);
-	}
-    }
-}
-
-/* callers of this function must make sure that the CERTSignedCrl
-   from which they are extracting the CERTCrl has been fully-decoded.
-   Otherwise it will not have the entries even though the CRL may have
-   some */
-
-void
-SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level)
-{
-    CERTCrlEntry *entry;
-    int iv;
-    char om[100];
-    
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    /* version is optional */
-    iv = crl->version.len ? DER_GetInteger(&crl->version) : 0;  
-    SECU_Indent(out, level+1); 
-    	fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv);
-    SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm",
-			  level + 1);
-    SECU_PrintName(out, &(crl->name), "Issuer", level + 1);
-    SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1);
-    if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */
-	SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1);
-    
-    if (crl->entries != NULL) {
-	iv = 0;
-	while ((entry = crl->entries[iv++]) != NULL) {
-	    sprintf(om, "Entry (%x):\n", iv); 
-	    SECU_Indent(out, level + 1); fprintf(out, om);
-	    SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number",
-			      level + 2);
-	    SECU_PrintTimeChoice(out, &(entry->revocationDate), 
-	                         "Revocation Date", level + 2);
-	    SECU_PrintExtensions(out, entry->extensions, 
-	                         "Entry Extensions", level + 2);
-	}
-    }
-    SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1);
-}
-
-/*
-** secu_PrintPKCS7Signed
-**   Pretty print a PKCS7 signed data type (up to version 1).
-*/
-static int
-secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src,
-		      const char *m, int level)
-{
-    SECAlgorithmID *digAlg;		/* digest algorithms */
-    SECItem *aCert;			/* certificate */
-    CERTSignedCrl *aCrl;		/* certificate revocation list */
-    SEC_PKCS7SignerInfo *sigInfo;	/* signer information */
-    int rv, iv;
-    char om[100];
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    /* Parse and list digest algorithms (if any) */
-    if (src->digestAlgorithms != NULL) {
-	SECU_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
-	iv = 0;
-	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
-	    sprintf(om, "Digest Algorithm (%x)", iv);
-	    SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
-	}
-    }
-
-    /* Now for the content */
-    rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), 
-				    "Content Information", level + 1);
-    if (rv != 0)
-	return rv;
-
-    /* Parse and list certificates (if any) */
-    if (src->rawCerts != NULL) {
-	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
-	iv = 0;
-	while ((aCert = src->rawCerts[iv++]) != NULL) {
-	    sprintf(om, "Certificate (%x)", iv);
-	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
-				      SECU_PrintCertificate);
-	    if (rv)
-		return rv;
-	}
-    }
-
-    /* Parse and list CRL's (if any) */
-    if (src->crls != NULL) {
-	SECU_Indent(out, level + 1);  
-	fprintf(out, "Signed Revocation Lists:\n");
-	iv = 0;
-	while ((aCrl = src->crls[iv++]) != NULL) {
-	    sprintf(om, "Signed Revocation List (%x)", iv);
-	    SECU_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
-	    SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
-				  "Signature Algorithm", level+3);
-	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
-	    SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
-			    level+3);
-	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
-			  level + 3); 
-	}
-    }
-
-    /* Parse and list signatures (if any) */
-    if (src->signerInfos != NULL) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "Signer Information List:\n");
-	iv = 0;
-	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
-	    sprintf(om, "Signer Information (%x)", iv);
-	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
-	}
-    }  
-
-    return 0;
-}
-
-/*
-** secu_PrintPKCS7Enveloped
-**  Pretty print a PKCS7 enveloped data type (up to version 1).
-*/
-static void
-secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src,
-			 const char *m, int level)
-{
-    SEC_PKCS7RecipientInfo *recInfo;   /* pointer for signer information */
-    int iv;
-    char om[100];
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    /* Parse and list recipients (this is not optional) */
-    if (src->recipientInfos != NULL) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "Recipient Information List:\n");
-	iv = 0;
-	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-	    sprintf(om, "Recipient Information (%x)", iv);
-	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-	}
-    }  
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-}
-
-/*
-** secu_PrintPKCS7SignedEnveloped
-**   Pretty print a PKCS7 singed and enveloped data type (up to version 1).
-*/
-static int
-secu_PrintPKCS7SignedAndEnveloped(FILE *out,
-				  SEC_PKCS7SignedAndEnvelopedData *src,
-				  const char *m, int level)
-{
-    SECAlgorithmID *digAlg;  /* pointer for digest algorithms */
-    SECItem *aCert;           /* pointer for certificate */
-    CERTSignedCrl *aCrl;        /* pointer for certificate revocation list */
-    SEC_PKCS7SignerInfo *sigInfo;   /* pointer for signer information */
-    SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */
-    int rv, iv;
-    char om[100];
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    /* Parse and list recipients (this is not optional) */
-    if (src->recipientInfos != NULL) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "Recipient Information List:\n");
-	iv = 0;
-	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-	    sprintf(om, "Recipient Information (%x)", iv);
-	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-	}
-    }  
-
-    /* Parse and list digest algorithms (if any) */
-    if (src->digestAlgorithms != NULL) {
-	SECU_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
-	iv = 0;
-	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
-	    sprintf(om, "Digest Algorithm (%x)", iv);
-	    SECU_PrintAlgorithmID(out, digAlg, om, level + 2);
-	}
-    }
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-
-    /* Parse and list certificates (if any) */
-    if (src->rawCerts != NULL) {
-	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
-	iv = 0;
-	while ((aCert = src->rawCerts[iv++]) != NULL) {
-	    sprintf(om, "Certificate (%x)", iv);
-	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
-				      SECU_PrintCertificate);
-	    if (rv)
-		return rv;
-	}
-    }
-
-    /* Parse and list CRL's (if any) */
-    if (src->crls != NULL) {
-	SECU_Indent(out, level + 1);  
-	fprintf(out, "Signed Revocation Lists:\n");
-	iv = 0;
-	while ((aCrl = src->crls[iv++]) != NULL) {
-	    sprintf(om, "Signed Revocation List (%x)", iv);
-	    SECU_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
-	    SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
-				  "Signature Algorithm", level+3);
-	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
-	    SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
-			    level+3);
-	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
-			  level + 3); 
-	}
-    }
-
-    /* Parse and list signatures (if any) */
-    if (src->signerInfos != NULL) {
-	SECU_Indent(out, level + 1);
-	fprintf(out, "Signer Information List:\n");
-	iv = 0;
-	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
-	    sprintf(om, "Signer Information (%x)", iv);
-	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
-	}
-    }  
-
-    return 0;
-}
-
-int
-SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    CERTCrl *c = NULL;
-    int rv = SEC_ERROR_NO_MEMORY;
-
-    if (!arena)
-    	return rv;
-    do {
-	/* Decode CRL */
-	c = PORT_ArenaZNew(arena, CERTCrl);
-	if (!c)
-	    break;
-
-	rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der);
-	if (rv != SECSuccess)
-	    break;
-	SECU_PrintCRLInfo (out, c, m, level);
-    } while (0);
-    PORT_FreeArena (arena, PR_FALSE);
-    return rv;
-}
-
-
-/*
-** secu_PrintPKCS7Encrypted
-**   Pretty print a PKCS7 encrypted data type (up to version 1).
-*/
-static void
-secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src,
-			 const char *m, int level)
-{
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-}
-
-/*
-** secu_PrintPKCS7Digested
-**   Pretty print a PKCS7 digested data type (up to version 1).
-*/
-static void
-secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src,
-			const char *m, int level)
-{
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_PrintInteger(out, &(src->version), "Version", level + 1);
-    
-    SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm",
-			  level + 1);
-    secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information",
-			       level + 1);
-    SECU_PrintAsHex(out, &src->digest, "Digest", level + 1);  
-}
-
-/*
-** secu_PrintPKCS7ContentInfo
-**   Takes a SEC_PKCS7ContentInfo type and sends the contents to the 
-** appropriate function
-*/
-static int
-secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src,
-			   char *m, int level)
-{
-    const char *desc;
-    SECOidTag kind;
-    int rv;
-
-    SECU_Indent(out, level);  fprintf(out, "%s:\n", m);
-    level++;
-
-    if (src->contentTypeTag == NULL)
-	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
-
-    if (src->contentTypeTag == NULL) {
-	desc = "Unknown";
-	kind = SEC_OID_PKCS7_DATA;
-    } else {
-	desc = src->contentTypeTag->desc;
-	kind = src->contentTypeTag->offset;
-    }
-
-    if (src->content.data == NULL) {
-	SECU_Indent(out, level); fprintf(out, "%s:\n", desc);
-	level++;
-	SECU_Indent(out, level); fprintf(out, "<no content>\n");
-	return 0;
-    }
-
-    rv = 0;
-    switch (kind) {
-      case SEC_OID_PKCS7_SIGNED_DATA:  /* Signed Data */
-	rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level);
-	break;
-
-      case SEC_OID_PKCS7_ENVELOPED_DATA:  /* Enveloped Data */
-        secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level);
-	break;
-
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:  /* Signed and Enveloped */
-	rv = secu_PrintPKCS7SignedAndEnveloped(out,
-					src->content.signedAndEnvelopedData,
-					desc, level);
-	break;
-
-      case SEC_OID_PKCS7_DIGESTED_DATA:  /* Digested Data */
-	secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level);
-	break;
-
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:  /* Encrypted Data */
-	secu_PrintPKCS7Encrypted(out, src->content.encryptedData, desc, level);
-	break;
-
-      default:
-	SECU_PrintAsHex(out, src->content.data, desc, level);
-	break;
-    }
-
-    return rv;
-}
-
-/*
-** SECU_PrintPKCS7ContentInfo
-**   Decode and print any major PKCS7 data type (up to version 1).
-*/
-int
-SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    int rv;
-
-    cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
-    if (cinfo != NULL) {
-	/* Send it to recursive parsing and printing module */
-	rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level);
-	SEC_PKCS7DestroyContentInfo(cinfo);
-    } else {
-	rv = -1;
-    }
-
-    return rv;
-}
-
-/*
-** End of PKCS7 functions
-*/
-
-void
-printFlags(FILE *out, unsigned int flags, int level)
-{
-    if ( flags & CERTDB_VALID_PEER ) {
-	SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
-    }
-    if ( flags & CERTDB_TRUSTED ) {
-	SECU_Indent(out, level); fprintf(out, "Trusted\n");
-    }
-    if ( flags & CERTDB_SEND_WARN ) {
-	SECU_Indent(out, level); fprintf(out, "Warn When Sending\n");
-    }
-    if ( flags & CERTDB_VALID_CA ) {
-	SECU_Indent(out, level); fprintf(out, "Valid CA\n");
-    }
-    if ( flags & CERTDB_TRUSTED_CA ) {
-	SECU_Indent(out, level); fprintf(out, "Trusted CA\n");
-    }
-    if ( flags & CERTDB_NS_TRUSTED_CA ) {
-	SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n");
-    }
-    if ( flags & CERTDB_USER ) {
-	SECU_Indent(out, level); fprintf(out, "User\n");
-    }
-    if ( flags & CERTDB_TRUSTED_CLIENT_CA ) {
-	SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n");
-    }
-    if ( flags & CERTDB_GOVT_APPROVED_CA ) {
-	SECU_Indent(out, level); fprintf(out, "Step-up\n");
-    }
-}
-
-void
-SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level)
-{
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n");
-    printFlags(out, trust->sslFlags, level+2);
-    SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n");
-    printFlags(out, trust->emailFlags, level+2);
-    SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n");
-    printFlags(out, trust->objectSigningFlags, level+2);
-}
-
-int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
-			   int level, SECU_PPFunc inner)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    CERTSignedData *sd;
-    int rv = SEC_ERROR_NO_MEMORY;
-
-    if (!arena)
-	return rv;
-
-    /* Strip off the signature */
-    sd = PORT_ArenaZNew(arena, CERTSignedData);
-    if (!sd)
-	goto loser;
-
-    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), 
-                            der);
-    if (rv)
-	goto loser;
-
-    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
-    rv = (*inner)(out, &sd->data, "Data", level+1);
-
-    SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
-			  level+1);
-    DER_ConvertBitString(&sd->signature);
-    SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
-    SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-
-}
-
-SECStatus
-SEC_PrintCertificateAndTrust(CERTCertificate *cert,
-                             const char *label,
-                             CERTCertTrust *trust)
-{
-    SECStatus rv;
-    SECItem data;
-    
-    data.data = cert->derCert.data;
-    data.len = cert->derCert.len;
-
-    rv = SECU_PrintSignedData(stdout, &data, label, 0,
-			      SECU_PrintCertificate);
-    if (rv) {
-	return(SECFailure);
-    }
-    if (trust) {
-	SECU_PrintTrustFlags(stdout, trust,
-	                     "Certificate Trust Flags", 1);
-    } else if (cert->trust) {
-	SECU_PrintTrustFlags(stdout, cert->trust,
-	                     "Certificate Trust Flags", 1);
-    }
-
-    printf("\n");
-
-    return(SECSuccess);
-}
-
-#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
-/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1]  */
-static PRBool HasShortDuplicate(int i, secuCommandFlag *a, int count)
-{
-	char target = a[i].flag;
-	int j;
-
-	/* duplicate '\0' flags are okay, they are used with long forms */
-	for (j = i+1; j < count; j++) {
-		if (a[j].flag && a[j].flag == target) {
-			return PR_TRUE;
-		}
-	}
-	return PR_FALSE;
-}
-
-/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */
-static PRBool HasLongDuplicate(int i, secuCommandFlag *a, int count)
-{
-	int j;	
-	char *target = a[i].longform;
-
-	if (!target)
-		return PR_FALSE;
-
-	for (j = i+1; j < count; j++) {
-		if (a[j].longform && strcmp(a[j].longform, target) == 0) {
-			return PR_TRUE;
-		}
-	}
-	return PR_FALSE;
-}
-
-/* Returns true iff a has no short or long form duplicates
- */
-PRBool HasNoDuplicates(secuCommandFlag *a, int count)
-{
-    int i;
-
-	for (i = 0; i < count; i++) {
-		if (a[i].flag && HasShortDuplicate(i, a, count)) {
-			return PR_FALSE;
-		}
-		if (a[i].longform && HasLongDuplicate(i, a, count)) {
-			return PR_FALSE;
-		}
-	}
-	return PR_TRUE;
-}
-#endif
-
-SECStatus
-SECU_ParseCommandLine(int argc, char **argv, char *progName,
-		      const secuCommand *cmd)
-{
-    PRBool found;
-    PLOptState *optstate;
-    PLOptStatus status;
-    char *optstring;
-    PLLongOpt *longopts = NULL;
-    int i, j;
-    int lcmd = 0, lopt = 0;
-
-    PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands));
-    PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions));
-
-    optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1);
-    if (optstring == NULL)
-        return SECFailure;
-    
-    j = 0;
-    for (i=0; i<cmd->numCommands; i++) {
-	if (cmd->commands[i].flag) /* single character option ? */
-	    optstring[j++] = cmd->commands[i].flag;
-	if (cmd->commands[i].longform)
-	    lcmd++;
-    }
-    for (i=0; i<cmd->numOptions; i++) {
-	if (cmd->options[i].flag) {
-	    optstring[j++] = cmd->options[i].flag;
-	    if (cmd->options[i].needsArg)
-		optstring[j++] = ':';
-	}
-	if (cmd->options[i].longform)
-	    lopt++;
-    }
-    
-    optstring[j] = '\0';
-    
-    if (lcmd + lopt > 0) {
-	longopts = PORT_NewArray(PLLongOpt, lcmd+lopt+1);
-	if (!longopts) {
-	    PORT_Free(optstring);
-	    return SECFailure;
-	}
-
-	j = 0;
-	for (i=0; j<lcmd && i<cmd->numCommands; i++) {
-	    if (cmd->commands[i].longform) {
-		longopts[j].longOptName = cmd->commands[i].longform;
-		longopts[j].longOption = 0;
-		longopts[j++].valueRequired = cmd->commands[i].needsArg;
-	    } 
-	}
-	lopt += lcmd;
-	for (i=0; j<lopt && i<cmd->numOptions; i++) {
-	    if (cmd->options[i].longform) {
-		longopts[j].longOptName = cmd->options[i].longform;
-		longopts[j].longOption = 0;
-		longopts[j++].valueRequired = cmd->options[i].needsArg;
-	    }
-	}
-	longopts[j].longOptName = NULL;
-    }
-
-    optstate = PL_CreateLongOptState(argc, argv, optstring, longopts);
-    if (!optstate) {
-        PORT_Free(optstring);
-        PORT_Free(longopts);
-        return SECFailure;
-    }
-    /* Parse command line arguments */
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	const char *optstatelong;
-	char        option = optstate->option;
-
-	/*  positional parameter, single-char option or long opt? */
-	if (optstate->longOptIndex == -1) {
-	    /* not a long opt */
-	    if (option == '\0')
-	        continue;               /* it's a positional parameter */
-	    optstatelong = "";
-	} else {
-	    /* long opt */
-            if (option == '\0')
-		option = '\377';        /* force unequal with all flags */
-	    optstatelong = longopts[optstate->longOptIndex].longOptName;
-	}
-
-	found = PR_FALSE;
-
-	for (i=0; i<cmd->numCommands; i++) {
-	    if (cmd->commands[i].flag == option ||
-	        cmd->commands[i].longform == optstatelong) {
-		cmd->commands[i].activated = PR_TRUE;
-		if (optstate->value) {
-		    cmd->commands[i].arg = (char *)optstate->value;
-		}
-		found = PR_TRUE;
-		break;
-	    }
-	}
-
-	if (found)
-	    continue;
-
-	for (i=0; i<cmd->numOptions; i++) {
-	    if (cmd->options[i].flag == option ||
-		cmd->options[i].longform == optstatelong) {
-		cmd->options[i].activated = PR_TRUE;
-		if (optstate->value) {
-		    cmd->options[i].arg = (char *)optstate->value;
-		} else if (cmd->options[i].needsArg) {
-		    status = PL_OPT_BAD;
-		    goto loser;
-		}
-		found = PR_TRUE;
-		break;
-	    }
-	}
-
-	if (!found) {
-	    status = PL_OPT_BAD;
-	    break;
-	}
-    }
-
-loser:
-    PL_DestroyOptState(optstate);
-    PORT_Free(optstring);
-    if (longopts)
-	PORT_Free(longopts);
-    if (status == PL_OPT_BAD)
-	return SECFailure;
-    return SECSuccess;
-}
-
-char *
-SECU_GetOptionArg(const secuCommand *cmd, int optionNum)
-{
-	if (optionNum < 0 || optionNum >= cmd->numOptions)
-		return NULL;
-	if (cmd->options[optionNum].activated)
-		return PL_strdup(cmd->options[optionNum].arg);
-	else
-		return NULL;
-}
-
-static char SECUErrorBuf[64];
-
-char *
-SECU_ErrorStringRaw(int16 err)
-{
-    if (err == 0)
-	SECUErrorBuf[0] = '\0';
-    else if (err == SEC_ERROR_BAD_DATA)
-	sprintf(SECUErrorBuf, "Bad data");
-    else if (err == SEC_ERROR_BAD_DATABASE)
-	sprintf(SECUErrorBuf, "Problem with database");
-    else if (err == SEC_ERROR_BAD_DER)
-	sprintf(SECUErrorBuf, "Problem with DER");
-    else if (err == SEC_ERROR_BAD_KEY)
-	sprintf(SECUErrorBuf, "Problem with key");
-    else if (err == SEC_ERROR_BAD_PASSWORD)
-	sprintf(SECUErrorBuf, "Incorrect password");
-    else if (err == SEC_ERROR_BAD_SIGNATURE)
-	sprintf(SECUErrorBuf, "Bad signature");
-    else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Expired certificate");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-	sprintf(SECUErrorBuf, "Invalid extension value");
-    else if (err == SEC_ERROR_INPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with input length");
-    else if (err == SEC_ERROR_INVALID_ALGORITHM)
-	sprintf(SECUErrorBuf, "Invalid algorithm");
-    else if (err == SEC_ERROR_INVALID_ARGS)
-	sprintf(SECUErrorBuf, "Invalid arguments");
-    else if (err == SEC_ERROR_INVALID_AVA)
-	sprintf(SECUErrorBuf, "Invalid AVA");
-    else if (err == SEC_ERROR_INVALID_TIME)
-	sprintf(SECUErrorBuf, "Invalid time");
-    else if (err == SEC_ERROR_IO)
-	sprintf(SECUErrorBuf, "Security I/O error");
-    else if (err == SEC_ERROR_LIBRARY_FAILURE)
-	sprintf(SECUErrorBuf, "Library failure");
-    else if (err == SEC_ERROR_NO_MEMORY)
-	sprintf(SECUErrorBuf, "Out of memory");
-    else if (err == SEC_ERROR_OLD_CRL)
-	sprintf(SECUErrorBuf, "CRL is older than the current one");
-    else if (err == SEC_ERROR_OUTPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with output length");
-    else if (err == SEC_ERROR_UNKNOWN_ISSUER)
-	sprintf(SECUErrorBuf, "Unknown issuer");
-    else if (err == SEC_ERROR_UNTRUSTED_CERT)
-	sprintf(SECUErrorBuf, "Untrusted certificate");
-    else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
-	sprintf(SECUErrorBuf, "Untrusted issuer");
-    else if (err == SSL_ERROR_BAD_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Bad certificate");
-    else if (err == SSL_ERROR_BAD_CLIENT)
-	sprintf(SECUErrorBuf, "Bad client");
-    else if (err == SSL_ERROR_BAD_SERVER)
-	sprintf(SECUErrorBuf, "Bad server");
-    else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "Export only server");
-    else if (err == SSL_ERROR_NO_CERTIFICATE)
-	sprintf(SECUErrorBuf, "No certificate");
-    else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
-	sprintf(SECUErrorBuf, "No cypher overlap");
-    else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
-	sprintf(SECUErrorBuf, "Unsupported certificate type");
-    else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
-	sprintf(SECUErrorBuf, "Unsupported version");
-    else if (err == SSL_ERROR_US_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "U.S. only server");
-    else if (err == PR_IO_ERROR)
-	sprintf(SECUErrorBuf, "I/O error");
-
-    else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Expired Issuer Certificate");
-    else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Revoked certificate");
-    else if (err == SEC_ERROR_NO_KEY)
-        sprintf (SECUErrorBuf, "No private key in database for this cert");
-    else if (err == SEC_ERROR_CERT_NOT_VALID)
-        sprintf (SECUErrorBuf, "Certificate is not valid");
-    else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
-        sprintf (SECUErrorBuf, "Certificate extension was not found");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-        sprintf (SECUErrorBuf, "Certificate extension value invalid");
-    else if (err == SEC_ERROR_CA_CERT_INVALID)
-        sprintf (SECUErrorBuf, "Issuer certificate is invalid");
-    else if (err == SEC_ERROR_CERT_USAGES_INVALID)
-        sprintf (SECUErrorBuf, "Certificate usages is invalid");
-    else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-        sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
-    else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
-        sprintf (SECUErrorBuf, "Bad PKCS7 signature");
-    else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-    else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-
-    return SECUErrorBuf;
-}
-
-char *
-SECU_ErrorString(int16 err)
-{
-    char *error_string;
-
-    *SECUErrorBuf = 0;
-    SECU_ErrorStringRaw (err);
-
-    if (*SECUErrorBuf == 0) { 
-	error_string = SECU_GetString(err);
-	if (error_string == NULL || *error_string == '\0') 
-	    sprintf(SECUErrorBuf, "No error string found for %d.",  err);
-	else
-	    return error_string;
-    }
-
-    return SECUErrorBuf;
-}
-
-
-void 
-SECU_PrintPRandOSError(char *progName) 
-{
-    char buffer[513];
-    PRInt32     errLen = PR_GetErrorTextLength();
-    if (errLen > 0 && errLen < sizeof buffer) {
-        PR_GetErrorText(buffer);
-    }
-    SECU_PrintError(progName, "function failed");
-    if (errLen > 0 && errLen < sizeof buffer) {
-        PR_fprintf(PR_STDERR, "\t%s\n", buffer);
-    }
-}
-
-
-static char *
-bestCertName(CERTCertificate *cert) {
-    if (cert->nickname) {
-	return cert->nickname;
-    }
-    if (cert->emailAddr && cert->emailAddr[0]) {
-	return cert->emailAddr;
-    }
-    return cert->subjectName;
-}
-
-void
-SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, 
-	SECCertificateUsage certUsage, void *pinArg, PRBool verbose,
-	PRTime datetime)
-{
-    CERTVerifyLog      log;
-    CERTVerifyLogNode *node;
-
-    PRErrorCode	       err    = PORT_GetError();
-
-    log.arena = PORT_NewArena(512);
-    log.head = log.tail = NULL;
-    log.count = 0;
-    CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL);
-
-    SECU_displayVerifyLog(outfile, &log, verbose);
-
-    for (node = log.head; node; node = node->next) {
-        if (node->cert)
-            CERT_DestroyCertificate(node->cert);
-    }
-    PORT_FreeArena(log.arena, PR_FALSE);
-
-    PORT_SetError(err); /* restore original error code */
-}
-
-void
-SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
-                      PRBool verbose)
-{
-    CERTVerifyLogNode *node   = NULL;
-    unsigned int       depth  = (unsigned int)-1;
-    unsigned int       flags  = 0;
-    char *             errstr = NULL;
-
-    if (log->count > 0) {
-	fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n");
-	for (node = log->head; node; node = node->next) {
-	    if (depth != node->depth) {
-		depth = node->depth;
-		fprintf(outfile,"CERT %d. %s %s:\n", depth,
-				 bestCertName(node->cert), 
-			  	 depth ? "[Certificate Authority]": "");
-	    	if (verbose) {
-		    const char * emailAddr;
-		    emailAddr = CERT_GetFirstEmailAddress(node->cert);
-		    if (emailAddr) {
-		    	fprintf(outfile,"Email Address(es): ");
-			do {
-			    fprintf(outfile, "%s\n", emailAddr);
-			    emailAddr = CERT_GetNextEmailAddress(node->cert,
-			                                         emailAddr);
-			} while (emailAddr);
-		    }
-		}
-	    }
-	    fprintf(outfile,"  ERROR %ld: %s\n", node->error,
-						SECU_Strerror(node->error));
-	    errstr = NULL;
-	    switch (node->error) {
-	    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-		flags = (unsigned int)node->arg;
-		switch (flags) {
-		case KU_DIGITAL_SIGNATURE:
-		    errstr = "Cert cannot sign.";
-		    break;
-		case KU_KEY_ENCIPHERMENT:
-		    errstr = "Cert cannot encrypt.";
-		    break;
-		case KU_KEY_CERT_SIGN:
-		    errstr = "Cert cannot sign other certs.";
-		    break;
-		default:
-		    errstr = "[unknown usage].";
-		    break;
-		}
-	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
-		flags = (unsigned int)node->arg;
-		switch (flags) {
-		case NS_CERT_TYPE_SSL_CLIENT:
-		case NS_CERT_TYPE_SSL_SERVER:
-		    errstr = "Cert cannot be used for SSL.";
-		    break;
-		case NS_CERT_TYPE_SSL_CA:
-		    errstr = "Cert cannot be used as an SSL CA.";
-		    break;
-		case NS_CERT_TYPE_EMAIL:
-		    errstr = "Cert cannot be used for SMIME.";
-		    break;
-		case NS_CERT_TYPE_EMAIL_CA:
-		    errstr = "Cert cannot be used as an SMIME CA.";
-		    break;
-		case NS_CERT_TYPE_OBJECT_SIGNING:
-		    errstr = "Cert cannot be used for object signing.";
-		    break;
-		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
-		    errstr = "Cert cannot be used as an object signing CA.";
-		    break;
-		default:
-		    errstr = "[unknown usage].";
-		    break;
-		}
-	    case SEC_ERROR_UNKNOWN_ISSUER:
-	    case SEC_ERROR_UNTRUSTED_ISSUER:
-	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-		errstr = node->cert->issuerName;
-		break;
-	    default:
-		break;
-	    }
-	    if (errstr) {
-		fprintf(stderr,"    %s\n",errstr);
-	    }
-	}    
-    }
-}
-
-void
-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, 
-	SECCertificateUsage certUsage, void *pinArg, PRBool verbose)
-{
-    SECU_printCertProblemsOnDate(outfile, handle, cert, checksig, 
-	                         certUsage, pinArg, verbose, PR_Now());
-}
-
-SECOidTag 
-SECU_StringToSignatureAlgTag(const char *alg)
-{
-    SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
-
-    if (alg) {
-	if (!PL_strcmp(alg, "MD2")) {
-	    hashAlgTag = SEC_OID_MD2;
-	} else if (!PL_strcmp(alg, "MD4")) {
-	    hashAlgTag = SEC_OID_MD4;
-	} else if (!PL_strcmp(alg, "MD5")) {
-	    hashAlgTag = SEC_OID_MD5;
-	} else if (!PL_strcmp(alg, "SHA1")) {
-	    hashAlgTag = SEC_OID_SHA1;
-	} else if (!PL_strcmp(alg, "SHA256")) {
-	    hashAlgTag = SEC_OID_SHA256;
-	} else if (!PL_strcmp(alg, "SHA384")) {
-	    hashAlgTag = SEC_OID_SHA384;
-	} else if (!PL_strcmp(alg, "SHA512")) {
-	    hashAlgTag = SEC_OID_SHA512;
-	}
-    }
-    return hashAlgTag;
-}
-
-
-SECStatus
-SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile,
-              PRBool ascii, char *url)
-{
-    PORT_Assert(derCrl != NULL);
-    if (!derCrl) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (outFile != NULL) {
-        if (ascii) {
-            PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, 
-                       BTOA_DataToAscii(derCrl->data, derCrl->len), 
-                       NS_CRL_TRAILER);
-        } else {
-            if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) {
-                return SECFailure;
-            }
-        }
-    }
-    if (slot) {
-        CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url,
-                                               SEC_CRL_TYPE, NULL, 0, NULL, 0);
-        if (newCrl != NULL) {
-            SEC_DestroyCrl(newCrl);
-            return SECSuccess;
-        }
-        return SECFailure;
-    }
-    if (!outFile && !slot) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
-                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode)
-{
-    SECItem der;
-    SECKEYPrivateKey *caPrivateKey = NULL;    
-    SECStatus rv;
-    PRArenaPool *arena;
-    SECOidTag algID;
-    void *dummy;
-
-    PORT_Assert(issuer != NULL && signCrl != NULL);
-    if (!issuer || !signCrl) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    arena = signCrl->arena;
-
-    caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL);
-    if (caPrivateKey == NULL) {
-        *resCode = noKeyFound;
-        return SECFailure;
-    }
-
-    algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag);
-    if (algID == SEC_OID_UNKNOWN) {
-        *resCode = noSignatureMatch;
-        rv = SECFailure;
-        goto done;
-    }
-
-    if (!signCrl->crl.signatureAlg.parameters.data) {
-        rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0);
-        if (rv != SECSuccess) {
-            *resCode = failToEncode;
-            goto done;
-        }
-    }
-
-    der.len = 0;
-    der.data = NULL;
-    dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl,
-                               SEC_ASN1_GET(CERT_CrlTemplate));
-    if (!dummy) {
-        *resCode = failToEncode;
-        rv = SECFailure;
-        goto done;
-    }
-
-    rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap,
-                             der.data, der.len, caPrivateKey, algID);
-    if (rv != SECSuccess) {
-        *resCode = failToSign;
-        goto done;
-    }
-
-    signCrl->derCrl = PORT_ArenaZNew(arena, SECItem);
-    if (signCrl->derCrl == NULL) {
-        *resCode = noMem;
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        rv = SECFailure;
-        goto done;
-    }
-
-    signCrl->derCrl->len = 0;
-    signCrl->derCrl->data = NULL;
-    dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl,
-                                SEC_ASN1_GET(CERT_SignedCrlTemplate));
-    if (!dummy) {
-        *resCode = failToEncode;
-        rv = SECFailure;
-        goto done;
-    }
-
-done:
-    if (caPrivateKey) {
-        SECKEY_DestroyPrivateKey(caPrivateKey);
-    }
-    return rv;
-}
-
-
-
-SECStatus
-SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl)
-{
-    void *dummy;
-    SECStatus rv = SECSuccess;
-    SECItem der;
-
-    PORT_Assert(destArena && srcCrl && destCrl);
-    if (!destArena || !srcCrl || !destCrl) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    der.len = 0;
-    der.data = NULL;
-    dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl,
-                                SEC_ASN1_GET(CERT_CrlTemplate));
-    if (!dummy) {
-        return SECFailure;
-    }
-
-    rv = SEC_QuickDERDecodeItem(destArena, destCrl,
-                                SEC_ASN1_GET(CERT_CrlTemplate), &der);
-    if (rv != SECSuccess) {
-        return SECFailure;
-    }
-    
-    destCrl->arena = destArena;
-
-    return rv;
-}
-
-SECStatus
-SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
-                    unsigned char *buf, int len, SECKEYPrivateKey *pk,
-                    SECOidTag algID)
-{
-    SECItem it;
-    SECStatus rv;
-
-    it.data = 0;
-
-    /* XXX We should probably have some asserts here to make sure the key type
-     * and algID match
-     */
-
-    /* Sign input buffer */
-    rv = SEC_SignData(&it, buf, len, pk, algID);
-    if (rv) goto loser;
-
-    /* Fill out SignedData object */
-    PORT_Memset(sd, 0, sizeof(sd));
-    sd->data.data = buf;
-    sd->data.len = len;
-    sd->signature.data = it.data;
-    sd->signature.len = it.len << 3;		/* convert to bit string */
-    if (!sd->signatureAlgorithm.parameters.data) {
-        rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0);
-        if (rv) goto loser;
-    }
-
-    return rv;
-
-  loser:
-    PORT_Free(it.data);
-    return rv;
-}
-
-#if 0
-
-/* we need access to the private function cert_FindExtension for this code to work */
-
-CERTAuthKeyID *
-SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl)
-{
-    SECItem encodedExtenValue;
-    SECStatus rv;
-    CERTAuthKeyID *ret;
-    CERTCrl* crl;
-
-    if (!scrl) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    crl = &scrl->crl;
-    
-    encodedExtenValue.data = NULL;
-    encodedExtenValue.len = 0;
-
-    rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
-			    &encodedExtenValue);
-    if ( rv != SECSuccess ) {
-	return (NULL);
-    }
-
-    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
-
-    PORT_Free(encodedExtenValue.data);
-    encodedExtenValue.data = NULL;
-    
-    return(ret);
-}
-
-#endif
-
-/*
- * Find the issuer of a Crl.  Use the authorityKeyID if it exists.
- */
-CERTCertificate *
-SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
-                   CERTAuthKeyID* authorityKeyID, PRTime validTime)
-{
-    CERTCertificate *issuerCert = NULL;
-    CERTCertList *certList = NULL;
-
-    if (!subject) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    certList =
-        CERT_CreateSubjectCertList(NULL, dbhandle, subject,
-                                   validTime, PR_TRUE);
-    if (certList) {
-        CERTCertListNode *node = CERT_LIST_HEAD(certList);
-    
-        /* XXX and authoritykeyid in the future */
-        while ( ! CERT_LIST_END(node, certList) ) {
-            CERTCertificate *cert = node->cert;
-            /* check cert CERTCertTrust data is allocated, check cert
-               usage extension, check that cert has pkey in db. Select
-               the first (newest) user cert */
-            if (cert->trust &&
-                CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
-                CERT_IsUserCert(cert)) {
-                
-                issuerCert = CERT_DupCertificate(cert);
-                break;
-            }
-            node = CERT_LIST_NEXT(node);   
-        }
-        CERT_DestroyCertList(certList);
-    }
-    return(issuerCert);
-}
-
-
-/* Encodes and adds extensions to the CRL or CRL entries. */
-SECStatus 
-SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
-                                void *value, PRBool criticality, int extenType, 
-                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn)
-{
-    SECItem encodedValue;
-    SECStatus rv;
-
-    encodedValue.data = NULL;
-    encodedValue.len = 0;
-    do {
-        rv = (*EncodeValueFn)(arena, value, &encodedValue);
-        if (rv != SECSuccess)
-            break;
-
-        rv = CERT_AddExtension(extHandle, extenType, &encodedValue,
-                               criticality, PR_TRUE);
-        if (rv != SECSuccess)
-            break;
-    } while (0);
-
-    return (rv);
-}
-
-/* Caller ensures that dst is at least item->len*2+1 bytes long */
-void
-SECU_SECItemToHex(const SECItem * item, char * dst)
-{
-    if (dst && item && item->data) {
-	unsigned char * src = item->data;
-	unsigned int    len = item->len;
-	for (; len > 0; --len, dst += 2) {
-	    sprintf(dst, "%02x", *src++);
-	}
-	*dst = '\0';
-    }
-}
-
-static unsigned char nibble(char c) {
-    c = PORT_Tolower(c);
-    return ( c >= '0' && c <= '9') ? c - '0' :
-           ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1;
-}
-
-SECStatus
-SECU_SECItemHexStringToBinary(SECItem* srcdest)
-{
-    int i;
-
-    if (!srcdest) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    if (srcdest->len < 4 || (srcdest->len % 2) ) {
-        /* too short to convert, or even number of characters */
-        PORT_SetError(SEC_ERROR_BAD_DATA);
-        return SECFailure;
-    }
-    if (PORT_Strncasecmp((const char*)srcdest->data, "0x", 2)) {
-        /* wrong prefix */
-        PORT_SetError(SEC_ERROR_BAD_DATA);
-        return SECFailure;
-    }
-
-    /* 1st pass to check for hex characters */
-    for (i=2; i<srcdest->len; i++) {
-        char c = PORT_Tolower(srcdest->data[i]);
-        if (! ( ( c >= '0' && c <= '9') ||
-                ( c >= 'a' && c <= 'f')
-              ) ) {
-            PORT_SetError(SEC_ERROR_BAD_DATA);
-            return SECFailure;
-        }
-    }
-
-    /* 2nd pass to convert */
-    for (i=2; i<srcdest->len; i+=2) {
-        srcdest->data[(i-2)/2] = (nibble(srcdest->data[i]) << 4) +
-                                 nibble(srcdest->data[i+1]);
-    }
-
-    /* adjust length */
-    srcdest->len -= 2;
-    srcdest->len /= 2;
-    return SECSuccess;
-}
-
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
deleted file mode 100644
index 116f66a69..000000000
--- a/security/nss/cmd/lib/secutil.h
+++ /dev/null
@@ -1,460 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _SEC_UTIL_H_
-#define _SEC_UTIL_H_
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "prerror.h"
-#include "base64.h"
-#include "key.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secder.h"
-#include <stdio.h>
-
-#define SEC_CT_PRIVATE_KEY		"private-key"
-#define SEC_CT_PUBLIC_KEY		"public-key"
-#define SEC_CT_CERTIFICATE		"certificate"
-#define SEC_CT_CERTIFICATE_REQUEST	"certificate-request"
-#define SEC_CT_PKCS7			"pkcs7"
-#define SEC_CT_CRL			"crl"
-
-#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
-#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
-
-#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
-#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
-
-#define NS_CRL_HEADER  "-----BEGIN CRL-----"
-#define NS_CRL_TRAILER "-----END CRL-----"
-
-#ifdef SECUTIL_NEW
-typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, 
-                           char *msg, int level);
-#else
-typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
-#endif
-
-typedef struct {
-    enum {
-	PW_NONE = 0,
-	PW_FROMFILE = 1,
-	PW_PLAINTEXT = 2,
-	PW_EXTERNAL = 3
-    } source;
-    char *data;
-} secuPWData;
-
-/*
-** Change a password on a token, or initialize a token with a password
-** if it does not already have one.
-** Use passwd to send the password in plaintext, pwFile to specify a
-** file containing the password, or NULL for both to prompt the user.
-*/
-SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
-
-/*
-** Change a password on a token, or initialize a token with a password
-** if it does not already have one.
-** In this function, you can specify both the old and new passwords
-** as either a string or file. NOTE: any you don't specify will
-** be prompted for
-*/
-SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
-                        char *oldPwFile, char *newPwFile);
-
-/*  These were stolen from the old sec.h... */
-/*
-** Check a password for legitimacy. Passwords must be at least 8
-** characters long and contain one non-alphabetic. Return DSTrue if the
-** password is ok, DSFalse otherwise.
-*/
-extern PRBool SEC_CheckPassword(char *password);
-
-/*
-** Blind check of a password. Complement to SEC_CheckPassword which 
-** ignores length and content type, just retuning DSTrue is the password
-** exists, DSFalse if NULL
-*/
-extern PRBool SEC_BlindCheckPassword(char *password);
-
-/*
-** Get a password.
-** First prompt with "msg" on "out", then read the password from "in".
-** The password is then checked using "chkpw".
-*/
-extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
-				      PRBool (*chkpw)(char *));
-
-char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
-
-char *SECU_GetPasswordString(void *arg, char *prompt);
-
-/*
-** Write a dongle password.
-** Uses MD5 to hash constant system data (hostname, etc.), and then
-** creates RC4 key to encrypt a password "pw" into a file "fd".
-*/
-extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
-
-/*
-** Get a dongle password.
-** Uses MD5 to hash constant system data (hostname, etc.), and then
-** creates RC4 key to decrypt and return a password from file "fd".
-*/
-extern char *SEC_ReadDongleFile(int fd);
-
-
-/* End stolen headers */
-
-/* Just sticks the two strings together with a / if needed */
-char *SECU_AppendFilenameToDir(char *dir, char *filename);
-
-/* Returns result of getenv("SSL_DIR") or NULL */
-extern char *SECU_DefaultSSLDir(void);
-
-/*
-** Should be called once during initialization to set the default 
-**    directory for looking for cert.db, key.db, and cert-nameidx.db files
-** Removes trailing '/' in 'base' 
-** If 'base' is NULL, defaults to set to .netscape in home directory.
-*/
-extern char *SECU_ConfigDirectory(const char* base);
-
-/* 
-** Basic callback function for SSL_GetClientAuthDataHook
-*/
-extern int
-SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
-		       struct CERTDistNamesStr *caNames,
-		       struct CERTCertificateStr **pRetCert,
-		       struct SECKEYPrivateKeyStr **pRetKey);
-
-/* print out an error message */
-extern void SECU_PrintError(char *progName, char *msg, ...);
-
-/* print out a system error message */
-extern void SECU_PrintSystemError(char *progName, char *msg, ...);
-
-/* Return informative error string */
-extern const char * SECU_Strerror(PRErrorCode errNum);
-
-/* revalidate the cert and print information about cert verification
- * failure at time == now */
-extern void
-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, 
-	SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
-
-/* revalidate the cert and print information about cert verification
- * failure at specified time */
-extern void
-SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, 
-	CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage, 
-	void *pinArg, PRBool verbose, PRTime datetime);
-
-/* print out CERTVerifyLog info. */
-extern void
-SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
-                      PRBool verbose);
-
-/* Read the contents of a file into a SECItem */
-extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
-extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
-
-/* Read in a DER from a file, may be ascii  */
-extern SECStatus 
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
-
-/* Indent based on "level" */
-extern void SECU_Indent(FILE *out, int level);
-
-/* Print integer value and hex */
-extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
-
-/* Print ObjectIdentifier symbolically */
-extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
-
-/* Print AlgorithmIdentifier symbolically */
-extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
-				  int level);
-
-/* Print SECItem as hex */
-extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
-
-/* dump a buffer in hex and ASCII */
-extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
-
-/*
- * Format and print the UTC Time "t".  If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
-extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
-
-/*
- * Format and print the Generalized Time "t".  If the tag message "m"
- * is not NULL, * do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
-				      int level);
-
-/*
- * Format and print the UTC or Generalized Time "t".  If the tag message
- * "m" is not NULL, do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
-
-/* callback for listing certs through pkcs11 */
-extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
-
-/* Dump all certificate nicknames in a database */
-extern SECStatus
-SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, 
-                           PRBool sortByName, PRBool sortByTrust);
-
-/* See if nickname already in database. Return 1 true, 0 false, -1 error */
-int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
-
-/* Dump contents of cert req */
-extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
-	int level);
-
-/* Dump contents of certificate */
-extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
-
-/* print trust flags on a cert */
-extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
-                                 int level);
-
-/* Dump contents of an RSA public key */
-extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
-
-extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, 
-                                          int level);
-
-#ifdef HAVE_EPV_TEMPLATE
-/* Dump contents of private key */
-extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
-#endif
-
-/* Print the MD5 and SHA1 fingerprints of a cert */
-extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
-                                  int level);
-
-/* Pretty-print any PKCS7 thing */
-extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, 
-				      int level);
-
-/* Init PKCS11 stuff */
-extern SECStatus SECU_PKCS11Init(PRBool readOnly);
-
-/* Dump contents of signed data */
-extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, 
-                                int level, SECU_PPFunc inner);
-
-/* Print cert data and its trust flags */
-extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
-                                              const char *label,
-                                              CERTCertTrust *trust);
-
-extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
-
-extern void
-SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
-
-extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
-extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
-
-extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
-extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
-                                 char *msg, int level);
-
-extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
-				 char *msg, int level);
-
-extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
-extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level);
-
-#ifdef SECU_GetPassword
-/* Convert a High public Key to a Low public Key */
-extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
-#endif
-
-extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
-
-extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
-extern void SEC_Init(void);
-
-extern char *SECU_SECModDBName(void);
-
-extern void SECU_PrintPRandOSError(char *progName);
-
-extern SECStatus SECU_RegisterDynamicOids(void);
-
-/* Identifies hash algorithm tag by its string representation. */
-extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
-
-/* Store CRL in output file or pk11 db. Also
- * encodes with base64 and exports to file if ascii flag is set
- * and file is not NULL. */
-extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
-                               PRFileDesc *outFile, PRBool ascii, char *url);
-
-
-/*
-** DER sign a single block of data using private key encryption and the
-** MD5 hashing algorithm. This routine first computes a digital signature
-** using SEC_SignData, then wraps it with an CERTSignedData and then der
-** encodes the result.
-**	"arena" is the memory arena to use to allocate data from
-**      "sd" returned CERTSignedData 
-** 	"result" the final der encoded data (memory is allocated)
-** 	"buf" the input data to sign
-** 	"len" the amount of data to sign
-** 	"pk" the private key to encrypt with
-*/
-extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
-                                     unsigned char *buf, int len,
-                                     SECKEYPrivateKey *pk, SECOidTag algID);
-
-typedef enum  {
-    noKeyFound = 1,
-    noSignatureMatch = 2,
-    failToEncode = 3,
-    failToSign = 4,
-    noMem = 5
-} SignAndEncodeFuncExitStat;
-
-extern SECStatus
-SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
-                      SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
-
-extern SECStatus
-SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
-
-/*
-** Finds the crl Authority Key Id extension. Returns NULL if no such extension
-** was found.
-*/
-CERTAuthKeyID *
-SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
-
-/*
- * Find the issuer of a crl. Cert usage should be checked before signing a crl.
- */
-CERTCertificate *
-SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
-                   CERTAuthKeyID* id, PRTime validTime);
-
-
-/* call back function used in encoding of an extension. Called from
- * SECU_EncodeAndAddExtensionValue */
-typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
-                                               void *value, SECItem *encodedValue);
-
-/* Encodes and adds extensions to the CRL or CRL entries. */
-SECStatus 
-SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, 
-                                void *value, PRBool criticality, int extenType, 
-                                EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
-
-/* Caller ensures that dst is at least item->len*2+1 bytes long */
-void
-SECU_SECItemToHex(const SECItem * item, char * dst);
-
-/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
- * successful */
-SECStatus
-SECU_SECItemHexStringToBinary(SECItem* srcdest);
-
-/*
- *
- *  Utilities for parsing security tools command lines 
- *
- */
-
-/*  A single command flag  */
-typedef struct {
-    char flag;
-    PRBool needsArg;
-    char *arg;
-    PRBool activated;
-    char *longform;
-} secuCommandFlag;
-
-/*  A full array of command/option flags  */
-typedef struct
-{
-    int numCommands;
-    int numOptions;
-
-    secuCommandFlag *commands;
-    secuCommandFlag *options;
-} secuCommand;
-
-/*  fill the "arg" and "activated" fields for each flag  */
-SECStatus 
-SECU_ParseCommandLine(int argc, char **argv, char *progName,
-		      const secuCommand *cmd);
-char *
-SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
-
-/*
- *
- *  Error messaging
- *
- */
-
-/* Return informative error string */
-char *SECU_ErrorString(int16 err);
-
-/* Return informative error string. Does not call XP_GetString */
-char *SECU_ErrorStringRaw(int16 err);
-
-void printflags(char *trusts, unsigned int flags);
-
-#if !defined(XP_UNIX) && !defined(XP_OS2)
-extern int ffs(unsigned int i);
-#endif
-
-#include "secerr.h"
-#include "sslerr.h"
-
-#endif /* _SEC_UTIL_H_ */
diff --git a/security/nss/cmd/libpkix/Makefile b/security/nss/cmd/libpkix/Makefile
deleted file mode 100755
index 032bd29c9..000000000
--- a/security/nss/cmd/libpkix/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
-
diff --git a/security/nss/cmd/libpkix/config.mk b/security/nss/cmd/libpkix/config.mk
deleted file mode 100644
index 5ad9e1b90..000000000
--- a/security/nss/cmd/libpkix/config.mk
+++ /dev/null
@@ -1,42 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
diff --git a/security/nss/cmd/libpkix/manifest.mn b/security/nss/cmd/libpkix/manifest.mn
deleted file mode 100755
index 3768a5ce5..000000000
--- a/security/nss/cmd/libpkix/manifest.mn
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = .
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-DIRS =  testutil  pkix_pl  pkix  sample_apps  perf  pkixutil \
-	$(NULL)
diff --git a/security/nss/cmd/libpkix/perf/Makefile b/security/nss/cmd/libpkix/perf/Makefile
deleted file mode 100755
index c13b32931..000000000
--- a/security/nss/cmd/libpkix/perf/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
-
diff --git a/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c b/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c
deleted file mode 100644
index bce93f22a..000000000
--- a/security/nss/cmd/libpkix/perf/libpkix_buildthreads.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * libpkixBuildThreads.c
- *
- * libpkix Builder Performance Evaluation application (multi-threaded)
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "nss.h"
-
-#include "pkix.h"
-#include "pkix_tools.h"
-#include "pkix_pl_cert.h"
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-#undef pkixTempResult
-#define PERF_DECREF(obj) \
-        { \
-                PKIX_Error *pkixTempResult = NULL; \
-                if (obj){ \
-                        pkixTempResult = PKIX_PL_Object_DecRef \
-                        ((PKIX_PL_Object *)(obj), plContext); \
-                        obj = NULL; \
-                } \
-        }
-
-static void finish(char* message, int code);
-
-typedef struct ThreadDataStr tData;
-
-struct ThreadDataStr {
-    CERTCertificate* anchor;
-    char* eecertName;
-    PRIntervalTime duration;
-    CERTCertDBHandle *handle;
-    PRUint32 iterations;
-};
-
-#define PKIX_LOGGER_ON 1
-
-#ifdef PKIX_LOGGER_ON
-
-char *logLevels[] = {
-        "None",
-        "Fatal Error",
-        "Error",
-        "Warning",
-        "Debug",
-        "Trace"
-};
-
-static PKIX_Error *loggerCallback(
-        PKIX_Logger *logger,
-        PKIX_PL_String *message,
-        PKIX_UInt32 logLevel,
-        PKIX_ERRORCLASS logComponent,
-        void *plContext)
-{
-        char *msg = NULL;
-        static int callCount = 0;
-
-        msg = PKIX_String2ASCII(message, plContext);
-        printf("Logging %s (%s): %s\n",
-                logLevels[logLevel],
-                PKIX_ERRORCLASSNAMES[logComponent],
-                msg);
-        PR_Free((void *)msg);
-
-        return(NULL);
-}
-
-#endif /* PKIX_LOGGER_ON */
-
-static void ThreadEntry(void* data)
-{
-        tData* tdata = (tData*) data;
-        PRIntervalTime duration = tdata->duration;
-        PRIntervalTime start = PR_IntervalNow();
-
-        PKIX_List *anchors = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_BuildResult *buildResult = NULL;
-        CERTCertificate* nsseecert;
-        PKIX_PL_Cert *eeCert = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_List *certStores = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_PL_Date *nowDate = NULL;
-        void *state = NULL; /* only relevant with non-blocking I/O */
-        void *nbioContext = NULL; /* only relevant with non-blocking I/O */
-
-        PR_ASSERT(duration);
-        if (!duration){
-                return;
-        }
-
-        do {
-
-                /* libpkix code */
-
-                /* keep more update time, testing cache */
-                PKIX_PL_Date_Create_UTCTime(NULL, &nowDate, plContext);
-
-                /* CertUsage is 0x10 and no NSS arena */
-                /* We haven't determined how we obtain the value of wincx */
-
-                nsseecert = CERT_FindCertByNicknameOrEmailAddr(tdata->handle,
-                        tdata->eecertName);
-                if (!nsseecert) finish("Unable to find eecert.\n", 1);
-
-                pkix_pl_Cert_CreateWithNSSCert
-                        (nsseecert, &eeCert, plContext);
-
-                PKIX_List_Create(&anchors, plContext);
-
-        /*
-         * This code is retired.
-         *      pkix_pl_Cert_CreateWithNSSCert
-         *              (tdata->anchor, &anchorCert, NULL);
-         *      PKIX_TrustAnchor_CreateWithCert(anchorCert, &anchor, NULL);
-         *      PKIX_List_AppendItem(anchors, (PKIX_PL_Object *)anchor, NULL);
-         */
-
-                PKIX_ProcessingParams_Create(anchors, &procParams, plContext);
-
-                PKIX_ProcessingParams_SetRevocationEnabled
-                        (procParams, PKIX_TRUE, plContext);
-
-                PKIX_ProcessingParams_SetDate
-                        (procParams, nowDate, plContext);
-
-                /* create CertSelector with target certificate in params */
-
-                PKIX_ComCertSelParams_Create(&certSelParams, plContext);
-
-                PKIX_ComCertSelParams_SetCertificate
-                        (certSelParams, eeCert, plContext);
-
-                PKIX_CertSelector_Create
-                        (NULL, NULL, &certSelector, plContext);
-
-                PKIX_CertSelector_SetCommonCertSelectorParams
-                        (certSelector, certSelParams, plContext);
-
-                PKIX_ProcessingParams_SetTargetCertConstraints
-                        (procParams, certSelector, plContext);
-
-                PKIX_PL_Pk11CertStore_Create(&certStore, plContext);
-
-                PKIX_List_Create(&certStores, plContext);
-                PKIX_List_AppendItem
-                        (certStores, (PKIX_PL_Object *)certStore, plContext);
-                PKIX_ProcessingParams_SetCertStores
-                        (procParams, certStores, plContext);
-
-                PKIX_BuildChain
-                        (procParams,
-                        &nbioContext,
-                        &state,
-                        &buildResult,
-                        NULL,
-                        plContext);
-
-                /*
-                 * As long as we use only CertStores with blocking I/O, we
-                 * know we must be done at this point.
-                 */
-
-                if (!buildResult){
-                        (void) fprintf(stderr, "libpkix BuildChain failed.\n");
-                        PORT_Assert(0);
-                        return;
-                }
-
-                tdata->iterations ++;
-
-                PERF_DECREF(nowDate);
-                PERF_DECREF(anchors);
-                PERF_DECREF(procParams);
-                PERF_DECREF(buildResult);
-                PERF_DECREF(certStore);
-                PERF_DECREF(certStores);
-                PERF_DECREF(certSelParams);
-                PERF_DECREF(certSelector);
-                PERF_DECREF(eeCert);
-
-        } while ((PR_IntervalNow() - start) < duration);
-
-
-}
-
-static void
-Test(
-        CERTCertificate* anchor,
-        char* eecertName,
-        PRIntervalTime duration,
-        CERTCertDBHandle *handle,
-        PRUint32 threads)
-{
-        tData data;
-        tData** alldata;
-        PRIntervalTime starttime, endtime, elapsed;
-        PRUint32 msecs;
-        float total = 0;
-        PRThread** pthreads = NULL;
-        PRUint32 i = 0;
-
-        data.duration = duration;
-        data.anchor = anchor;
-        data.eecertName = eecertName;
-        data.handle = handle;
-
-        data.iterations = 0;
-
-        starttime = PR_IntervalNow();
-        pthreads = (PRThread**)PR_Malloc(threads*sizeof (PRThread*));
-        alldata = (tData**)PR_Malloc(threads*sizeof (tData*));
-        for (i = 0; i < threads; i++){
-                alldata[i] = (tData*)PR_Malloc(sizeof (tData));
-                *alldata[i] = data;
-                pthreads[i] =
-                        PR_CreateThread(PR_USER_THREAD,
-                                        ThreadEntry,
-                                        (void*) alldata[i],
-                                        PR_PRIORITY_NORMAL,
-                                        PR_GLOBAL_THREAD,
-                                        PR_JOINABLE_THREAD,
-                                        0);
-        }
-
-        for (i = 0; i < threads; i++) {
-                tData* args = alldata[i];
-                PR_JoinThread(pthreads[i]);
-                total += args->iterations;
-                PR_Free((void*)args);
-        }
-
-        PR_Free((void*) pthreads);
-        PR_Free((void*) alldata);
-        endtime = PR_IntervalNow();
-
-        endtime = PR_IntervalNow();
-        elapsed = endtime - starttime;
-        msecs = PR_IntervalToMilliseconds(elapsed);
-        total /= msecs;
-        total *= 1000;
-        (void) fprintf(stdout, "%f operations per second.\n", total);
-}
-
-
-static void finish(char* message, int code)
-{
-        (void) printf(message);
-        exit(code);
-}
-
-static void usage(char* progname)
-{
-        (void) printf("Usage : %s <-d certStoreDirectory> <duration> <threads> "
-                      "<anchorNickname> <eecertNickname>\n\n", progname);
-        finish("", 0);
-}
-
-int
-libpkix_buildthreads(int argc, char** argv)
-{
-        CERTCertDBHandle *handle = NULL;
-        CERTCertificate* eecert = NULL;
-        PRIntervalTime duration = PR_SecondsToInterval(1);
-        PRUint32 threads = 1;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        PKIX_Logger *logger = NULL;
-        void *wincx = NULL;
-
-        /* if (argc != 5) -- when TrustAnchor used to be on command line */
-        if (argc != 4)
-                {
-                        usage(argv[0]);
-                }
-        if (atoi(argv[1]) > 0)
-                {
-                        duration = PR_SecondsToInterval(atoi(argv[1]));
-                }
-        if (atoi(argv[2]) > 0)
-                {
-                        threads = atoi(argv[2]);
-                }
-
-        PKIX_PL_NssContext_Create(certificateUsageEmailSigner, PKIX_FALSE,
-                                  NULL, &plContext);
-
-        handle = CERT_GetDefaultCertDB();
-        PR_ASSERT(handle);
-
-#ifdef PKIX_LOGGER_ON
-
-        /* set logger to log trace and up */
-        PKIX_SetLoggers(NULL, plContext);
-        PKIX_Logger_Create(loggerCallback, NULL, &logger, plContext);
-        PKIX_Logger_SetMaxLoggingLevel
-                (logger, PKIX_LOGGER_LEVEL_WARNING, plContext);
-        PKIX_AddLogger(logger, plContext);
-
-#endif /* PKIX_LOGGER_ON */
-
-        /*
-         * This code is retired
-         *      anchor = CERT_FindCertByNicknameOrEmailAddr(handle, argv[3]);
-         *      if (!anchor) finish("Unable to find anchor.\n", 1);
-         *
-         *      eecert = CERT_FindCertByNicknameOrEmailAddr(handle, argv[4]);
-     
-         *      if (!eecert) finish("Unable to find eecert.\n", 1);
-         *
-         *      Test(anchor, eecert, duration, threads);
-         */
-
-        Test(NULL, argv[3], duration, handle, threads);
-
-        PERF_DECREF(logger);
-
-        PKIX_Shutdown(plContext);
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/perf/manifest.mn b/security/nss/cmd/libpkix/perf/manifest.mn
deleted file mode 100755
index 511118d14..000000000
--- a/security/nss/cmd/libpkix/perf/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = libpkix_buildthreads.c \
-	nss_threads.c \
-	$(NULL)
-
-LIBRARY_NAME = pkixtoolperf
-
-SOURCE_LIB_DIR = $(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/perf/nss_threads.c b/security/nss/cmd/libpkix/perf/nss_threads.c
deleted file mode 100644
index 7f1a16eee..000000000
--- a/security/nss/cmd/libpkix/perf/nss_threads.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * nssThreads.c
- *
- * NSS Performance Evaluation application (multi-threaded)
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "nss.h"
-
-typedef struct ThreadDataStr tData;
-
-struct ThreadDataStr {
-    CERTCertificate* cert;
-    PRIntervalTime duration;
-    PRUint32 iterations;
-};
-
-static void ThreadEntry(void* data)
-{
-        tData* tdata = (tData*) data;
-        PRIntervalTime duration = tdata->duration;
-        PRTime now = PR_Now();
-        PRIntervalTime start = PR_IntervalNow();
-
-        PR_ASSERT(duration);
-        if (!duration)
-                {
-                        return;
-                }
-        do {
-                SECStatus rv = CERT_VerifyCertificate
-                        (CERT_GetDefaultCertDB(),
-                        tdata->cert,
-                        PR_TRUE,
-                        certificateUsageEmailSigner,
-                        now,
-                        NULL,
-                        NULL,
-                        NULL);
-                if (rv != SECSuccess)
-                        {
-                                (void) fprintf(stderr, "Validation failed.\n");
-                                PORT_Assert(0);
-                                return;
-                        }
-                tdata->iterations ++;
-        } while ((PR_IntervalNow() - start) < duration);
-}
-
-static void Test(CERTCertificate* cert, PRIntervalTime duration, PRUint32 threads)
-{
-        tData data;
-        tData** alldata;
-        PRIntervalTime starttime, endtime, elapsed;
-        PRUint32 msecs;
-        float total = 0;
-        PRThread** pthreads = NULL;
-        PRUint32 i = 0;
-
-        data.duration = duration;
-        data.cert = cert;
-        data.iterations = 0;
-
-        starttime = PR_IntervalNow();
-        pthreads = (PRThread**)PR_Malloc(threads*sizeof (PRThread*));
-        alldata = (tData**)PR_Malloc(threads*sizeof (tData*));
-        for (i = 0; i < threads; i++)
-                {
-                        alldata[i] = (tData*)PR_Malloc(sizeof (tData));
-                        *alldata[i] = data;
-                        pthreads[i] =
-                                PR_CreateThread(PR_USER_THREAD,
-                                                ThreadEntry,
-                                                (void*) alldata[i],
-                                                PR_PRIORITY_NORMAL,
-                                                PR_GLOBAL_THREAD,
-                                                PR_JOINABLE_THREAD,
-                                                0);
-
-                }
-        for (i = 0; i < threads; i++)
-                {
-                        tData* args = alldata[i];
-                        PR_JoinThread(pthreads[i]);
-                        total += args->iterations;
-                        PR_Free((void*)args);
-                }
-        PR_Free((void*) pthreads);
-        PR_Free((void*) alldata);
-        endtime = PR_IntervalNow();
-
-        endtime = PR_IntervalNow();
-        elapsed = endtime - starttime;
-        msecs = PR_IntervalToMilliseconds(elapsed);
-        total /= msecs;
-        total *= 1000;
-        (void) fprintf(stdout, "%f operations per second.\n", total);
-}
-
-
-static void finish(char* message, int code)
-{
-        (void) printf(message);
-        exit(code);
-}
-
-static void usage(char* progname)
-{
-        (void) printf("Usage : %s <duration> <threads> <certnickname>\n\n",
-                    progname);
-        finish("", 0);
-}
-
-int nss_threads(int argc, char** argv)
-{
-        SECStatus rv = SECSuccess;
-        CERTCertDBHandle *handle = NULL;
-        CERTCertificate* cert = NULL;
-        PRIntervalTime duration = PR_SecondsToInterval(1);
-        PRUint32 threads = 1;
-        if (argc != 4)
-                {
-                        usage(argv[0]);
-                }
-        if (atoi(argv[1]) > 0)
-                {
-                        duration = PR_SecondsToInterval(atoi(argv[1]));
-                }
-        if (atoi(argv[2]) > 0)
-                {
-                        threads = atoi(argv[2]);
-                }
-
-        handle = CERT_GetDefaultCertDB();
-        PR_ASSERT(handle);
-        cert = CERT_FindCertByNicknameOrEmailAddr(handle, argv[3]);
-        if (!cert)
-                {
-                        finish("Unable to find certificate.\n", 1);
-                }
-        Test(cert, duration, threads);
-
-        CERT_DestroyCertificate(cert);
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/Makefile b/security/nss/cmd/libpkix/pkix/Makefile
deleted file mode 100755
index 2b004b29e..000000000
--- a/security/nss/cmd/libpkix/pkix/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
-
diff --git a/security/nss/cmd/libpkix/pkix/certsel/Makefile b/security/nss/cmd/libpkix/pkix/certsel/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/certsel/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/certsel/manifest.mn b/security/nss/cmd/libpkix/pkix/certsel/manifest.mn
deleted file mode 100755
index 7dbfd56a1..000000000
--- a/security/nss/cmd/libpkix/pkix/certsel/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_certselector.c \
-	test_comcertselparams.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolcertsel
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c b/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c
deleted file mode 100644
index 57068b76e..000000000
--- a/security/nss/cmd/libpkix/pkix/certsel/test_certselector.c
+++ /dev/null
@@ -1,1992 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_certselector.c
- *
- * Test Cert Selector
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS 5
-#define PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS 2
-#define PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS 2
-#define PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS 4
-#define PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS 1
-
-static void *plContext = NULL;
-
-/*
- * The first three certs are used to obtain policies to test
- * policy matching. Changing the table could break tests.
- */
-static char *certList[] = {
-#define POLICY1CERT 0
-                "GoodCACert.crt",
-#define ANYPOLICYCERT 1
-                "anyPolicyCACert.crt",
-#define POLICY2CERT 2
-                "PoliciesP12CACert.crt",
-#define SUBJECTCERT 3
-                "PoliciesP3CACert.crt",
-                "PoliciesP1234CACert.crt",
-                "pathLenConstraint0CACert.crt",
-                "pathLenConstraint1CACert.crt",
-                "pathLenConstraint6CACert.crt",
-                "TrustAnchorRootCertificate.crt",
-                "GoodsubCACert.crt",
-                "AnyPolicyTest14EE.crt",
-                "UserNoticeQualifierTest16EE.crt"
-        };
-#define NUMCERTS (sizeof (certList)/sizeof (certList[0]))
-
-/*
- * Following are Certs values for NameConstraints tests
- *
- * Cert0:nameConstraintsDN1subCA1Cert.crt:
- * Subject:CN=nameConstraints DN1 subCA1,OU=permittedSubtree1,
- *              O=Test Certificates,C=US
- *      Permitted Name:(OU=permittedSubtree2,OU=permittedSubtree1,
- *              O=Test Certificates,C=US)
- *      Excluded Name: (EMPTY)
- * Cert1:nameConstraintsDN3subCA2Cert.crt:
- *      Subject:CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US
- *      Permitted Name:(O=Test Certificates,C=US)
- *      Excluded Name:(EMPTY)
- * Cert2:nameConstraintsDN2CACert.crt
- *      Subject:CN=nameConstraints DN2 CA,O=Test Certificates,C=US
- *      Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US,
- *              OU=permittedSubtree2,O=Test Certificates,C=US)
- *      Excluded Name:(EMPTY)
- * Cert3:nameConstraintsDN3subCA1Cert.crt
- *      Subject:CN=nameConstraints DN3 subCA1,O=Test Certificates,C=US
- *      Permitted Name:(EMPTY)
- *      Excluded Name:(OU=excludedSubtree2,O=Test Certificates,C=US)
- * Cert4:nameConstraintsDN4CACert.crt
- *      Subject:CN=nameConstraints DN4 CA,O=Test Certificates,C=US
- *      Permitted Name:(EMPTY)
- *      Excluded Name:(OU=excludedSubtree1,O=Test Certificates,C=US,
- *              OU=excludedSubtree2,O=Test Certificates,C=US)
- * Cert5:nameConstraintsDN5CACert.crt
- *      Subject:CN=nameConstraints DN5 CA,O=Test Certificates,C=US
- *      Permitted Name:(OU=permittedSubtree1,O=Test Certificates,C=US)
- *      Excluded Name:(OU=excludedSubtree1,OU=permittedSubtree1,
- *              O=Test Certificates,C=US)
- * Cert6:ValidDNnameConstraintsTest1EE.crt
- *      Subject:CN=Valid DN nameConstraints EE Certificate Test1,
- *      OU=permittedSubtree1,O=Test Certificates,C=US
- *
- */
-static char *ncCertList[] = {
-        "nameConstraintsDN1subCA1Cert.crt",
-        "nameConstraintsDN3subCA2Cert.crt",
-        "nameConstraintsDN2CACert.crt",
-        "nameConstraintsDN3subCA1Cert.crt",
-        "nameConstraintsDN4CACert.crt",
-        "nameConstraintsDN5CACert.crt",
-        "ValidDNnameConstraintsTest1EE.crt"
-};
-#define NUMNCCERTS (sizeof (ncCertList)/sizeof (ncCertList[0]))
-
-static char *sanCertList[] = {
-        "InvalidDNnameConstraintsTest3EE.crt",
-        "InvalidDNSnameConstraintsTest38EE.crt"
-};
-#define NUMSANCERTS (sizeof (sanCertList)/sizeof (sanCertList[0]))
-
-/*
- * This function calls the CertSelector pointed to by "selector" for each
- * cert in the List pointed to by "certs", and compares the results against
- * the bit array given by the UInt32 "expectedResults". If the first cert is
- * expected to pass, the lower-order bit of "expectedResults" should be 1.
- * If the second cert is expected to pass, the second bit of "expectedResults"
- * should be 1, and so on. If more than 32 certs are provided, only the first
- * 32 will be checked. It is not an error to provide more bits than needed.
- * (For example, if you expect every cert to pass, "expectedResult" can be
- * set to 0xFFFFFFFF, even if the chain has fewer than 32 certs.)
- */
-static
-void testSelector(
-        PKIX_CertSelector *selector,
-        PKIX_List *certs,
-        PKIX_UInt32 expectedResults)
-{
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 numCerts = 0;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_CertSelector_MatchCallback callback = NULL;
-        PKIX_Error *errReturn = NULL;
-        PKIX_Boolean result = PKIX_TRUE;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
-                (selector, &callback, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certs, &numCerts, plContext));
-        if (numCerts > 32) {
-                numCerts = 32;
-        }
-
-        for (i = 0; i < numCerts; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                        (certs, i, (PKIX_PL_Object **)&cert, plContext));
-                errReturn = callback(selector, cert, &result, plContext);
-
-                if (errReturn || result == PKIX_FALSE) {
-                        if ((expectedResults & 1) == 1) {
-                                testError("selector unexpectedly failed");
-                                (void) printf("    processing cert:\t%d\n", i);
-                        }
-                } else {
-                        if ((expectedResults & 1) == 0) {
-                                testError("selector unexpectedly passed");
-                                (void) printf("    processing cert:\t%d\n", i);
-                        }
-                }
-
-                expectedResults = expectedResults >> 1;
-                PKIX_TEST_DECREF_BC(cert);
-                PKIX_TEST_DECREF_BC(errReturn);
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(errReturn);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function gets a policy from the Cert pointed to by "cert", according
- * to the index provided by "index", creates an immutable List containing the
- * OID of that policy, and stores the result at "pPolicyList".
- */
-static void testGetPolicyFromCert(
-        PKIX_PL_Cert *cert,
-        PKIX_UInt32 index,
-        PKIX_List **pPolicyList)
-{
-        PKIX_List *policyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *firstPolicy = NULL;
-        PKIX_PL_OID *policyOID = NULL;
-        PKIX_List *list = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (cert, &policyInfo, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (policyInfo,
-                index,
-                (PKIX_PL_Object **)&firstPolicy,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (firstPolicy, &policyOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (list, (PKIX_PL_Object *)policyOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable(list, plContext));
-
-        *pPolicyList = list;
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(policyInfo);
-        PKIX_TEST_DECREF_AC(firstPolicy);
-        PKIX_TEST_DECREF_AC(policyOID);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This custom matchCallback will pass any Certificate which has no
- * CertificatePolicies extension and any Certificate whose Policies
- * extension include a CertPolicyQualifier.
- */
-static PKIX_Error *
-custom_CertSelector_MatchCallback(
-        PKIX_CertSelector *selector,
-        PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
-        void *plContext)
-{
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 numPolicies = 0;
-        PKIX_List *certPolicies = NULL;
-        PKIX_List *quals = NULL;
-        PKIX_PL_CertPolicyInfo *policy = NULL;
-        PKIX_Error *error = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        *pResult = PKIX_TRUE;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (cert, &certPolicies, plContext));
-
-        if (certPolicies) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                        (certPolicies, &numPolicies, plContext));
-                      
-                for (i = 0; i < numPolicies; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                            (certPolicies,
-                            i,
-                            (PKIX_PL_Object **)&policy,
-                            plContext));
-                        PKIX_TEST_EXPECT_NO_ERROR
-                            (PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                            (policy, &quals, plContext));
-                        if (quals) {
-                            goto cleanup;
-                        }
-                        PKIX_TEST_DECREF_BC(policy);
-                }
-                PKIX_TEST_DECREF_BC(certPolicies);
-                *pResult = PKIX_FALSE;
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                        (PKIX_CERTSELECTOR_ERROR,
-                        NULL,
-                        NULL,
-                        PKIX_TESTPOLICYEXTWITHNOPOLICYQUALIFIERS,
-                        &error,
-                        plContext));
-
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(certPolicies);
-        PKIX_TEST_DECREF_AC(policy);
-        PKIX_TEST_DECREF_AC(quals);
-
-        return(error);
-}
-
-/*
- * This custom matchCallback will pass any Certificate whose
- * CertificatePolicies extension asserts the Policy specified by
- * the OID in the CertSelectorContext object.
- */
-static PKIX_Error *
-custom_CertSelector_MatchOIDCallback(
-        PKIX_CertSelector *selector,
-        PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
-        void *plContext)
-{
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 numPolicies = 0;
-        PKIX_Boolean match = PKIX_FALSE;
-        PKIX_PL_Object *certSelectorContext = NULL;
-        PKIX_PL_OID *constraintOID = NULL;
-        PKIX_List *certPolicies = NULL;
-        PKIX_PL_CertPolicyInfo *policy = NULL;
-        PKIX_PL_OID *policyOID = NULL;
-        PKIX_PL_String *errorDesc = NULL;
-        PKIX_Error *error = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        *pResult = PKIX_TRUE;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCertSelectorContext
-                (selector, &certSelectorContext, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType
-                (certSelectorContext, PKIX_OID_TYPE, plContext));
-
-        constraintOID = (PKIX_PL_OID *)certSelectorContext;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (cert, &certPolicies, plContext));
-
-        if (certPolicies) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                        (certPolicies, &numPolicies, plContext));
-
-                for (i = 0; i < numPolicies; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                (certPolicies,
-                                i,
-                                (PKIX_PL_Object **)&policy,
-                                plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_CertPolicyInfo_GetPolicyId
-                                (policy, &policyOID, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                ((PKIX_PL_Object *)policyOID,
-                                (PKIX_PL_Object *)constraintOID,
-                                &match,
-                                plContext));
-
-                        if (match) {
-                                goto cleanup;
-                        }
-                        PKIX_TEST_DECREF_BC(policy);
-                        PKIX_TEST_DECREF_BC(policyOID);
-                }
-        }
-
-        PKIX_TEST_DECREF_BC(certSelectorContext);
-        PKIX_TEST_DECREF_BC(certPolicies);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                        (PKIX_CERTSELECTOR_ERROR,
-                        NULL,
-                        NULL,
-                        PKIX_TESTNOMATCHINGPOLICY,
-                        &error,
-                        plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(certSelectorContext);
-        PKIX_TEST_DECREF_AC(certPolicies);
-        PKIX_TEST_DECREF_AC(policy);
-        PKIX_TEST_DECREF_AC(policyOID);
-        PKIX_TEST_DECREF_AC(errorDesc);
-
-        return(error);
-}
-
-static 
-void testSubjectMatch(
-        PKIX_List *certs,
-        PKIX_PL_Cert *certNameToMatch)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *subjParams = NULL;
-        PKIX_PL_X500Name *subjectName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Subject name match");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&subjParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (certNameToMatch, &subjectName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
-                (subjParams, subjectName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, subjParams, plContext));
-        testSelector(selector, certs, 0x008);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(subjParams);
-        PKIX_TEST_DECREF_AC(subjectName);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testBasicConstraintsMatch(
-        PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *bcParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Basic Constraints match");
-        subTest("    pathLenContraint = -2: pass only EE's");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&bcParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetBasicConstraints
-                (bcParams, -2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, bcParams, plContext));
-        testSelector(selector, certs, 0xC00);
-
-        subTest("    pathLenContraint = -1: pass all certs");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetBasicConstraints
-                (bcParams, -1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, bcParams, plContext));
-        testSelector(selector, certs, 0xFFF);
-
-        subTest("    pathLenContraint = 1: pass only certs with pathLen >= 1");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetBasicConstraints
-                (bcParams, 1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, bcParams, plContext));
-        testSelector(selector, certs, 0x3DF);
-
-        subTest("    pathLenContraint = 2: pass only certs with  pathLen >= 2");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetBasicConstraints
-                (bcParams, 2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, bcParams, plContext));
-        testSelector(selector, certs, 0x39F);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(bcParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testPolicyMatch(
-        PKIX_List *certs,
-        PKIX_PL_Cert *NIST1Cert, /* a source for policy NIST1 */
-        PKIX_PL_Cert *NIST2Cert, /* a source for policy NIST2 */
-        PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_List *emptyList = NULL; /* no members */
-        PKIX_List *policy1List = NULL; /* OIDs */
-        PKIX_List *policy2List = NULL; /* OIDs */
-        PKIX_List *anyPolicyList = NULL; /* OIDs */
-        PKIX_ComCertSelParams *polParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Policy match");
-        testGetPolicyFromCert(NIST1Cert, 0, &policy1List);
-        testGetPolicyFromCert(NIST2Cert, 1, &policy2List);
-        testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
-
-        subTest("    Pass certs with any CertificatePolicies extension");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&polParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetPolicy
-                (polParams, emptyList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, polParams, plContext));
-        testSelector(selector, certs, 0xEFF);
-        PKIX_TEST_DECREF_BC(polParams);
-
-        subTest("    Pass only certs with policy NIST1");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&polParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetPolicy
-                (polParams, policy1List, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, polParams, plContext));
-        testSelector(selector, certs, 0xEF5);
-        PKIX_TEST_DECREF_BC(polParams);
-
-        subTest("    Pass only certs with policy NIST2");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&polParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetPolicy
-                (polParams, policy2List, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, polParams, plContext));
-        testSelector(selector, certs, 0x814);
-        PKIX_TEST_DECREF_BC(polParams);
-
-        subTest("    Pass only certs with policy anyPolicy");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&polParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetPolicy
-                (polParams, anyPolicyList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, polParams, plContext));
-        testSelector(selector, certs, 0x002);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(emptyList);
-        PKIX_TEST_DECREF_AC(policy1List);
-        PKIX_TEST_DECREF_AC(policy2List);
-        PKIX_TEST_DECREF_AC(anyPolicyList);
-        PKIX_TEST_DECREF_AC(polParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testCertificateMatch(
-        PKIX_List *certs,
-        PKIX_PL_Cert *certToMatch)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Certificate match");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
-                (params, certToMatch, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-        testSelector(selector, certs, 0x008);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(params);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testNameConstraintsMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_CertNameConstraints *permitNameConstraints1 = NULL;
-        PKIX_PL_CertNameConstraints *permitNameConstraints2 = NULL;
-        PKIX_PL_CertNameConstraints *permitNameConstraints3 = NULL;
-        PKIX_PL_CertNameConstraints *excludeNameConstraints1 = NULL;
-        PKIX_PL_CertNameConstraints *excludeNameConstraints2 = NULL;
-        PKIX_PL_CertNameConstraints *excludeNameConstraints3 = NULL;
-        PKIX_UInt32 numCerts = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test NameConstraints Cert Selector");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certs, &numCerts, plContext));
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert0-permitted>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 0, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &permitNameConstraints1, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert1-permitted>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 1, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &permitNameConstraints2, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert2-permitted>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 2, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &permitNameConstraints3, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert3-excluded>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 3, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &excludeNameConstraints1, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert4-excluded>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 4, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &excludeNameConstraints2, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    PKIX_PL_Cert_GetNameConstraints <cert5-excluded>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, 5, (PKIX_PL_Object **)&cert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (cert, &excludeNameConstraints3, plContext));
-        PKIX_TEST_DECREF_BC(cert);
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    CertNameConstraints testing permitted NONE");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, permitNameConstraints1, plContext));
-        testSelector(selector, certs, 0x0);
-
-        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    CertNameConstraints testing permitted ALL");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, permitNameConstraints2, plContext));
-        testSelector(selector, certs, 0x07F);
-
-        subTest("    CertNameConstraints testing permitted TWO");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, permitNameConstraints3, plContext));
-        testSelector(selector, certs, 0x0041);
-
-        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    CertNameConstraints testing excluded");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, excludeNameConstraints1, plContext));
-        testSelector(selector, certs, 0x07F);
-
-        subTest("    CertNameConstraints testing excluded");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, excludeNameConstraints2, plContext));
-        testSelector(selector, certs, 0x07F);
-
-        subTest("    CertNameConstraints testing excluded");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (params, excludeNameConstraints3, plContext));
-        testSelector(selector, certs, 0x41);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(permitNameConstraints1);
-        PKIX_TEST_DECREF_AC(permitNameConstraints2);
-        PKIX_TEST_DECREF_AC(permitNameConstraints3);
-        PKIX_TEST_DECREF_AC(excludeNameConstraints1);
-        PKIX_TEST_DECREF_AC(excludeNameConstraints2);
-        PKIX_TEST_DECREF_AC(excludeNameConstraints3);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testPathToNamesMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_List *nameList = NULL;
-        PKIX_PL_GeneralName *name = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test PathToName Cert Selector");
-
-        subTest("    PKIX_PL_GeneralName List create");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
-
-        subTest("    Add directory name <O=NotATest Certificates,C=US>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "O=NotATest Certificates,C=US",
-                plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, nameList, plContext));
-
-        subTest("    Permitting THREE");
-        testSelector(selector, certs, 0x58);
-
-        subTest("    Remove directory name <O=NotATest Certificates,C=US...>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
-                                (nameList, 0, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    Add directory name <OU=permittedSubtree1,O=Test...>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "OU=permittedSubtree1,O=Test Certificates,C=US",
-                plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, nameList, plContext));
-
-        subTest("    Permitting SIX");
-        testSelector(selector, certs, 0x5F);
-
-        subTest("    Remove directory name <OU=permittedSubtree1,O=Test...>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
-                                (nameList, 0, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    Add directory name <O=Test Certificates,C=US...>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "O=Test Certificates,C=US",
-                plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, nameList, plContext));
-
-        subTest("    Permitting FOUR");
-        testSelector(selector, certs, 0x47);
-
-        subTest("    Only directory name <OU=permittedSubtree1,O=Test ...>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "OU=permittedSubtree1,O=Test Certificates,C=US",
-                plContext);
-
-        subTest("    PKIX_ComCertSelParams_AddPathToName");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
-                (params, name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    Permitting FOUR");
-        testSelector(selector, certs, 0x47);
-
-        subTest("    PKIX_ComCertSelParams_SetNameConstraint Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-        PKIX_TEST_DECREF_BC(nameList);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
-
-        subTest("    Add directory name <CN=Valid DN nameConstraints EE...>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME, "CN=Valid DN nameConstraints EE "
-                "Certificate Test1,OU=permittedSubtree1,"
-                "O=Test Certificates,C=US",
-                plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, nameList, plContext));
-
-        subTest("    Permitting SIX");
-        testSelector(selector, certs, 0x7e);
-
-        subTest("    Add directory name <OU=permittedSubtree1,O=Test>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "OU=permittedSubtree1,O=Test",
-                plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, nameList, plContext));
-
-        subTest("    Permitting SIX");
-        testSelector(selector, certs, 0x58);
-
-        subTest("    Add directory name <O=Test Certificates,C=US>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME, "O=Test Certificates,C=US", plContext);
-
-        subTest("    PKIX_ComCertSelParams_SetPathToNames Reset");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (params, NULL, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
-                (params, name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    Permitting FOUR");
-        testSelector(selector, certs, 0x47);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(nameList);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testSubjAltNamesMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_List *nameList = NULL;
-        PKIX_PL_GeneralName *name = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test SubjAltNames Cert Selector");
-
-        subTest("    PKIX_PL_GeneralName List create");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&nameList, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    Add directory name <CN=Invalid DN nameConstraints EE...>");
-        name = createGeneralName
-                (PKIX_DIRECTORY_NAME,
-                "CN=Invalid DN nameConstraints EE Certificate Test3,"
-                "OU=excludedSubtree1,O=Test Certificates,C=US",
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (nameList, (PKIX_PL_Object *)name, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames
-                (params, nameList, plContext));
-
-        PKIX_TEST_DECREF_BC(name);
-        PKIX_TEST_DECREF_BC(nameList);
-
-        subTest("    Permitting ONE");
-        testSelector(selector, certs, 0x1);
-
-        subTest("    Add DNS name <mytestcertificates.gov>");
-        name = createGeneralName
-                (PKIX_DNS_NAME,
-                "mytestcertificates.gov",
-                plContext);
-
-        subTest("    PKIX_ComCertSelParams_AddSubjAltName");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
-                (params, name, plContext));
-        PKIX_TEST_DECREF_BC(name);
-
-        subTest("    Permitting NONE");
-        testSelector(selector, certs, 0x0);
-
-        subTest("    PKIX_ComCertSelParams_SetMatchAllSubjAltNames to FALSE");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
-                (params, PKIX_FALSE, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    Permitting TWO");
-        testSelector(selector, certs, 0x3);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(name);
-        PKIX_TEST_DECREF_AC(nameList);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testCertificateValidMatch(
-        PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_String *stringRep = NULL;
-        PKIX_PL_Date *testDate = NULL;
-        char *asciiRep = "050501000000Z";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("CertificateValid match");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create
-                (PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
-                (params, testDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-        testSelector(selector, certs, 0xFFFFFFFF);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(stringRep);
-        PKIX_TEST_DECREF_AC(testDate);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_customCallback1(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("custom matchCallback");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (custom_CertSelector_MatchCallback,
-                NULL,
-                &selector,
-                plContext));
-
-        testSelector(selector, certs, 0x900);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void test_customCallback2
-        (PKIX_List *certs,
-        PKIX_PL_Cert *anyPolicyCert) /* a source for policy anyPolicy */
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_List *anyPolicyList = NULL; /* OIDs */
-        PKIX_PL_OID *policyOID = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("custom matchCallback with CertSelectorContext");
-
-        testGetPolicyFromCert(anyPolicyCert, 0, &anyPolicyList);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (anyPolicyList, 0, (PKIX_PL_Object **)&policyOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (custom_CertSelector_MatchOIDCallback,
-                (PKIX_PL_Object *)policyOID,
-                &selector,
-                plContext));
-
-        testSelector(selector, certs, (1 << ANYPOLICYCERT));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(anyPolicyList);
-        PKIX_TEST_DECREF_AC(policyOID);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testExtendedKeyUsageMatch(char *certDir)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_OID *ekuOid = NULL;
-        PKIX_List *ekuOidList = NULL;
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 numCert = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Extended KeyUsage Cert Selector");
-
-        subTest("    PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("    Create Extended Key Usage OID List");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&ekuOidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                ("1.3.6.1.5.5.7.3.2", &ekuOid, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
-
-        PKIX_TEST_DECREF_BC(ekuOid);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                ("1.3.6.1.5.5.7.3.3", &ekuOid, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (ekuOidList, (PKIX_PL_Object *)ekuOid, plContext));
-
-        PKIX_TEST_DECREF_BC(ekuOid);
-
-        subTest("    PKIX_ComCertSelParams_SetExtendedKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
-                (goodParams, ekuOidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
-
-        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        subTest("    PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, goodParams, plContext));
-
-        subTest("    PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &certCallback, NULL));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert != PKIX_TEST_CERTSELECTOR_EXTKEYUSAGE_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Cert number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(ekuOid);
-        PKIX_TEST_DECREF_AC(ekuOidList);
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testKeyUsageMatch(char *certDir)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 numCert = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test KeyUsage Cert Selector");
-
-        subTest("    PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage
-                (goodParams, PKIX_CRL_SIGN, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
-
-        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        subTest("    PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, goodParams, plContext));
-
-        subTest("    PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &certCallback, NULL));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert != PKIX_TEST_CERTSELECTOR_KEYUSAGE_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Cert number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testCertValidMatch(char *certDir)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_Date *validDate = NULL;
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 numCert = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test CertValid Cert Selector");
-
-        subTest("    PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        validDate = createDate("050601000000Z", plContext);
-
-        subTest("    PKIX_ComCertSelParams_SetCertificateValid");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
-                (goodParams, validDate, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
-
-        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        subTest("    PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, goodParams, plContext));
-
-        subTest("    PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &certCallback, NULL));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert != PKIX_TEST_CERTSELECTOR_CERTVALID_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Cert number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(validDate);
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testIssuerMatch(char *certDir)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_X500Name *issuer = NULL;
-        PKIX_PL_String *issuerStr = NULL;
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        char *issuerName = "CN=science,O=mit,C=US";
-        PKIX_UInt32 numCert = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Issuer Cert Selector");
-
-        subTest("    PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, issuerName, 0, &issuerStr, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
-                (issuerStr, &issuer, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetIssuer");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer
-                (goodParams, issuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
-
-        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        subTest("    PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, goodParams, plContext));
-
-        subTest("    PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &certCallback, NULL));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert != PKIX_TEST_CERTSELECTOR_ISSUER_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Cert number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(issuer);
-        PKIX_TEST_DECREF_AC(issuerStr);
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testSerialNumberVersionMatch(char *certDir)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_BigInt *serialNumber = NULL;
-        PKIX_PL_String *serialNumberStr = NULL;
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 numCert = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Serial Number Cert Selector");
-
-        subTest("    PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, "01", 0, &serialNumberStr, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
-                (serialNumberStr, &serialNumber, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetSerialNumber");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber
-                (goodParams, serialNumber, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetVersion");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
-                (goodParams, 0, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, certDir, 0, &dirString, plContext));
-
-        subTest("    PKIX_PL_CollectionCertStoreContext_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        subTest("    PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, goodParams, plContext));
-
-        subTest("    PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &certCallback, NULL));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        PKIX_TEST_DECREF_BC(certList);
-
-        if (numCert != 0) {
-                pkixTestErrorMsg = "unexpected Version mismatch";
-        }
-
-        subTest("    PKIX_ComCertSelParams_SetVersion");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
-                (goodParams, 2, plContext));
-
-        subTest("    Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                (certStore, certSelector, &nbioContext, &certList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert != PKIX_TEST_CERTSELECTOR_SERIALNUMBER_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Serial Number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(serialNumber);
-        PKIX_TEST_DECREF_AC(serialNumberStr);
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testSubjKeyIdMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_ByteArray *selSubjKeyId = NULL;
-        PKIX_UInt32 item = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Subject Key Id Cert Selector");
-
-        item = 2;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, item, (PKIX_PL_Object **)&cert, plContext));
-
-        subTest("    PKIX_PL_Cert_GetSubjectKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
-                (cert, &selSubjKeyId, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetSubjKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier
-                (params, selSubjKeyId, plContext));
-
-        subTest("    Select One");
-        testSelector(selector, certs, 1<<item);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selSubjKeyId);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(selector);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testAuthKeyIdMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_ByteArray *selAuthKeyId = NULL;
-        PKIX_UInt32 item = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Auth Key Id Cert Selector");
-
-        item = 3;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, item, (PKIX_PL_Object **)&cert, plContext));
-
-        subTest("    PKIX_PL_Cert_GetAuthorityKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
-                (cert, &selAuthKeyId, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetAuthorityKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
-                (params, selAuthKeyId, plContext));
-
-        subTest("    Select TWO");
-        testSelector(selector, certs, (1<<item)|(1<<1));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selAuthKeyId);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(selector);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testSubjPKAlgIdMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_OID *selAlgId = NULL;
-        PKIX_UInt32 item = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Subject Public Key Algorithm Id Cert Selector");
-
-        item = 0;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, item, (PKIX_PL_Object **)&cert, plContext));
-
-        subTest("    PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId
-                (cert, &selAlgId, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetSubjPKAlgId");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId
-                (params, selAlgId, plContext));
-
-        subTest("    Select All");
-        testSelector(selector, certs, 0x7F);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selAlgId);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(selector);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testSubjPublicKeyMatch(PKIX_List *certs)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *params = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_PublicKey *selPublicKey = NULL;
-        PKIX_UInt32 item = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test Subject Public Key Cert Selector");
-
-        item = 5;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certs, item, (PKIX_PL_Object **)&cert, plContext));
-
-        subTest("    PKIX_PL_Cert_GetSubjectPublicKey");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (cert, &selPublicKey, plContext));
-
-        subTest("    Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&params, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, params, plContext));
-
-        subTest("    PKIX_ComCertSelParams_SetSubjPubKey");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey
-                (params, selPublicKey, plContext));
-
-        subTest("    Select ONE");
-        testSelector(selector, certs, 1<<item);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selPublicKey);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(params);
-        PKIX_TEST_DECREF_AC(selector);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void test_CertSelector_Duplicate(PKIX_CertSelector *selector)
-{
-        PKIX_Int32 goodBasicConstraints = 0;
-        PKIX_Int32 equalBasicConstraints = 0;
-        PKIX_CertSelector *dupSelector = NULL;
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_ComCertSelParams *equalParams = NULL;
-        PKIX_CertSelector_MatchCallback goodCallback = NULL;
-        PKIX_CertSelector_MatchCallback equalCallback = NULL;
-        PKIX_PL_X500Name *goodSubject = NULL;
-        PKIX_PL_X500Name *equalSubject = NULL;
-        PKIX_List *goodPolicy = NULL;
-        PKIX_List *equalPolicy = NULL;
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Date *goodDate = NULL;
-        PKIX_PL_Date *equalDate = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("test_CertSelector_Duplicate");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)selector,
-                (PKIX_PL_Object **)&dupSelector,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
-                (selector, &goodParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetCommonCertSelectorParams
-                (dupSelector, &equalParams, plContext));
-        /* There is no equals function, so look at components separately. */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
-                (goodParams, &goodSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
-                (equalParams, &equalSubject, plContext));
-        if (goodSubject && equalSubject) {
-                testEqualsHelper
-                        ((PKIX_PL_Object *)goodSubject,
-                        (PKIX_PL_Object *)equalSubject,
-                        PKIX_TRUE,
-                        plContext);
-        } else {
-                if PKIX_EXACTLY_ONE_NULL(goodSubject, equalSubject) {
-                        pkixTestErrorMsg = "Subject Names are not equal!";
-                        goto cleanup;
-                }
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
-                (goodParams, &goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
-                (equalParams, &equalPolicy, plContext));
-        if (goodPolicy && equalPolicy) {
-                testEqualsHelper
-                        ((PKIX_PL_Object *)goodPolicy,
-                        (PKIX_PL_Object *)equalPolicy,
-                        PKIX_TRUE,
-                        plContext);
-        } else {
-                if PKIX_EXACTLY_ONE_NULL(goodPolicy, equalPolicy) {
-                        pkixTestErrorMsg = "Policy Lists are not equal!";
-                        goto cleanup;
-                }
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
-                (goodParams, &goodCert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
-                (equalParams, &equalCert, plContext));
-        if (goodCert && equalCert) {
-                testEqualsHelper
-                        ((PKIX_PL_Object *)goodCert,
-                        (PKIX_PL_Object *)equalCert,
-                        PKIX_TRUE,
-                        plContext);
-        } else {
-                if PKIX_EXACTLY_ONE_NULL(goodCert, equalCert) {
-                        pkixTestErrorMsg = "Cert Lists are not equal!";
-                        goto cleanup;
-                }
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
-                (goodParams, &goodDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
-                (equalParams, &equalDate, plContext));
-        if (goodCert && equalCert) {
-                testEqualsHelper
-                        ((PKIX_PL_Object *)goodDate,
-                        (PKIX_PL_Object *)equalDate,
-                        PKIX_TRUE,
-                        plContext);
-        } else {
-                if PKIX_EXACTLY_ONE_NULL(goodDate, equalDate) {
-                        pkixTestErrorMsg = "Date Lists are not equal!";
-                        goto cleanup;
-                }
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
-                (goodParams, &goodBasicConstraints, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
-                (equalParams, &equalBasicConstraints, plContext));
-        if (goodBasicConstraints != equalBasicConstraints) {
-                pkixTestErrorMsg = "BasicConstraints are not equal!";
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
-                (selector, &goodCallback, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_GetMatchCallback
-                (dupSelector, &equalCallback, plContext));
-        if (goodCallback != equalCallback) {
-                pkixTestErrorMsg = "MatchCallbacks are not equal!";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dupSelector);
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(equalParams);
-        PKIX_TEST_DECREF_AC(goodSubject);
-        PKIX_TEST_DECREF_AC(equalSubject);
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(goodDate);
-        PKIX_TEST_DECREF_AC(equalDate);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_certselector <NIST_FILES_DIR> <cert-dir>\n\n");
-}
-
-int test_certselector(int argc, char *argv[]) {
-
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_CertSelector *emptySelector = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_List *nameConstraintsCerts = NULL;
-        PKIX_List *subjAltNamesCerts = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_Cert *policy1Cert = NULL;
-        PKIX_PL_Cert *policy2Cert = NULL;
-        PKIX_PL_Cert *anyPolicyCert = NULL;
-        PKIX_PL_Cert *subjectCert = NULL;
-        PKIX_ComCertSelParams *selParams = NULL;
-        char *certDir = NULL;
-        char *dirName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CertSelector");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 3) {
-                printUsage();
-                return (0);
-        }
-
-        dirName = argv[j+1];
-        certDir = argv[j+3];
-
-        /* Create a List of certs to use in testing the selector */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
-
-        for (i = 0; i < NUMCERTS; i++) {
-
-                cert = createCert(dirName, certList[i], plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                        (certs, (PKIX_PL_Object *)cert, plContext));
-                if (i == POLICY1CERT) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)cert, plContext));
-                        policy1Cert = cert;
-                }
-                if (i == ANYPOLICYCERT) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)cert, plContext));
-                        anyPolicyCert = cert;
-                }
-                if (i == POLICY2CERT) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)cert, plContext));
-                        policy2Cert = cert;
-                }
-                if (i == SUBJECTCERT) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)cert, plContext));
-                        subjectCert = cert;
-                }
-                PKIX_TEST_DECREF_BC(cert);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                (&nameConstraintsCerts, plContext));
-
-        for (i = 0; i < NUMNCCERTS; i++) {
-
-                cert = createCert(dirName, ncCertList[i], plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                        (nameConstraintsCerts,
-                        (PKIX_PL_Object *)cert,
-                        plContext));
-
-                PKIX_TEST_DECREF_BC(cert);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                (&subjAltNamesCerts, plContext));
-
-        for (i = 0; i < NUMSANCERTS; i++) {
-
-                cert = createCert(dirName, sanCertList[i], plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                        (subjAltNamesCerts,
-                        (PKIX_PL_Object *)cert,
-                        plContext));
-
-                PKIX_TEST_DECREF_BC(cert);
-        }
-
-        subTest("test_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &emptySelector, plContext));
-
-        subTest("Default Match, no parameters set");
-        testSelector(emptySelector, certs, 0xFFFFFFFF);
-
-        testSubjectMatch(certs, subjectCert);
-
-        testBasicConstraintsMatch(certs);
-
-        testPolicyMatch(certs, policy1Cert, policy2Cert, anyPolicyCert);
-
-        testCertificateMatch(certs, subjectCert);
-
-        testCertificateValidMatch(certs);
-
-        subTest("Combination: pass only EE certs that assert some policy");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&selParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetBasicConstraints
-                (selParams, -2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (emptySelector, selParams, plContext));
-        testSelector(emptySelector, certs, 0xC00);
-
-        testNameConstraintsMatch(nameConstraintsCerts);
-
-        testPathToNamesMatch(nameConstraintsCerts);
-
-        testSubjAltNamesMatch(subjAltNamesCerts);
-
-        testExtendedKeyUsageMatch(certDir);
-
-        testKeyUsageMatch(certDir);
-
-        testIssuerMatch(certDir);
-
-        testSerialNumberVersionMatch(certDir);
-
-        testCertValidMatch(certDir);
-
-        testSubjKeyIdMatch(nameConstraintsCerts);
-
-        testAuthKeyIdMatch(nameConstraintsCerts);
-
-        testSubjPKAlgIdMatch(nameConstraintsCerts);
-
-        testSubjPublicKeyMatch(nameConstraintsCerts);
-
-        test_CertSelector_Duplicate(emptySelector);
-
-        test_customCallback1(certs);
-
-        test_customCallback2(certs, anyPolicyCert);
-
-        subTest("test_CertSelector_Destroy");
-
-        PKIX_TEST_DECREF_BC(emptySelector);
-
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(emptySelector);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(policy1Cert);
-        PKIX_TEST_DECREF_AC(policy2Cert);
-        PKIX_TEST_DECREF_AC(anyPolicyCert);
-        PKIX_TEST_DECREF_AC(subjectCert);
-        PKIX_TEST_DECREF_AC(selParams);
-        PKIX_TEST_DECREF_AC(nameConstraintsCerts);
-        PKIX_TEST_DECREF_AC(subjAltNamesCerts);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CertSelector");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c b/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c
deleted file mode 100644
index 0ebbdd462..000000000
--- a/security/nss/cmd/libpkix/pkix/certsel/test_comcertselparams.c
+++ /dev/null
@@ -1,953 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_comcertselparams.c
- *
- * Test Common Cert Selector Params
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void test_CreateOIDList(PKIX_List *certPolicyInfos, PKIX_List **pPolicyOIDs)
-{
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 numInfos = 0;
-        PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
-        PKIX_PL_OID *policyOID = NULL;
-        PKIX_List *certPolicies = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        /* Convert from List of CertPolicyInfos to List of OIDs */
-        if (certPolicyInfos) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                        (certPolicyInfos, &numInfos, plContext));
-        }
-
-        if (numInfos > 0) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                        (&certPolicies, plContext));
-        }
-        for (i = 0; i < numInfos; i++) {
-            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (certPolicyInfos,
-                i,
-                (PKIX_PL_Object **)&certPolicyInfo,
-                plContext));
-            PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (certPolicyInfo, &policyOID, plContext));
-            PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (certPolicies, (PKIX_PL_Object *)policyOID, plContext));
-            PKIX_TEST_DECREF_BC(certPolicyInfo);
-            PKIX_TEST_DECREF_BC(policyOID);
-        }
-
-        *pPolicyOIDs = certPolicies;
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(certPolicyInfo);
-        PKIX_TEST_DECREF_AC(policyOID);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_NameConstraints(char *dirName)
-{
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_CertNameConstraints *getNameConstraints = NULL;
-        PKIX_PL_CertNameConstraints *setNameConstraints = NULL;
-        PKIX_ComCertSelParams *goodParams = NULL;
-        char *expectedAscii =
-                "[\n"
-                "\t\tPermitted Name:  (OU=permittedSubtree1,"
-                "O=Test Certificates,C=US, OU=permittedSubtree2,"
-                "O=Test Certificates,C=US)\n"
-                "\t\tExcluded Name:   (EMPTY)\n"
-                "\t]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Create Cert for NameConstraints test");
-
-        goodCert = createCert
-                (dirName, "nameConstraintsDN2CACert.crt", plContext);
-
-        subTest("PKIX_PL_Cert_GetNameConstraints");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (goodCert, &setNameConstraints, plContext));
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetNameConstraints");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetNameConstraints
-                (goodParams, setNameConstraints, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetNameConstraints");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetNameConstraints
-                (goodParams, &getNameConstraints, plContext));
-
-        subTest("Compare NameConstraints");
-        testEqualsHelper((PKIX_PL_Object *)setNameConstraints,
-                (PKIX_PL_Object *)getNameConstraints,
-                PKIX_TRUE,
-                plContext);
-
-        subTest("Compare NameConstraints with canned string");
-        testToStringHelper
-                ((PKIX_PL_Object *)getNameConstraints,
-                expectedAscii,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(getNameConstraints);
-        PKIX_TEST_DECREF_AC(setNameConstraints);
-        PKIX_TEST_DECREF_AC(goodParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_PathToNames(void)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_List *setGenNames = NULL;
-        PKIX_List *getGenNames = NULL;
-        PKIX_PL_GeneralName *rfc822GenName = NULL;
-        PKIX_PL_GeneralName *dnsGenName = NULL;
-        PKIX_PL_GeneralName *dirGenName = NULL;
-        PKIX_PL_GeneralName *uriGenName = NULL;
-        PKIX_PL_GeneralName *oidGenName = NULL;
-        char *rfc822Name = "john.doe@labs.com";
-        char *dnsName = "comcast.net";
-        char *dirName = "cn=john, ou=labs, o=sun, c=us";
-        char *uriName = "http://comcast.net";
-        char *oidName = "1.2.840.11";
-        char *expectedAscii =
-                "(john.doe@labs.com, "
-                "comcast.net, "
-                "CN=john,OU=labs,O=sun,C=us, "
-                "http://comcast.net)";
-        char *expectedAsciiAll =
-                "(john.doe@labs.com, "
-                "comcast.net, "
-                "CN=john,OU=labs,O=sun,C=us, "
-                "http://comcast.net, "
-                "1.2.840.11)";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_GeneralName_Create");
-        dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
-        uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
-        oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
-        dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
-        rfc822GenName = createGeneralName
-                (PKIX_RFC822_NAME,
-                rfc822Name,
-                plContext);
-
-        subTest("PKIX_PL_GeneralName List create and append");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)dirGenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)uriGenName, plContext));
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPathToNames
-                (goodParams, setGenNames, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames
-                (goodParams, &getGenNames, plContext));
-
-        subTest("Compare GeneralName List");
-        testEqualsHelper((PKIX_PL_Object *)setGenNames,
-                (PKIX_PL_Object *)getGenNames,
-                PKIX_TRUE,
-                plContext);
-
-        subTest("Compare GeneralName List with canned string");
-        testToStringHelper
-                ((PKIX_PL_Object *)getGenNames,
-                expectedAscii,
-                plContext);
-
-        subTest("PKIX_ComCertSelParams_AddPathToName");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddPathToName
-                (goodParams, oidGenName, plContext));
-
-        PKIX_TEST_DECREF_BC(getGenNames);
-
-        subTest("PKIX_ComCertSelParams_GetPathToNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPathToNames
-                (goodParams, &getGenNames, plContext));
-
-        subTest("Compare GeneralName List with canned string");
-        testToStringHelper
-                ((PKIX_PL_Object *)getGenNames,
-                expectedAsciiAll,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(setGenNames);
-        PKIX_TEST_DECREF_AC(getGenNames);
-        PKIX_TEST_DECREF_AC(rfc822GenName);
-        PKIX_TEST_DECREF_AC(dnsGenName);
-        PKIX_TEST_DECREF_AC(dirGenName);
-        PKIX_TEST_DECREF_AC(uriGenName);
-        PKIX_TEST_DECREF_AC(oidGenName);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_SubjAltNames(void)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_List *setGenNames = NULL;
-        PKIX_List *getGenNames = NULL;
-        PKIX_PL_GeneralName *rfc822GenName = NULL;
-        PKIX_PL_GeneralName *dnsGenName = NULL;
-        PKIX_PL_GeneralName *dirGenName = NULL;
-        PKIX_PL_GeneralName *uriGenName = NULL;
-        PKIX_PL_GeneralName *oidGenName = NULL;
-        PKIX_Boolean matchAll = PKIX_TRUE;
-        char *rfc822Name = "john.doe@labs.com";
-        char *dnsName = "comcast.net";
-        char *dirName = "cn=john, ou=labs, o=sun, c=us";
-        char *uriName = "http://comcast.net";
-        char *oidName = "1.2.840.11";
-        char *expectedAscii =
-                "(john.doe@labs.com, "
-                "comcast.net, "
-                "CN=john,OU=labs,O=sun,C=us, "
-                "http://comcast.net)";
-        char *expectedAsciiAll =
-                "(john.doe@labs.com, "
-                "comcast.net, "
-                "CN=john,OU=labs,O=sun,C=us, "
-                "http://comcast.net, "
-                "1.2.840.11)";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_GeneralName_Create");
-        dnsGenName = createGeneralName(PKIX_DNS_NAME, dnsName, plContext);
-        uriGenName = createGeneralName(PKIX_URI_NAME, uriName, plContext);
-        oidGenName = createGeneralName(PKIX_OID_NAME, oidName, plContext);
-        dirGenName = createGeneralName(PKIX_DIRECTORY_NAME, dirName, plContext);
-        rfc822GenName = createGeneralName
-                (PKIX_RFC822_NAME,
-                rfc822Name,
-                plContext);
-
-        subTest("PKIX_PL_GeneralName List create and append");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setGenNames, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)rfc822GenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)dnsGenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)dirGenName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setGenNames, (PKIX_PL_Object *)uriGenName, plContext));
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjAltNames
-                (goodParams, setGenNames, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames
-                (goodParams, &getGenNames, plContext));
-
-        subTest("Compare GeneralName List");
-        testEqualsHelper((PKIX_PL_Object *)setGenNames,
-                (PKIX_PL_Object *)getGenNames,
-                PKIX_TRUE,
-                plContext);
-
-        subTest("Compare GeneralName List with canned string");
-        testToStringHelper
-                ((PKIX_PL_Object *)getGenNames,
-                expectedAscii,
-                plContext);
-
-
-        subTest("PKIX_ComCertSelParams_AddSubjAltName");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
-                (goodParams, oidGenName, plContext));
-
-        PKIX_TEST_DECREF_BC(getGenNames);
-
-        subTest("PKIX_ComCertSelParams_GetSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjAltNames
-                (goodParams, &getGenNames, plContext));
-
-        subTest("Compare GeneralName List with canned string");
-        testToStringHelper
-                ((PKIX_PL_Object *)getGenNames,
-                expectedAsciiAll,
-                plContext);
-
-        subTest("PKIX_ComCertSelParams_GetMatchAllSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
-                (goodParams, &matchAll, plContext));
-        if (matchAll != PKIX_TRUE) {
-                testError("unexpected mismatch <expect TRUE>");
-        }
-
-        subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
-                (goodParams, PKIX_FALSE, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetMatchAllSubjAltNames
-                (goodParams, &matchAll, plContext));
-        if (matchAll != PKIX_FALSE) {
-                testError("unexpected mismatch <expect FALSE>");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(setGenNames);
-        PKIX_TEST_DECREF_AC(getGenNames);
-        PKIX_TEST_DECREF_AC(rfc822GenName);
-        PKIX_TEST_DECREF_AC(dnsGenName);
-        PKIX_TEST_DECREF_AC(dirGenName);
-        PKIX_TEST_DECREF_AC(uriGenName);
-        PKIX_TEST_DECREF_AC(oidGenName);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_KeyUsages(void)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_OID *ekuOid = NULL;
-        PKIX_List *setExtKeyUsage = NULL;
-        PKIX_List *getExtKeyUsage = NULL;
-        PKIX_UInt32 getKeyUsage = 0;
-        PKIX_UInt32 setKeyUsage = 0x1FF;
-        PKIX_Boolean isEqual = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetKeyUsage
-                (goodParams, setKeyUsage, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetKeyUsage
-                (goodParams, &getKeyUsage, plContext));
-
-        if (setKeyUsage != getKeyUsage) {
-                testError("unexpected KeyUsage mismatch <expect equal>");
-        }
-
-        subTest("PKIX_PL_OID List create and append");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setExtKeyUsage, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                ("1.3.6.1.5.5.7.3.1",   &ekuOid, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
-        PKIX_TEST_DECREF_BC(ekuOid);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                ("1.3.6.1.5.5.7.3.8",   &ekuOid, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setExtKeyUsage, (PKIX_PL_Object *)ekuOid, plContext));
-        PKIX_TEST_DECREF_BC(ekuOid);
-
-        subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
-                (goodParams, setExtKeyUsage, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetExtendedKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetExtendedKeyUsage
-                (goodParams, &getExtKeyUsage, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setExtKeyUsage,
-                (PKIX_PL_Object *)getExtKeyUsage,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected ExtKeyUsage mismatch <expect equal>");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(ekuOid);
-        PKIX_TEST_DECREF_AC(setExtKeyUsage);
-        PKIX_TEST_DECREF_AC(getExtKeyUsage);
-        PKIX_TEST_DECREF_AC(goodParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_Version_Issuer_SerialNumber(void)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_UInt32 version = 0;
-        PKIX_PL_X500Name *setIssuer = NULL;
-        PKIX_PL_X500Name *getIssuer = NULL;
-        PKIX_PL_String *str = NULL;
-        PKIX_PL_BigInt *setSerialNumber = NULL;
-        PKIX_PL_BigInt *getSerialNumber = NULL;
-        PKIX_Boolean isEqual = PKIX_FALSE;
-        char *bigInt = "999999999999999999";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        /* Version */
-        subTest("PKIX_ComCertSelParams_SetVersion");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetVersion
-                (goodParams, 2, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetVersion");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetVersion
-                (goodParams, &version, plContext));
-
-        if (version != 2) {
-                testError("unexpected Version mismatch <expect 2>");
-        }
-
-        /* Issuer */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, "CN=Test,O=Sun,C=US", 0, &str, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
-                (str, &setIssuer, plContext));
-
-        PKIX_TEST_DECREF_BC(str);
-
-        subTest("PKIX_ComCertSelParams_SetIssuer");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetIssuer
-                (goodParams, setIssuer, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetIssuer");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetIssuer
-                (goodParams, &getIssuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setIssuer,
-                (PKIX_PL_Object *)getIssuer,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Issuer mismatch <expect equal>");
-        }
-
-        /* Serial Number */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, bigInt, PL_strlen(bigInt), &str, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
-                (str, &setSerialNumber, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetSerialNumber");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSerialNumber
-                (goodParams, setSerialNumber, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetSerialNumber");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSerialNumber
-                (goodParams, &getSerialNumber, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setSerialNumber,
-                (PKIX_PL_Object *)getSerialNumber,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Serial Number mismatch <expect equal>");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(str);
-        PKIX_TEST_DECREF_AC(setIssuer);
-        PKIX_TEST_DECREF_AC(getIssuer);
-        PKIX_TEST_DECREF_AC(setSerialNumber);
-        PKIX_TEST_DECREF_AC(getSerialNumber);
-        PKIX_TEST_DECREF_AC(goodParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_SubjKeyId_AuthKeyId(void)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_ByteArray *setKeyId = NULL;
-        PKIX_PL_ByteArray *getKeyId = NULL;
-        PKIX_Boolean isEqual = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        /* Subject Key Identifier */
-        subTest("PKIX_PL_ByteArray_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
-                ((void*)"66099", 1, &setKeyId, plContext));
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetSubjectKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjKeyIdentifier
-                (goodParams, setKeyId, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetSubjectKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjKeyIdentifier
-                (goodParams, &getKeyId, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setKeyId,
-                (PKIX_PL_Object *)getKeyId,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Subject Key Id mismatch <expect equal>");
-        }
-
-        PKIX_TEST_DECREF_BC(setKeyId);
-        PKIX_TEST_DECREF_BC(getKeyId);
-
-        /* Authority Key Identifier */
-        subTest("PKIX_PL_ByteArray_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
-                ((void*)"11022", 1, &setKeyId, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetAuthorityKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetAuthorityKeyIdentifier
-                (goodParams, setKeyId, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetAuthorityKeyIdentifier");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_GetAuthorityKeyIdentifier
-                (goodParams, &getKeyId, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setKeyId,
-                (PKIX_PL_Object *)getKeyId,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Auth Key Id mismatch <expect equal>");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setKeyId);
-        PKIX_TEST_DECREF_AC(getKeyId);
-        PKIX_TEST_DECREF_AC(goodParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void test_SubjAlgId_SubjPublicKey(char *dirName)
-{
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_PL_OID *setAlgId = NULL;
-        PKIX_PL_OID *getAlgId = NULL;
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_PublicKey *setPublicKey = NULL;
-        PKIX_PL_PublicKey *getPublicKey = NULL;
-        PKIX_Boolean isEqual = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        /* Subject Algorithm Identifier */
-        subTest("PKIX_PL_OID_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                ("1.1.2.3", &setAlgId, plContext));
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetSubjPKAlgId");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPKAlgId
-                (goodParams, setAlgId, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetSubjPKAlgId");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPKAlgId
-                (goodParams, &getAlgId, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setAlgId,
-                (PKIX_PL_Object *)getAlgId,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Subject Public Key Alg mismatch "
-                            "<expect equal>");
-        }
-
-        /* Subject Public Key */
-        subTest("Getting Cert for Subject Public Key");
-
-        goodCert = createCert
-                (dirName, "nameConstraintsDN2CACert.crt", plContext);
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (goodCert, &setPublicKey, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetSubjPubKey");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubjPubKey
-                (goodParams, setPublicKey, plContext));
-
-        subTest("PKIX_ComCertSelParams_GetSubjPubKey");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubjPubKey
-                (goodParams, &getPublicKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)setPublicKey,
-                (PKIX_PL_Object *)getPublicKey,
-                &isEqual,
-                plContext));
-
-        if (isEqual == PKIX_FALSE) {
-                testError("unexpected Subject Public Key mismatch "
-                            "<expect equal>");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setAlgId);
-        PKIX_TEST_DECREF_AC(getAlgId);
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(setPublicKey);
-        PKIX_TEST_DECREF_AC(getPublicKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_comcertselparams <NIST_FILES_DIR> \n\n");
-}
-
-int test_comcertselparams(int argc, char *argv[]) {
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_PL_Cert *testCert = NULL;
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
-        PKIX_List *testPolicyInfos = NULL; /* CertPolicyInfos */
-        PKIX_List *cert2PolicyInfos = NULL; /* CertPolicyInfos */
-
-        PKIX_ComCertSelParams *goodParams = NULL;
-        PKIX_ComCertSelParams *equalParams = NULL;
-        PKIX_PL_X500Name *goodSubject = NULL;
-        PKIX_PL_X500Name *equalSubject = NULL;
-        PKIX_PL_X500Name *diffSubject = NULL;
-        PKIX_PL_X500Name *testSubject = NULL;
-        PKIX_Int32 goodMinPathLength = 0;
-        PKIX_Int32 equalMinPathLength = 0;
-        PKIX_Int32 diffMinPathLength = 0;
-        PKIX_Int32 testMinPathLength = 0;
-        PKIX_List *goodPolicies = NULL; /* OIDs */
-        PKIX_List *equalPolicies = NULL; /* OIDs */
-        PKIX_List *testPolicies = NULL; /* OIDs */
-        PKIX_List *cert2Policies = NULL; /* OIDs */
-
-        PKIX_PL_Date *testDate = NULL;
-        PKIX_PL_Date *goodDate = NULL;
-        PKIX_PL_Date *equalDate = NULL;
-        PKIX_PL_String *stringRep = NULL;
-        char *asciiRep = NULL;
-        char *dirName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 2) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("ComCertSelParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        dirName = argv[j+1];
-
-        asciiRep = "050501000000Z";
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create
-                (PKIX_ESCASCII, asciiRep, 0, &stringRep, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Date_Create_UTCTime(stringRep, &testDate, plContext));
-
-        testCert = createCert
-                (dirName, "PoliciesP1234CACert.crt",  plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (testCert, &testSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
-                (testCert, &goodBasicConstraints, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint
-                (goodBasicConstraints, &testMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (testCert, &testPolicyInfos, plContext));
-
-        /* Convert from List of CertPolicyInfos to List of OIDs */
-        test_CreateOIDList(testPolicyInfos, &testPolicies);
-
-        subTest("Create goodParams and set its fields");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&goodParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
-                (goodParams, testSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
-                (goodParams, testMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
-                (goodParams, testDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy
-                (goodParams, testPolicies, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
-                (goodParams, testCert, plContext));
-
-        subTest("Duplicate goodParams and verify copy");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)goodParams,
-                (PKIX_PL_Object **)&equalParams,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
-                (goodParams, &goodSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
-                (goodParams, &goodMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_GetCertificate
-                (goodParams, &goodCert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
-                (goodParams, &goodDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
-                (goodParams, &goodPolicies, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
-                (equalParams, &equalSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
-                (equalParams, &equalMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
-                (equalParams, &equalPolicies, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificate
-                (equalParams, &equalCert, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetCertificateValid
-                (equalParams, &equalDate, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodSubject,
-                (PKIX_PL_Object *)equalSubject,
-                PKIX_TRUE,
-                plContext);
-
-        if (goodMinPathLength != equalMinPathLength) {
-                testError("unexpected mismatch");
-                (void) printf("goodMinPathLength:\t%d\n", goodMinPathLength);
-                (void) printf("equalMinPathLength:\t%d\n", equalMinPathLength);
-        }
-
-        testEqualsHelper((PKIX_PL_Object *)goodPolicies,
-                (PKIX_PL_Object *)equalPolicies,
-                PKIX_TRUE,
-                plContext);
-
-        testEqualsHelper((PKIX_PL_Object *)goodCert,
-                (PKIX_PL_Object *)equalCert,
-                PKIX_TRUE,
-                plContext);
-
-        testEqualsHelper((PKIX_PL_Object *)goodDate,
-                (PKIX_PL_Object *)equalDate,
-                PKIX_TRUE,
-                plContext);
-
-        PKIX_TEST_DECREF_BC(equalSubject);
-        PKIX_TEST_DECREF_BC(equalPolicies);
-        PKIX_TEST_DECREF_BC(equalCert);
-        PKIX_TEST_DECREF_AC(equalDate);
-
-        subTest("Set different values and verify differences");
-
-        diffCert = createCert
-                (dirName, "pathLenConstraint6CACert.crt", plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (diffCert, &diffSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
-                (diffCert, &diffBasicConstraints, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint
-                (diffBasicConstraints, &diffMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &cert2PolicyInfos, plContext));
-        test_CreateOIDList(cert2PolicyInfos, &cert2Policies);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject(
-                equalParams, diffSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
-                (equalParams, diffMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetPolicy
-                (equalParams, cert2Policies, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetSubject
-                (equalParams, &equalSubject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetBasicConstraints
-                (equalParams, &equalMinPathLength, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_GetPolicy
-                (equalParams, &equalPolicies, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodSubject,
-                (PKIX_PL_Object *)equalSubject,
-                PKIX_FALSE,
-                plContext);
-
-        if (goodMinPathLength == equalMinPathLength) {
-                testError("unexpected match");
-                (void) printf("goodMinPathLength:\t%d\n", goodMinPathLength);
-                (void) printf("equalMinPathLength:\t%d\n", equalMinPathLength);
-        }
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodPolicies,
-                (PKIX_PL_Object *)equalPolicies,
-                PKIX_FALSE,
-                plContext);
-
-        test_NameConstraints(dirName);
-        test_PathToNames();
-        test_SubjAltNames();
-        test_KeyUsages();
-        test_Version_Issuer_SerialNumber();
-        test_SubjKeyId_AuthKeyId();
-        test_SubjAlgId_SubjPublicKey(dirName);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(testSubject);
-        PKIX_TEST_DECREF_AC(goodSubject);
-        PKIX_TEST_DECREF_AC(equalSubject);
-        PKIX_TEST_DECREF_AC(diffSubject);
-        PKIX_TEST_DECREF_AC(testSubject);
-        PKIX_TEST_DECREF_AC(goodPolicies);
-        PKIX_TEST_DECREF_AC(equalPolicies);
-        PKIX_TEST_DECREF_AC(testPolicies);
-        PKIX_TEST_DECREF_AC(cert2Policies);
-        PKIX_TEST_DECREF_AC(goodParams);
-        PKIX_TEST_DECREF_AC(equalParams);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_DECREF_AC(testCert);
-        PKIX_TEST_DECREF_AC(goodBasicConstraints);
-        PKIX_TEST_DECREF_AC(diffBasicConstraints);
-        PKIX_TEST_DECREF_AC(testPolicyInfos);
-        PKIX_TEST_DECREF_AC(cert2PolicyInfos);
-        PKIX_TEST_DECREF_AC(stringRep);
-        PKIX_TEST_DECREF_AC(testDate);
-        PKIX_TEST_DECREF_AC(goodDate);
-
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ComCertSelParams");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/checker/Makefile b/security/nss/cmd/libpkix/pkix/checker/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/checker/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/checker/manifest.mn b/security/nss/cmd/libpkix/pkix/checker/manifest.mn
deleted file mode 100755
index 317015232..000000000
--- a/security/nss/cmd/libpkix/pkix/checker/manifest.mn
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_certchainchecker.c
-
-LIBRARY_NAME=pkixtoolchecker
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c b/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c
deleted file mode 100755
index 7ddd2c74e..000000000
--- a/security/nss/cmd/libpkix/pkix/checker/test_certchainchecker.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_certchainchecker.c
- *
- * Test Cert Chain Checker
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-
-static
-PKIX_Error *dummyChecker_Check(
-        PKIX_CertChainChecker *checker,
-        PKIX_PL_Cert *cert,
-        PKIX_List *unresolvedCriticalExtensions,
-        void **pNBIOContext,
-        void *plContext)
-{
-        goto cleanup;
-
-cleanup:
-
-        return(NULL);
-}
-
-
-static
-void test_CertChainChecker_Duplicate(PKIX_CertChainChecker *original)
-{
-        PKIX_Boolean originalForward = PKIX_FALSE;
-        PKIX_Boolean copyForward = PKIX_FALSE;
-        PKIX_Boolean originalForwardDir = PKIX_FALSE;
-        PKIX_Boolean copyForwardDir = PKIX_FALSE;
-        PKIX_CertChainChecker *copy = NULL;
-        PKIX_CertChainChecker_CheckCallback originalCallback = NULL;
-        PKIX_CertChainChecker_CheckCallback copyCallback = NULL;
-        PKIX_PL_Object *originalState = NULL;
-        PKIX_PL_Object *copyState = NULL;
-        PKIX_List *originalList = NULL;
-        PKIX_List *copyList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("CertChainChecker_Duplicate");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)original,
-                (PKIX_PL_Object **)&copy,
-                plContext));
-
-        subTest("CertChainChecker_GetCheckCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_GetCheckCallback
-                (original, &originalCallback, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_GetCheckCallback
-                (copy, &copyCallback, plContext));
-        if (originalCallback != copyCallback) {
-                pkixTestErrorMsg = "CheckCallback functions are not equal!";
-                goto cleanup;
-        }
-
-        subTest("CertChainChecker_IsForwardCheckingSupported");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_IsForwardCheckingSupported
-                (original, &originalForward, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_IsForwardCheckingSupported
-                (copy, &copyForward, plContext));
-        if (originalForward != copyForward) {
-                pkixTestErrorMsg = "ForwardChecking booleans are not equal!";
-                goto cleanup;
-        }
-
-        subTest("CertChainChecker_IsForwardDirectionExpected");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_IsForwardDirectionExpected
-                (original, &originalForwardDir, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_IsForwardDirectionExpected
-                (copy, &copyForwardDir, plContext));
-        if (originalForwardDir != copyForwardDir) {
-                pkixTestErrorMsg = "ForwardDirection booleans are not equal!";
-                goto cleanup;
-        }
-
-        subTest("CertChainChecker_GetCertChainCheckerState");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_GetCertChainCheckerState
-                (original, &originalState, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_GetCertChainCheckerState
-                (copy, &copyState, plContext));
-        testEqualsHelper(originalState, copyState, PKIX_TRUE, plContext);
-
-        subTest("CertChainChecker_GetSupportedExtensions");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_GetSupportedExtensions
-                (original, &originalList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_GetSupportedExtensions
-                (copy, &copyList, plContext));
-        testEqualsHelper
-                ((PKIX_PL_Object *)originalList,
-                (PKIX_PL_Object *)copyList,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(copy);
-        PKIX_TEST_DECREF_AC(originalState);
-        PKIX_TEST_DECREF_AC(copyState);
-        PKIX_TEST_DECREF_AC(originalList);
-        PKIX_TEST_DECREF_AC(copyList);
-
-        PKIX_TEST_RETURN();
-}
-
-int test_certchainchecker(int argc, char *argv[]) {
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_PL_OID *bcOID = NULL;
-        PKIX_PL_OID *ncOID = NULL;
-        PKIX_PL_OID *cpOID = NULL;
-        PKIX_PL_OID *pmOID = NULL;
-        PKIX_PL_OID *pcOID = NULL;
-        PKIX_PL_OID *iaOID = NULL;
-        PKIX_CertChainChecker *dummyChecker = NULL;
-        PKIX_List *supportedExtensions = NULL;
-        PKIX_PL_Object *initialState = NULL;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CertChainChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                (&supportedExtensions, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_BASICCONSTRAINTS_OID, &bcOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)bcOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_NAMECONSTRAINTS_OID, &ncOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)ncOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_CERTIFICATEPOLICIES_OID, &cpOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)cpOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_POLICYMAPPINGS_OID, &pmOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)pmOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_POLICYCONSTRAINTS_OID, &pcOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)pcOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (PKIX_INHIBITANYPOLICY_OID, &iaOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (supportedExtensions, (PKIX_PL_Object *)iaOID, plContext));
-
-        PKIX_TEST_DECREF_BC(bcOID);
-        PKIX_TEST_DECREF_BC(ncOID);
-        PKIX_TEST_DECREF_BC(cpOID);
-        PKIX_TEST_DECREF_BC(pmOID);
-        PKIX_TEST_DECREF_BC(pcOID);
-        PKIX_TEST_DECREF_BC(iaOID);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                ((PKIX_PL_Object *)supportedExtensions, plContext));
-
-        initialState = (PKIX_PL_Object *)supportedExtensions;
-
-        subTest("CertChainChecker_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
-                (dummyChecker_Check, /* PKIX_CertChainChecker_CheckCallback */
-                PKIX_FALSE,          /* forwardCheckingSupported */
-                PKIX_FALSE,          /* forwardDirectionExpected */
-                supportedExtensions,
-                NULL,                /* PKIX_PL_Object *initialState */
-                &dummyChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertChainChecker_SetCertChainCheckerState
-                (dummyChecker, initialState, plContext));
-
-        test_CertChainChecker_Duplicate(dummyChecker);
-
-        subTest("CertChainChecker_Destroy");
-        PKIX_TEST_DECREF_BC(dummyChecker);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dummyChecker);
-        PKIX_TEST_DECREF_AC(initialState);
-        PKIX_TEST_DECREF_AC(supportedExtensions);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CertChainChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/Makefile b/security/nss/cmd/libpkix/pkix/crlsel/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/crlsel/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn b/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn
deleted file mode 100755
index 0357ba854..000000000
--- a/security/nss/cmd/libpkix/pkix/crlsel/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_crlselector.c \
-	test_comcrlselparams.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolcrlsel
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c b/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c
deleted file mode 100644
index 64a61e966..000000000
--- a/security/nss/cmd/libpkix/pkix/crlsel/test_comcrlselparams.c
+++ /dev/null
@@ -1,474 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_comcrlselparams.c
- *
- * Test ComCRLSelParams Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testIssuer(PKIX_ComCRLSelParams *goodObject)
-{
-        PKIX_PL_String *issuer1String = NULL;
-        PKIX_PL_String *issuer2String = NULL;
-        PKIX_PL_String *issuer3String = NULL;
-        PKIX_PL_X500Name *issuerName1 = NULL;
-        PKIX_PL_X500Name *issuerName2 = NULL;
-        PKIX_PL_X500Name *issuerName3 = NULL;
-        PKIX_List *setIssuerList = NULL;
-        PKIX_List *getIssuerList = NULL;
-        PKIX_PL_String *issuerListString = NULL;
-        char *name1 = "CN=yassir,OU=bcn,OU=east,O=sun,C=us";
-        char *name2 = "CN=richard,OU=bcn,OU=east,O=sun,C=us";
-        char *name3 = "CN=hanfei,OU=bcn,OU=east,O=sun,C=us";
-        PKIX_Int32 length;
-        PKIX_Boolean result = PKIX_FALSE;
-        char *expectedAscii =
-                "(CN=yassir,OU=bcn,OU=east,O=sun,"
-                "C=us, CN=richard,OU=bcn,OU=east,O=sun,C=us, "
-                "CN=hanfei,OU=bcn,OU=east,O=sun,C=us)";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams Create Issuers");
-
-        length = PL_strlen(name1);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_UTF8,
-                                    name1,
-                                    length,
-                                    &issuer1String,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuer1String,
-                                    &issuerName1,
-                                    plContext));
-
-        length = PL_strlen(name2);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_UTF8,
-                                    name2,
-                                    length,
-                                    &issuer2String,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuer2String,
-                                    &issuerName2,
-                                    plContext));
-
-        length = PL_strlen(name3);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_UTF8,
-                                    name3,
-                                    length,
-                                    &issuer3String,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create
-                                    (issuer3String,
-                                    &issuerName3,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setIssuerList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (setIssuerList,
-                                    (PKIX_PL_Object *)issuerName1,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (setIssuerList,
-                                    (PKIX_PL_Object *)issuerName2,
-                                    plContext));
-
-        subTest("PKIX_ComCRLSelParams_AddIssuerName");
-
-        /* Test adding an issuer to an empty list */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
-                                    (goodObject, issuerName3, plContext));
-
-        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
-                                    (goodObject, &getIssuerList, plContext));
-
-        /* DECREF for GetIssuerNames */
-        PKIX_TEST_DECREF_BC(getIssuerList);
-        /* DECREF for AddIssuerName so next SetIssuerName start clean */
-        PKIX_TEST_DECREF_BC(getIssuerList);
-
-        /* Test setting issuer names on the list */
-        subTest("PKIX_ComCRLSelParams_SetIssuerNames");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames
-                                    (goodObject, setIssuerList, plContext));
-
-        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
-                                    (goodObject, &getIssuerList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)setIssuerList,
-                                    (PKIX_PL_Object *)getIssuerList,
-                                    &result,
-                                    plContext));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg = "unexpected Issuers mismatch";
-        }
-
-        /* Test adding an issuer to existing list */
-        subTest("PKIX_ComCRLSelParams_AddIssuerName");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
-                                    (goodObject, issuerName3, plContext));
-
-        subTest("PKIX_ComCRLSelParams_GetIssuerNames");
-        PKIX_TEST_DECREF_BC(getIssuerList);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetIssuerNames
-                                    (goodObject, &getIssuerList, plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object *)getIssuerList,
-                                    &issuerListString,
-                                    plContext));
-
-        testToStringHelper((PKIX_PL_Object *)getIssuerList,
-                            expectedAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(issuer1String);
-        PKIX_TEST_DECREF_AC(issuer2String);
-        PKIX_TEST_DECREF_AC(issuer3String);
-        PKIX_TEST_DECREF_AC(issuerListString);
-        PKIX_TEST_DECREF_AC(issuerName1);
-        PKIX_TEST_DECREF_AC(issuerName2);
-        PKIX_TEST_DECREF_AC(issuerName3);
-        PKIX_TEST_DECREF_AC(setIssuerList);
-        PKIX_TEST_DECREF_AC(getIssuerList);
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testCertificateChecking(
-        char *dataCentralDir,
-        char *goodInput,
-        PKIX_ComCRLSelParams *goodObject)
-{
-        PKIX_PL_Cert *setCert = NULL;
-        PKIX_PL_Cert *getCert = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Test CertificateChecking Cert Create");
-        setCert = createCert(dataCentralDir, goodInput, plContext);
-        if (setCert == NULL) {
-                pkixTestErrorMsg = "create certificate failed";
-                goto cleanup;
-        }
-
-        subTest("PKIX_ComCRLSelParams_SetCertificateChecking");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetCertificateChecking
-                                    (goodObject, setCert, plContext));
-
-        subTest("PKIX_ComCRLSelParams_GetCertificateChecking");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_GetCertificateChecking
-                                    (goodObject, &getCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)setCert,
-                                    (PKIX_PL_Object *)getCert,
-                                    &result, plContext));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg = "unexpected Cert mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setCert);
-        PKIX_TEST_DECREF_AC(getCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testDateAndTime(PKIX_ComCRLSelParams *goodObject){
-
-        PKIX_PL_Date *setDate = NULL;
-        PKIX_PL_Date *getDate = NULL;
-        char *asciiDate = "040329134847Z";
-        PKIX_Boolean result = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams_Date Create");
-        setDate = createDate(asciiDate, plContext);
-
-        subTest("PKIX_ComCRLSelParams_SetDateAndTime");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCRLSelParams_SetDateAndTime
-                (goodObject, setDate, plContext));
-
-        subTest("PKIX_ComCRLSelParams_GetDateAndTime");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCRLSelParams_GetDateAndTime
-                (goodObject, &getDate, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)setDate,
-                                    (PKIX_PL_Object *)getDate,
-                                    &result, plContext));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg = "unexpected DateAndTime mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setDate);
-        PKIX_TEST_DECREF_AC(getDate);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testMaxMinCRLNumbers(PKIX_ComCRLSelParams *goodObject){
-        PKIX_PL_BigInt *setMaxCrlNumber = NULL;
-        PKIX_PL_BigInt *getMaxCrlNumber = NULL;
-        PKIX_PL_BigInt *setMinCrlNumber = NULL;
-        PKIX_PL_BigInt *getMinCrlNumber = NULL;
-        char *asciiCrlNumber1 = "01";
-        char *asciiCrlNumber99999 = "0909090909";
-        PKIX_PL_String *crlNumber1String = NULL;
-        PKIX_PL_String *crlNumber99999String = NULL;
-
-        PKIX_Boolean result = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams_SetMinCRLNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                    (PKIX_ESCASCII,
-                    asciiCrlNumber1,
-                    PL_strlen(asciiCrlNumber1),
-                    &crlNumber1String,
-                    NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
-                    (crlNumber1String, &setMinCrlNumber, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetMinCRLNumber
-                    (goodObject, setMinCrlNumber, NULL));
-
-        subTest("PKIX_ComCRLSelParams_GetMinCRLNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCRLSelParams_GetMinCRLNumber
-                (goodObject, &getMinCrlNumber, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)setMinCrlNumber,
-                                    (PKIX_PL_Object *)getMinCrlNumber,
-                                    &result, NULL));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg = "unexpected Minimum CRL Number mismatch";
-        }
-
-        subTest("PKIX_ComCRLSelParams_SetMaxCRLNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                    (PKIX_ESCASCII,
-                    asciiCrlNumber99999,
-                    PL_strlen(asciiCrlNumber99999),
-                    &crlNumber99999String,
-                    NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
-                    (crlNumber99999String, &setMaxCrlNumber, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetMaxCRLNumber
-                    (goodObject, setMaxCrlNumber, NULL));
-
-        subTest("PKIX_ComCRLSelParams_GetMaxCRLNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCRLSelParams_GetMaxCRLNumber
-                (goodObject, &getMaxCrlNumber, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)setMaxCrlNumber,
-                                    (PKIX_PL_Object *)getMaxCrlNumber,
-                                    &result, NULL));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg = "unexpected Maximum CRL Number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setMaxCrlNumber);
-        PKIX_TEST_DECREF_AC(getMaxCrlNumber);
-        PKIX_TEST_DECREF_AC(setMinCrlNumber);
-        PKIX_TEST_DECREF_AC(getMinCrlNumber);
-        PKIX_TEST_DECREF_AC(crlNumber1String);
-        PKIX_TEST_DECREF_AC(crlNumber99999String);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testDuplicate(PKIX_ComCRLSelParams *goodObject){
-
-        PKIX_ComCRLSelParams *dupObject = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams_Duplicate");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)goodObject,
-                (PKIX_PL_Object **)&dupObject,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)goodObject,
-                                    (PKIX_PL_Object *)dupObject,
-                                    &result, plContext));
-
-        if (result != PKIX_TRUE) {
-                pkixTestErrorMsg =
-                        "unexpected Duplicate ComCRLSelParams mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dupObject);
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-/* Functional tests for ComCRLSelParams public functions */
-
-int test_comcrlselparams(int argc, char *argv[]){
-
-        char *dataCentralDir = NULL;
-        char *goodInput = "yassir2yassir";
-        PKIX_ComCRLSelParams *goodObject = NULL;
-        PKIX_ComCRLSelParams *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("ComCRLSelParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dataCentralDir = argv[j+1];
-
-        subTest("PKIX_ComCRLSelParams_Create");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                                    (&goodObject,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                                    (&diffObject,
-                                    plContext));
-
-        testIssuer(goodObject);
-
-        testCertificateChecking(dataCentralDir, goodInput, goodObject);
-
-        testDateAndTime(goodObject);
-
-        testMaxMinCRLNumbers(goodObject);
-
-        testDuplicate(goodObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                goodObject,
-                diffObject,
-                NULL,
-                ComCRLSelParams,
-                PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodObject);
-        PKIX_TEST_DECREF_AC(diffObject);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ComCRLSelParams");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c b/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c
deleted file mode 100644
index f5d6c4f3b..000000000
--- a/security/nss/cmd/libpkix/pkix/crlsel/test_crlselector.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_crlselector.c
- *
- * Test CRLSelector Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testGetMatchCallback(PKIX_CRLSelector *goodObject)
-{
-        PKIX_CRLSelector_MatchCallback mCallback = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("testGetMatchCallback");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetMatchCallback
-                                    (goodObject, &mCallback, plContext));
-
-        if (mCallback == NULL) {
-                pkixTestErrorMsg = "MatchCallback is NULL";
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetCRLSelectorContext(PKIX_CRLSelector *goodObject)
-{
-        PKIX_PL_Object *context = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("testGetCRLSelectorContext");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCRLSelectorContext
-                                    (goodObject, (void *)&context, plContext));
-
-        if (context == NULL) {
-                pkixTestErrorMsg = "CRLSelectorContext is NULL";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(context);
-        PKIX_TEST_RETURN();
-}
-
-static
-void testCommonCRLSelectorParams(PKIX_CRLSelector *goodObject){
-        PKIX_ComCRLSelParams *setParams = NULL;
-        PKIX_ComCRLSelParams *getParams = NULL;
-        PKIX_PL_Date *setDate = NULL;
-        char *asciiDate = "040329134847Z";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                                    (&setParams,
-                                    plContext));
-
-        subTest("PKIX_ComCRLSelParams_Date Create");
-
-        setDate = createDate(asciiDate, plContext);
-
-        subTest("PKIX_ComCRLSelParams_SetDateAndTime");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime
-                (setParams, setDate, plContext));
-
-        subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams(
-                goodObject, setParams, plContext));
-
-        subTest("PKIX_CRLSelector_GetCommonCRLSelectorParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_GetCommonCRLSelectorParams(
-                goodObject, &getParams, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)setParams,
-                        (PKIX_PL_Object *)getParams,
-                        PKIX_TRUE,
-                        plContext);
-
-        testHashcodeHelper((PKIX_PL_Object *)setParams,
-                        (PKIX_PL_Object *)getParams,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setDate);
-        PKIX_TEST_DECREF_AC(setParams);
-        PKIX_TEST_DECREF_AC(getParams);
-
-        PKIX_TEST_RETURN();
-}
-
-/* Functional tests for CRLSelector public functions */
-
-int test_crlselector(int argc, char *argv[]){
-
-        PKIX_PL_Date *context = NULL;
-        PKIX_CRLSelector *goodObject = NULL;
-        PKIX_CRLSelector *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *asciiDate = "040329134847Z";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CRLSelector");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        context = createDate(asciiDate, plContext);
-
-        subTest("PKIX_CRLSelector_Create");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                                    (NULL,
-                                    (PKIX_PL_Object *)context,
-                                    &goodObject,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                                    (NULL,
-                                    (PKIX_PL_Object *)context,
-                                    &diffObject,
-                                    plContext));
-
-        testGetMatchCallback(goodObject);
-
-        testGetCRLSelectorContext(goodObject);
-
-        testCommonCRLSelectorParams(goodObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                goodObject,
-                diffObject,
-                NULL,
-                CRLSelector,
-                PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodObject);
-        PKIX_TEST_DECREF_AC(diffObject);
-        PKIX_TEST_DECREF_AC(context);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CRLSelector");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/manifest.mn b/security/nss/cmd/libpkix/pkix/manifest.mn
deleted file mode 100755
index 0b467713e..000000000
--- a/security/nss/cmd/libpkix/pkix/manifest.mn
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-DIRS =  certsel checker crlsel params results store top util \
-	$(NULL)
diff --git a/security/nss/cmd/libpkix/pkix/params/Makefile b/security/nss/cmd/libpkix/pkix/params/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/params/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/params/manifest.mn b/security/nss/cmd/libpkix/pkix/params/manifest.mn
deleted file mode 100755
index 2c0cde745..000000000
--- a/security/nss/cmd/libpkix/pkix/params/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_procparams.c \
-	test_trustanchor.c \
-	test_valparams.c \
-	test_resourcelimits.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolparams
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/params/test_buildparams.c b/security/nss/cmd/libpkix/pkix/params/test_buildparams.c
deleted file mode 100644
index b3d165443..000000000
--- a/security/nss/cmd/libpkix/pkix/params/test_buildparams.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildparams.c
- *
- * Test BuildParams Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_BuildParams_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetProcParams(
-        PKIX_BuildParams *goodObject,
-        PKIX_BuildParams *equalObject){
-
-        PKIX_ProcessingParams *goodProcParams = NULL;
-        PKIX_ProcessingParams *equalProcParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_BuildParams_GetProcessingParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildParams_GetProcessingParams
-                (goodObject, &goodProcParams, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildParams_GetProcessingParams
-                (equalObject, &equalProcParams, NULL));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodProcParams,
-                (PKIX_PL_Object *)equalProcParams,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodProcParams);
-        PKIX_TEST_DECREF_AC(equalProcParams);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_buildparams(int argc, char *argv[]) {
-
-        PKIX_BuildParams *goodObject = NULL;
-        PKIX_BuildParams *equalObject = NULL;
-        PKIX_BuildParams *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *dataCentralDir = NULL;
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-
-        char *expectedAscii =
-                "[\n"
-                "\tProcessing Params: \n"
-                "\t********BEGIN PROCESSING PARAMS********\n"
-                "\t\t"
-                "[\n"
-                "\tTrust Anchors: \n"
-                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
-                "\t\t"
-"([\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ", [\n"
-                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ")\n"
-                "\t********END LIST OF TRUST ANCHORS********\n"
-                "\tDate:    \t\t(null)\n"
-                "\tTarget Constraints:    (null)\n"
-                "\tInitial Policies:      (null)\n"
-                "\tQualifiers Rejected:   FALSE\n"
-                "\tCert Stores:           (EMPTY)\n"
-                "\tResource Limits:       (null)\n"
-                "\tCRL Checking Enabled:  0\n"
-                "]\n"
-                "\n"
-                "\t********END PROCESSING PARAMS********\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("BuildParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dataCentralDir = argv[j+1];
-
-        subTest("PKIX_BuildParams_Create");
-
-        goodObject = createBuildParams
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        equalObject = createBuildParams
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        diffObject = createBuildParams
-                (dataCentralDir,
-                diffInput,
-                goodInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        testGetProcParams(goodObject, equalObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                BuildParams,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("BuildParams");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_procparams.c b/security/nss/cmd/libpkix/pkix/params/test_procparams.c
deleted file mode 100644
index 1598de199..000000000
--- a/security/nss/cmd/libpkix/pkix/params/test_procparams.c
+++ /dev/null
@@ -1,552 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_procparams.c
- *
- * Test ProcessingParams Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ProcessingParams_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetAnchors(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_ProcessingParams *equalObject){
-
-        PKIX_List *goodAnchors = NULL;
-        PKIX_List *equalAnchors = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_GetTrustAnchors");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetTrustAnchors
-                                    (goodObject, &goodAnchors, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetTrustAnchors
-                                    (equalObject, &equalAnchors, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)goodAnchors,
-                        (PKIX_PL_Object *)equalAnchors,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodAnchors);
-        PKIX_TEST_DECREF_AC(equalAnchors);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetSetDate(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_ProcessingParams *equalObject){
-
-        PKIX_PL_Date *setDate = NULL;
-        PKIX_PL_Date *getDate = NULL;
-        char *asciiDate = "040329134847Z";
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetDate");
-
-        setDate = createDate(asciiDate, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetDate(goodObject, setDate, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_GetDate
-                (goodObject, &getDate, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)setDate,
-                        (PKIX_PL_Object *)getDate,
-                        PKIX_TRUE,
-                        plContext);
-
-        /* we want to make sure that goodObject and equalObject are "equal" */
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetDate
-                (equalObject, setDate, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setDate);
-        PKIX_TEST_DECREF_AC(getDate);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-PKIX_Error *userChecker1cb(
-        PKIX_CertChainChecker *checker,
-        PKIX_PL_Cert *cert,
-        PKIX_List *unresolvedCriticalExtensions,  /* list of PKIX_PL_OID */
-        void **pNBIOContext,
-        void *plContext)
-{
-        return(NULL);
-}
-
-static
-void testGetSetCertChainCheckers(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_ProcessingParams *equalObject){
-
-        PKIX_CertChainChecker *checker = NULL;
-        PKIX_List *setCheckersList = NULL;
-        PKIX_List *getCheckersList = NULL;
-        PKIX_PL_Date *date = NULL;
-        char *asciiDate = "040329134847Z";
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetCertChainCheckers");
-
-        date = createDate(asciiDate, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
-                    (userChecker1cb,
-                    PKIX_FALSE,
-                    PKIX_FALSE,
-                    NULL,
-                    (PKIX_PL_Object *) date,
-                    &checker,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                (&setCheckersList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setCheckersList, (PKIX_PL_Object *) checker, plContext));
-        PKIX_TEST_DECREF_BC(checker);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertChainCheckers
-                (goodObject, setCheckersList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
-                (userChecker1cb,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                NULL,
-                (PKIX_PL_Object *) date,
-                &checker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
-                (goodObject, checker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetCertChainCheckers
-                (goodObject, &getCheckersList, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setCheckersList);
-        PKIX_TEST_DECREF_AC(getCheckersList);
-        PKIX_TEST_DECREF_AC(date);
-        PKIX_TEST_DECREF_BC(checker);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-PKIX_Error *userChecker2cb(
-        PKIX_RevocationChecker *checker,
-        PKIX_PL_Cert *cert,
-        PKIX_UInt32 *pResult,
-        void *plContext)
-{
-        return(NULL);
-}
-
-static
-void testGetSetRevocationCheckers(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_ProcessingParams *equalObject){
-
-        PKIX_RevocationChecker *checker = NULL;
-        PKIX_List *setCheckersList = NULL;
-        PKIX_List *getCheckersList = NULL;
-        PKIX_PL_Date *date = NULL;
-        char *asciiDate = "040329134847Z";
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetRevocationCheckers");
-
-        date = createDate(asciiDate, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_Create
-                    (userChecker2cb,
-                    (PKIX_PL_Object *) date,
-                    &checker,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                (&setCheckersList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                    (setCheckersList,
-                    (PKIX_PL_Object *) checker,
-                    plContext));
-        PKIX_TEST_DECREF_BC(checker);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                    (goodObject, setCheckersList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_Create
-                    (userChecker2cb,
-                    (PKIX_PL_Object *) date,
-                    &checker,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddRevocationChecker
-                    (goodObject, checker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetRevocationCheckers
-                    (goodObject, &getCheckersList, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setCheckersList);
-        PKIX_TEST_DECREF_AC(getCheckersList);
-        PKIX_TEST_DECREF_AC(date);
-        PKIX_TEST_DECREF_BC(checker);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetSetResourceLimits(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_ProcessingParams *equalObject)
-
-{
-        PKIX_ResourceLimits *resourceLimits1 = NULL;
-        PKIX_ResourceLimits *resourceLimits2 = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetResourceLimits");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                    (&resourceLimits1, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                    (&resourceLimits2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                    (resourceLimits1, 3, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                    (resourceLimits1, 3, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                    (resourceLimits1, 2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
-                    (goodObject, resourceLimits1, plContext));
-
-        PKIX_TEST_DECREF_BC(resourceLimits2);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetResourceLimits
-                    (goodObject, &resourceLimits2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
-                    (equalObject, resourceLimits2, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(resourceLimits1);
-        PKIX_TEST_DECREF_AC(resourceLimits2);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetSetConstraints(PKIX_ProcessingParams *goodObject){
-
-        PKIX_CertSelector *setConstraints = NULL;
-        PKIX_CertSelector *getConstraints = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetTargetCertConstraints");
-
-        /*
-        * After createConstraints is implemented
-        * setConstraints = createConstraints();
-        */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (goodObject, setConstraints, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_GetTargetCertConstraints
-                (goodObject, &getConstraints, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)setConstraints,
-                        (PKIX_PL_Object *)getConstraints,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(setConstraints);
-        PKIX_TEST_DECREF_AC(getConstraints);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetSetInitialPolicies(
-        PKIX_ProcessingParams *goodObject,
-        char *asciiPolicyOID)
-{
-        PKIX_PL_OID *policyOID = NULL;
-        PKIX_List* setPolicyList = NULL;
-        PKIX_List* getPolicyList = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetInitialPolicies");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (asciiPolicyOID, &policyOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&setPolicyList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (setPolicyList, (PKIX_PL_Object *)policyOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_SetImmutable(setPolicyList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
-                (goodObject, setPolicyList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_GetInitialPolicies
-                (goodObject, &getPolicyList, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)setPolicyList,
-                (PKIX_PL_Object *)getPolicyList,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(policyOID);
-        PKIX_TEST_DECREF_AC(setPolicyList);
-        PKIX_TEST_DECREF_AC(getPolicyList);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetSetPolicyQualifiersRejected(
-        PKIX_ProcessingParams *goodObject,
-        PKIX_Boolean rejected)
-{
-        PKIX_Boolean getRejected = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ProcessingParams_Get/SetPolicyQualifiersRejected");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetPolicyQualifiersRejected
-                (goodObject, rejected, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_GetPolicyQualifiersRejected
-                (goodObject, &getRejected, plContext));
-
-        if (rejected != getRejected) {
-            testError
-                ("GetPolicyQualifiersRejected returned unexpected value");
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_procparams(int argc, char *argv[]) {
-
-        PKIX_ProcessingParams *goodObject = NULL;
-        PKIX_ProcessingParams *equalObject = NULL;
-        PKIX_ProcessingParams *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *dataCentralDir = NULL;
-        PKIX_UInt32 j = 0;
-
-        char *oidAnyPolicy = PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID;
-        char *oidNist1Policy = "2.16.840.1.101.3.2.1.48.2";
-
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-
-        char *expectedAscii =
-                "[\n"
-                "\tTrust Anchors: \n"
-                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
-                "\t\t"
-                "([\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ", [\n"
-                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ")\n"
-                "\t********END LIST OF TRUST ANCHORS********\n"
-                "\tDate:    \t\tMon Mar 29 08:48:47 2004\n"
-                "\tTarget Constraints:    (null)\n"
-                "\tInitial Policies:      (2.5.29.32.0)\n"
-                "\tQualifiers Rejected:   FALSE\n"
-                "\tCert Stores:           (EMPTY)\n"
-                "\tResource Limits:       [\n"
-                "\tMaxTime:                     2\n"
-                "\tMaxFanout:                   3\n"
-                "\tMaxDepth:                    3\n"
-                "]\n\n"
-                "\tCRL Checking Enabled:  0\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("ProcessingParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dataCentralDir = argv[j+1];
-
-        subTest("PKIX_ProcessingParams_Create");
-        goodObject = createProcessingParams
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        equalObject = createProcessingParams
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        diffObject = createProcessingParams
-                (dataCentralDir,
-                diffInput,
-                goodInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                plContext);
-
-        testGetAnchors(goodObject, equalObject);
-        testGetSetDate(goodObject, equalObject);
-        testGetSetCertChainCheckers(goodObject, equalObject);
-        testGetSetRevocationCheckers(goodObject, equalObject);
-        testGetSetResourceLimits(goodObject, equalObject);
-
-        /*
-        * XXX testGetSetConstraints(goodObject);
-        */
-
-        testGetSetInitialPolicies(goodObject, oidAnyPolicy);
-        testGetSetInitialPolicies(equalObject, oidAnyPolicy);
-        testGetSetInitialPolicies(diffObject, oidNist1Policy);
-        testGetSetPolicyQualifiersRejected(goodObject, PKIX_FALSE);
-        testGetSetPolicyQualifiersRejected(equalObject, PKIX_FALSE);
-        testGetSetPolicyQualifiersRejected(diffObject, PKIX_TRUE);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                NULL, /* expectedAscii, */
-                ProcessingParams,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ProcessingParams");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c b/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c
deleted file mode 100644
index 9299d4239..000000000
--- a/security/nss/cmd/libpkix/pkix/params/test_resourcelimits.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_resourcelimits.c
- *
- * Test ResourceLimits Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ResourceLimits_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-int test_resourcelimits(int argc, char *argv[]) {
-
-        PKIX_ResourceLimits *goodObject = NULL;
-        PKIX_ResourceLimits *equalObject = NULL;
-        PKIX_ResourceLimits *diffObject = NULL;
-        PKIX_UInt32 maxTime = 0;
-        PKIX_UInt32 maxFanout = 0;
-        PKIX_UInt32 maxDepth = 0;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *expectedAscii =
-                "[\n"
-                "\tMaxTime:           		10\n"
-                "\tMaxFanout:         		5\n"
-                "\tMaxDepth:         		5\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("ResourceLimits");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_ResourceLimits_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                                  (&goodObject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                                  (&diffObject, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                                  (&equalObject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                                  (goodObject, 10, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxTime
-                                  (goodObject, &maxTime, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                                  (equalObject, maxTime, plContext));
-        maxTime++;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                                  (diffObject, maxTime, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                                  (goodObject, 5, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxFanout
-                                  (goodObject, &maxFanout, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                                  (equalObject, maxFanout, plContext));
-        maxFanout++;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                                  (diffObject, maxFanout, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                                  (goodObject, 5, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_GetMaxDepth
-                                  (goodObject, &maxDepth, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                                  (equalObject, maxDepth, plContext));
-        maxDepth++;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                                  (diffObject, maxDepth, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                ResourceLimits,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ResourceLimits");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c b/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c
deleted file mode 100644
index 6d4909304..000000000
--- a/security/nss/cmd/libpkix/pkix/params/test_trustanchor.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_trustanchor.c
- *
- * Test TrustAnchor Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createTrustAnchors(
-        char *dirName,
-        char *goodInput,
-        PKIX_TrustAnchor **goodObject,
-        PKIX_TrustAnchor **equalObject,
-        PKIX_TrustAnchor **diffObject)
-{
-        subTest("PKIX_TrustAnchor_CreateWithNameKeyPair <goodObject>");
-        *goodObject = createTrustAnchor
-                        (dirName, goodInput, PKIX_FALSE, plContext);
-
-        subTest("PKIX_TrustAnchor_CreateWithNameKeyPair <equalObject>");
-        *equalObject = createTrustAnchor
-                        (dirName, goodInput, PKIX_FALSE, plContext);
-
-        subTest("PKIX_TrustAnchor_CreateWithCert <diffObject>");
-        *diffObject = createTrustAnchor
-                        (dirName, goodInput, PKIX_TRUE, plContext);
-}
-
-static
-void testGetCAName(
-        PKIX_PL_Cert *diffCert,
-        PKIX_TrustAnchor *equalObject){
-
-        PKIX_PL_X500Name *diffCAName = NULL;
-        PKIX_PL_X500Name *equalCAName = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_TrustAnchor_GetCAName");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                                    (diffCert, &diffCAName, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAName
-                                    (equalObject, &equalCAName, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)diffCAName,
-                        (PKIX_PL_Object *)equalCAName,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(diffCAName);
-        PKIX_TEST_DECREF_AC(equalCAName);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetCAPublicKey(
-        PKIX_PL_Cert *diffCert,
-        PKIX_TrustAnchor *equalObject){
-
-        PKIX_PL_PublicKey *diffPubKey = NULL;
-        PKIX_PL_PublicKey *equalPubKey = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_TrustAnchor_GetCAPublicKey");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                                    (diffCert, &diffPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetCAPublicKey
-                                    (equalObject, &equalPubKey, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)diffPubKey,
-                        (PKIX_PL_Object *)equalPubKey,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(diffPubKey);
-        PKIX_TEST_DECREF_AC(equalPubKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetNameConstraints(char *dirName)
-{
-        PKIX_TrustAnchor *goodObject = NULL;
-        PKIX_TrustAnchor *equalObject = NULL;
-        PKIX_TrustAnchor *diffObject = NULL;
-        PKIX_PL_Cert *diffCert;
-        PKIX_PL_CertNameConstraints *diffNC = NULL;
-        PKIX_PL_CertNameConstraints *equalNC = NULL;
-        char *goodInput = "nameConstraintsDN5CACert.crt";
-        char *expectedAscii =
-                "[\n"
-                "\tTrusted CA Name:         CN=nameConstraints DN5 CA,"
-                "O=Test Certificates,C=US\n"
-                "\tTrusted CA PublicKey:    PKCS #1 RSA Encryption\n"
-                "\tInitial Name Constraints:[\n"
-                "\t\tPermitted Name:  (OU=permittedSubtree1,"
-                "O=Test Certificates,C=US)\n"
-                "\t\tExcluded Name:   (OU=excludedSubtree1,"
-                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
-                "\t]\n"
-                "\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Create TrustAnchors and compare");
-
-        createTrustAnchors
-                (dirName, goodInput, &goodObject, &equalObject, &diffObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                TrustAnchor,
-                PKIX_TRUE);
-
-        subTest("PKIX_TrustAnchor_GetTrustedCert");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetTrustedCert
-                                    (diffObject, &diffCert, plContext));
-
-        subTest("PKIX_PL_Cert_GetNameConstraints");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                                    (diffCert, &diffNC, plContext));
-
-        subTest("PKIX_TrustAnchor_GetNameConstraints");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetNameConstraints
-                                    (equalObject, &equalNC, plContext));
-
-        testEqualsHelper((PKIX_PL_Object *)diffNC,
-                        (PKIX_PL_Object *)equalNC,
-                        PKIX_TRUE,
-                        plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(diffNC);
-        PKIX_TEST_DECREF_AC(equalNC);
-        PKIX_TEST_DECREF_BC(diffCert);
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_TrustAnchor_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_trustanchor <NIST_FILES_DIR> <central-data-dir>\n\n");
-}
-
-int test_trustanchor(int argc, char *argv[]) {
-
-        PKIX_TrustAnchor *goodObject = NULL;
-        PKIX_TrustAnchor *equalObject = NULL;
-        PKIX_TrustAnchor *diffObject = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *goodInput = "yassir2yassir";
-        char *expectedAscii =
-                "[\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n";
-        char *dirName = NULL;
-        char *dataCentralDir = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("TrustAnchor");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 3) {
-                printUsage();
-                return (0);
-        }
-
-        dirName = argv[j+1];
-        dataCentralDir = argv[j+2];
-
-        createTrustAnchors
-                (dataCentralDir,
-                goodInput,
-                &goodObject,
-                &equalObject,
-                &diffObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                TrustAnchor,
-                PKIX_TRUE);
-
-        subTest("PKIX_TrustAnchor_GetTrustedCert");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_GetTrustedCert
-                                    (diffObject, &diffCert, plContext));
-
-        testGetCAName(diffCert, equalObject);
-        testGetCAPublicKey(diffCert, equalObject);
-
-        testGetNameConstraints(dirName);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(diffCert);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("TrustAnchor");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/params/test_valparams.c b/security/nss/cmd/libpkix/pkix/params/test_valparams.c
deleted file mode 100644
index 999fd95bc..000000000
--- a/security/nss/cmd/libpkix/pkix/params/test_valparams.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_valparams.c
- *
- * Test ValidateParams Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ValidateParams_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetProcParams(
-        PKIX_ValidateParams *goodObject,
-        PKIX_ValidateParams *equalObject){
-
-        PKIX_ProcessingParams *goodProcParams = NULL;
-        PKIX_ProcessingParams *equalProcParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ValidateParams_GetProcessingParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (goodObject, &goodProcParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (equalObject, &equalProcParams, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodProcParams,
-                (PKIX_PL_Object *)equalProcParams,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodProcParams);
-        PKIX_TEST_DECREF_AC(equalProcParams);
-
-        PKIX_TEST_RETURN();
-}
-
-
-static
-void testGetCertChain(
-        PKIX_ValidateParams *goodObject,
-        PKIX_ValidateParams *equalObject){
-
-        PKIX_List *goodChain = NULL;
-        PKIX_List *equalChain = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ValidateParams_GetCertChain");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetCertChain
-                (goodObject, &goodChain, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetCertChain
-                (equalObject, &equalChain, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodChain,
-                (PKIX_PL_Object *)equalChain,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodChain);
-        PKIX_TEST_DECREF_AC(equalChain);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_valparams(int argc, char *argv[]) {
-
-        PKIX_ValidateParams *goodObject = NULL;
-        PKIX_ValidateParams *equalObject = NULL;
-        PKIX_ValidateParams *diffObject = NULL;
-        PKIX_List *chain = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *dirName = NULL;
-
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-
-        char *expectedAscii =
-                "[\n"
-                "\tProcessing Params: \n"
-                "\t********BEGIN PROCESSING PARAMS********\n"
-                "\t\t"
-                "[\n"
-                "\tTrust Anchors: \n"
-                "\t********BEGIN LIST OF TRUST ANCHORS********\n"
-                "\t\t"
-"([\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ", [\n"
-                "\tTrusted CA Name:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                ")\n"
-                "\t********END LIST OF TRUST ANCHORS********\n"
-                "\tDate:    \t\t(null)\n"
-                "\tTarget Constraints:    (null)\n"
-                "\tInitial Policies:      (null)\n"
-                "\tQualifiers Rejected:   FALSE\n"
-                "\tCert Stores:           (EMPTY)\n"
-                "\tCRL Checking Enabled:  0\n"
-                "]\n"
-                "\n"
-                "\t********END PROCESSING PARAMS********\n"
-                "\tChain:    \t\t"
-                "([\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    37bc66ec\n"
-                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"
-                "\t           To:   Fri Aug 18 16:19:56 2000]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ", [\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    37bc65af\n"
-                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tSubject:         CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tValidity: [From: Thu Aug 19 16:14:39 1999\n"
-                "\t           To:   Fri Aug 18 16:14:39 2000]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ")\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("ValidateParams");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[j+1];
-
-        subTest("PKIX_ValidateParams_Create");
-        chain = createCertChain(dirName, diffInput, goodInput, plContext);
-        goodObject = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-        equalObject = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-        diffObject = createValidateParams
-                (dirName,
-                diffInput,
-                goodInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        testGetProcParams(goodObject, equalObject);
-        testGetCertChain(goodObject, equalObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                NULL, /* expectedAscii, */
-                ValidateParams,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(chain);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ValidateParams");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/results/Makefile b/security/nss/cmd/libpkix/pkix/results/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/results/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/results/manifest.mn b/security/nss/cmd/libpkix/pkix/results/manifest.mn
deleted file mode 100755
index a043f672e..000000000
--- a/security/nss/cmd/libpkix/pkix/results/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH      = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_buildresult.c \
-	test_policynode.c \
-	test_verifynode.c \
-	test_valresult.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolresults
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/results/test_buildresult.c b/security/nss/cmd/libpkix/pkix/results/test_buildresult.c
deleted file mode 100644
index 89bd9c531..000000000
--- a/security/nss/cmd/libpkix/pkix/results/test_buildresult.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildresult.c
- *
- * Test BuildResult Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_BuildResult_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetValidateResult(
-        PKIX_BuildResult *goodObject,
-        PKIX_BuildResult *equalObject){
-
-        PKIX_ValidateResult *goodValResult = NULL;
-        PKIX_ValidateResult *equalValResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_BuildResult_GetValidateResult");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetValidateResult
-                (goodObject, &goodValResult, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetValidateResult
-                (equalObject, &equalValResult, NULL));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodValResult,
-                (PKIX_PL_Object *)equalValResult,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodValResult);
-        PKIX_TEST_DECREF_AC(equalValResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetCertChain(
-        PKIX_BuildResult *goodObject,
-        PKIX_BuildResult *equalObject){
-
-        PKIX_List *goodChain = NULL;
-        PKIX_List *equalChain = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_BuildResult_GetCertChain");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain
-                (goodObject, &goodChain, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildResult_GetCertChain
-                (equalObject, &equalChain, NULL));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodChain,
-                (PKIX_PL_Object *)equalChain,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodChain);
-        PKIX_TEST_DECREF_AC(equalChain);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_buildresult(int argc, char *argv[]) {
-
-        PKIX_BuildResult *goodObject = NULL;
-        PKIX_BuildResult *equalObject = NULL;
-        PKIX_BuildResult *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *dirName = NULL;
-	PKIX_UInt32 j = 0;
-
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-
-        char *expectedAscii =
-                "[\n"
-                "\tValidateResult: \t\t"
-                "[\n"
-                "\tTrustAnchor: \t\t"
-                "[\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                "\tPubKey:    \t\t"
-                "ANSI X9.57 DSA Signature\n"
-                "\tPolicyTree:  \t\t(null)\n"
-                "]\n"
-                "\tCertChain:    \t\t("
-                "[\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    37bc65af\n"
-                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tSubject:         CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tValidity: [From: Thu Aug 19 16:14:39 1999\n"
-                "\t           To:   Fri Aug 18 16:14:39 2000]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ", [\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    37bc66ec\n"
-                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"
-                "\t           To:   Fri Aug 18 16:19:56 2000]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ")\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("BuildResult");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[j+1];
-
-        subTest("pkix_BuildResult_Create");
-
-        goodObject = createBuildResult
-            (dirName, goodInput, diffInput, goodInput, diffInput, plContext);
-        equalObject = createBuildResult
-            (dirName, goodInput, diffInput, goodInput, diffInput, plContext);
-        diffObject = createBuildResult
-            (dirName, diffInput, goodInput, diffInput, goodInput, plContext);
-
-        testGetValidateResult(goodObject, equalObject);
-        testGetCertChain(goodObject, equalObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                NULL, /* expectedAscii, */
-                BuildResult,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("BuildResult");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_policynode.c b/security/nss/cmd/libpkix/pkix/results/test_policynode.c
deleted file mode 100644
index 8229a337f..000000000
--- a/security/nss/cmd/libpkix/pkix/results/test_policynode.c
+++ /dev/null
@@ -1,712 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_policynode.c
- *
- * Test PolicyNode Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext =  NULL;
-
-static void
-test_GetChildren(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode)
-{
-
-/*
- * Caution: be careful where you insert this test. PKIX_PolicyNode_GetChildren
- * is required by the API to return an immutable List, and it does it by setting
- * the List immutable. We don't make a copy because the assumption is that
- * certificate and policy processing have been completed before the user gets at
- * the public API. So subsequent tests of functions that modify the policy tree,
- * such as Prune, will fail if called after the execution of this test.
- */
-
-        PKIX_Boolean isImmutable = PKIX_FALSE;
-        PKIX_List *goodList = NULL;
-        PKIX_List *equalList = NULL;
-        PKIX_List *diffList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetChildren");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
-                (goodNode, &goodList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
-                (equalNode, &equalList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetChildren
-                (diffNode, &diffList, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodList, equalList, diffList, NULL, List, NULL);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
-                (goodList, &isImmutable, plContext));
-
-        if (isImmutable != PKIX_TRUE) {
-            testError("PKIX_PolicyNode_GetChildren returned a mutable List");
-        }
-
-cleanup:
-        PKIX_TEST_DECREF_AC(goodList);
-        PKIX_TEST_DECREF_AC(equalList);
-        PKIX_TEST_DECREF_AC(diffList);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-test_GetParent(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode,
-        char *expectedAscii)
-{
-        PKIX_PolicyNode *goodParent = NULL;
-        PKIX_PolicyNode *equalParent = NULL;
-        PKIX_PolicyNode *diffParent = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetParent");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
-                (goodNode, &goodParent, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
-                (equalNode, &equalParent, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetParent
-                (diffNode, &diffParent, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodParent,
-                equalParent,
-                diffParent,
-                expectedAscii,
-                CertPolicyNode,
-                NULL);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(goodParent);
-        PKIX_TEST_DECREF_AC(equalParent);
-        PKIX_TEST_DECREF_AC(diffParent);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This test is the same as testDuplicateHelper, except that it
- * produces a more useful "Actual value" and "Expected value"
- * in the case of an unexpected mismatch.
- */
-static void
-test_DuplicateHelper(PKIX_PolicyNode *object, void *plContext)
-{
-        PKIX_PolicyNode *newObject = NULL;
-        PKIX_Boolean cmpResult;
-        PKIX_PL_String *original = NULL;
-        PKIX_PL_String *copy = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("testing pkix_PolicyNode_Duplicate");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)object,
-                (PKIX_PL_Object **)&newObject,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object *)object,
-                (PKIX_PL_Object *)newObject,
-                &cmpResult,
-                plContext));
-
-        if (!cmpResult){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                        ((PKIX_PL_Object*)object, &original, plContext));
-                testError("unexpected mismatch");
-                (void) printf
-                        ("original value:\t%s\n", original->escAsciiString);
-
-                if (newObject) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object*)newObject, &copy, plContext));
-                        (void) printf
-                                ("copy value:\t%s\n", copy->escAsciiString);
-                } else {
-                        (void) printf("copy value:\t(NULL)\n");
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(newObject);
-        PKIX_TEST_DECREF_AC(original);
-        PKIX_TEST_DECREF_AC(copy);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-test_GetValidPolicy(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode,
-        char *expectedAscii)
-{
-        PKIX_PL_OID *goodPolicy = NULL;
-        PKIX_PL_OID *equalPolicy = NULL;
-        PKIX_PL_OID *diffPolicy = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetValidPolicy");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
-                (goodNode, &goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
-                (equalNode, &equalPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetValidPolicy
-                (diffNode, &diffPolicy, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodPolicy, equalPolicy, diffPolicy, expectedAscii, OID, NULL);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-
-
-        PKIX_TEST_RETURN();
-}
-
-static void test_GetPolicyQualifiers(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode,
-        char *expectedAscii)
-{
-        PKIX_Boolean isImmutable = PKIX_FALSE;
-        PKIX_List *goodList = NULL;
-        PKIX_List *equalList = NULL;
-        PKIX_List *diffList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetPolicyQualifiers");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
-                (goodNode, &goodList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
-                (equalNode, &equalList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetPolicyQualifiers
-                (diffNode, &diffList, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodList, equalList, diffList, expectedAscii, List, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
-                (goodList, &isImmutable, plContext));
-
-        if (isImmutable != PKIX_TRUE) {
-            testError
-                ("PKIX_PolicyNode_GetPolicyQualifiers returned a mutable List");
-        }
-cleanup:
-        PKIX_TEST_DECREF_AC(goodList);
-        PKIX_TEST_DECREF_AC(equalList);
-        PKIX_TEST_DECREF_AC(diffList);
-
-        PKIX_TEST_RETURN();
-}
-
-static void test_GetExpectedPolicies(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode,
-        char *expectedAscii)
-{
-        PKIX_Boolean isImmutable = PKIX_FALSE;
-        PKIX_List *goodList = NULL;
-        PKIX_List *equalList = NULL;
-        PKIX_List *diffList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetExpectedPolicies");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
-                (goodNode, &goodList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
-                (equalNode, &equalList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetExpectedPolicies
-                (diffNode, &diffList, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodList, equalList, diffList, expectedAscii, List, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
-                (goodList, &isImmutable, plContext));
-
-        if (isImmutable != PKIX_TRUE) {
-            testError
-                ("PKIX_PolicyNode_GetExpectedPolicies returned a mutable List");
-        }
-cleanup:
-        PKIX_TEST_DECREF_AC(goodList);
-        PKIX_TEST_DECREF_AC(equalList);
-        PKIX_TEST_DECREF_AC(diffList);
-
-        PKIX_TEST_RETURN();
-}
-
-static void test_IsCritical(
-        PKIX_PolicyNode *goodNode,
-        PKIX_PolicyNode *equalNode,
-        PKIX_PolicyNode *diffNode)
-{
-        PKIX_Boolean goodBool = PKIX_FALSE;
-        PKIX_Boolean equalBool = PKIX_FALSE;
-        PKIX_Boolean diffBool = PKIX_FALSE;
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_IsCritical");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
-                (goodNode, &goodBool, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
-                (equalNode, &equalBool, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_IsCritical
-                (diffNode, &diffBool, plContext));
-
-        if ((!goodBool) || (!equalBool) || (diffBool)) {
-                testError("IsCritical returned unexpected value");
-        }
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void test_GetDepth(
-        PKIX_PolicyNode *depth1Node,
-        PKIX_PolicyNode *depth2Node,
-        PKIX_PolicyNode *depth3Node)
-{
-        PKIX_UInt32 depth1 = 0;
-        PKIX_UInt32 depth2 = 0;
-        PKIX_UInt32 depth3 = 0;
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PolicyNode_GetDepth");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
-                (depth1Node, &depth1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
-                (depth2Node, &depth2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PolicyNode_GetDepth
-                (depth3Node, &depth3, plContext));
-
-        if ((depth1 != 1) || (depth2 != 2) || (depth3 != 3)) {
-                testError("GetDepth returned unexpected value");
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_policynode <NIST_FILES_DIR> \n\n");
-}
-
-int test_policynode(int argc, char *argv[]) {
-
-        /*
-         * Create a tree with parent = anyPolicy,
-         * child1 with Nist1+Nist2, child2 with Nist1.
-         * Give each child another child, with policies Nist2
-         * and Nist1, respectively. Pruning with a depth of two
-         * should have no effect. Give one of the children
-         * another child. Then pruning with a depth of three
-         * should reduce the tree to a single strand, as child1
-         * and child3 are removed.
-         *
-         *              parent (anyPolicy)
-         *          /                   \
-         *      child1(Nist1+Nist2)     child2(Nist1)
-         *          |                       |
-         *      child3(Nist2)           child4(Nist1)
-         *                                  |
-         *                              child5(Nist1)
-         *
-         */
-        char *asciiAnyPolicy = "2.5.29.32.0";
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_CertPolicyInfo *nist1Policy = NULL;
-        PKIX_PL_CertPolicyInfo *nist2Policy = NULL;
-        PKIX_List *policyQualifierList = NULL;
-        PKIX_PL_OID *oidAnyPolicy = NULL;
-        PKIX_PL_OID *oidNist1Policy = NULL;
-        PKIX_PL_OID *oidNist2Policy = NULL;
-        PKIX_List *expectedAnyList = NULL;
-        PKIX_List *expectedNist1List = NULL;
-        PKIX_List *expectedNist2List = NULL;
-        PKIX_List *expectedNist1Nist2List = NULL;
-        PKIX_List *emptyList = NULL;
-        PKIX_PolicyNode *parentNode = NULL;
-        PKIX_PolicyNode *childNode1 = NULL;
-        PKIX_PolicyNode *childNode2 = NULL;
-        PKIX_PolicyNode *childNode3 = NULL;
-        PKIX_PolicyNode *childNode4 = NULL;
-        PKIX_PolicyNode *childNode5 = NULL;
-        PKIX_PL_String *parentString = NULL;
-        PKIX_Boolean pDelete = PKIX_FALSE;
-        char *expectedParentAscii =
-                "{2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5C "
-                "1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 65"
-                " 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D 2"
-                "0 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 69 "
-                "73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 66"
-                " 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20 6"
-                "F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1.3"
-                ".6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69 7"
-                "3 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 69 "
-                "63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 20"
-                " 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63 6"
-                "1 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 75 "
-                "72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101.3"
-                ".2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A 20"
-                " 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72 2"
-                "0 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 "
-                "66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 72"
-                " 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F 7"
-                "4 20 62 65 20 64 69 73 70 6C 61 79 65 64])]),1}\n"
-                ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
-                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
-                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
-                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
-                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
-                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
-                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2),2}";
-        char *expectedValidAscii =
-                "2.16.840.1.101.3.2.1.48.2";
-        char *expectedQualifiersAscii =
-                /* "(1.3.6.1.5.5.7.2.2)"; */
-                "(1.3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 "
-                "69 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74"
-                " 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 7"
-                "2 20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 "
-                "63 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70"
-                " 75 72 70 6F 73 65 73 20 6F 6E 6C 79])";
-        char *expectedPoliciesAscii =
-                "(2.16.840.1.101.3.2.1.48.1)";
-        char *expectedTree =
-                "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
-                ". {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30 5"
-                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
-                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
-                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
-                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
-                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
-                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1[(1"
-                ".3.6.1.5.5.7.2.2:[30 5C 1A 5A 71 31 3A 20 20 54 68 69"
-                " 73 20 69 73 20 74 68 65 20 75 73 65 72 20 6E 6F 74 6"
-                "9 63 65 20 66 72 6F 6D 20 71 75 61 6C 69 66 69 65 72 "
-                "20 31 2E 20 20 54 68 69 73 20 63 65 72 74 69 66 69 63"
-                " 61 74 65 20 69 73 20 66 6F 72 20 74 65 73 74 20 70 7"
-                "5 72 70 6F 73 65 73 20 6F 6E 6C 79])], 2.16.840.1.101"
-                ".3.2.1.48.2[(1.3.6.1.5.5.7.2.2:[30 5A 1A 58 71 32 3A "
-                "20 20 54 68 69 73 20 69 73 20 74 68 65 20 75 73 65 72"
-                " 20 6E 6F 74 69 63 65 20 66 72 6F 6D 20 71 75 61 6C 6"
-                "9 66 69 65 72 20 32 2E 20 20 54 68 69 73 20 75 73 65 "
-                "72 20 6E 6F 74 69 63 65 20 73 68 6F 75 6C 64 20 6E 6F"
-                " 74 20 62 65 20 64 69 73 70 6C 61 79 65 64])]"
-                "),1}\n"
-                ". . {2.16.840.1.101.3.2.1.48.2,(1.3.6.1.5.5.7.2.2:[30"
-                " 5C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 6"
-                "8 65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F "
-                "6D 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68"
-                " 69 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 2"
-                "0 66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 "
-                "20 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.2)"
-                ",2}\n"
-                ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
-                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
-                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
-                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
-                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
-                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
-                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
-                ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
-                "(2.16.840.1.101.3.2.1.48.1),2}\n"
-                ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
-                "0.1.101.3.2.1.48.1),3}";
-        char *expectedPrunedTree =
-                "{2.5.29.32.0,{},Critical,(2.5.29.32.0),0}\n"
-                ". {2.16.840.1.101.3.2.1.48.1,(1.3.6.1.5.5.7.2.2:[30 5"
-                "C 1A 5A 71 31 3A 20 20 54 68 69 73 20 69 73 20 74 68 "
-                "65 20 75 73 65 72 20 6E 6F 74 69 63 65 20 66 72 6F 6D"
-                " 20 71 75 61 6C 69 66 69 65 72 20 31 2E 20 20 54 68 6"
-                "9 73 20 63 65 72 74 69 66 69 63 61 74 65 20 69 73 20 "
-                "66 6F 72 20 74 65 73 74 20 70 75 72 70 6F 73 65 73 20"
-                " 6F 6E 6C 79]),Critical,(2.16.840.1.101.3.2.1.48.1),1}\n"
-                ". . {2.16.840.1.101.3.2.1.48.1,(EMPTY),Not Critical,"
-                "(2.16.840.1.101.3.2.1.48.1),2}\n"
-                ". . . {2.16.840.1.101.3.2.1.48.1,{},Critical,(2.16.84"
-                "0.1.101.3.2.1.48.1),3}";
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *dirName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 2) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("PolicyNode");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        dirName = argv[j+1];
-
-        subTest("Creating OID objects");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (asciiAnyPolicy, &oidAnyPolicy, plContext));
-
-        /* Read certificates to get real policies, qualifiers */
-
-        cert = createCert
-                (dirName, "UserNoticeQualifierTest16EE.crt", plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (cert, &expectedNist1Nist2List, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (expectedNist1Nist2List,
-                0,
-                (PKIX_PL_Object **)&nist1Policy,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (expectedNist1Nist2List,
-                1,
-                (PKIX_PL_Object **)&nist2Policy,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (nist1Policy, &policyQualifierList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (nist1Policy, &oidNist1Policy, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (nist2Policy, &oidNist2Policy, plContext));
-
-        subTest("Creating expectedPolicy List objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_Create(&expectedAnyList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_Create(&expectedNist1List, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_Create(&expectedNist2List, plContext));
-
-
-        subTest("Populating expectedPolicy List objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (expectedAnyList, (PKIX_PL_Object *)oidAnyPolicy, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (expectedNist1List,
-                (PKIX_PL_Object *)oidNist1Policy,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (expectedNist2List,
-                                    (PKIX_PL_Object *)oidNist2Policy,
-                                    plContext));
-
-        subTest("Creating PolicyNode objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&emptyList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidAnyPolicy,
-                NULL,
-                PKIX_TRUE,
-                expectedAnyList,
-                &parentNode,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidNist2Policy,
-                policyQualifierList,
-                PKIX_TRUE,
-                expectedNist1Nist2List,
-                &childNode1,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidNist1Policy,
-                policyQualifierList,
-                PKIX_TRUE,
-                expectedNist1List,
-                &childNode2,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidNist2Policy,
-                policyQualifierList,
-                PKIX_TRUE,
-                expectedNist2List,
-                &childNode3,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidNist1Policy,
-                emptyList,
-                PKIX_FALSE,
-                expectedNist1List,
-                &childNode4,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Create
-                (oidNist1Policy,
-                NULL,
-                PKIX_TRUE,
-                expectedNist1List,
-                &childNode5,
-                plContext));
-
-        subTest("Creating the PolicyNode tree");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
-                (parentNode, childNode1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
-                (parentNode, childNode2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
-                (childNode1, childNode3, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
-                (childNode2, childNode4, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_AddToParent
-                (childNode4, childNode5, plContext));
-
-        subTest("Displaying PolicyNode objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)parentNode, &parentString, plContext));
-        (void) printf("parentNode is\n\t%s\n", parentString->escAsciiString);
-
-        testToStringHelper
-                ((PKIX_PL_Object*)parentNode, expectedTree, plContext);
-
-        test_DuplicateHelper(parentNode, plContext);
-
-        test_GetParent(childNode3, childNode3, childNode4, expectedParentAscii);
-        test_GetValidPolicy
-                (childNode1, childNode3, parentNode, expectedValidAscii);
-        test_GetPolicyQualifiers
-                (childNode1, childNode3, childNode4, expectedQualifiersAscii);
-        test_GetExpectedPolicies
-                (childNode2, childNode4, childNode3, expectedPoliciesAscii);
-        test_IsCritical(childNode1, childNode2, childNode4);
-        test_GetDepth(childNode2, childNode4, childNode5);
-
-        subTest("pkix_PolicyNode_Prune");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
-                (parentNode, 2, &pDelete, plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object*)parentNode, expectedTree, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_PolicyNode_Prune
-                (parentNode, 3, &pDelete, plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object*)parentNode, expectedPrunedTree, plContext);
-
-        test_GetChildren(parentNode, parentNode, childNode2);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(nist1Policy);
-        PKIX_TEST_DECREF_AC(nist2Policy);
-        PKIX_TEST_DECREF_AC(policyQualifierList);
-        PKIX_TEST_DECREF_AC(oidAnyPolicy);
-        PKIX_TEST_DECREF_AC(oidNist1Policy);
-        PKIX_TEST_DECREF_AC(oidNist2Policy);
-        PKIX_TEST_DECREF_AC(expectedAnyList);
-        PKIX_TEST_DECREF_AC(expectedNist1List);
-        PKIX_TEST_DECREF_AC(expectedNist2List);
-        PKIX_TEST_DECREF_AC(expectedNist1Nist2List);
-        PKIX_TEST_DECREF_AC(emptyList);
-        PKIX_TEST_DECREF_AC(parentNode);
-        PKIX_TEST_DECREF_AC(childNode1);
-        PKIX_TEST_DECREF_AC(childNode2);
-        PKIX_TEST_DECREF_AC(childNode3);
-        PKIX_TEST_DECREF_AC(childNode4);
-        PKIX_TEST_DECREF_AC(childNode5);
-        PKIX_TEST_DECREF_AC(parentString);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("PolicyNode");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_valresult.c b/security/nss/cmd/libpkix/pkix/results/test_valresult.c
deleted file mode 100644
index 6633c5529..000000000
--- a/security/nss/cmd/libpkix/pkix/results/test_valresult.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_valresult.c
- *
- * Test ValidateResult Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ValidateResult_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testGetPublicKey(
-        PKIX_ValidateResult *goodObject,
-        PKIX_ValidateResult *equalObject){
-
-        PKIX_PL_PublicKey *goodPubKey = NULL;
-        PKIX_PL_PublicKey *equalPubKey = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ValidateResult_GetPublicKey");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPublicKey
-                (goodObject, &goodPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPublicKey
-                (equalObject, &equalPubKey, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodPubKey,
-                (PKIX_PL_Object *)equalPubKey,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodPubKey);
-        PKIX_TEST_DECREF_AC(equalPubKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetTrustAnchor(
-        PKIX_ValidateResult *goodObject,
-        PKIX_ValidateResult *equalObject){
-
-        PKIX_TrustAnchor *goodAnchor = NULL;
-        PKIX_TrustAnchor *equalAnchor = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ValidateResult_GetTrustAnchor");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetTrustAnchor
-                (goodObject, &goodAnchor, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetTrustAnchor
-                (equalObject, &equalAnchor, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)goodAnchor,
-                (PKIX_PL_Object *)equalAnchor,
-                PKIX_TRUE,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodAnchor);
-        PKIX_TEST_DECREF_AC(equalAnchor);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetPolicyTree(
-        PKIX_ValidateResult *goodObject,
-        PKIX_ValidateResult *equalObject){
-
-        PKIX_PolicyNode *goodTree = NULL;
-        PKIX_PolicyNode *equalTree = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_ValidateResult_GetPolicyTree");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
-                (goodObject, &goodTree, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
-                (equalObject, &equalTree, plContext));
-
-        if (goodTree) {
-                testEqualsHelper
-                        ((PKIX_PL_Object *)goodTree,
-                        (PKIX_PL_Object *)equalTree,
-                        PKIX_TRUE,
-                        plContext);
-        } else if (equalTree) {
-                pkixTestErrorMsg = "Mismatch: NULL and non-NULL Policy Trees";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodTree);
-        PKIX_TEST_DECREF_AC(equalTree);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_valresult(int argc, char *argv[]) {
-
-        PKIX_ValidateResult *goodObject = NULL;
-        PKIX_ValidateResult *equalObject = NULL;
-        PKIX_ValidateResult *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-        char *dirName = NULL;
-
-        char *expectedAscii =
-                "[\n"
-                "\tTrustAnchor: \t\t"
-                "[\n"
-                "\tTrusted CA Name:         "
-                "CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tTrusted CA PublicKey:    ANSI X9.57 DSA Signature\n"
-                "\tInitial Name Constraints:(null)\n"
-                "]\n"
-                "\tPubKey:    \t\t"
-                "ANSI X9.57 DSA Signature\n"
-                "\tPolicyTree:  \t\t(null)\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("ValidateResult");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[j+1];
-
-        subTest("pkix_ValidateResult_Create");
-
-        goodObject = createValidateResult
-                (dirName, goodInput, diffInput, plContext);
-        equalObject = createValidateResult
-                (dirName, goodInput, diffInput, plContext);
-        diffObject = createValidateResult
-                (dirName, diffInput, goodInput, plContext);
-
-        testGetPublicKey(goodObject, equalObject);
-        testGetTrustAnchor(goodObject, equalObject);
-        testGetPolicyTree(goodObject, equalObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                ValidateResult,
-                PKIX_FALSE);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ValidateResult");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/results/test_verifynode.c b/security/nss/cmd/libpkix/pkix/results/test_verifynode.c
deleted file mode 100644
index 849c1d13d..000000000
--- a/security/nss/cmd/libpkix/pkix/results/test_verifynode.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_verifynode.c
- *
- * Test VerifyNode Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext =  NULL;
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_verifynode path cert1 cert2 cert3\n\n");
-}
-
-int test_verifynode(int argc, char *argv[]) {
-
-        /*
-         * Create a tree with parent = cert1, child=cert2, grandchild=cert3
-         */
-        PKIX_PL_Cert *cert1 = NULL;
-        PKIX_PL_Cert *cert2 = NULL;
-	PKIX_PL_Cert *cert3 = NULL;
-        PKIX_VerifyNode *parentNode = NULL;
-        PKIX_VerifyNode *childNode = NULL;
-        PKIX_VerifyNode *grandChildNode = NULL;
-        PKIX_PL_String *parentString = NULL;
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *dirName = NULL;
-	char *twoNodeAscii = "CERT[Issuer:CN=Trust Anchor,O=Test Cert"
-		"ificates,C=US, Subject:CN=Trust Anchor,O=Test Certif"
-		"icates,C=US], depth=0, error=(null)\n. CERT[Issuer:C"
-		"N=Trust Anchor,O=Test Certificates,C=US, Subject:CN="
-		"Good CA,O=Test Certificates,C=US], depth=1, error=(null)";
-	char *threeNodeAscii = "CERT[Issuer:CN=Trust Anchor,O=Test Ce"
-		"rtificates,C=US, Subject:CN=Trust Anchor,O=Test Cert"
-		"ificates,C=US], depth=0, error=(null)\n. CERT[Issuer"
-		":CN=Trust Anchor,O=Test Certificates,C=US, Subject:C"
-		"N=Good CA,O=Test Certificates,C=US], depth=1, error="
-		"(null)\n. . CERT[Issuer:CN=Good CA,O=Test Certificat"
-		"es,C=US, Subject:CN=Valid EE Certificate Test1,O=Tes"
-		"t Certificates,C=US], depth=2, error=(null)";
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 3) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("VerifyNode");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        dirName = argv[++j];
-
-        subTest("Creating Certs");
-
-        cert1 = createCert
-                (dirName, argv[++j], plContext);
-
-        cert2 = createCert
-                (dirName, argv[++j], plContext);
-
-        cert3 = createCert
-                (dirName, argv[++j], plContext);
-
-        subTest("Creating VerifyNode objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
-		(cert1, 0, NULL, &parentNode, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
-		(cert2, 1, NULL, &childNode, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_Create
-		(cert3, 2, NULL, &grandChildNode, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_AddToChain
-		(parentNode, childNode, plContext));
-
-        subTest("Creating VerifyNode ToString objects");
-
-	testToStringHelper
-		((PKIX_PL_Object *)parentNode, twoNodeAscii, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_VerifyNode_AddToChain
-		(parentNode, grandChildNode, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)parentNode, &parentString, plContext));
-        (void) printf("parentNode is\n\t%s\n", parentString->escAsciiString);
-
-	testToStringHelper
-		((PKIX_PL_Object *)parentNode, threeNodeAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(cert1);
-        PKIX_TEST_DECREF_AC(cert2);
-        PKIX_TEST_DECREF_AC(parentNode);
-        PKIX_TEST_DECREF_AC(childNode);
-        PKIX_TEST_DECREF_AC(parentString);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("VerifyNode");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/store/Makefile b/security/nss/cmd/libpkix/pkix/store/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/store/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/store/manifest.mn b/security/nss/cmd/libpkix/pkix/store/manifest.mn
deleted file mode 100755
index 813a7902a..000000000
--- a/security/nss/cmd/libpkix/pkix/store/manifest.mn
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_store.c
-
-LIBRARY_NAME=pkixtoolstore
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/store/test_store.c b/security/nss/cmd/libpkix/pkix/store/test_store.c
deleted file mode 100755
index d54b7f9a2..000000000
--- a/security/nss/cmd/libpkix/pkix/store/test_store.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_certstore.c
- *
- * Test CertStore Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-PKIX_Error *testCRLCallback(
-        PKIX_CertStore *store,
-        PKIX_CRLSelector *selector,
-	void **pNBIOContext,
-        PKIX_List **pCrls,  /* list of PKIX_PL_Crl */
-        void *plContext)
-{
-        return (0);
-}
-
-static
-PKIX_Error *testCRLContinue(
-        PKIX_CertStore *store,
-        PKIX_CRLSelector *selector,
-	void **pNBIOContext,
-        PKIX_List **pCrls,  /* list of PKIX_PL_Crl */
-        void *plContext)
-{
-        return (0);
-}
-
-static
-PKIX_Error *testCertCallback(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *selector,
-	void **pNBIOContext,
-        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
-        void *plContext)
-{
-        return (0);
-}
-
-static
-PKIX_Error *testCertContinue(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *selector,
-	void **pNBIOContext,
-        PKIX_List **pCerts,  /* list of PKIX_PL_Cert */
-        void *plContext)
-{
-        return (0);
-}
-
-static char *catDirName(char *platform, char *dir, void *plContext)
-{
-        char *pathName = NULL;
-        PKIX_UInt32 dirLen;
-        PKIX_UInt32 platformLen;
-
-        PKIX_TEST_STD_VARS();
-
-        dirLen = PL_strlen(dir);
-        platformLen = PL_strlen(platform);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (platformLen + dirLen + 2, (void **)&pathName, plContext));
-
-        PL_strcpy(pathName, platform);
-        PL_strcat(pathName, "/");
-        PL_strcat(pathName, dir);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (pathName);
-}
-
-static
-void testCertStore(char *crlDir)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_PL_Object *getCertStoreContext = NULL;
-        PKIX_CertStore_CertCallback certCallback = NULL;
-        PKIX_CertStore_CRLCallback crlCallback = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    crlDir,
-                                    0,
-                                    &dirString,
-                                    plContext));
-
-        subTest("PKIX_CertStore_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create
-                                    (testCertCallback,
-                                    testCRLCallback,
-                                    testCertContinue,
-                                    testCRLContinue,
-                                    NULL,        /* trustCallback */
-                                    (PKIX_PL_Object *) dirString,
-                                    PKIX_TRUE,   /* cacheFlag */
-                                    PKIX_TRUE,   /* local */
-                                    &certStore,
-                                    plContext));
-
-        subTest("PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                                    (certStore, &certCallback, plContext));
-
-        if (certCallback != testCertCallback) {
-                testError("PKIX_CertStore_GetCertCallback unexpected mismatch");
-        }
-
-        subTest("PKIX_CertStore_GetCRLCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-                                    (certStore, &crlCallback, plContext));
-
-        if (crlCallback != testCRLCallback) {
-                testError("PKIX_CertStore_GetCRLCallback unexpected mismatch");
-        }
-
-        subTest("PKIX_CertStore_GetCertStoreContext");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertStore_GetCertStoreContext
-                (certStore, &getCertStoreContext, plContext));
-
-        if ((PKIX_PL_Object *)dirString != getCertStoreContext) {
-            testError("PKIX_CertStore_GetCertStoreContext unexpected mismatch");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(getCertStoreContext);
-
-        PKIX_TEST_RETURN();
-}
-
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s testName <data-dir> <platform-dir>\n\n", pName);
-}
-
-/* Functional tests for CertStore public functions */
-
-int test_store(int argc, char *argv[]) {
-
-        char *platformDir = NULL;
-        char *dataDir = NULL;
-        char *combinedDir = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < (3 + j)) {
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        startTests(argv[1 + j]);
-
-        dataDir = argv[2 + j];
-        platformDir = argv[3 + j];
-	combinedDir = catDirName(platformDir, dataDir, plContext);
-
-        testCertStore(combinedDir);
-
-
-cleanup:
-
-        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CertStore");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/Makefile b/security/nss/cmd/libpkix/pkix/top/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/top/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/top/manifest.mn b/security/nss/cmd/libpkix/pkix/top/manifest.mn
deleted file mode 100755
index ba30cedb3..000000000
--- a/security/nss/cmd/libpkix/pkix/top/manifest.mn
+++ /dev/null
@@ -1,66 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_basicchecker.c \
-	test_basicconstraintschecker.c \
-	test_buildchain.c \
-	test_buildchain_uchecker.c \
-	test_buildchain_partialchain.c \
-	test_buildchain_resourcelimits.c \
-	test_customcrlchecker.c \
-	test_defaultcrlchecker2stores.c \
-	test_ocsp.c \
-	test_policychecker.c \
-	test_subjaltnamechecker.c \
-	test_validatechain.c \
-	test_validatechain_bc.c \
-	test_validatechain_NB.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtooltop
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c
deleted file mode 100644
index f66fdf390..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_basicchecker.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_basicchecker.c
- *
- * Test Basic Checking
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Basic-Common-Fields <pass>");
-        /*
-         * Tests the Expiration, NameChaining, and Signature Checkers
-         */
-
-        chain = createCertChain(dirName, goodInput, diffInput, plContext);
-
-        valParams = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                dateAscii,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, &verifyTree, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testNameChainingFail(
-        char *dirName,
-        char *goodInput,
-        char *diffInput,
-        char *dateAscii)
-{
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("NameChaining <fail>");
-
-        chain = createCertChain(dirName, diffInput, goodInput, plContext);
-
-        valParams = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                dateAscii,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, &verifyTree, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testDateFail(char *dirName, char *goodInput, char *diffInput){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        chain = createCertChain(dirName, goodInput, diffInput, plContext);
-
-        subTest("Expiration <fail>");
-        valParams = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                                (valParams, &valResult, NULL, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testSignatureFail(
-       char *dirName,
-       char *goodInput,
-       char *diffInput,
-       char *dateAscii)
-{
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Signature <fail>");
-
-        chain = createCertChain(dirName, diffInput, goodInput, plContext);
-
-        valParams = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                dateAscii,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                                (valParams, &valResult, NULL, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <central-data-dir>\n\n", pName);
-}
-
-int test_basicchecker(int argc, char *argv[]) {
-
-        char *goodInput = "yassir2yassir";
-        char *diffInput = "yassir2bcn";
-        char *dateAscii = "991201000000Z";
-        char *dirName = NULL;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("SignatureChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 2){
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[j+1];
-
-        /* The NameChaining, Expiration, and Signature Checkers all pass */
-        testPass(dirName, goodInput, diffInput, dateAscii);
-
-        /* Individual Checkers fail */
-        testNameChainingFail(dirName, goodInput, diffInput, dateAscii);
-        testDateFail(dirName, goodInput, diffInput);
-
-        /*
-         * XXX
-         * since the signature check is done last, we need to create
-         * certs whose name chaining passes, but their signatures fail;
-         * we currently don't have any such certs.
-         */
-        /* testSignatureFail(goodInput, diffInput, dateAscii); */
-
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("SignatureChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c b/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c
deleted file mode 100644
index fcaf2d966..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_basicconstraintschecker.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_basicconstraintschecker.c
- *
- * Test Basic Constraints Checking
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-
-static void *plContext = NULL;
-
-static
-void printUsage1(char *pName){
-        printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
-        printf("cert [certs].\n");
-}
-
-static
-void printUsageMax(PKIX_UInt32 numCerts){
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-int test_basicconstraintschecker(int argc, char *argv[]){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean testValid = PKIX_FALSE;
-        char *dirName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 4){
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        startTests("BasicConstraintsChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[3+j];
-
-        chainLength = (argc - j) - 4;
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-        }
-
-        for (i = 0; i < chainLength; i++) {
-                certNames[i] = argv[(4+j)+i];
-                certs[i] = NULL;
-        }
-
-        subTest(argv[1+j]);
-
-        subTest("Basic-Constraints - Create Cert Chain");
-
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        /*
-         * Error occurs when creating Cert, this is critical and test
-         * should not continue. Since we expect error, we assume this
-         * error is the one that is expected, so undo the error count.
-         *
-         * This work needs future enhancement. We will introduce another
-         * flag ESE, in addition to the existing EE(expect validation
-         * error) and ENE(expect no validation error). ESE stands for
-         * "expect setup error". When running with ESE, if any of the setup
-         * calls such creating Cert Chain fails, the test can end and
-         * considered to be successful.
-         */
-        if (testValid == PKIX_FALSE && chain == NULL) {
-                testErrorUndo("Cert Error - Create failed");
-                goto cleanup;
-        }
-
-        subTest("Basic-Constraints - Create Params");
-
-        valParams = createValidateParams
-                (dirName,
-                argv[4+j],
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("Basic-Constraints - Validate Chain");
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("BasicConstraintsChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain.c
deleted file mode 100644
index 1f22e4f6a..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_buildchain.c
+++ /dev/null
@@ -1,504 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildchain.c
- *
- * Test BuildChain function
- *
- */
-
-/* #define debuggingWithoutRevocation */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define LDAP_PORT 389
-static PKIX_Boolean usebind = PKIX_FALSE;
-static PKIX_Boolean useLDAP = PKIX_FALSE;
-static char buf[PR_NETDB_BUF_SIZE];
-static char *serverName = NULL;
-static char *sepPtr = NULL;
-static PRNetAddr netAddr;
-static PRHostEnt hostent;
-static PKIX_UInt32 portNum = 0;
-static PRIntn hostenum = 0;
-static PRStatus prstatus = PR_FAILURE;
-static void *ipaddr = NULL;
-
-
-static void *plContext = NULL;
-
-static void printUsage(void) {
-    (void) printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] "
-        "servername[:port] <testName> [ENE|EE]\n"
-        "\t <certStoreDirectory> <targetCert>"
-        " <intermediate Certs...> <trustedCert>\n\n");
-    (void) printf
-        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
-        "using the certs and CRLs in <certStoreDirectory>. "
-        "servername[:port] gives\n"
-        "the address of an LDAP server. If port is not"
-        " specified, port 389 is used. \"-\" means no LDAP server.\n"
-        "If ENE is specified, then an Error is Not Expected. "
-        "EE indicates an Error is Expected.\n");
-}
-
-static PKIX_Error *
-createLdapCertStore(
-        char *hostname,
-        PRIntervalTime timeout,
-        PKIX_CertStore **pLdapCertStore,
-        void* plContext)
-{
-        PRIntn backlog = 0;
-
-        char *bindname = "";
-        char *auth = "";
-
-        LDAPBindAPI bindAPI;
-        LDAPBindAPI *bindPtr = NULL;
-        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
-        PKIX_CertStore *ldapCertStore = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (usebind) {
-                bindPtr = &bindAPI;
-                bindAPI.selector = SIMPLE_AUTH;
-                bindAPI.chooser.simple.bindName = bindname;
-                bindAPI.chooser.simple.authentication = auth;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
-                (hostname, timeout, bindPtr, &ldapClient, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
-                ((PKIX_PL_LdapClient *)ldapClient,
-                &ldapCertStore,
-                plContext));
-
-        *pLdapCertStore = ldapCertStore;
-cleanup:
-
-        PKIX_TEST_DECREF_AC(ldapClient);
-
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-int test_buildchain(int argc, char *argv[])
-{
-        PKIX_BuildResult *buildResult = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_RevocationChecker *revChecker = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        char *dirName = NULL;
-        PKIX_PL_String *dirNameString = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *targetCert = NULL;
-        PKIX_UInt32 actualMinorVersion = 0;
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_CertStore *ldapCertStore = NULL;
-        PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
-        /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
-        PKIX_CertStore *certStore = NULL;
-        PKIX_List *certStores = NULL;
-        PKIX_List *revCheckers = NULL;
-        char * asciiResult = NULL;
-        PKIX_Boolean result = PKIX_FALSE;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        PKIX_List *expectedCerts = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        PKIX_PL_String *actualCertsString = NULL;
-        PKIX_PL_String *expectedCertsString = NULL;
-        void *state = NULL;
-        char *actualCertsAscii = NULL;
-        char *expectedCertsAscii = NULL;
-        PRPollDesc *pollDesc = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("BuildChain");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /*
-         * arguments:
-         * [optional] -arenas
-         * [optional] usebind
-         *            servername or servername:port ( - for no server)
-         *            testname
-         *            EE or ENE
-         *            cert directory
-         *            target cert (end entity)
-         *            intermediate certs
-         *            trust anchor
-         */
-
-        /* optional argument "usebind" for Ldap CertStore */
-        if (argv[j + 1]) {
-                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
-                        usebind = PKIX_TRUE;
-                        j++;
-                }
-        }
-
-        if (PORT_Strcmp(argv[++j], "-") == 0) {
-                useLDAP = PKIX_FALSE;
-        } else {
-                serverName = argv[j];
-                useLDAP = PKIX_TRUE;
-        }
-
-        subTest(argv[++j]);
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        dirName = argv[++j];
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
-
-        for (k = ++j; k < (PKIX_UInt32)argc; k++) {
-
-                dirCert = createCert(dirName, argv[k], plContext);
-
-                if (k == (PKIX_UInt32)(argc - 1)) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)dirCert, plContext));
-                        trustedCert = dirCert;
-                } else {
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_AppendItem
-                                (expectedCerts,
-                                (PKIX_PL_Object *)dirCert,
-                                plContext));
-
-                        if (k == j) {
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                        ((PKIX_PL_Object *)dirCert, plContext));
-                                targetCert = dirCert;
-                        }
-                }
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create CertStores */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
-
-        if (useLDAP == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
-                        (serverName, timeout, &ldapCertStore, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (certStores,
-                        (PKIX_PL_Object *)ldapCertStore,
-                        plContext));
-        } else {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_CollectionCertStore_Create
-                        (dirNameString, &certStore, plContext));
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (certStores, (PKIX_PL_Object *)certStore, plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                (procParams, certStores, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (trustedCert, &trustedPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (expectedCerts, &numCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
-                (certStores,
-                NULL, /* testDate, may be NULL */
-                trustedPubKey,
-                numCerts,
-                &revChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-#ifdef debuggingWithoutRevocation
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_FALSE, plContext));
-#endif
-
-        /* build cert chain using processing params and return buildResult */
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                (void **)&pollDesc,
-                &state,
-                &buildResult,
-		&verifyTree,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_BuildChain
-                        (procParams,
-                        (void **)&pollDesc,
-                        &state,
-                        &buildResult,
-			&verifyTree,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-        } else {
-	        if (testValid == PKIX_TRUE) { /* ENE */
-        	        (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-	        } else { /* EE */
-        	        (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
-	        }
-	}
-
-        subTest("Displaying VerifyNode objects");
-
-	if (verifyTree == NULL) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-		    (PKIX_ESCASCII, "(null)", 0, &verifyString, plContext));
-	} else {
-	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-        	    ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-	}
-
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-
-        if (pkixTestErrorResult) {
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                goto cleanup;
-        }
-
-        if (buildResult) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Object_Equals
-                        ((PKIX_PL_Object*)certs,
-                        (PKIX_PL_Object*)expectedCerts,
-                        &result,
-                        plContext));
-
-                if (!result) {
-                        testError("BUILT CERTCHAIN IS "
-                                    "NOT THE ONE THAT WAS EXPECTED");
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)certs,
-                                &actualCertsString,
-                                plContext));
-
-                        actualCertsAscii = PKIX_String2ASCII
-                                (actualCertsString, plContext);
-                        if (actualCertsAscii == NULL) {
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)expectedCerts,
-                                &expectedCertsString,
-                                plContext));
-
-                        expectedCertsAscii = PKIX_String2ASCII
-                                (expectedCertsString, plContext);
-                        if (expectedCertsAscii == NULL) {
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
-                        (void) printf("Expected value:\t%s\n",
-                                        expectedCertsAscii);
-                }
-
-        }
-
-cleanup:
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-
-        PKIX_PL_Free(asciiResult, NULL);
-        PKIX_PL_Free(actualCertsAscii, plContext);
-        PKIX_PL_Free(expectedCertsAscii, plContext);
-
-        PKIX_TEST_DECREF_AC(state);
-        PKIX_TEST_DECREF_AC(actualCertsString);
-        PKIX_TEST_DECREF_AC(expectedCertsString);
-        PKIX_TEST_DECREF_AC(expectedCerts);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStores);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(revChecker);
-        PKIX_TEST_DECREF_AC(ldapCertStore);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(dirNameString);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(trustedCert);
-        PKIX_TEST_DECREF_AC(trustedPubKey);
-
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(targetCert);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BuildChain");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c
deleted file mode 100644
index 2cc26e08b..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_buildchain_partialchain.c
+++ /dev/null
@@ -1,854 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildchain_partialchain.c
- *
- * Test BuildChain function
- *
- */
-
-#define debuggingWithoutRevocation
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define LDAP_PORT 389
-static PKIX_Boolean usebind = PKIX_FALSE;
-static PKIX_Boolean useLDAP = PKIX_FALSE;
-static char buf[PR_NETDB_BUF_SIZE];
-static char *serverName = NULL;
-static char *sepPtr = NULL;
-static PRNetAddr netAddr;
-static PRHostEnt hostent;
-static PKIX_UInt32 portNum = 0;
-static PRIntn hostenum = 0;
-static PRStatus prstatus = PR_FAILURE;
-static void *ipaddr = NULL;
-
-
-static void *plContext = NULL;
-
-static void printUsage(void) {
-    (void) printf("\nUSAGE:\ttest_buildchain [-arenas] [usebind] "
-        "servername[:port] <testName> [ENE|EE]\n"
-        "\t <certStoreDirectory> <targetCert>"
-        " <intermediate Certs...> <trustedCert>\n\n");
-    (void) printf
-        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
-        "using the certs and CRLs in <certStoreDirectory>. "
-        "servername[:port] gives\n"
-        "the address of an LDAP server. If port is not"
-        " specified, port 389 is used. \"-\" means no LDAP server.\n"
-        "If ENE is specified, then an Error is Not Expected. "
-        "EE indicates an Error is Expected.\n");
-}
-
-static PKIX_Error *
-createLdapCertStore(
-        char *hostname,
-        PRIntervalTime timeout,
-        PKIX_CertStore **pLdapCertStore,
-        void* plContext)
-{
-        PRIntn backlog = 0;
-
-        char *bindname = "";
-        char *auth = "";
-
-        LDAPBindAPI bindAPI;
-        LDAPBindAPI *bindPtr = NULL;
-        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
-        PKIX_CertStore *ldapCertStore = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (usebind) {
-                bindPtr = &bindAPI;
-                bindAPI.selector = SIMPLE_AUTH;
-                bindAPI.chooser.simple.bindName = bindname;
-                bindAPI.chooser.simple.authentication = auth;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
-                (hostname, timeout, bindPtr, &ldapClient, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
-                ((PKIX_PL_LdapClient *)ldapClient,
-                &ldapCertStore,
-                plContext));
-
-        *pLdapCertStore = ldapCertStore;
-cleanup:
-
-        PKIX_TEST_DECREF_AC(ldapClient);
-
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-/* Test with all Certs in the partial list, no leaf */
-static PKIX_Error *
-testWithNoLeaf(
-        PKIX_PL_Cert *trustedCert,
-        PKIX_List *listOfCerts,
-        PKIX_PL_Cert *targetCert,
-        PKIX_List *certStores,
-        PKIX_Boolean testValid,
-        void* plContext)
-{
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *hintCerts = NULL;
-        PKIX_List *revCheckers = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
-        PKIX_RevocationChecker *revChecker = NULL;
-        PKIX_BuildResult *buildResult = NULL;
-        PRPollDesc *pollDesc = NULL;
-        void *state = NULL;
-        char *asciiResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                (anchors, &procParams, plContext));
-
-        /* create CertSelector with no target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create hintCerts */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)listOfCerts,
-                (PKIX_PL_Object **)&hintCerts,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
-                (procParams, hintCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                (procParams, certStores, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (trustedCert, &trustedPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (listOfCerts, &numCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
-                (certStores,
-                NULL, /* testDate, may be NULL */
-                trustedPubKey,
-                numCerts,
-                &revChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-#ifdef debuggingWithoutRevocation
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_FALSE, plContext));
-#endif
-
-        /* build cert chain using processing params and return buildResult */
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                (void **)&pollDesc,
-                &state,
-                &buildResult,
-                NULL,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_BuildChain
-                        (procParams,
-                        (void **)&pollDesc,
-                        &state,
-                        &buildResult,
-                        NULL,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                goto cleanup;
-        }
-
-        if (testValid == PKIX_TRUE) { /* ENE */
-                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-        } else { /* EE */
-                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
-        }
-
-        if (buildResult) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-        }
-
-cleanup:
-        PKIX_PL_Free(asciiResult, NULL);
-
-        PKIX_TEST_DECREF_AC(state);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(revChecker);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(hintCerts);
-        PKIX_TEST_DECREF_AC(trustedPubKey);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-/* Test with all Certs in the partial list, leaf duplicates the first one */
-static PKIX_Error *
-testWithDuplicateLeaf(
-        PKIX_PL_Cert *trustedCert,
-        PKIX_List *listOfCerts,
-        PKIX_PL_Cert *targetCert,
-        PKIX_List *certStores,
-        PKIX_Boolean testValid,
-        void* plContext)
-{
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *hintCerts = NULL;
-        PKIX_List *revCheckers = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
-        PKIX_RevocationChecker *revChecker = NULL;
-        PKIX_BuildResult *buildResult = NULL;
-        PRPollDesc *pollDesc = NULL;
-        void *state = NULL;
-        char *asciiResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create hintCerts */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)listOfCerts,
-                (PKIX_PL_Object **)&hintCerts,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
-                (procParams, hintCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                (procParams, certStores, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (trustedCert, &trustedPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (listOfCerts, &numCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
-                (certStores,
-                NULL, /* testDate, may be NULL */
-                trustedPubKey,
-                numCerts,
-                &revChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-#ifdef debuggingWithoutRevocation
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_FALSE, plContext));
-#endif
-
-        /* build cert chain using processing params and return buildResult */
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                (void **)&pollDesc,
-                &state,
-                &buildResult,
-                NULL,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_BuildChain
-                        (procParams,
-                        (void **)&pollDesc,
-                        &state,
-                        &buildResult,
-                        NULL,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                goto cleanup;
-        }
-
-        if (testValid == PKIX_TRUE) { /* ENE */
-                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-        } else { /* EE */
-                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
-        }
-
-        if (buildResult) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-        }
-
-cleanup:
-        PKIX_PL_Free(asciiResult, NULL);
-
-        PKIX_TEST_DECREF_AC(state);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(revChecker);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(hintCerts);
-        PKIX_TEST_DECREF_AC(trustedPubKey);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-/* Test with all Certs except the leaf in the partial list */
-static PKIX_Error *
-testWithLeafAndChain(
-        PKIX_PL_Cert *trustedCert,
-        PKIX_List *listOfCerts,
-        PKIX_PL_Cert *targetCert,
-        PKIX_List *certStores,
-        PKIX_Boolean testValid,
-        void* plContext)
-{
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *hintCerts = NULL;
-        PKIX_List *revCheckers = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
-        PKIX_RevocationChecker *revChecker = NULL;
-        PKIX_BuildResult *buildResult = NULL;
-        PRPollDesc *pollDesc = NULL;
-        void *state = NULL;
-        char *asciiResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create hintCerts */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                ((PKIX_PL_Object *)listOfCerts,
-                (PKIX_PL_Object **)&hintCerts,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem
-                (hintCerts, 0, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetHintCerts
-                (procParams, hintCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                (procParams, certStores, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (trustedCert, &trustedPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (listOfCerts, &numCerts, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_DefaultRevChecker_Initialize
-                (certStores,
-                NULL, /* testDate, may be NULL */
-                trustedPubKey,
-                numCerts,
-                &revChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-#ifdef debuggingWithoutRevocation
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_FALSE, plContext));
-#endif
-
-        /* build cert chain using processing params and return buildResult */
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                (void **)&pollDesc,
-                &state,
-                &buildResult,
-                NULL,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_BuildChain
-                        (procParams,
-                        (void **)&pollDesc,
-                        &state,
-                        &buildResult,
-                        NULL,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                goto cleanup;
-        }
-
-        if (testValid == PKIX_TRUE) { /* ENE */
-                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-        } else { /* EE */
-                (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
-        }
-
-        if (buildResult) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(state);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(revChecker);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(hintCerts);
-        PKIX_TEST_DECREF_AC(trustedPubKey);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-int test_buildchain_partialchain(int argc, char *argv[])
-{
-        PKIX_UInt32 actualMinorVersion = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_Boolean ene = PKIX_TRUE; /* expect no error */
-        PKIX_List *listOfCerts = NULL;
-        PKIX_List *certStores = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-        PKIX_PL_Cert *trusted = NULL;
-        PKIX_PL_Cert *target = NULL;
-        PKIX_CertStore *ldapCertStore = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_PL_String *dirNameString = NULL;
-        char *dirName = NULL;
-
-        PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT; /* blocking */
-        /* PRIntervalTime timeout = PR_INTERVAL_NO_WAIT; =0 for non-blocking */
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("BuildChain");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /*
-         * arguments:
-         * [optional] -arenas
-         * [optional] usebind
-         *            servername or servername:port ( - for no server)
-         *            testname
-         *            EE or ENE
-         *            cert directory
-         *            target cert (end entity)
-         *            intermediate certs
-         *            trust anchor
-         */
-
-        /* optional argument "usebind" for Ldap CertStore */
-        if (argv[j + 1]) {
-                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
-                        usebind = PKIX_TRUE;
-                        j++;
-                }
-        }
-
-        if (PORT_Strcmp(argv[++j], "-") == 0) {
-                useLDAP = PKIX_FALSE;
-        } else {
-                serverName = argv[j];
-                useLDAP = PKIX_TRUE;
-        }
-
-        subTest(argv[++j]);
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
-                ene = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
-                ene = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        dirName = argv[++j];
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&listOfCerts, plContext));
-
-        for (k = ++j; k < ((PKIX_UInt32)argc); k++) {
-
-                dirCert = createCert(dirName, argv[k], plContext);
-
-                if (k == ((PKIX_UInt32)(argc - 1))) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)dirCert, plContext));
-                        trusted = dirCert;
-                } else {
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_AppendItem
-                                (listOfCerts,
-                                (PKIX_PL_Object *)dirCert,
-                                plContext));
-
-                        if (k == j) {
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                        ((PKIX_PL_Object *)dirCert, plContext));
-                                target = dirCert;
-                        }
-                }
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        /* create CertStores */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, dirName, 0, &dirNameString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
-
-        if (useLDAP == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
-                        (serverName, timeout, &ldapCertStore, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (certStores,
-                        (PKIX_PL_Object *)ldapCertStore,
-                        plContext));
-        } else {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_CollectionCertStore_Create
-                        (dirNameString, &certStore, plContext));
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (certStores, (PKIX_PL_Object *)certStore, plContext));
-        }
-
-        subTest("testWithNoLeaf");
-        PKIX_TEST_EXPECT_NO_ERROR(testWithNoLeaf
-                (trusted, listOfCerts, target, certStores, ene, plContext));
-
-        subTest("testWithDuplicateLeaf");
-        PKIX_TEST_EXPECT_NO_ERROR(testWithDuplicateLeaf
-                (trusted, listOfCerts, target, certStores, ene, plContext));
-
-        subTest("testWithLeafAndChain");
-        PKIX_TEST_EXPECT_NO_ERROR(testWithLeafAndChain
-                (trusted, listOfCerts, target, certStores, ene, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(listOfCerts);
-        PKIX_TEST_DECREF_AC(certStores);
-        PKIX_TEST_DECREF_AC(ldapCertStore);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(dirNameString);
-        PKIX_TEST_DECREF_AC(trusted);
-        PKIX_TEST_DECREF_AC(target);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BuildChain");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c
deleted file mode 100644
index 76ddaf327..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_buildchain_resourcelimits.c
+++ /dev/null
@@ -1,530 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildchain_resourcelimits.c
- *
- * Test BuildChain function with constraints on resources
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TESTUSERCHECKER_TYPE (PKIX_NUMTYPES+30)
-
-static void *plContext = NULL;
-static PKIX_Boolean usebind = PKIX_FALSE;
-static PKIX_Boolean useLDAP = PKIX_FALSE;
-static char buf[PR_NETDB_BUF_SIZE];
-static char *serverName = NULL;
-
-static void printUsage(void) {
-    (void) printf("\nUSAGE:\ttest_buildchain_resourcelimits [-arenas] "
-        "[usebind] servername[:port]\\\n\t\t<testName> [ENE|EE]"
-        " <certStoreDirectory>\\\n\t\t<targetCert>"
-        " <intermediate Certs...> <trustedCert>\n\n");
-    (void) printf
-        ("Builds a chain of certificates from <targetCert> to <trustedCert>\n"
-        "using the certs and CRLs in <certStoreDirectory>. "
-        "servername[:port] gives\n"
-        "the address of an LDAP server. If port is not"
-        " specified, port 389 is used.\n\"-\" means no LDAP server.\n\n"
-        "If ENE is specified, then an Error is Not Expected.\n"
-        "EE indicates an Error is Expected.\n");
-}
-
-static PKIX_Error *
-createLdapCertStore(
-        char *hostname,
-        PRIntervalTime timeout,
-        PKIX_CertStore **pLdapCertStore,
-        void* plContext)
-{
-        PRIntn backlog = 0;
-
-        char *bindname = "";
-        char *auth = "";
-
-        LDAPBindAPI bindAPI;
-        LDAPBindAPI *bindPtr = NULL;
-        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
-        PKIX_CertStore *ldapCertStore = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (usebind) {
-                bindPtr = &bindAPI;
-                bindAPI.selector = SIMPLE_AUTH;
-                bindAPI.chooser.simple.bindName = bindname;
-                bindAPI.chooser.simple.authentication = auth;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
-                (hostname, timeout, bindPtr, &ldapClient, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
-                ((PKIX_PL_LdapClient *)ldapClient, &ldapCertStore, plContext));
-
-        *pLdapCertStore = ldapCertStore;
-cleanup:
-
-        PKIX_TEST_DECREF_AC(ldapClient);
-
-        PKIX_TEST_RETURN();
-
-        return (pkixTestErrorResult);
-
-}
-
-static void Test_BuildResult(
-        PKIX_ProcessingParams *procParams,
-        PKIX_Boolean testValid,
-        PKIX_List *expectedCerts,
-        void *plContext)
-{
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_String *actualCertsString = NULL;
-        PKIX_PL_String *expectedCertsString = NULL;
-        PKIX_BuildResult *buildResult = NULL;
-        PKIX_Boolean result;
-        PKIX_Boolean supportForward = PKIX_FALSE;
-        PKIX_UInt32 numCerts, i;
-        char *asciiResult = NULL;
-        char *actualCertsAscii = NULL;
-        char *expectedCertsAscii = NULL;
-        void *state = NULL;
-        PRPollDesc *pollDesc = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                (void **)&pollDesc,
-                &state,
-                &buildResult,
-                NULL,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_BuildChain
-                        (procParams,
-                        (void **)&pollDesc,
-                        &state,
-                        &buildResult,
-                        NULL,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED!\n");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                goto cleanup;
-        }
-
-        if (testValid == PKIX_TRUE) { /* ENE */
-                (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-        } else { /* EE */
-                testError("UNEXPECTED NON-ERROR RECEIVED!\n");
-        }
-
-        if (buildResult){
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, NULL));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++){
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Object_Equals
-                        ((PKIX_PL_Object*)certs,
-                        (PKIX_PL_Object*)expectedCerts,
-                        &result,
-                        plContext));
-
-                if (!result){
-                        testError("BUILT CERTCHAIN IS "
-                                    "NOT THE ONE THAT WAS EXPECTED");
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)certs,
-                                &actualCertsString,
-                                plContext));
-
-                        actualCertsAscii = PKIX_String2ASCII
-                                (actualCertsString, plContext);
-                        if (actualCertsAscii == NULL){
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)expectedCerts,
-                                &expectedCertsString,
-                                plContext));
-
-                        expectedCertsAscii = PKIX_String2ASCII
-                                (expectedCertsString, plContext);
-                        if (expectedCertsAscii == NULL){
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
-                        (void) printf("Expected value:\t%s\n",
-                                        expectedCertsAscii);
-                }
-
-        }
-
-cleanup:
-
-        PKIX_PL_Free(asciiResult, NULL);
-        PKIX_PL_Free(actualCertsAscii, plContext);
-        PKIX_PL_Free(expectedCertsAscii, plContext);
-        PKIX_TEST_DECREF_AC(state);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(actualCertsString);
-        PKIX_TEST_DECREF_AC(expectedCertsString);
-
-        PKIX_TEST_RETURN();
-
-}
-
-int test_buildchain_resourcelimits(int argc, char *argv[])
-{
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_CertChainChecker *checker = NULL;
-        PKIX_ResourceLimits *resourceLimits = NULL;
-        char *dirName = NULL;
-        PKIX_PL_String *dirNameString = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *targetCert = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-        PKIX_UInt32 actualMinorVersion = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_CertStore *ldapCertStore = NULL;
-        PRIntervalTime timeout = 0; /* 0 for non-blocking */
-        PKIX_CertStore *certStore = NULL;
-        PKIX_List *certStores = NULL;
-        PKIX_List *expectedCerts = NULL;
-        PKIX_Boolean testValid = PKIX_FALSE;
-        PKIX_Boolean usebind = PKIX_FALSE;
-        PKIX_Boolean useLDAP = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5){
-                printUsage();
-                return (0);
-        }
-
-        startTests("BuildChain_ResourceLimits");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /*
-         * arguments:
-         * [optional] -arenas
-         * [optional] usebind
-         *            servername or servername:port ( - for no server)
-         *            testname
-         *            EE or ENE
-         *            cert directory
-         *            target cert (end entity)
-         *            intermediate certs
-         *            trust anchor
-         */
-
-        /* optional argument "usebind" for Ldap CertStore */
-        if (argv[j + 1]) {
-                if (PORT_Strcmp(argv[j + 1], "usebind") == 0) {
-                        usebind = PKIX_TRUE;
-                        j++;
-                }
-        }
-
-        if (PORT_Strcmp(argv[++j], "-") == 0) {
-                useLDAP = PKIX_FALSE;
-        } else {
-                serverName = argv[j];
-        }
-
-        subTest(argv[++j]);
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[++j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        dirName = argv[++j];
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
-
-        for (k = ++j; k < argc; k++) {
-
-                dirCert = createCert(dirName, argv[k], plContext);
-
-                if (k == (argc - 1)) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)dirCert, plContext));
-                        trustedCert = dirCert;
-                } else {
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_AppendItem
-                                (expectedCerts,
-                                (PKIX_PL_Object *)dirCert,
-                                plContext));
-
-                        if (k == j) {
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                        ((PKIX_PL_Object *)dirCert, plContext));
-                                targetCert = dirCert;
-                        }
-                }
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                    (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                                    (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create CertStores */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    dirName,
-                                    0,
-                                    &dirNameString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirNameString, &certStore, plContext));
-
-#if 0
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                                    (&certStore, plContext));
-#endif
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
-
-        if (useLDAP == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(createLdapCertStore
-                        (serverName, timeout, &ldapCertStore, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (certStores,
-                        (PKIX_PL_Object *)ldapCertStore,
-                        plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (certStores, (PKIX_PL_Object *)certStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                                    (procParams, certStores, plContext));
-
-        /* set resource limits */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_Create
-                (&resourceLimits, plContext));
-
-        /* need longer time when running dbx for memory leak checking */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                (resourceLimits, 60, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                (resourceLimits, 2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                (resourceLimits, 2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetResourceLimits
-                                    (procParams, resourceLimits, plContext));
-
-        /* build cert chain using processing params and return buildResult */
-
-        subTest("Testing ResourceLimits MaxFanout & MaxDepth - <pass>");
-        Test_BuildResult
-                (procParams,
-                testValid,
-                expectedCerts,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                (resourceLimits, 1, plContext));
-
-        subTest("Testing ResourceLimits MaxFanout - <fail>");
-        Test_BuildResult
-                (procParams,
-                PKIX_FALSE,
-                expectedCerts,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                (resourceLimits, 2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                (resourceLimits, 1, plContext));
-
-        subTest("Testing ResourceLimits MaxDepth - <fail>");
-        Test_BuildResult
-                (procParams,
-                PKIX_FALSE,
-                expectedCerts,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxFanout
-                (resourceLimits, 0, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxDepth
-                (resourceLimits, 0, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ResourceLimits_SetMaxTime
-                (resourceLimits, 0, plContext));
-
-        subTest("Testing ResourceLimits No checking - <pass>");
-        Test_BuildResult
-                (procParams,
-                testValid,
-                expectedCerts,
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(expectedCerts);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStores);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(ldapCertStore);
-        PKIX_TEST_DECREF_AC(dirNameString);
-        PKIX_TEST_DECREF_AC(trustedCert);
-        PKIX_TEST_DECREF_AC(targetCert);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(checker);
-        PKIX_TEST_DECREF_AC(resourceLimits);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BuildChain_UserChecker");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c b/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c
deleted file mode 100644
index b133f2366..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_buildchain_uchecker.c
+++ /dev/null
@@ -1,406 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_buildchain_uchecker.c
- *
- * Test BuildChain User Checker function
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-static PKIX_UInt32 numUserCheckerCalled = 0;
-
-static
-void printUsage(void){
-        (void) printf("\nUSAGE:\ttest_buildchain_uchecker [ENE|EE] "
-                    "[-|[F]<userOID>] "
-                    "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
-        (void) printf
-                ("Builds a chain of certificates between "
-                "<trustedCert> and <targetCert>\n"
-                "using the certs and CRLs in <certStoreDirectory>.\n"
-                "If <userOID> is not an empty string, its value is used as\n"
-                "user defined checker's critical extension OID.\n"
-                "A - for <userOID> is no OID and F is for supportingForward.\n"
-                "If ENE is specified, then an Error is Not Expected.\n"
-                "If EE is specified, an Error is Expected.\n");
-}
-
-static PKIX_Error *
-testUserChecker(
-        PKIX_CertChainChecker *checker,
-        PKIX_PL_Cert *cert,
-        PKIX_List *unresExtOIDs,
-        void **pNBIOContext,
-        void *plContext)
-{
-        numUserCheckerCalled++;
-        return(0);
-}
-
-int test_buildchain_uchecker(int argc, char *argv[])
-{
-        PKIX_BuildResult *buildResult = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_CertChainChecker *checker = NULL;
-        char *dirName = NULL;
-        PKIX_PL_String *dirNameString = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *targetCert = NULL;
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_List *certStores = NULL;
-        char * asciiResult = NULL;
-        PKIX_Boolean result;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        PKIX_Boolean supportForward = PKIX_FALSE;
-        PKIX_List *expectedCerts = NULL;
-        PKIX_List *userOIDs = NULL;
-        PKIX_PL_OID *oid = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-        PKIX_PL_String *actualCertsString = NULL;
-        PKIX_PL_String *expectedCertsString = NULL;
-        char *actualCertsAscii = NULL;
-        char *expectedCertsAscii = NULL;
-        char *oidString = NULL;
-        void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
-        void *nbioContext = NULL; /* needed by pkix_build for non-blocking I/O */
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5){
-                printUsage();
-                return (0);
-        }
-
-        startTests("BuildChain_UserChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        /* OID specified at argv[3+j] */
-
-        if (*argv[3+j] != '-') {
-
-                if (*argv[3+j] == 'F') {
-                        supportForward = PKIX_TRUE;
-                        oidString = argv[3+j]+1;
-                } else {
-                        oidString = argv[3+j];
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                                (&userOIDs, plContext));
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                                (oidString, &oid, plContext));
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                (userOIDs, (PKIX_PL_Object *)oid, plContext));
-                PKIX_TEST_DECREF_BC(oid);
-        }
-
-        subTest(argv[1+j]);
-
-        dirName = argv[4+j];
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&expectedCerts, plContext));
-
-        chainLength = argc - j - 5;
-
-        for (k = 0; k < chainLength; k++){
-
-                dirCert = createCert(dirName, argv[5+k+j], plContext);
-
-                if (k == (chainLength - 1)){
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)dirCert, plContext));
-                        trustedCert = dirCert;
-                } else {
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_AppendItem
-                                (expectedCerts,
-                                (PKIX_PL_Object *)dirCert,
-                                plContext));
-
-                        if (k == 0){
-                                PKIX_TEST_EXPECT_NO_ERROR
-                                        (PKIX_PL_Object_IncRef
-                                        ((PKIX_PL_Object *)dirCert,
-                                        plContext));
-                                targetCert = dirCert;
-                        }
-                }
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        /* create processing params with list of trust anchors */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                    (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                                    (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertChainChecker_Create
-                                    (testUserChecker,
-                                    supportForward,
-                                    PKIX_FALSE,
-                                    userOIDs,
-                                    NULL,
-                                    &checker,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertChainChecker
-                                  (procParams, checker, plContext));
-
-
-        /* create CertStores */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    dirName,
-                                    0,
-                                    &dirNameString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirNameString, &certStore, plContext));
-
-#if 0
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                                    (&certStore, plContext));
-#endif
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (certStores, (PKIX_PL_Object *)certStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                                    (procParams, certStores, plContext));
-
-        /* build cert chain using processing params and return buildResult */
-
-        pkixTestErrorResult = PKIX_BuildChain
-                (procParams,
-                &nbioContext,
-                &buildState,
-                &buildResult,
-                NULL,
-                plContext);
-
-        if (testValid == PKIX_TRUE) { /* ENE */
-                if (pkixTestErrorResult){
-                        (void) printf("UNEXPECTED RESULT RECEIVED!\n");
-                } else {
-                        (void) printf("EXPECTED RESULT RECEIVED!\n");
-                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                }
-        } else { /* EE */
-                if (pkixTestErrorResult){
-                        (void) printf("EXPECTED RESULT RECEIVED!\n");
-                        PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-                } else {
-                        testError("UNEXPECTED RESULT RECEIVED");
-                }
-        }
-
-        if (buildResult){
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_BuildResult_GetCertChain
-                        (buildResult, &certs, NULL));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-                printf("\n");
-
-                for (i = 0; i < numCerts; i++){
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, plContext));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Object_Equals
-                        ((PKIX_PL_Object*)certs,
-                        (PKIX_PL_Object*)expectedCerts,
-                        &result,
-                        plContext));
-
-                if (!result){
-                        testError("BUILT CERTCHAIN IS "
-                                    "NOT THE ONE THAT WAS EXPECTED");
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)certs,
-                                &actualCertsString,
-                                plContext));
-
-                        actualCertsAscii = PKIX_String2ASCII
-                                (actualCertsString, plContext);
-                        if (actualCertsAscii == NULL){
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Object_ToString
-                                ((PKIX_PL_Object *)expectedCerts,
-                                &expectedCertsString,
-                                plContext));
-
-                        expectedCertsAscii = PKIX_String2ASCII
-                                (expectedCertsString, plContext);
-                        if (expectedCertsAscii == NULL){
-                                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                                goto cleanup;
-                        }
-
-                        (void) printf("Actual value:\t%s\n", actualCertsAscii);
-                        (void) printf("Expected value:\t%s\n",
-                                        expectedCertsAscii);
-
-                        if (chainLength - 1 != numUserCheckerCalled) {
-                                pkixTestErrorMsg =
-                                    "PKIX user defined checker not called";
-                        }
-
-                        goto cleanup;
-                }
-
-        }
-
-cleanup:
-        PKIX_PL_Free(asciiResult, plContext);
-        PKIX_PL_Free(actualCertsAscii, plContext);
-        PKIX_PL_Free(expectedCertsAscii, plContext);
-
-        PKIX_TEST_DECREF_AC(actualCertsString);
-        PKIX_TEST_DECREF_AC(expectedCertsString);
-        PKIX_TEST_DECREF_AC(expectedCerts);
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(certStores);
-        PKIX_TEST_DECREF_AC(dirNameString);
-        PKIX_TEST_DECREF_AC(trustedCert);
-        PKIX_TEST_DECREF_AC(targetCert);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(buildResult);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(userOIDs);
-        PKIX_TEST_DECREF_AC(checker);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BuildChain_UserChecker");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c b/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c
deleted file mode 100644
index fed86f278..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_customcrlchecker.c
+++ /dev/null
@@ -1,497 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_customcrlchecker.c
- *
- * Test Custom CRL Checking
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 5
-
-static void *plContext = NULL;
-char *dirName = NULL; /* also used in callback */
-
-static
-void printUsage1(char *pName){
-        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
-        printf("cert [certs].\n");
-}
-
-static
-void printUsageMax(PKIX_UInt32 numCerts){
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-static PKIX_Error *
-getCRLCallback(
-        PKIX_CertStore *store,
-        PKIX_CRLSelector *crlSelector,
-        void **pNBIOContext,
-        PKIX_List **pCrlList,
-        void *plContext)
-{
-        char *crlFileNames[] = {"chem.crl",
-                                "phys.crl",
-                                "prof.crl",
-                                "sci.crl",
-                                "test.crl",
-                                0 };
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_List *crlList = NULL;
-        PKIX_UInt32 i = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&crlList, plContext));
-
-        while (crlFileNames[i]) {
-
-                crl = createCRL(dirName, crlFileNames[i++], plContext);
-
-                if (crl != NULL) {
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                (crlList, (PKIX_PL_Object *)crl, plContext));
-
-                        PKIX_TEST_DECREF_BC(crl);
-                }
-        }
-
-        *pCrlList = crlList;
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (0); /* this function is called by libpkix */
-
-}
-
-static PKIX_Error *
-getCRLContinue(
-        PKIX_CertStore *store,
-        PKIX_CRLSelector *crlSelector,
-        void **pNBIOContext,
-        PKIX_List **pCrlList,
-        void *plContext)
-{
-        return (NULL);
-}
-
-static PKIX_Error *
-getCertCallback(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *certSelector,
-        void **pNBIOContext,
-        PKIX_List **pCerts,
-        void *plContext)
-{
-        return (NULL);
-}
-
-static PKIX_Error *
-getCertContinue(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *certSelector,
-        void **pNBIOContext,
-        PKIX_List **pCerts,
-        void *plContext)
-{
-        return (NULL);
-}
-
-static PKIX_Error *
-testCRLSelectorMatchCallback(
-        PKIX_CRLSelector *selector,
-        PKIX_PL_CRL *crl,
-        void *plContext)
-{
-        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
-        PKIX_List *issuerList = NULL;
-        PKIX_PL_X500Name *issuer = NULL;
-        PKIX_PL_X500Name *crlIssuer = NULL;
-        PKIX_UInt32 numIssuers = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_Boolean result = PKIX_FALSE;
-        PKIX_Error *error = NULL;
-        char *errorText = "Not an error, CRL Select mismatch";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Custom_Selector_MatchCallback");
-
-        if (selector != NULL) {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_CRLSelector_GetCommonCRLSelectorParams
-                        (selector, &comCrlSelParams, plContext));
-        }
-
-        if (crl != NULL) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer
-                        (crl, &crlIssuer, plContext));
-        }
-
-        if (comCrlSelParams != NULL) {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_ComCRLSelParams_GetIssuerNames
-                        (comCrlSelParams, &issuerList, plContext));
-        }
-
-        if (issuerList != NULL) {
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                    (issuerList, &numIssuers, plContext));
-
-                for (i = 0; i < numIssuers; i++){
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                    (issuerList,
-                                    i, (PKIX_PL_Object **)&issuer,
-                                    plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object *)crlIssuer,
-                                    (PKIX_PL_Object *)issuer,
-                                    &result,
-                                    plContext));
-
-                        if (result != PKIX_TRUE) {
-                                break;
-                        }
-
-                        if (i == numIssuers-1) {
-
-                                PKIX_TEST_EXPECT_NO_ERROR
-                                        (PKIX_Error_Create
-                                        (0,
-                                        NULL,
-                                        NULL,
-                                        PKIX_TESTNOTANERRORCRLSELECTMISMATCH,
-                                        &error,
-                                        plContext));
-
-                                PKIX_TEST_DECREF_AC(issuer);
-                                issuer = NULL;
-                                break;
-                        }
-
-                        PKIX_TEST_DECREF_AC(issuer);
-
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(comCrlSelParams);
-        PKIX_TEST_DECREF_AC(crlIssuer);
-        PKIX_TEST_DECREF_AC(issuer);
-        PKIX_TEST_DECREF_AC(issuerList);
-
-        PKIX_TEST_RETURN();
-
-        return (error);
-
-}
-
-static PKIX_Error *
-testAddIssuerName(PKIX_ComCRLSelParams *comCrlSelParams, char *issuerName)
-{
-        PKIX_PL_String *issuerString = NULL;
-        PKIX_PL_X500Name *issuer = NULL;
-        PKIX_UInt32 length = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ComCRLSelParams_AddIssuerName");
-
-        length = PL_strlen(issuerName);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_UTF8,
-                                    issuerName,
-                                    length,
-                                    &issuerString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Create(issuerString,
-                                    &issuer,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_AddIssuerName
-                                    (comCrlSelParams, issuer, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(issuerString);
-        PKIX_TEST_DECREF_AC(issuer);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-static PKIX_Error *
-testCustomCertStore(PKIX_ValidateParams *valParams)
-{
-        PKIX_CertStore_CRLCallback crlCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        char *issuerName1 = "cn=science,o=mit,c=us";
-        char *issuerName2 = "cn=physics,o=mit,c=us";
-        char *issuerName3 = "cn=prof noall,o=mit,c=us";
-        char *issuerName4 = "cn=testing CRL,o=test,c=us";
-        PKIX_ComCRLSelParams *comCrlSelParams = NULL;
-        PKIX_CRLSelector *crlSelector = NULL;
-        PKIX_List *crlList = NULL;
-        PKIX_UInt32 numCrl = 0;
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CollectionCertStore_Create");
-
-        /* Create CRLSelector, link in CollectionCertStore */
-
-        subTest("PKIX_ComCRLSelParams_AddIssuerNames");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                                    (&comCrlSelParams, plContext));
-
-
-        testAddIssuerName(comCrlSelParams, issuerName1);
-        testAddIssuerName(comCrlSelParams, issuerName2);
-        testAddIssuerName(comCrlSelParams, issuerName3);
-        testAddIssuerName(comCrlSelParams, issuerName4);
-
-
-        subTest("PKIX_CRLSelector_SetCommonCRLSelectorParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                                    (testCRLSelectorMatchCallback,
-                                    NULL,
-                                    &crlSelector,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_SetCommonCRLSelectorParams
-                                    (crlSelector, comCrlSelParams, plContext));
-
-        /* Create CertStore, link in CRLSelector */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                                    (valParams, &procParams, plContext));
-
-        subTest("PKIX_CertStore_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_Create
-                                    (getCertCallback,
-                                    getCRLCallback,
-                                    getCertContinue,
-                                    getCRLContinue,
-                                    NULL,       /* trustCallback */
-                                    (PKIX_PL_Object *)crlSelector, /* fake */
-                                    PKIX_FALSE, /* cacheFlag */
-                                    PKIX_TRUE,  /* localFlag */
-                                    &certStore,
-                                    plContext));
-
-
-        subTest("PKIX_ProcessingParams_AddCertStore");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
-                                    (procParams, certStore, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                                    (procParams, PKIX_TRUE, plContext));
-
-        subTest("PKIX_CertStore_GetCRLCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-                                    (certStore,
-                                    &crlCallback,
-                                    NULL));
-
-        subTest("Getting CRL by CRL Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(crlCallback
-                                    (certStore,
-                                    crlSelector,
-                                    &nbioContext,
-                                    &crlList,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (crlList,
-                                    &numCrl,
-                                    plContext));
-
-        if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) {
-                pkixTestErrorMsg = "unexpected CRL number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(crlList);
-        PKIX_TEST_DECREF_AC(comCrlSelParams);
-        PKIX_TEST_DECREF_AC(crlSelector);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-/*
- * Validate Certificate Chain with Certificate Revocation List
- *      Certificate Chain is built based on input certs' sequence.
- *      CRL is fetched from the directory specified in CollectionCertStore.
- *      while CollectionCertStore is linked in CertStore Object which then
- *      linked in ProcessParam. During validation, CRLChecker will invoke
- *      the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL)
- *      to get CRL data for revocation check.
- *      This test set criteria in CRLSelector which is linked in
- *      CommonCRLSelectorParam. When CRL data is fetched into cache for
- *      revocation check, CRL's are filtered based on the criteria set.
- */
-
-int test_customcrlchecker(int argc, char *argv[]){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        char *anchorName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        startTests("CRL Checker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        chainLength = (argc - j) - 5;
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-        }
-
-        for (i = 0; i < chainLength; i++) {
-
-                certNames[i] = argv[(5 + j) +i];
-                certs[i] = NULL;
-        }
-
-        dirName = argv[3+j];
-
-        subTest(argv[1+j]);
-
-        subTest("Custom-CRL-Checker - Create Cert Chain");
-
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        subTest("Custom-CRL-Checker - Create Params");
-
-        anchorName = argv[4+j];
-
-        valParams = createValidateParams
-                (dirName,
-                anchorName,
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("Custom-CRL-Checker - Set Processing Params for CertStore");
-
-        testCustomCertStore(valParams);
-
-        subTest("Custom-CRL-Checker - Validate Chain");
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CRL Checker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c b/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c
deleted file mode 100644
index dc763a1d3..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_defaultcrlchecker2stores.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_defaultcrlchecker2stores.c
- *
- * Test Default CRL with multiple CertStore Checking
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-
-static void *plContext = NULL;
-
-static
-void printUsage1(char *pName){
-        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
-        printf("crl-directory cert [certs].\n");
-}
-
-static
-void printUsageMax(PKIX_UInt32 numCerts){
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-static PKIX_Error *
-getCertCallback(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *certSelector,
-        PKIX_List **pCerts,
-        void *plContext)
-{
-        return (NULL);
-}
-
-static PKIX_Error *
-testDefaultMultipleCertStores(PKIX_ValidateParams *valParams,
-                        char *crlDir1,
-                        char *crlDir2)
-{
-        PKIX_PL_String *dirString1 = NULL;
-        PKIX_PL_String *dirString2 = NULL;
-        PKIX_CertStore *certStore1 = NULL;
-        PKIX_CertStore *certStore2 = NULL;
-        PKIX_List *certStoreList = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CollectionCertStore_Create");
-
-        /* Create CollectionCertStore */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    crlDir1,
-                                    0,
-                                    &dirString1,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirString1,
-                                    &certStore1,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    crlDir2,
-                                    0,
-                                    &dirString2,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirString2,
-                                    &certStore2,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                                    (valParams, &procParams, plContext));
-
-        /* Add multiple CollectionCertStores */
-
-        subTest("PKIX_ProcessingParams_SetCertStores");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStoreList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                    (certStoreList, (PKIX_PL_Object *)certStore1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                    (procParams, certStoreList, plContext));
-
-        subTest("PKIX_ProcessingParams_AddCertStore");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
-                    (procParams, certStore2, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                                    (procParams, PKIX_TRUE, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString1);
-        PKIX_TEST_DECREF_AC(dirString2);
-        PKIX_TEST_DECREF_AC(certStore1);
-        PKIX_TEST_DECREF_AC(certStore2);
-        PKIX_TEST_DECREF_AC(certStoreList);
-        PKIX_TEST_DECREF_AC(procParams);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-/*
- * Validate Certificate Chain with Certificate Revocation List
- *      Certificate Chain is build based on input certs' sequence.
- *      CRL is fetched from the directory specified in CollectionCertStore.
- *      while CollectionCertStore is linked in CertStore Object which then
- *      linked in ProcessParam. During validation, CRLChecker will invoke
- *      the crlCallback (this test uses PKIX_PL_CollectionCertStore_GetCRL)
- *      to get CRL data for revocation check.
- *      This test gets CRL's from two CertStores, each has a valid CRL
- *      required for revocation check to pass.
- */
-
-int test_defaultcrlchecker2stores(int argc, char *argv[]){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        char *dirName = NULL;
-        char *anchorName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 6) {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        startTests("CRL Checker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        chainLength = (argc - j) - 7;
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-        }
-
-        for (i = 0; i < chainLength; i++) {
-
-                certNames[i] = argv[(7+j)+i];
-                certs[i] = NULL;
-        }
-
-
-        subTest(argv[1+j]);
-
-        subTest("Default-CRL-Checker");
-
-        subTest("Default-CRL-Checker - Create Cert Chain");
-
-        dirName = argv[3+j];
-
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        subTest("Default-CRL-Checker - Create Params");
-
-        anchorName = argv[6+j];
-
-        valParams = createValidateParams
-                (dirName,
-                anchorName,
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("Multiple-CertStores");
-
-        testDefaultMultipleCertStores(valParams, argv[4+j], argv[5+j]);
-
-        subTest("Default-CRL-Checker - Validate Chain");
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(chain);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CRL Checker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_ocsp.c b/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
deleted file mode 100644
index 4a4d9fe59..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_ocsp.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_ocspchecker.c
- *
- * Test OcspChecker function
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(void){
-        (void) printf("\nUSAGE:\nOcspChecker -d <certStoreDirectory> TestName "
-                      "[ENE|EE] <certLocationDirectory> <trustedCert> "
-                      "<targetCert>\n\n");
-        (void) printf
-                ("Validates a chain of certificates between "
-                "<trustedCert> and <targetCert>\n"
-                "using the certs and CRLs in <certLocationDirectory> and "
-                "pkcs11 db from <certStoreDirectory>. "
-                "If ENE is specified,\n"
-                "then an Error is Not Expected. "
-                "If EE is specified, an Error is Expected.\n");
-}
-
-static
-char *createFullPathName(
-        char *dirName,
-        char *certFile,
-        void *plContext)
-{
-        PKIX_UInt32 certFileLen;
-        PKIX_UInt32 dirNameLen;
-        char *certPathName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certFileLen = PL_strlen(certFile);
-        dirNameLen = PL_strlen(dirName);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (dirNameLen + certFileLen + 2,
-                (void **)&certPathName,
-                plContext));
-
-        PL_strcpy(certPathName, dirName);
-        PL_strcat(certPathName, "/");
-        PL_strcat(certPathName, certFile);
-        printf("certPathName = %s\n", certPathName);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (certPathName);
-}
-
-static PKIX_Error *
-testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_PL_Date *validity = NULL; 
-        PKIX_List *revCheckers = NULL;
-        PKIX_RevocationChecker *revChecker = NULL;
-	PKIX_PL_Object *revCheckerContext = NULL;
-        PKIX_OcspChecker *ocspChecker = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CollectionCertStoreContext_Create");
-
-        /* Create CollectionCertStore */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        /* Create CertStore */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (valParams, &procParams, plContext));
-
-        subTest("PKIX_ProcessingParams_AddCertStore");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
-                (procParams, certStore, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_FALSE, plContext));
-
-        /* create current Date */
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
-                (PR_Now(), &validity, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        /* create revChecker */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize
-                (validity,
-                NULL,        /* pwArg */
-                NULL,        /* Use default responder */
-                &revChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_RevocationChecker_GetRevCheckerContext
-                (revChecker, &revCheckerContext, plContext));
-
-        /* Check that this object is a ocsp checker */
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_CheckType
-                    (revCheckerContext, PKIX_OCSPCHECKER_TYPE, plContext));
-
-        ocspChecker = (PKIX_OcspChecker *)revCheckerContext;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_SetVerifyFcn
-                (ocspChecker,
-                PKIX_PL_OcspResponse_UseBuildChain,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)revChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(revChecker);
-        PKIX_TEST_DECREF_AC(ocspChecker);
-        PKIX_TEST_DECREF_AC(validity);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-int test_ocsp(int argc, char *argv[]){
-
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        PKIX_List *chainCerts = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *targetCert = NULL;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        char *dirCertName = NULL;
-        char *anchorCertName = NULL;
-        char *dirName = NULL;
-        char *databaseDir = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("OcspChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        subTest(argv[1+j]);
-
-        dirName = argv[3+j];
-
-        chainLength = argc - j - 5;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
-
-        for (k = 0; k < chainLength; k++) {
-
-                dirCert = createCert(dirName, argv[5+k+j], plContext);
-
-                if (k == 0) {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                                ((PKIX_PL_Object *)dirCert, plContext));
-                        targetCert = dirCert;
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        /* create processing params with list of trust anchors */
-
-        anchorCertName = argv[4+j];
-        trustedCert = createCert(dirName, anchorCertName, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                (trustedCert, &anchor, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                (anchors, &procParams, plContext));
-
-        /* create CertSelector with target certificate in params */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
-                (procParams, chainCerts, &valParams, plContext));
-
-        testDefaultCertStore(valParams, dirName);
-
-        pkixTestErrorResult = PKIX_ValidateChain
-                (valParams, &valResult, &verifyTree, plContext);
-
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-        } else {
-	        if (testValid == PKIX_TRUE) { /* ENE */
-        	        (void) printf("EXPECTED SUCCESSFUL VALIDATION!\n");
-	        } else { /* EE */
-        	        (void) printf("UNEXPECTED SUCCESSFUL VALIDATION!\n");
-	        }
-	}
-
-        subTest("Displaying VerifyTree");
-
-	if (verifyTree == NULL) {
-                (void) printf("VerifyTree is NULL\n");
-	} else {
-	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-        	    ((PKIX_PL_Object *)verifyTree, &verifyString, plContext));
-                (void) printf("verifyTree is\n%s\n",
-                    verifyString->escAsciiString);
-                PKIX_TEST_DECREF_BC(verifyString);
-                PKIX_TEST_DECREF_BC(verifyTree);
-	}
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(chainCerts);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(trustedCert);
-        PKIX_TEST_DECREF_AC(targetCert);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("OcspChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_policychecker.c b/security/nss/cmd/libpkix/pkix/top/test_policychecker.c
deleted file mode 100644
index e2593c81d..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_policychecker.c
+++ /dev/null
@@ -1,595 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_policychecker.c
- *
- * Test Policy Checking
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-
-static void *plContext = NULL;
-
-static
-void printUsage(char *testname) {
-        char *fmt =
-                "USAGE: %s testname"
-                " [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n"
-                "(The quotes are needed around the OID argument for dbx.)\n"
-                "(The optional arg A indicates initialAnyPolicyInhibit.)\n"
-                "(The optional arg E indicates initialExplicitPolicy.)\n"
-                "(The optional arg P indicates initialPolicyMappingInhibit.)\n";
-        printf(fmt, testname);
-}
-
-static
-void printUsageMax(PKIX_UInt32 numCerts)
-{
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-static
-PKIX_List *policySetParse(char *policyString)
-{
-        char *p = NULL;
-        char *oid = NULL;
-        char c = '\0';
-        PKIX_Boolean validString = PKIX_FALSE;
-        PKIX_PL_OID *plOID = NULL;
-        PKIX_List *policySet = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        p = policyString;
-
-        /*
-         * There may or may not be quotes around the initial-policy-set
-         * string. If they are omitted, dbx will strip off the curly braces.
-         * If they are included, dbx will strip off the quotes, but if you
-         * are running directly from a script, without dbx, the quotes will
-         * not be stripped. We need to be able to handle both cases.
-         */
-        if (*p == '"') {
-                p++;
-        }
-
-        if ('{' != *p++) {
-                return (NULL);
-        }
-        oid = p;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));
-
-        /* scan to the end of policyString */
-        while (!validString) {
-                /* scan to the end of the current OID string */
-                c = *oid;
-                while ((c != '\0') && (c != ':') && (c != '}')) {
-                        c = *++oid;
-                }
-
-                if ((c != ':') || (c != '}')) {
-                        *oid = '\0'; /* store a null terminator */
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                                (p, &plOID, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_AppendItem
-                                (policySet,
-                                (PKIX_PL_Object *)plOID,
-                                plContext));
-
-                        PKIX_TEST_DECREF_BC(plOID);
-                        plOID = NULL;
-                        if (c == '}') {
-                                /*
-                                * Any exit but this one means
-                                * we were given a badly-formed string.
-                                */
-                                validString = PKIX_TRUE;
-                        }
-                        p = ++oid;
-                }
-        }
-
-
-cleanup:
-        if (!validString) {
-                PKIX_TEST_DECREF_AC(plOID);
-                PKIX_TEST_DECREF_AC(policySet);
-                policySet = NULL;
-        }
-
-        PKIX_TEST_RETURN();
-
-        return (policySet);
-}
-
-/*
- * FUNCTION: treeToStringHelper
- *  This function obtains the string representation of a PolicyNode
- *  Tree and compares it to the expected value.
- * PARAMETERS:
- *  "parent" - a PolicyNode, the root of a PolicyNodeTree;
- *      must be non-NULL.
- *  "expected" - the desired string.
- * THREAD SAFETY:
- *  Thread Safe
- *
- *  Multiple threads can safely call this function without worrying
- *  about conflicts, even if they're operating on the same object.
- * RETURNS:
- *  Nothing.
- */
-static void
-treeToStringHelper(PKIX_PolicyNode *parent, char *expected)
-{
-        PKIX_PL_String *stringRep = NULL;
-        char *actual = NULL;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                        ((PKIX_PL_Object *)parent, &stringRep, plContext));
-
-        actual = PKIX_String2ASCII(stringRep, plContext);
-        if (actual == NULL){
-                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                goto cleanup;
-        }
-
-        if (PL_strcmp(actual, expected) != 0){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%s\n", actual);
-                (void) printf("Expected value:\t%s\n", expected);
-        }
-
-cleanup:
-
-        PKIX_PL_Free(actual, plContext);
-
-        PKIX_TEST_DECREF_AC(stringRep);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Basic-Common-Fields <pass>");
-        /*
-         * Tests the Expiration, NameChaining, and Signature Checkers
-         */
-
-        chain = createCertChain(dirName, goodInput, diffInput, plContext);
-
-        valParams = createValidateParams
-                (dirName,
-                goodInput,
-                diffInput,
-                dateAscii,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                                    (valParams, &valResult, NULL, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testNistTest1(char *dirName)
-{
-#define PKIX_TEST_NUM_CERTS     2
-        char *trustAnchor =
-                "TrustAnchorRootCertificate.crt";
-        char *intermediateCert =
-                "GoodCACert.crt";
-        char *endEntityCert =
-                "ValidCertificatePathTest1EE.crt";
-        char *certNames[PKIX_TEST_NUM_CERTS];
-        char *asciiAnyPolicy = "2.5.29.32.0";
-        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
-
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_List *chain = NULL;
-        PKIX_PL_OID *anyPolicyOID = NULL;
-        PKIX_List *initialPolicies = NULL;
-        char *anchorName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("testNistTest1: Creating the cert chain");
-        /*
-         * Create a chain, but don't include the first certName.
-         * That's the anchor, and is supplied separately from
-         * the chain.
-         */
-        certNames[0] = intermediateCert;
-        certNames[1] = endEntityCert;
-        chain = createCertChainPlus
-                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
-
-        subTest("testNistTest1: Creating the Validate Parameters");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (asciiAnyPolicy, &anyPolicyOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_Create(&initialPolicies, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
-                (initialPolicies, plContext));
-
-        valParams = createValidateParams
-                (dirName,
-                trustAnchor,
-                NULL,
-                NULL,
-                initialPolicies,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("testNistTest1: Validating the chain");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, NULL, plContext));
-
-
-cleanup:
-
-        PKIX_PL_Free(anchorName, plContext);
-
-        PKIX_TEST_DECREF_AC(anyPolicyOID);
-        PKIX_TEST_DECREF_AC(initialPolicies);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(chain);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testNistTest2(char *dirName)
-{
-#define PKIX_TEST_NUM_CERTS     2
-        char *trustAnchor =
-                "TrustAnchorRootCertificate.crt";
-        char *intermediateCert =
-                "GoodCACert.crt";
-        char *endEntityCert =
-                "ValidCertificatePathTest1EE.crt";
-        char *certNames[PKIX_TEST_NUM_CERTS];
-        char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
-        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };
-
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_List *chain = NULL;
-        PKIX_PL_OID *Nist1PolicyOID = NULL;
-        PKIX_List *initialPolicies = NULL;
-        char *anchorName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("testNistTest2: Creating the cert chain");
-        /*
-         * Create a chain, but don't include the first certName.
-         * That's the anchor, and is supplied separately from
-         * the chain.
-         */
-        certNames[0] = intermediateCert;
-        certNames[1] = endEntityCert;
-        chain = createCertChainPlus
-                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);
-
-        subTest("testNistTest2: Creating the Validate Parameters");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                (asciiNist1Policy, &Nist1PolicyOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_Create(&initialPolicies, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
-                (initialPolicies, plContext));
-
-        valParams = createValidateParams
-                (dirName,
-                trustAnchor,
-                NULL,
-                NULL,
-                initialPolicies,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("testNistTest2: Validating the chain");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, NULL, plContext));
-
-
-cleanup:
-
-        PKIX_PL_Free(anchorName, plContext);
-
-        PKIX_TEST_DECREF_AC(Nist1PolicyOID);
-        PKIX_TEST_DECREF_AC(initialPolicies);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(chain);
-
-        PKIX_TEST_RETURN();
-}
-
-static void printValidPolicyTree(PKIX_ValidateResult *valResult)
-{
-        PKIX_PolicyNode* validPolicyTree = NULL;
-        PKIX_PL_String *treeString = NULL;
-
-        PKIX_TEST_STD_VARS();
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
-                (valResult, &validPolicyTree, plContext));
-        if (validPolicyTree) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                        ((PKIX_PL_Object*)validPolicyTree,
-                        &treeString,
-                        plContext));
-                (void) printf("validPolicyTree is\n\t%s\n",
-                        treeString->escAsciiString);
-        } else {
-                (void) printf("validPolicyTree is NULL\n");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(validPolicyTree);
-        PKIX_TEST_DECREF_AC(treeString);
-
-        PKIX_TEST_RETURN();
-}
-
-int test_policychecker(int argc, char *argv[])
-{
-
-        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
-        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
-        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
-        PKIX_Boolean expectedResult = PKIX_FALSE;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 initArgs = 0;
-        PKIX_UInt32 firstCert = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_Int32  j = 0;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_ProcessingParams *procParams = NULL;
-        char *firstTrustAnchor = "yassir2yassir";
-        char *secondTrustAnchor = "yassir2bcn";
-        char *dateAscii = "991201000000Z";
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-        PKIX_List *chain = NULL;
-        PKIX_Error *validationError = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        char *dirName = NULL;
-        char *dataCentralDir = NULL;
-        char *anchorName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /*
-         * Perform hard-coded tests if no command line args.
-         * If command line args are provided, they must be:
-         * arg[1]: test name
-         * arg[2]: "ENE" or "EE", for "expect no error" or "expect error"
-         * arg[3]: directory for certificates
-         * arg[4]: user-initial-policy-set, consisting of braces
-         *      containing zero or more OID sequences, separated by commas
-         * arg[5]: (optional) "E", indicating initialExplicitPolicy
-         * arg[firstCert]: the path and filename of the trust anchor certificate
-         * arg[firstCert+1..(n-1)]: successive certificates in the chain
-         * arg[n]: the end entity certificate
-         *
-         * Example: test_policychecker test1EE ENE
-         *      {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity
-         */
-
-        dirName = argv[3+j];
-        dataCentralDir = argv[4+j];
-
-        if (argc <= 5 || ((6 == argc) && (j))) {
-
-                testPass
-                    (dataCentralDir,
-                    firstTrustAnchor,
-                    secondTrustAnchor,
-                    dateAscii);
-
-                testNistTest1(dirName);
-
-                testNistTest2(dirName);
-
-                goto cleanup;
-        }
-
-        if (argc < (7 + j)) {
-                printUsage(argv[0]);
-                pkixTestErrorMsg = "Invalid command line arguments.";
-                goto cleanup;
-        }
-
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                expectedResult = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                expectedResult = PKIX_FALSE;
-        } else {
-                printUsage(argv[0]);
-                pkixTestErrorMsg = "Invalid command line arguments.";
-                goto cleanup;
-        }
-
-        userInitialPolicySet = policySetParse(argv[5+j]);
-        if (!userInitialPolicySet) {
-                printUsage(argv[0]);
-                pkixTestErrorMsg = "Invalid command line arguments.";
-                goto cleanup;
-        }
-
-        for (initArgs = 0; initArgs < 3; initArgs++) {
-                if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) {
-                        initialAnyPolicyInhibit = PKIX_TRUE;
-                } else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) {
-                        initialExplicitPolicy = PKIX_TRUE;
-                } else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) {
-                        initialPolicyMappingInhibit = PKIX_TRUE;
-                } else {
-                        break;
-                }
-        }
-
-        firstCert = initArgs + j + 6;
-        chainLength = argc - (firstCert + 1);
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-                pkixTestErrorMsg = "Invalid command line arguments.";
-                goto cleanup;
-        }
-
-        /*
-         * Create a chain, but don't include the first certName.
-         * That's the anchor, and is supplied separately from
-         * the chain.
-         */
-        for (i = 0; i < chainLength; i++) {
-
-                certNames[i] = argv[i + (firstCert + 1)];
-                certs[i] = NULL;
-        }
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        subTest(argv[1+j]);
-
-        valParams = createValidateParams
-                (dirName,
-                argv[firstCert],
-                NULL,
-                NULL,
-                userInitialPolicySet,
-                initialPolicyMappingInhibit,
-                initialAnyPolicyInhibit,
-                initialExplicitPolicy,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        if (expectedResult == PKIX_TRUE) {
-                subTest("   (expecting successful validation)");
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-
-                printValidPolicyTree(valResult);
-
-        } else {
-                subTest("   (expecting validation to fail)");
-                validationError = PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext);
-                if (!validationError) {
-                        printValidPolicyTree(valResult);
-                        pkixTestErrorMsg = "Should have thrown an error here.";
-                }
-                PKIX_TEST_DECREF_BC(validationError);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-
-cleanup:
-
-        PKIX_PL_Free(anchorName, plContext);
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(userInitialPolicySet);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(validationError);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("PolicyChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c b/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c
deleted file mode 100644
index ceeddab67..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_subjaltnamechecker.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_subjaltnamechecker.c
- *
- * Test Subject Alternative Name Checking
- *
- */
-
-/*
- * There is no subjaltnamechecker. Instead, targetcertchecker is doing
- * the job for checking subject alternative names' validity. For testing,
- * in order to enter names with various type, we create this test excutable
- * to parse different scenario.
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-
-static void *plContext = NULL;
-
-static
-void printUsage1(char *pName){
-        printf("\nUSAGE: %s test-name [ENE|EE] ", pName);
-        printf("cert [certs].\n");
-}
-
-static
-void printUsage2(char *name) {
-        printf("\ninvalid test-name syntax - %s", name);
-        printf("\ntest-name syntax: [01][DNORU]:<name>+...");
-        printf("\n             [01] 1 - match all; 0 - match one");
-        printf("\n    name - type can be specified as");
-        printf("\n          [DNORU] D-Directory name");
-        printf("\n                  N-DNS name");
-        printf("\n                  O-OID name");
-        printf("\n                  R-RFC822 name");
-        printf("\n                  U-URI name");
-        printf("\n                + separator for more names\n\n");
-}
-
-static
-void printUsageMax(PKIX_UInt32 numCerts){
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-static
-PKIX_UInt32 getNameType(char *name){
-        PKIX_UInt32 nameType;
-
-        PKIX_TEST_STD_VARS();
-
-        switch (*name) {
-        case 'D':
-                nameType = PKIX_DIRECTORY_NAME;
-                break;
-        case 'N':
-                nameType = PKIX_DNS_NAME;
-                break;
-        case 'O':
-                nameType = PKIX_OID_NAME;
-                break;
-        case 'R':
-                nameType = PKIX_RFC822_NAME;
-                break;
-        case 'U':
-                nameType = PKIX_URI_NAME;
-                break;
-        default:
-                printUsage2(name);
-                nameType = 0xFFFF;
-        }
-
-        goto cleanup;
-
-cleanup:
-        PKIX_TEST_RETURN();
-        return (nameType);
-}
-
-int test_subjaltnamechecker(int argc, char *argv[]){
-
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *selParams = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_PL_GeneralName *name = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        char *nameStr;
-        char *nameEnd;
-        char *names[PKIX_TEST_MAX_CERTS];
-        PKIX_UInt32 numNames = 0;
-        PKIX_UInt32 nameType;
-        PKIX_Boolean matchAll = PKIX_TRUE;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        char *dirName = NULL;
-        char *anchorName = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        startTests("SubjAltNameConstraintChecker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-	j++; /* skip test-purpose string */
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        /* taking out leading and trailing ", if any */
-        nameStr = argv[1+j];
-        subTest(nameStr);
-        if (*nameStr == '"'){
-                nameStr++;
-                nameEnd = nameStr;
-                while (*nameEnd != '"' && *nameEnd != '\0') {
-                        nameEnd++;
-                }
-                *nameEnd = '\0';
-        }
-
-        /* extract first [0|1] inidcating matchAll or not */
-        matchAll = (*nameStr == '0')?PKIX_FALSE:PKIX_TRUE;
-        nameStr++;
-
-        numNames = 0;
-        while (*nameStr != '\0') {
-                names[numNames++] = nameStr;
-                while (*nameStr != '+' && *nameStr != '\0') {
-                        nameStr++;
-                }
-                if (*nameStr == '+') {
-                        *nameStr = '\0';
-                        nameStr++;
-                }
-        }
-
-        chainLength = (argc - j) - 4;
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-        }
-
-        for (i = 0; i < chainLength; i++) {
-                certNames[i] = argv[(4+j)+i];
-                certs[i] = NULL;
-        }
-
-        /* SubjAltName for validation */
-
-        subTest("Add Subject Alt Name for NameConstraint checking");
-
-        subTest("Create Selector and ComCertSelParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&selParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, selParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetMatchAllSubjAltNames");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetMatchAllSubjAltNames
-                (selParams, matchAll, plContext));
-
-        subTest("PKIX_ComCertSelParams_AddSubjAltName(s)");
-        for (i = 0; i < numNames; i++) {
-                nameType = getNameType(names[i]);
-                if (nameType == 0xFFFF) {
-                        return (0);
-                }
-                nameStr = names[i] + 2;
-                name = createGeneralName(nameType, nameStr, plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_AddSubjAltName
-                        (selParams, name, plContext));
-                PKIX_TEST_DECREF_BC(name);
-        }
-
-        subTest("SubjAltName-Constraints - Create Cert Chain");
-
-        dirName = argv[3+j];
-
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        subTest("SubjAltName-Constraints - Create Params");
-
-        valParams = createValidateParams
-                (dirName,
-                argv[4+j],
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("PKIX_ValidateParams_getProcessingParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (valParams, &procParams, plContext));
-
-        subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, selector, plContext));
-
-        subTest("Subject Alt Name - Validate Chain");
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        }
-
-cleanup:
-
-        PKIX_PL_Free(anchorName, plContext);
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(selector);
-        PKIX_TEST_DECREF_AC(selParams);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(name);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("SubjAltNameConstraintsChecker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain.c
deleted file mode 100644
index 196c345ad..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_validatechain.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_validatechain.c
- *
- * Test ValidateChain function
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(void){
-        (void) printf("\nUSAGE:\nvalidateChain TestName [ENE|EE] "
-                    "<certStoreDirectory> <trustedCert> <targetCert>\n\n");
-        (void) printf
-                ("Validates a chain of certificates between "
-                "<trustedCert> and <targetCert>\n"
-                "using the certs and CRLs in <certStoreDirectory>. "
-                "If ENE is specified,\n"
-                "then an Error is Not Expected. "
-                "If EE is specified, an Error is Expected.\n");
-}
-
-static
-char *createFullPathName(
-        char *dirName,
-        char *certFile,
-        void *plContext)
-{
-        PKIX_UInt32 certFileLen;
-        PKIX_UInt32 dirNameLen;
-        char *certPathName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certFileLen = PL_strlen(certFile);
-        dirNameLen = PL_strlen(dirName);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (dirNameLen + certFileLen + 2,
-                (void **)&certPathName,
-                plContext));
-
-        PL_strcpy(certPathName, dirName);
-        PL_strcat(certPathName, "/");
-        PL_strcat(certPathName, certFile);
-        printf("certPathName = %s\n", certPathName);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (certPathName);
-}
-
-static PKIX_Error *
-testDefaultCertStore(PKIX_ValidateParams *valParams, char *crlDir)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_PL_Date *validity = NULL; 
-        PKIX_List *revCheckers = NULL;
-        PKIX_RevocationChecker *ocspChecker = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CollectionCertStoreContext_Create");
-
-        /* Create CollectionCertStore */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, crlDir, 0, &dirString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (dirString, &certStore, plContext));
-
-        /* Create CertStore */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (valParams, &procParams, plContext));
-
-        subTest("PKIX_ProcessingParams_AddCertStore");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
-                (procParams, certStore, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_TRUE, plContext));
-
-        /* create current Date */
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
-                (PR_Now(), &validity, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&revCheckers, plContext));
-
-        /* create revChecker */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_OcspChecker_Initialize
-                (validity,
-                NULL,        /* pwArg */
-                NULL,        /* Use default responder */
-                &ocspChecker,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (revCheckers, (PKIX_PL_Object *)ocspChecker, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationCheckers
-                (procParams, revCheckers, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(revCheckers);
-        PKIX_TEST_DECREF_AC(ocspChecker);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-int test_validatechain(int argc, char *argv[]){
-
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        PKIX_List *chainCerts = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-        char *dirCertName = NULL;
-        char *anchorCertName = NULL;
-        char *dirName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("ValidateChain");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        subTest(argv[1+j]);
-
-        dirName = argv[3+j];
-
-        chainLength = argc - j - 5;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
-
-        for (k = 0; k < chainLength; k++) {
-
-                dirCert = createCert(dirName, argv[5+k+j], plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        valParams = createValidateParams
-                (dirName,
-                argv[4+j],
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chainCerts,
-                plContext);
-
-        testDefaultCertStore(valParams, dirName);
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                        (valParams, &valResult, &verifyTree, plContext));
-        }
-
-        subTest("Displaying VerifyNode objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-
-        PKIX_TEST_DECREF_AC(chainCerts);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ValidateChain");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
deleted file mode 100644
index 5dd5ca0c8..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_validatechain_NB.c
- *
- * Test ValidateChain (nonblocking I/O) function
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(void){
-        (void) printf("\nUSAGE:\ntest_validateChain_NB TestName [ENE|EE] "
-                    "<certStoreDirectory> <trustedCert> <targetCert>\n\n");
-        (void) printf
-                ("Validates a chain of certificates between "
-                "<trustedCert> and <targetCert>\n"
-                "using the certs and CRLs in <certStoreDirectory>. "
-                "If ENE is specified,\n"
-                "then an Error is Not Expected. "
-                "If EE is specified, an Error is Expected.\n");
-}
-
-static
-char *createFullPathName(
-        char *dirName,
-        char *certFile,
-        void *plContext)
-{
-        PKIX_UInt32 certFileLen;
-        PKIX_UInt32 dirNameLen;
-        char *certPathName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certFileLen = PL_strlen(certFile);
-        dirNameLen = PL_strlen(dirName);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (dirNameLen + certFileLen + 2,
-                (void **)&certPathName,
-                plContext));
-
-        PL_strcpy(certPathName, dirName);
-        PL_strcat(certPathName, "/");
-        PL_strcat(certPathName, certFile);
-        printf("certPathName = %s\n", certPathName);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (certPathName);
-}
-
-static PKIX_Error *
-testSetupCertStore(PKIX_ValidateParams *valParams, char *ldapName)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_PL_LdapDefaultClient *ldapClient = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CollectionCertStoreContext_Create");
-
-        /* Create LDAPCertStore */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapDefaultClient_CreateByName
-                (ldapName,
-                0,      /* timeout */
-                NULL,   /* bindPtr */
-                &ldapClient,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_LdapCertStore_Create
-                ((PKIX_PL_LdapClient *)ldapClient,
-                &certStore,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                (valParams, &procParams, plContext));
-
-        subTest("PKIX_ProcessingParams_AddCertStore");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_AddCertStore
-                (procParams, certStore, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                (procParams, PKIX_TRUE, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(ldapClient);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-static char *levels[] = {
-        "None", "Fatal Error", "Error", "Warning", "Debug", "Trace"
-};
-
-static PKIX_Error *loggerCallback(
-        PKIX_Logger *logger,
-        PKIX_PL_String *message,
-        PKIX_UInt32 logLevel,
-        PKIX_ERRORCLASS logComponent,
-        void *plContext)
-{
-#define resultSize 150
-        char *msg = NULL;
-        char result[resultSize];
-
-        PKIX_TEST_STD_VARS();
-
-        msg = PKIX_String2ASCII(message, plContext);
-        PR_snprintf(result, resultSize,
-            "Logging %s (%s): %s",
-	    levels[logLevel],
-	    PKIX_ERRORCLASSNAMES[logComponent],
-	    msg);
-        subTest(result);
-
-cleanup:
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
-        PKIX_TEST_RETURN();
-}
-
-static
-void testLogErrors(
-	PKIX_ERRORCLASS module,
-	PKIX_UInt32 loggingLevel,
-        PKIX_List *loggers,
-	void *plContext)
-{
-        PKIX_Logger *logger = NULL;
-        PKIX_PL_String *component = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
-                (loggerCallback, NULL, &logger, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
-                (logger, module, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
-                (logger, loggingLevel, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (loggers, (PKIX_PL_Object *) logger, plContext));
-
-cleanup:
-        PKIX_TEST_DECREF_AC(logger);
-        PKIX_TEST_DECREF_AC(component);
-
-        PKIX_TEST_RETURN();
-}
-
-int test_validatechain_NB(int argc, char *argv[]){
-
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 k = 0;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_Boolean testValid = PKIX_TRUE;
-        PKIX_List *chainCerts = NULL;
-        PKIX_PL_Cert *dirCert = NULL;
-        char *dirCertName = NULL;
-        char *anchorCertName = NULL;
-        char *dirName = NULL;
-        PKIX_UInt32 certIndex = 0;
-        PKIX_UInt32 anchorIndex = 0;
-        PKIX_UInt32 checkerIndex = 0;
-        PKIX_Boolean revChecking = PKIX_FALSE;
-        PKIX_List *checkers = NULL;
-        PRPollDesc *pollDesc = NULL;
-        PRErrorCode errorCode = 0;
-        PKIX_PL_Socket *socket = NULL;
-        char *ldapName = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        PKIX_List *loggers = NULL;
-        PKIX_Logger *logger = NULL;
-        char *logging = NULL;
-        PKIX_PL_String *component = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage();
-                return (0);
-        }
-
-        startTests("ValidateChain_NB");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage();
-                return (0);
-        }
-
-        subTest(argv[1+j]);
-
-        dirName = argv[3+j];
-
-        chainLength = argc - j - 5;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&chainCerts, plContext));
-
-        for (k = 0; k < chainLength; k++){
-
-                dirCert = createCert(dirName, argv[5+k+j], plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_AppendItem
-                        (chainCerts, (PKIX_PL_Object *)dirCert, plContext));
-
-                PKIX_TEST_DECREF_BC(dirCert);
-        }
-
-        valParams = createValidateParams
-                (dirName,
-                argv[4+j],
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chainCerts,
-                plContext);
-
-        ldapName = PR_GetEnv("LDAP");
-        /* Is LDAP set in the environment? */
-        if ((ldapName == NULL) || (*ldapName == '\0')) {
-                testError("LDAP not set in environment");
-                goto cleanup;
-        }
-
-        pkixTestErrorResult = pkix_pl_Socket_CreateByName
-                (PKIX_FALSE,       /* isServer */
-                PR_SecondsToInterval(30), /* try 30 secs for connect */
-                ldapName,
-                &errorCode,
-                &socket,
-                plContext);
-
-        if (pkixTestErrorResult != NULL) {
-                PKIX_PL_Object_DecRef
-                        ((PKIX_PL_Object *)pkixTestErrorResult, plContext);
-                pkixTestErrorResult = NULL;
-                testError("Unable to connect to LDAP Server");
-                goto cleanup;
-        }
-
-        PKIX_TEST_DECREF_BC(socket);
-
-        testSetupCertStore(valParams, ldapName);
-
-        logging = PR_GetEnv("LOGGING");
-        /* Is LOGGING set in the environment? */
-        if ((logging != NULL) && (*logging != '\0')) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_Create(&loggers, plContext));
-
-		testLogErrors
-			(PKIX_VALIDATE_ERROR, 2, loggers, plContext);
-		testLogErrors
-			(PKIX_CERTCHAINCHECKER_ERROR, 2, loggers, plContext);
-		testLogErrors
-			(PKIX_LDAPDEFAULTCLIENT_ERROR, 2, loggers, plContext);
-		testLogErrors
-			(PKIX_CERTSTORE_ERROR, 2, loggers, plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggers, plContext));
-
-        }
-
-        pkixTestErrorResult = PKIX_ValidateChain_NB
-                (valParams,
-                &certIndex,
-                &anchorIndex,
-                &checkerIndex,
-                &revChecking,
-                &checkers,
-                (void **)&pollDesc,
-                &valResult,
-		&verifyTree,
-                plContext);
-
-        while (pollDesc != NULL) {
-
-                if (PR_Poll(pollDesc, 1, 0) < 0) {
-                        testError("PR_Poll failed");
-                }
-
-                pkixTestErrorResult = PKIX_ValidateChain_NB
-                        (valParams,
-                        &certIndex,
-                        &anchorIndex,
-                        &checkerIndex,
-                        &revChecking,
-                        &checkers,
-                        (void **)&pollDesc,
-                        &valResult,
-			&verifyTree,
-                        plContext);
-        }
-
-        if (pkixTestErrorResult) {
-                if (testValid == PKIX_FALSE) { /* EE */
-                        (void) printf("EXPECTED ERROR RECEIVED!\n");
-                } else { /* ENE */
-                        testError("UNEXPECTED ERROR RECEIVED");
-                }
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult);
-        } else {
-
-	        if (testValid == PKIX_TRUE) { /* ENE */
-        	        (void) printf("EXPECTED NON-ERROR RECEIVED!\n");
-	        } else { /* EE */
-        	        (void) printf("UNEXPECTED NON-ERROR RECEIVED!\n");
-	        }
-        }
-
-cleanup:
-
-	if (verifyTree) {
-	        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-        	    ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-	        (void) printf("verifyTree is\n%s\n",
-		    verifyString->escAsciiString);
-	}
-
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(checkers);
-        PKIX_TEST_DECREF_AC(chainCerts);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("ValidateChain_NB");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c b/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c
deleted file mode 100644
index fc0c533fe..000000000
--- a/security/nss/cmd/libpkix/pkix/top/test_validatechain_bc.c
+++ /dev/null
@@ -1,289 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * validateChainBasicConstraints.c
- *
- * Tests Cert Chain Validation
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-
-#include "pkix_pl_generalname.h"
-#include "pkix_pl_cert.h"
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "keythi.h"
-#include "nss.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(void){
-        printf("\nUSAGE: incorrect.\n");
-}
-
-static PKIX_PL_Cert *
-createCert(char *inFileName)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        void *buf = NULL;
-        PRFileDesc *inFile = NULL;
-        PKIX_UInt32 len;
-        SECItem certDER;
-        SECStatus rv;
-        /* default: NULL cert (failure case) */
-        PKIX_PL_Cert *cert = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certDER.data = NULL;
-
-        inFile = PR_Open(inFileName, PR_RDONLY, 0);
-
-        if (!inFile){
-                pkixTestErrorMsg = "Unable to open cert file";
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)certDER.data;
-                        len = certDER.len;
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
-                                                (byteArray, &cert, plContext));
-
-                        SECITEM_FreeItem(&certDER, PR_FALSE);
-                } else {
-                        pkixTestErrorMsg = "Unable to read DER from cert file";
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                SECITEM_FreeItem(&certDER, PR_FALSE);
-        }
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-
-        return (cert);
-}
-
-int test_validatechain_bc(int argc, char *argv[])
-{
-
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_PL_X500Name *subject = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-
-        char *trustedCertFile = NULL;
-        char *chainCertFile = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *chainCert = NULL;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 actualMinorVersion;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 3){
-                printUsage();
-                return (0);
-        }
-
-        startTests("ValidateChainBasicConstraints");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        chainLength = (argc - j) - 2;
-
-        /* create processing params with list of trust anchors */
-        trustedCertFile = argv[1+j];
-        trustedCert = createCert(trustedCertFile);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
-                    (certSelParams, -1, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                                    (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_DECREF_BC(subject);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                    (trustedCert, &anchor, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                                    (anchors, &procParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                                    (procParams, PKIX_FALSE, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                    (PKIX_ProcessingParams_SetTargetCertConstraints
-                    (procParams, certSelector, plContext));
-
-        PKIX_TEST_DECREF_BC(certSelector);
-
-        /* create cert chain */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
-        for (i = 0; i < chainLength; i++){
-                chainCertFile = argv[i + (2+j)];
-                chainCert = createCert(chainCertFile);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                        (certs, (PKIX_PL_Object *)chainCert, plContext));
-
-                PKIX_TEST_DECREF_BC(chainCert);
-        }
-
-        /* create validate params with processing params and cert chain */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
-                                    (procParams, certs, &valParams, plContext));
-
-
-        /* validate cert chain using processing params and return valResult */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, &verifyTree, plContext));
-
-        if (valResult != NULL){
-                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
-                printf("Cert Selector minimum path length to be -1\n");
-                PKIX_TEST_DECREF_BC(valResult);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-        PKIX_TEST_DECREF_BC(verifyString);
-        PKIX_TEST_DECREF_BC(verifyTree);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
-                    (certSelParams, 6, plContext));
-
-        /* validate cert chain using processing params and return valResult */
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                (valParams, &valResult, &verifyTree, plContext));
-
-        if (valResult != NULL){
-                printf("SUCCESSFULLY VALIDATED with Basic Constraint ");
-                printf("Cert Selector minimum path length to be 6\n");
-        }
-
-        PKIX_TEST_DECREF_BC(trustedCert);
-        PKIX_TEST_DECREF_BC(anchor);
-        PKIX_TEST_DECREF_BC(anchors);
-        PKIX_TEST_DECREF_BC(certs);
-        PKIX_TEST_DECREF_BC(procParams);
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                printf("FAILED TO VALIDATE\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
-        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-        PKIX_TEST_DECREF_AC(verifyString);
-        PKIX_TEST_DECREF_AC(verifyTree);
-
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(valParams);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        endTests("ValidateChainBasicConstraints");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/util/Makefile b/security/nss/cmd/libpkix/pkix/util/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix/util/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix/util/manifest.mn b/security/nss/cmd/libpkix/pkix/util/manifest.mn
deleted file mode 100755
index f63ead6f4..000000000
--- a/security/nss/cmd/libpkix/pkix/util/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_error.c \
-	test_list.c \
-	test_list2.c \
-	test_logger.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolutil
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix/util/test_error.c b/security/nss/cmd/libpkix/pkix/util/test_error.c
deleted file mode 100644
index 776c4bab1..000000000
--- a/security/nss/cmd/libpkix/pkix/util/test_error.c
+++ /dev/null
@@ -1,450 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_error.c
- *
- * Tests Error Object Creation, ToString, Callbacks and Destroy
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createErrors(
-        PKIX_Error **error,
-        PKIX_Error **error2,
-        PKIX_Error **error3,
-        PKIX_Error **error5,
-        PKIX_Error **error6,
-        PKIX_Error **error7,
-        char *infoChar)
-
-{
-        PKIX_PL_String *infoString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        infoChar,
-                                        PL_strlen(infoChar),
-                                        &infoString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                  (PKIX_MEM_ERROR,
-                                   NULL,
-                                   NULL,
-                                   PKIX_TESTANOTHERERRORMESSAGE,
-                                   error2,
-                                   plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                    (PKIX_OBJECT_ERROR,
-                                    *error2,
-                                    (PKIX_PL_Object*)infoString,
-                                     PKIX_TESTERRORMESSAGE,
-                                    error,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                    (PKIX_OBJECT_ERROR,
-                                    *error2,
-                                    (PKIX_PL_Object*)infoString,
-                                     PKIX_TESTERRORMESSAGE,
-                                    error3,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                    (PKIX_OBJECT_ERROR,
-                                    NULL,
-                                    (PKIX_PL_Object*)infoString,
-                                    0,
-                                    error5,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                    (PKIX_MEM_ERROR,
-                                    *error5,
-                                    (PKIX_PL_Object*)infoString,
-                                    0,
-                                    error6,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_Create
-                                    (PKIX_OBJECT_ERROR,
-                                    *error6,
-                                    (PKIX_PL_Object*)infoString,
-                                    0,
-                                    error7,
-                                    plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(infoString);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetErrorClass(PKIX_Error *error, PKIX_Error *error2)
-{
-        PKIX_ERRORCLASS errClass;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_Error_GetErrorClass(error, &errClass, plContext));
-
-        if (errClass != PKIX_OBJECT_ERROR) {
-                testError("Incorrect Class Returned");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_Error_GetErrorClass(error2, &errClass, plContext));
-
-        if (errClass != PKIX_MEM_ERROR) {
-                testError("Incorrect Class Returned");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetErrorClass(PKIX_ALLOC_ERROR(),
-                                            &errClass, plContext));
-        if (errClass != PKIX_FATAL_ERROR) {
-                testError("Incorrect Class Returned");
-        }
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetDescription(
-        PKIX_Error *error,
-        PKIX_Error *error2,
-        PKIX_Error *error3,
-        char *descChar,
-        char *descChar2)
-{
-
-        PKIX_PL_String *targetString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
-                                (error, &targetString, plContext));
-        temp = PKIX_String2ASCII(targetString, plContext);
-        PKIX_TEST_DECREF_BC(targetString);
-
-        if (temp){
-                if (PL_strcmp(temp, descChar) != 0) {
-                        testError("Incorrect description returned");
-                }
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
-                    (error2, &targetString, plContext));
-        temp = PKIX_String2ASCII(targetString, plContext);
-        PKIX_TEST_DECREF_BC(targetString);
-
-        if (temp){
-                if (PL_strcmp(temp, descChar2) != 0) {
-                        testError("Incorrect description returned");
-                }
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetDescription
-                    (error3, &targetString, plContext));
-        temp = PKIX_String2ASCII(targetString, plContext);
-        PKIX_TEST_DECREF_BC(targetString);
-
-        if (temp){
-                if (PL_strcmp(temp, descChar) != 0) {
-                        testError("Incorrect description returned");
-                }
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void testGetCause(PKIX_Error *error, PKIX_Error *error2, PKIX_Error *error3)
-{
-
-        PKIX_Error *error4 = NULL;
-        PKIX_PL_String *targetString = NULL;
-        char *temp = NULL;
-        PKIX_Boolean boolResult;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_Error_GetCause(error, &error4, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                    ((PKIX_PL_Object*)error2,
-                    (PKIX_PL_Object*)error4,
-                    &boolResult, plContext));
-        if (!boolResult)
-                testError("Incorrect Cause returned");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)error4,
-                                        &targetString, plContext));
-
-        temp = PKIX_String2ASCII(targetString, plContext);
-        if (temp){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        PKIX_TEST_DECREF_BC(targetString);
-        PKIX_TEST_DECREF_BC(error4);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_Error_GetCause(error3, &error4, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                    ((PKIX_PL_Object*)error2,
-                    (PKIX_PL_Object*)error4,
-                    &boolResult, plContext));
-        if (!boolResult)
-                testError("Incorrect Cause returned");
-
-        PKIX_TEST_DECREF_BC(error4);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-
-}
-
-static
-void testGetSupplementaryInfo(PKIX_Error *error, char *infoChar)
-{
-
-        PKIX_PL_Object *targetString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Error_GetSupplementaryInfo
-                    (error, &targetString, plContext));
-        temp = PKIX_String2ASCII((PKIX_PL_String*)targetString, plContext);
-        PKIX_TEST_DECREF_BC(targetString);
-
-        if (temp){
-                if (PL_strcmp(temp, infoChar) != 0) {
-                        testError("Incorrect info returned");
-                }
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-
-}
-
-static void
-testPrimitiveError(void)
-{
-        PKIX_PL_String *targetString = NULL;
-        PKIX_PL_String *targetStringCopy = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                    ((PKIX_PL_Object*)PKIX_ALLOC_ERROR(),
-                    &targetString, plContext));
-
-        temp = PKIX_String2ASCII(targetString, plContext);
-        if (temp){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        targetStringCopy = targetString;
-
-        PKIX_TEST_DECREF_BC(targetString);
-
-        /*
-         *  We need to DECREF twice, b/c the PKIX_ALLOC_ERROR object
-         *  which holds a cached copy of the stringRep can never be DECREF'd
-         */
-        PKIX_TEST_DECREF_BC(targetStringCopy);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testChaining(PKIX_Error *error7)
-{
-        PKIX_PL_String *targetString = NULL;
-        PKIX_Error *tempError = NULL;
-        char *temp = NULL;
-        PKIX_UInt32 i;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)error7,
-                                        &targetString, plContext));
-
-        temp = PKIX_String2ASCII(targetString, plContext);
-        if (temp){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-
-        for (i = 0, tempError = error7; i < 2; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_Error_GetCause(tempError, &tempError, plContext));
-                if (tempError == NULL) {
-                        testError("Unexpected end to error chain");
-                        break;
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Object_DecRef
-                        ((PKIX_PL_Object*)tempError, plContext));
-        }
-
-        PKIX_TEST_DECREF_BC(targetString);
-
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(PKIX_Error *error)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(error);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_error(int argc, char *argv[]) 
-{
-
-        PKIX_Error *error, *error2, *error3, *error5, *error6, *error7;
-        char *descChar = "Error Message";
-        char *descChar2 = "Another Error Message";
-        char *infoChar = "Auxiliary Info";
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Errors");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_Error_Create");
-        createErrors
-                (&error,
-                &error2,
-                &error3,
-                &error5,
-                &error6,
-                &error7,
-                infoChar);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (error,
-                error,
-                error2,
-                NULL,
-                Error,
-                PKIX_TRUE);
-
-        subTest("PKIX_Error_GetErrorClass");
-        testGetErrorClass(error, error2);
-
-        subTest("PKIX_Error_GetDescription");
-        testGetDescription(error, error2, error3, descChar, descChar2);
-
-        subTest("PKIX_Error_GetCause");
-        testGetCause(error, error2, error3);
-
-        subTest("PKIX_Error_GetSupplementaryInfo");
-        testGetSupplementaryInfo(error, infoChar);
-
-        subTest("Primitive Error Type");
-        testPrimitiveError();
-
-        subTest("Error Chaining");
-        testChaining(error7);
-
-        subTest("PKIX_Error_Destroy");
-        testDestroy(error);
-        testDestroy(error2);
-        testDestroy(error3);
-        testDestroy(error5);
-        testDestroy(error6);
-        testDestroy(error7);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Errors");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_list.c b/security/nss/cmd/libpkix/pkix/util/test_list.c
deleted file mode 100644
index eb145c0b1..000000000
--- a/security/nss/cmd/libpkix/pkix/util/test_list.c
+++ /dev/null
@@ -1,878 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_list.c
- *
- * Tests List Objects
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createLists(PKIX_List **list, PKIX_List **list2)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(list, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(list2, plContext));
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testReverseList(void)
-{
-        PKIX_List *firstList = NULL;
-        PKIX_List *reverseList = NULL;
-        PKIX_UInt32 length, i;
-        char *testItemString = "one";
-        char *testItemString2 = "two";
-        PKIX_PL_String *testItem = NULL;
-        PKIX_PL_String *testItem2 = NULL;
-        PKIX_PL_Object *retrievedItem1 = NULL;
-        PKIX_PL_Object *retrievedItem2 = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&firstList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
-                                    (firstList, &reverseList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (reverseList, &length, plContext));
-        if (length != 0){
-                testError("Incorrect Length returned");
-        }
-
-        PKIX_TEST_DECREF_BC(reverseList);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    testItemString,
-                                    0,
-                                    &testItem,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    testItemString2,
-                                    0,
-                                    &testItem2,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (firstList,
-                                    (PKIX_PL_Object*)testItem,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
-                                    (firstList, &reverseList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (reverseList, &length, plContext));
-        if (length != 1){
-                testError("Incorrect Length returned");
-        }
-
-        PKIX_TEST_DECREF_BC(reverseList);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (firstList,
-                                    (PKIX_PL_Object*)testItem2,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (firstList,
-                                    (PKIX_PL_Object*)testItem,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (firstList,
-                                    (PKIX_PL_Object*)testItem2,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_ReverseList
-                                    (firstList, &reverseList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (reverseList, &length, plContext));
-        if (length != 4){
-                testError("Incorrect Length returned");
-        }
-
-        for (i = 0; i < length; i++){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                            (firstList,
-                                            i,
-                                            &retrievedItem1,
-                                            plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                            (reverseList,
-                                            (length - 1) - i,
-                                            &retrievedItem2,
-                                            plContext));
-
-                testEqualsHelper
-                        (retrievedItem1, retrievedItem2, PKIX_TRUE, plContext);
-
-                PKIX_TEST_DECREF_BC(retrievedItem1);
-                PKIX_TEST_DECREF_BC(retrievedItem2);
-
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstList);
-        PKIX_TEST_DECREF_AC(reverseList);
-
-        PKIX_TEST_DECREF_AC(testItem);
-        PKIX_TEST_DECREF_AC(testItem2);
-
-        PKIX_TEST_DECREF_AC(retrievedItem1);
-        PKIX_TEST_DECREF_AC(retrievedItem2);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testZeroLengthList(PKIX_List *list)
-{
-        PKIX_UInt32 length;
-        PKIX_Boolean empty;
-        char *testItemString = "hello";
-        PKIX_PL_String *testItem = NULL;
-        PKIX_PL_String *retrievedItem = NULL;
-        PKIX_List *diffList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&diffList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(list, &length, plContext));
-
-        if (length != 0){
-                testError("Incorrect Length returned");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(list, &empty, plContext));
-        if (!empty){
-                testError("Incorrect result for PKIX_List_IsEmpty");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    testItemString,
-                                    0,
-                                    &testItem,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_InsertItem
-                            (list, 0, (PKIX_PL_Object *)testItem, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem
-                            (list, 0, (PKIX_PL_Object *)testItem, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetItem
-                            (list,
-                            0,
-                            (PKIX_PL_Object **)&retrievedItem,
-                            plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 0, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (diffList,
-                                    (PKIX_PL_Object*)testItem,
-                                    plContext));
-
-        testDuplicateHelper((PKIX_PL_Object *)diffList, plContext);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (list, list, diffList, "(EMPTY)", List, PKIX_TRUE);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(diffList, &length, plContext));
-        if (length != 1){
-                testError("Incorrect Length returned");
-        }
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 1, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_DeleteItem(diffList, 0, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(diffList, &length, plContext));
-        if (length != 0){
-                testError("Incorrect Length returned");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(testItem);
-        PKIX_TEST_DECREF_AC(diffList);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetLength(PKIX_List *list)
-{
-        PKIX_UInt32 length;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(list, &length, plContext));
-
-        if (length != 3){
-                testError("Incorrect Length returned");
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetSetItem(
-        PKIX_List *list,
-        char *testItemString,
-        char *testItemString2,
-        char *testItemString3,
-        PKIX_PL_String **testItem,
-        PKIX_PL_String **testItem2,
-        PKIX_PL_String **testItem3)
-{
-        PKIX_PL_Object *tempItem = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                        (PKIX_ESCASCII,
-                                        testItemString,
-                                        PL_strlen(testItemString),
-                                        testItem,
-                                        plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                        (PKIX_ESCASCII,
-                                        testItemString2,
-                                        PL_strlen(testItemString2),
-                                        testItem2,
-                                        plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                        (PKIX_ESCASCII,
-                                        testItemString3,
-                                        PL_strlen(testItemString3),
-                                        testItem3,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)*testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)*testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)*testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                    (list, 0, (PKIX_PL_Object*)*testItem, plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                    (list, 1, (PKIX_PL_Object*)*testItem2, plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                    (list, 2, (PKIX_PL_Object*)*testItem3, plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                if (PL_strcmp(testItemString, temp) != 0)
-                testError("GetItem from list is incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        PKIX_TEST_DECREF_BC(tempItem);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem(list, 1, &tempItem, plContext));
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                if (PL_strcmp(testItemString2, temp) != 0)
-                        testError("GetItem from list is incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(tempItem);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem(list, 2, &tempItem, plContext));
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                if (PL_strcmp(testItemString3, temp) != 0)
-                        testError("GetItem from list is incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(tempItem);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                    (list, 0, (PKIX_PL_Object*)*testItem3, plContext));
-        temp = PKIX_String2ASCII(*testItem3, plContext);
-        if (temp){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                if (PL_strcmp(testItemString3, temp) != 0)
-                        testError("GetItem from list is incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(tempItem);
-
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testInsertItem(
-        PKIX_List *list,
-        PKIX_PL_String *testItem,
-        char *testItemString)
-{
-        PKIX_PL_Object *tempItem = NULL;
-        PKIX_PL_String *outputString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_InsertItem
-                (list, 0, (PKIX_PL_Object*)testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem(list, 0, &tempItem, plContext));
-
-        temp = PKIX_String2ASCII((PKIX_PL_String*)tempItem, plContext);
-        if (temp){
-                if (PL_strcmp(testItemString, temp) != 0)
-                        testError("GetItem from list is incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(tempItem);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, c, b, c)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        PKIX_TEST_DECREF_BC(outputString);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testAppendItem(PKIX_List *list, PKIX_PL_String *testItem)
-{
-        PKIX_UInt32 length2;
-        PKIX_PL_String *outputString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(list, &length2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list,
-                                        (PKIX_PL_Object*)testItem,
-                                        plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, c, b, c, a)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-        PKIX_TEST_DECREF_BC(outputString);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testNestedLists(
-        PKIX_List *list,
-        PKIX_List *list2,
-        PKIX_PL_String *testItem,
-        PKIX_PL_String *testItem2)
-{
-        PKIX_PL_String *outputString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (list2, (PKIX_PL_Object*)testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list2,
-                                        (PKIX_PL_Object*)NULL,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem(list2,
-                                        (PKIX_PL_Object*)testItem,
-                                        plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, (null), a)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_InsertItem(list, 1,
-                                        (PKIX_PL_Object*)list2,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, (a, (null), a), c, b, c, a)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDeleteItem(
-        PKIX_List *list,
-        PKIX_List *list2,
-        PKIX_PL_String *testItem2,
-        PKIX_PL_String *testItem3)
-{
-        PKIX_PL_String *outputString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 5, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object*)list,
-                                    &outputString,
-                                    plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, (a, (null), a), c, b, c)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 1, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object*)list,
-                                    &outputString,
-                                    plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, c, b, c)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list, 0, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(c, b, c)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list2, 1, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
-                                        &outputString,
-                                        plContext));
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, a)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                    (list2,
-                    (PKIX_PL_Object*)testItem2,
-                    plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, a, b)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_DeleteItem(list2, 2, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
-                                        &outputString,
-                                        plContext));
-
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, a)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                    (list2,
-                    (PKIX_PL_Object*)testItem3,
-                    plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_ToString((PKIX_PL_Object*)list2,
-                                        &outputString,
-                                        plContext));
-        temp = PKIX_String2ASCII(outputString, plContext);
-        if (temp){
-                if (PL_strcmp("(a, a, c)", temp) != 0)
-                        testError("List toString is Incorrect");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(outputString);
-
-
-        PKIX_TEST_DECREF_BC(list2);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-#if testContainsFunction
-/* This test requires pkix_List_Contains to be in nss.def */
-static void
-testContains(void)
-{
-
-        PKIX_List *list;
-        PKIX_PL_String *testItem, *testItem2, *testItem3, *testItem4;
-        char *testItemString = "a";
-        char *testItemString2 = "b";
-        char *testItemString3 = "c";
-        char *testItemString4 = "d";
-        PKIX_Boolean found = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-        subTest("pkix_ListContains");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII,
-                testItemString,
-                PL_strlen(testItemString),
-                &testItem,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII,
-                testItemString2,
-                PL_strlen(testItemString2),
-                &testItem2,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII,
-                testItemString3,
-                PL_strlen(testItemString3),
-                &testItem3,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII,
-                testItemString4,
-                PL_strlen(testItemString4),
-                &testItem4,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)testItem, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)testItem2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)testItem3, plContext));
-
-        subTest("pkix_List_Contains <object missing>");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_List_Contains
-                (list, (PKIX_PL_Object *)testItem4, &found, plContext));
-
-        if (found){
-                testError("Contains found item that wasn't there!");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (list, (PKIX_PL_Object*)testItem4, plContext));
-
-        subTest("pkix_List_Contains <object present>");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_List_Contains
-                (list, (PKIX_PL_Object *)testItem4, &found, plContext));
-
-        if (!found){
-                testError("Contains missed item that was present!");
-        }
-
-        PKIX_TEST_DECREF_BC(list);
-        PKIX_TEST_DECREF_BC(testItem);
-        PKIX_TEST_DECREF_BC(testItem2);
-        PKIX_TEST_DECREF_BC(testItem3);
-        PKIX_TEST_DECREF_BC(testItem4);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-#endif
-
-static void
-testErrorHandling(void)
-{
-        PKIX_List *emptylist = NULL;
-        PKIX_List *list = NULL;
-        PKIX_PL_Object *tempItem = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
-
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_List_GetItem(list, 4, &tempItem, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetItem(list, 1, NULL, plContext));
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem(list, 4, tempItem, plContext));
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_SetItem(NULL, 1, tempItem, plContext));
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_List_InsertItem(list, 4, tempItem, plContext));
-
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_List_InsertItem(NULL, 1, tempItem, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_AppendItem(NULL, tempItem, plContext));
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(list, 5, plContext));
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem(NULL, 1, plContext));
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_GetLength(list, NULL, plContext));
-
-        PKIX_TEST_DECREF_BC(list);
-        PKIX_TEST_DECREF_BC(emptylist);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(PKIX_List *list)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(list);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_list(int argc, char *argv[]) {
-
-        PKIX_List *list, *list2;
-        PKIX_PL_String *testItem, *testItem2, *testItem3;
-        char *testItemString = "a";
-        char *testItemString2 = "b";
-        char *testItemString3 = "c";
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Lists");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_List_Create");
-        createLists(&list, &list2);
-
-        subTest("pkix_List_ReverseList");
-        testReverseList();
-
-        subTest("Zero-length List");
-        testZeroLengthList(list);
-
-        subTest("PKIX_List_Get/SetItem");
-        testGetSetItem
-                (list,
-                testItemString,
-                testItemString2,
-                testItemString3,
-                &testItem,
-                &testItem2,
-                &testItem3);
-
-        subTest("PKIX_List_GetLength");
-        testGetLength(list);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (list,
-                list,
-                list2,
-                "(c, b, c)",
-                List,
-                PKIX_TRUE);
-
-        subTest("PKIX_List_InsertItem");
-        testInsertItem(list, testItem, testItemString);
-
-        subTest("PKIX_List_AppendItem");
-        testAppendItem(list, testItem);
-
-        subTest("Nested Lists");
-        testNestedLists(list, list2, testItem, testItem2);
-
-        subTest("PKIX_List_DeleteItem");
-        testDeleteItem(list, list2, testItem2, testItem3);
-
-        PKIX_TEST_DECREF_BC(testItem);
-        PKIX_TEST_DECREF_BC(testItem2);
-        PKIX_TEST_DECREF_BC(testItem3);
-
-#if testContainsFunction
-/* This test requires pkix_List_Contains to be in nss.def */
-        testContains();
-#endif
-
-        subTest("PKIX_List Error Handling");
-        testErrorHandling();
-
-        subTest("PKIX_List_Destroy");
-        testDestroy(list);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Lists");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_list2.c b/security/nss/cmd/libpkix/pkix/util/test_list2.c
deleted file mode 100644
index 3dffef26e..000000000
--- a/security/nss/cmd/libpkix/pkix/util/test_list2.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_list2.c
- *
- * Performs an in-place sort on a list
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-int test_list2(int argc, char *argv[]) {
-
-        PKIX_List *list;
-        char *temp;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_Int32 cmpResult;
-        PKIX_PL_OID *testOID;
-        PKIX_PL_String *testString;
-        PKIX_PL_Object *obj, *obj2;
-        PKIX_UInt32 size = 10;
-        char *testOIDString[10] = {
-                "2.9.999.1.20",
-                "1.2.3.4.5.6.7",
-                "0.1",
-                "1.2.3.5",
-                "0.39",
-                "1.2.3.4.7",
-                "1.2.3.4.6",
-                "0.39.1",
-                "1.2.3.4.5",
-                "0.39.1.300"
-        };
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("List Sorting");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("Creating Unsorted Lists");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&list, plContext));
-        for (i = 0; i < size; i++) {
-                /* Create a new OID object */
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create(
-                                                testOIDString[i],
-                                                &testOID,
-                                                plContext));
-                /* Insert it into the list */
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                            (list, (PKIX_PL_Object*)testOID, plContext));
-                /* Decref the string object */
-                PKIX_TEST_DECREF_BC(testOID);
-        }
-
-        subTest("Outputting Unsorted List");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                            &testString,
-                                            plContext));
-        temp = PKIX_String2ASCII(testString, plContext);
-        if (temp){
-                (void) printf("%s \n", temp);
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-        PKIX_TEST_DECREF_BC(testString);
-
-        subTest("Performing Bubble Sort");
-
-        for (i = 0; i < size; i++)
-                for (j = 9; j > i; j--) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem(list, j, &obj, plContext));
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (list, j-1, &obj2, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare
-                                    (obj, obj2, &cmpResult, plContext));
-                        if (cmpResult < 0) {
-                                /* Exchange the items */
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                                            (list, j, obj2, plContext));
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem
-                                            (list, j-1, obj, plContext));
-                        }
-                        /* DecRef objects */
-                        PKIX_TEST_DECREF_BC(obj);
-                        PKIX_TEST_DECREF_BC(obj2);
-                }
-
-        subTest("Outputting Sorted List");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString((PKIX_PL_Object*)list,
-                                            &testString,
-                                            plContext));
-        temp = PKIX_String2ASCII(testString, plContext);
-        if (temp){
-                (void) printf("%s \n", temp);
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(testString);
-        PKIX_TEST_DECREF_AC(list);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("List Sorting");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_logger.c b/security/nss/cmd/libpkix/pkix/util/test_logger.c
deleted file mode 100644
index d481ab1a3..000000000
--- a/security/nss/cmd/libpkix/pkix/util/test_logger.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_logger.c
- *
- * Tests Logger Objects
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static char *levels[] = {
-        "None",
-        "Fatal Error",
-        "Error",
-        "Warning",
-        "Debug",
-        "Trace"
-};
-
-static
-PKIX_Error *testLoggerCallback(
-        PKIX_Logger *logger,
-        PKIX_PL_String *message,
-        PKIX_UInt32 logLevel,
-        PKIX_ERRORCLASS logComponent,
-        void *plContext)
-{
-        char *comp = NULL;
-        char *msg = NULL;
-        char result[100];
-        static int callCount = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        msg = PKIX_String2ASCII(message, plContext);
-        PR_snprintf(result, 100, "Logging %s (%s): %s",
-                levels[logLevel], PKIX_ERRORCLASSNAMES[logComponent], msg);
-        subTest(result);
-
-        callCount++;
-        if (callCount > 1) {
-                testError("Incorrect number of Logger Callback <expect 1>");
-        }
-
-cleanup:
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
-        PKIX_TEST_RETURN();
-}
-
-static
-PKIX_Error *testLoggerCallback2(
-        PKIX_Logger *logger,
-        PKIX_PL_String *message,
-        PKIX_UInt32 logLevel,
-        PKIX_ERRORCLASS logComponent,
-        void *plContext)
-{
-        char *comp = NULL;
-        char *msg = NULL;
-        char result[100];
-
-        PKIX_TEST_STD_VARS();
-
-        msg = PKIX_String2ASCII(message, plContext);
-        PR_snprintf(result, 100, "Logging %s (%s): %s",
-                levels[logLevel], PKIX_ERRORCLASSNAMES[logComponent], msg);
-        subTest(result);
-
-cleanup:
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(msg, plContext));
-        PKIX_TEST_RETURN();
-}
-
-static void
-createLogger(PKIX_Logger **logger,
-        PKIX_PL_Object *context,
-        PKIX_Logger_LogCallback cb)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_Create
-                (cb, context, logger, plContext));
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testContextCallback(PKIX_Logger *logger, PKIX_Logger *logger2)
-{
-        PKIX_Logger_LogCallback cb = NULL;
-        PKIX_PL_Object *context = NULL;
-        PKIX_Boolean cmpResult = PKIX_FALSE;
-        PKIX_UInt32 length;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_Logger_GetLoggerContext");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggerContext
-                (logger2, &context, plContext));
-
-        testEqualsHelper
-                ((PKIX_PL_Object *)logger, context, PKIX_TRUE, plContext);
-
-        subTest("PKIX_Logger_GetLogCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLogCallback
-                (logger, &cb, plContext));
-
-        if (cb != testLoggerCallback) {
-                testError("Incorrect Logger Callback returned");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(context);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testComponent(PKIX_Logger *logger)
-{
-        PKIX_ERRORCLASS compName = (PKIX_ERRORCLASS)NULL;
-        PKIX_ERRORCLASS compNameReturn = (PKIX_ERRORCLASS)NULL;
-        PKIX_Boolean cmpResult = PKIX_FALSE;
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_Logger_GetLoggingComponent");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggingComponent
-                (logger, &compName, plContext));
-
-        if (compName != (PKIX_ERRORCLASS)NULL) {
-                testError("Incorrect Logger Component returned. expect <NULL>");
-        }
-
-        subTest("PKIX_Logger_SetLoggingComponent");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
-                (logger, PKIX_LIST_ERROR, plContext));
-
-        subTest("PKIX_Logger_GetLoggingComponent");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetLoggingComponent
-                (logger, &compNameReturn, plContext));
-
-        if (compNameReturn != PKIX_LIST_ERROR) {
-                testError("Incorrect Logger Component returned.");
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testMaxLoggingLevel(PKIX_Logger *logger)
-{
-        PKIX_UInt32 level = 0;
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_Logger_GetMaxLoggingLevel");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetMaxLoggingLevel
-                (logger, &level, plContext));
-
-        if (level != 0) {
-                testError("Incorrect Logger MaxLoggingLevel returned");
-        }
-
-        subTest("PKIX_Logger_SetMaxLoggingLevel");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
-                (logger, 3, plContext));
-
-        subTest("PKIX_Logger_GetMaxLoggingLevel");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_GetMaxLoggingLevel
-                (logger, &level, plContext));
-
-        if (level != 3) {
-                testError("Incorrect Logger MaxLoggingLevel returned");
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testLogger(PKIX_Logger *logger, PKIX_Logger *logger2)
-{
-        PKIX_List *loggerList = NULL;
-        PKIX_List *checkList = NULL;
-        PKIX_UInt32 length;
-        PKIX_Boolean cmpResult = PKIX_FALSE;
-        char *expectedAscii = "[\n"
-                "\tLogger: \n"
-                "\tContext:          (null)\n"
-                "\tMaximum Level:    3\n"
-                "\tComponent Name:   LIST\n"
-                "]\n";
-
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_GetLoggers");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_GetLoggers(&loggerList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (loggerList, &length, plContext));
-        if (length != 0){
-                testError("Incorrect Logger List returned");
-        }
-        PKIX_TEST_DECREF_BC(loggerList);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&loggerList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (loggerList, (PKIX_PL_Object *) logger, plContext));
-
-        subTest("PKIX_SetLoggers");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_SetLoggers(loggerList, plContext));
-
-        subTest("PKIX_Logger_SetLoggingComponent");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetLoggingComponent
-                (logger2, PKIX_MUTEX_ERROR, plContext));
-
-        subTest("PKIX_Logger_SetMaxLoggingLevel");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Logger_SetMaxLoggingLevel
-                (logger2, 5, plContext));
-
-        subTest("PKIX_AddLogger");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_AddLogger(logger2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&checkList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (checkList, (PKIX_PL_Object *) logger, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (checkList, (PKIX_PL_Object *) logger2, plContext));
-
-        PKIX_TEST_DECREF_BC(loggerList);
-
-        subTest("PKIX_GetLoggers");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_GetLoggers(&loggerList, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (loggerList, &length, plContext));
-
-        subTest("pkix_Loggers_Equals");
-        testEqualsHelper
-                ((PKIX_PL_Object *) loggerList,
-                (PKIX_PL_Object *) checkList,
-                PKIX_TRUE,
-                plContext);
-
-        subTest("pkix_Loggers_Duplicate");
-        testDuplicateHelper((PKIX_PL_Object *)logger, plContext);
-
-        subTest("pkix_Loggers_Hashcode");
-        testHashcodeHelper((PKIX_PL_Object *) logger,
-                           (PKIX_PL_Object *) logger,
-                           PKIX_TRUE,
-                           plContext);
-
-        subTest("pkix_Loggers_ToString");
-        testToStringHelper((PKIX_PL_Object *) logger, expectedAscii, plContext);
-
-        subTest("PKIX Logger Callback");
-        subTest("Expect to have ***Fatal Error (List): Null argument*** once");
-        PKIX_TEST_EXPECT_ERROR(PKIX_List_AppendItem
-                (NULL, (PKIX_PL_Object *) NULL, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(loggerList);
-        PKIX_TEST_DECREF_AC(checkList);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(PKIX_Logger *logger)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(logger);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_logger(int argc, char *argv[]) {
-
-        PKIX_Logger *logger, *logger2;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Loggers");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_Logger_Create");
-        createLogger(&logger, NULL, testLoggerCallback);
-        createLogger(&logger2, (PKIX_PL_Object *)logger, testLoggerCallback2);
-
-        subTest("Logger Context and Callback");
-        testContextCallback(logger, logger2);
-
-        subTest("Logger Component");
-        testComponent(logger);
-
-        subTest("Logger MaxLoggingLevel");
-        testMaxLoggingLevel(logger);
-
-        subTest("Logger List operations");
-        testLogger(logger, logger2);
-
-        subTest("PKIX_Logger_Destroy");
-        testDestroy(logger);
-        testDestroy(logger2);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Loggers");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/Makefile b/security/nss/cmd/libpkix/pkix_pl/Makefile
deleted file mode 100755
index 2b004b29e..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
-
diff --git a/security/nss/cmd/libpkix/pkix_pl/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/manifest.mn
deleted file mode 100755
index 836b74316..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/manifest.mn
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ./..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-DIRS =  module  pki  system \
-	$(NULL)
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/Makefile b/security/nss/cmd/libpkix/pkix_pl/module/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn
deleted file mode 100755
index 42edb9d62..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_colcertstore.c \
-	test_ekuchecker.c \
-	test_pk11certstore.c \
-	test_socket.c \
-	test_httpcertstore.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolmodule
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c
deleted file mode 100644
index 5e3316c9b..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/test_colcertstore.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_colcertstore.c
- *
- * Test CollectionCertStore Type
- *
- */
-
-#include "testutil.h"
-
-#include "testutil_nss.h"
-
-/* When CRL IDP is supported, change NUM_CRLS to 9 */
-#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS 4
-#define PKIX_TEST_COLLECTIONCERTSTORE_NUM_CERTS 15
-
-static void *plContext = NULL;
-
-static PKIX_Error *
-testCRLSelectorMatchCallback(
-        PKIX_CRLSelector *selector,
-        PKIX_PL_CRL *crl,
-	PKIX_Boolean *pMatch,
-        void *plContext)
-{
-	*pMatch = PKIX_TRUE;
-
-        return (0);
-}
-
-static PKIX_Error *
-testCertSelectorMatchCallback(
-        PKIX_CertSelector *selector,
-        PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
-        void *plContext)
-{
-        *pResult = PKIX_TRUE;
-
-        return (0);
-}
-
-static PKIX_Error *
-getCertCallback(
-        PKIX_CertStore *store,
-        PKIX_CertSelector *certSelector,
-        PKIX_List **pCerts,
-        void *plContext)
-{
-        return (0);
-}
-
-static char *catDirName(char *platform, char *dir, void *plContext)
-{
-        char *pathName = NULL;
-        PKIX_UInt32 dirLen;
-        PKIX_UInt32 platformLen;
-
-        PKIX_TEST_STD_VARS();
-
-        dirLen = PL_strlen(dir);
-        platformLen = PL_strlen(platform);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (platformLen + dirLen + 2, (void **)&pathName, plContext));
-
-        PL_strcpy(pathName, platform);
-        PL_strcat(pathName, "/");
-        PL_strcat(pathName, dir);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (pathName);
-}
-
-static 
-void testGetCRL(char *crlDir)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CRLCallback crlCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CRLSelector *crlSelector = NULL;
-        PKIX_List *crlList = NULL;
-        PKIX_UInt32 numCrl = 0;
-	void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    crlDir,
-                                    0,
-                                    &dirString,
-                                    plContext));
-
-        subTest("PKIX_PL_CollectionCertStore_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirString,
-                                    &certStore,
-                                    plContext));
-
-        subTest("PKIX_CRLSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                                    (testCRLSelectorMatchCallback,
-                                    NULL,
-                                    &crlSelector,
-                                    plContext));
-
-        subTest("PKIX_CertStore_GetCRLCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-                                    (certStore, &crlCallback, NULL));
-
-        subTest("Getting data from CRL Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(crlCallback
-                                    (certStore,
-                                    crlSelector,
-                                    &nbioContext,
-                                    &crlList,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (crlList,
-                                    &numCrl,
-                                    plContext));
-
-        if (numCrl != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CRLS) {
-                pkixTestErrorMsg = "unexpected CRL number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(crlList);
-        PKIX_TEST_DECREF_AC(crlSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void testGetCert(char *certDir)
-{
-        PKIX_PL_String *dirString = NULL;
-        PKIX_CertStore_CertCallback certCallback;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 numCert = 0;
-	void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    certDir,
-                                    0,
-                                    &dirString,
-                                    plContext));
-
-        subTest("PKIX_PL_CollectionCertStore_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                                    (dirString,
-                                    &certStore,
-                                    plContext));
-
-        subTest("PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                                    (testCertSelectorMatchCallback,
-                                    NULL,
-                                    &certSelector,
-                                    plContext));
-
-        subTest("PKIX_CertStore_GetCertCallback");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                                    (certStore, &certCallback, NULL));
-
-        subTest("Getting data from Cert Callback");
-        PKIX_TEST_EXPECT_NO_ERROR(certCallback
-                                    (certStore,
-                                    certSelector,
-                                    &nbioContext,
-                                    &certList,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (certList,
-                                    &numCert,
-                                    plContext));
-
-        if (numCert != PKIX_TEST_COLLECTIONCERTSTORE_NUM_CERTS) {
-                pkixTestErrorMsg = "unexpected Cert number mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dirString);
-        PKIX_TEST_DECREF_AC(certList);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certStore);
-
-        PKIX_TEST_RETURN();
-}
-
-static void printUsage(char *pName){
-        printf("\nUSAGE: %s test-purpose <data-dir> <platform-dir>\n\n", pName);
-}
-
-/* Functional tests for CollectionCertStore public functions */
-
-int test_colcertstore(int argc, char *argv[]) {
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *platformDir = NULL;
-        char *dataDir = NULL;
-        char *combinedDir = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CollectionCertStore");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < (3 + j)) {
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        dataDir = argv[2 + j];
-        platformDir = argv[3 + j];
-	combinedDir = catDirName(platformDir, dataDir, plContext);
-
-        testGetCRL(combinedDir);
-        testGetCert(combinedDir);
-
-cleanup:
-
-        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CollectionCertStore");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c b/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c
deleted file mode 100644
index 0a6e7e8fb..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/test_ekuchecker.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_ekuchecker.c
- *
- * Test Extend Key Usage Checker
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-#define PKIX_TEST_MAX_CERTS     10
-
-static void *plContext = NULL;
-
-static 
-void printUsage1(char *pName){
-        printf("\nUSAGE: %s test-purpose [ENE|EE] ", pName);
-        printf("[E]oid[,oid]* <data-dir> cert [certs].\n");
-}
-
-static void printUsageMax(PKIX_UInt32 numCerts){
-        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
-                numCerts, PKIX_TEST_MAX_CERTS);
-}
-
-static PKIX_Error *
-testCertSelectorMatchCallback(
-        PKIX_CertSelector *selector,
-        PKIX_PL_Cert *cert,
-        PKIX_Boolean *pResult,
-        void *plContext)
-{
-        *pResult = PKIX_TRUE;
-
-        return (0);
-}
-
-static PKIX_Error *
-testEkuSetup(
-        PKIX_ValidateParams *valParams,
-        char *ekuOidString,
-        PKIX_Boolean *only4EE)
-{
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_List *ekuList = NULL;
-        PKIX_PL_OID *ekuOid = NULL;
-        PKIX_ComCertSelParams *selParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_Boolean last_token = PKIX_FALSE;
-        PKIX_UInt32 i, tokeni;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_ValidateParams_GetProcessingParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                                    (valParams, &procParams, plContext));
-
-        /* Get extended key usage OID(s) from command line, separated by ","  */
-
-        if (ekuOidString[0] == '"') {
-                /* erase doble quotes, if any */
-                i = 1;
-                while (ekuOidString[i] != '"' && ekuOidString[i] != '\0') {
-                        ekuOidString[i-1] = ekuOidString[i];
-                        i++;
-                }
-                ekuOidString[i-1] = '\0';
-        }
-
-        if (ekuOidString[0] == '\0') {
-                ekuList = NULL;
-        } else {
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create
-                        (&ekuList, plContext));
-
-                /* if OID string start with E, only check for last cert */
-                if (ekuOidString[0] == 'E') {
-                        *only4EE = PKIX_TRUE;
-                        tokeni = 2;
-                        i = 1;
-                } else {
-                        *only4EE = PKIX_FALSE;
-                        tokeni = 1;
-                        i = 0;
-                }
-
-                while (last_token != PKIX_TRUE) {
-                    while (ekuOidString[tokeni] != ',' &&
-                            ekuOidString[tokeni] != '\0') {
-                        tokeni++;
-                    }
-                    if (ekuOidString[tokeni] == '\0') {
-                        last_token = PKIX_TRUE;
-                    } else {
-                        ekuOidString[tokeni] = '\0';
-                        tokeni++;
-                    }
-
-                    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
-                        (&ekuOidString[i], &ekuOid, plContext));
-
-                    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                            (ekuList, (PKIX_PL_Object *)ekuOid, plContext));
-
-                    PKIX_TEST_DECREF_BC(ekuOid);
-                    i = tokeni;
-
-                }
-
-        }
-
-        /* Set extended key usage link to processing params */
-
-        subTest("PKIX_ComCertSelParams_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                        (&selParams, plContext));
-
-        subTest("PKIX_ComCertSelParams_SetExtendedKeyUsage");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetExtendedKeyUsage
-                        (selParams, ekuList, plContext));
-
-        subTest("PKIX_CertSelector_Create");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                        (testCertSelectorMatchCallback,
-                        NULL,
-                        &certSelector,
-                        plContext));
-
-        subTest("PKIX_CertSelector_SetCommonCertSelectorParams");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                        (certSelector, selParams, plContext));
-
-        subTest("PKIX_ProcessingParams_SetTargetCertConstraints");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetTargetCertConstraints
-                        (procParams, certSelector, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(selParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(ekuOid);
-        PKIX_TEST_DECREF_AC(ekuList);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-static PKIX_Error *
-testEkuChecker(
-        PKIX_ValidateParams *valParams,
-        PKIX_Boolean only4EE)
-{
-        PKIX_ProcessingParams *procParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_GetProcessingParams
-                                    (valParams, &procParams, plContext));
-
-        subTest("PKIX_ProcessingParams_SetRevocationEnabled - disable");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                                    (procParams, PKIX_FALSE, plContext));
-
-        if (only4EE == PKIX_FALSE) {
-                subTest("PKIX_PL_EkuChecker_Create");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_EkuChecker_Create
-                                    (procParams, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(procParams);
-
-        PKIX_TEST_RETURN();
-
-        return (0);
-}
-
-int test_ekuchecker(int argc, char *argv[]){
-        PKIX_List *chain = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        char *certNames[PKIX_TEST_MAX_CERTS];
-        char *dirName = NULL;
-        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean testValid = PKIX_FALSE;
-        PKIX_Boolean only4EE = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 5) {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        startTests("EKU Checker");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ENE = expect no error; EE = expect error */
-        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
-                testValid = PKIX_TRUE;
-        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
-                testValid = PKIX_FALSE;
-        } else {
-                printUsage1(argv[0]);
-                return (0);
-        }
-
-        dirName = argv[4+j];
-
-        chainLength = (argc - j) - 6;
-        if (chainLength > PKIX_TEST_MAX_CERTS) {
-                printUsageMax(chainLength);
-        }
-
-        for (i = 0; i < chainLength; i++) {
-
-                certNames[i] = argv[6+i+j];
-                certs[i] = NULL;
-        }
-
-        subTest(argv[1+j]);
-
-        subTest("Extended-Key-Usage-Checker");
-
-        subTest("Extended-Key-Usage-Checker - Create Cert Chain");
-
-        chain = createCertChainPlus
-                (dirName, certNames, certs, chainLength, plContext);
-
-        subTest("Extended-Key-Usage-Checker - Create Params");
-
-        valParams = createValidateParams
-                (dirName,
-                argv[5+j],
-                NULL,
-                NULL,
-                NULL,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                PKIX_FALSE,
-                chain,
-                plContext);
-
-        subTest("Default CertStore");
-
-        testEkuSetup(valParams, argv[3+j], &only4EE);
-
-        testEkuChecker(valParams, only4EE);
-
-        subTest("Extended-Key-Usage-Checker - Validate Chain");
-
-        if (testValid == PKIX_TRUE) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
-                                    (valParams, &valResult, NULL, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR(PKIX_ValidateChain
-                                    (valParams, &valResult, NULL, plContext));
-        }
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(chain);
-        PKIX_TEST_DECREF_AC(valParams);
-        PKIX_TEST_DECREF_AC(valResult);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("EKU Checker");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c
deleted file mode 100644
index 6a45c4776..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/test_httpcertstore.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * test_httpcertstore.c
- *
- * Test Httpcertstore Type
- *
- * Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *   1. Redistribution of source code must retain the above copyright notice,
- *      this list of conditions and the following disclaimer.
- *
- *   2. Redistribution in binary form must reproduce the above copyright
- *      notice, this list of conditions and the following disclaimer in the
- *      documentation and/or other materials provided with the distribution.
- *
- * Neither the name of Sun Microsystems, Inc. or the names of contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * This software is provided "AS IS," without a warranty of any kind. ALL
- * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
- * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
- * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
- * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
- * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
- * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
- * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
- * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
- * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
- * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
- * You acknowledge that this software is not designed or intended for use in
- * the design, construction, operation or maintenance of any nuclear facility.
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-#include "pkix_pl_common.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(char *testname) 
-{
-        char *fmt =
-		"USAGE: %s [-arenas] certDir certName\n";
-        printf(fmt, "test_httpcertstore");
-}
-
-/* Functional tests for Socket public functions */
-static
-void do_other_work(void) { /* while waiting for nonblocking I/O to complete */
-        (void) PR_Sleep(2*60);
-}
-
-PKIX_Error *
-PKIX_PL_HttpCertStore_Create(
-        PKIX_PL_HttpClient *client, /* if NULL, use default Client */
-        PKIX_PL_GeneralName *location,
-        PKIX_CertStore **pCertStore,
-        void *plContext);
-
-PKIX_Error *
-pkix_pl_HttpCertStore_CreateWithAsciiName(
-        PKIX_PL_HttpClient *client, /* if NULL, use default Client */
-        char *location,
-        PKIX_CertStore **pCertStore,
-        void *plContext);
-
-static PKIX_Error *
-getLocation(
-	PKIX_PL_Cert *certWithAia,
-	PKIX_PL_GeneralName **pLocation,
-	void *plContext)
-{
-	PKIX_List *aiaList = NULL;
-	PKIX_UInt32 size = 0;
-        PKIX_PL_InfoAccess *aia = NULL;
-        PKIX_UInt32 iaType = PKIX_INFOACCESS_LOCATION_UNKNOWN;
-	PKIX_PL_GeneralName *location = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Getting Authority Info Access");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
-                (certWithAia, &aiaList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (aiaList, &size, plContext));
-
-        if (size != 1) {
-                pkixTestErrorMsg = "unexpected number of AIA";
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (aiaList, 0, (PKIX_PL_Object **) &aia, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocationType
-                (aia, &iaType, plContext));
-
-        if (iaType != PKIX_INFOACCESS_LOCATION_HTTP) {
-                pkixTestErrorMsg = "unexpected location type in AIA";
-                goto cleanup;
-
-	}
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocation
-                (aia, &location, plContext));
-
-	*pLocation = location;
-
-cleanup:
-	PKIX_TEST_DECREF_AC(aiaList);
-	PKIX_TEST_DECREF_AC(aia);
-
-        PKIX_TEST_RETURN();
-
-        return (NULL);
-}
-
-int test_httpcertstore(int argc, char *argv[]) 
-{
-
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 numCerts = 0;
-        PKIX_UInt32 numCrls = 0;
-        int j = 0;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 length = 0;
-
-        char *certName = NULL;
-        char *certDir = NULL;
-	PKIX_PL_Cert *cmdLineCert = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-	PKIX_CertStore *certStore = NULL;
-	PKIX_CertStore *crlStore = NULL;
-	PKIX_PL_GeneralName *location = NULL;
-	PKIX_CertStore_CertCallback getCerts = NULL;
-	PKIX_List *certs = NULL;
-        char *asciiResult = NULL;
-	void *nbio = NULL;
-
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_CRLSelector *crlSelector = NULL;
-	char *crlLocation = "http://betty.nist.gov/pathdiscoverytestsuite/CRL"
-		"files/BasicHTTPURIPeer2CACRL.crl";
-	PKIX_CertStore_CRLCallback getCrls = NULL;
-	PKIX_List *crls = NULL;
-	PKIX_PL_String *crlString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("HttpCertStore");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc != (j + 3)) {
-                printUsage(argv[0]);
-                pkixTestErrorMsg = "Missing command line argument.";
-                goto cleanup;
-        }
-
-	certDir = argv[++j];
-	certName = argv[++j];
-
-	cmdLineCert = createCert(certDir, certName, plContext);
-	if (cmdLineCert == NULL) {
-                pkixTestErrorMsg = "Unable to create Cert";
-		goto cleanup;
-	}
-
-        /* muster arguments to create HttpCertStore */
-	PKIX_TEST_EXPECT_NO_ERROR(getLocation
-		(cmdLineCert, &location, plContext));
-
-	if (location == NULL) {
-                pkixTestErrorMsg = "Give me a cert with an HTTP URI!";
-                goto cleanup;
-	}
-
-        /* create HttpCertStore */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HttpCertStore_Create
-                (NULL, location, &certStore, plContext));
-
-	/* get the GetCerts callback */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-		(certStore, &getCerts, plContext));
-
-	/* create a CertSelector */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-	/* Get the certs */
-	PKIX_TEST_EXPECT_NO_ERROR(getCerts
-		(certStore, certSelector, &nbio, &certs, plContext));
-
-	while (nbio != NULL) {
-		/* poll for a completion */
-
-		PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_CertContinue
-			(certStore, certSelector, &nbio, &certs, plContext));
-	}
-
-        if (certs) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-		if (numCerts == 0) {
-			printf("HttpCertStore returned an empty Cert list\n");
-			goto cleanup;
-		}
-
-                for (i = 0; i < numCerts; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (certs,
-                                i,
-                                (PKIX_PL_Object**)&cert,
-                                plContext));
-
-                        asciiResult = PKIX_Cert2ASCII(cert);
-
-                        printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                        /* PKIX_Cert2ASCII used PKIX_PL_Malloc(...,,NULL) */
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, NULL));
-                        asciiResult = NULL;
-
-                        PKIX_TEST_DECREF_BC(cert);
-                }
-	} else {
-		printf("HttpCertStore returned a NULL Cert list\n");
-	}
-
-        /* create HttpCertStore */
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_HttpCertStore_CreateWithAsciiName
-                (NULL, crlLocation, &crlStore, plContext));
-
-	/* get the GetCrls callback */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-		(crlStore, &getCrls, plContext));
-
-	/* create a CrlSelector */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                (NULL, NULL, &crlSelector, plContext));
-
-	/* Get the crls */
-	PKIX_TEST_EXPECT_NO_ERROR(getCrls
-		(crlStore, crlSelector, &nbio, &crls, plContext));
-
-	while (nbio != NULL) {
-		/* poll for a completion */
-
-		PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_CrlContinue
-			(crlStore, crlSelector, &nbio, &crls, plContext));
-	}
-
-        if (crls) {
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetLength(crls, &numCrls, plContext));
-
-		if (numCrls == 0) {
-			printf("HttpCertStore returned an empty CRL list\n");
-			goto cleanup;
-		}
-
-                for (i = 0; i < numCrls; i++) {
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_List_GetItem
-                                (crls,
-                                i,
-                                (PKIX_PL_Object**)&crl,
-                                plContext));
-
-			PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString(
-                                (PKIX_PL_Object *)crl,
-                                &crlString,
-                                plContext));
-
-	                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded
-                                (crlString,
-                                PKIX_ESCASCII,
-                                (void **)&asciiResult,
-                                &length,
-                                plContext));
-
-                        printf("CRL[%d]:\n%s\n", i, asciiResult);
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_Free(asciiResult, plContext));
-        		PKIX_TEST_DECREF_BC(crlString);
-                        PKIX_TEST_DECREF_BC(crl);
-                }
-	} else {
-		printf("HttpCertStore returned a NULL CRL list\n");
-	}
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(cert);
-	PKIX_TEST_DECREF_AC(cmdLineCert);
-	PKIX_TEST_DECREF_AC(certStore);
-	PKIX_TEST_DECREF_AC(crlStore);
-	PKIX_TEST_DECREF_AC(location);
-	PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(crl);
-        PKIX_TEST_DECREF_AC(crlString);
-	PKIX_TEST_DECREF_AC(crls);
-
-        PKIX_TEST_RETURN();
-
-        endTests("HttpDefaultClient");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c b/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c
deleted file mode 100644
index a2f54aec9..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/test_pk11certstore.c
+++ /dev/null
@@ -1,664 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_pk11certstore.c
- *
- * Test Pk11CertStore Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-
-static void *plContext = NULL;
-
-/*
- * This function creates a certSelector with ComCertSelParams set up to
- * select entries whose Subject Name matches that in the given Cert and
- * whose validity window includes the Date specified by "validityDate".
- */
-static
-void test_makeSubjectCertSelector(
-        PKIX_PL_Cert *certNameToMatch,
-        PKIX_PL_Date *validityDate,
-        PKIX_CertSelector **pSelector,
-        void *plContext)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *subjParams = NULL;
-        PKIX_PL_X500Name *subjectName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&subjParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (certNameToMatch, &subjectName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
-                (subjParams, subjectName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetCertificateValid
-                (subjParams, validityDate, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, subjParams, plContext));
-        *pSelector = selector;
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(subjParams);
-        PKIX_TEST_DECREF_AC(subjectName);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function creates a certSelector with ComCertSelParams set up to
- * select entries containing a Basic Constraints extension with a path
- * length of at least the specified "minPathLength".
- */
-static 
-void test_makePathCertSelector(
-        PKIX_Int32 minPathLength,
-        PKIX_CertSelector **pSelector,
-        void *plContext)
-{
-        PKIX_CertSelector *selector = NULL;
-        PKIX_ComCertSelParams *pathParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_Create
-                (&pathParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetBasicConstraints
-                (pathParams, minPathLength, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_SetCommonCertSelectorParams
-                (selector, pathParams, plContext));
-        *pSelector = selector;
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(pathParams);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function reads a directory-file cert specified by "desiredSubjectCert",
- * and decodes the SubjectName. It uses that name to set up the CertSelector
- * for a Subject Name match, and then queries the database for matching entries.
- * It is intended to test a "smart" database query.
- */
-static
-void testMatchCertSubject(
-        char *crlDir,
-        char *desiredSubjectCert,
-        char *expectedAscii,
-        PKIX_PL_Date *validityDate,
-        void *plContext)
-{
-        PKIX_UInt32 numCert = 0;
-        PKIX_PL_Cert *certWithDesiredSubject = NULL;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_CertStore_CertCallback getCert = NULL;
-	void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certWithDesiredSubject = createCert
-                (crlDir, desiredSubjectCert, plContext);
-
-        test_makeSubjectCertSelector
-                (certWithDesiredSubject,
-                validityDate,
-                &certSelector,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                (&certStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &getCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(getCert
-                (certStore,
-		certSelector,
-		&nbioContext,
-		&certList,
-		plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (certList, &numCert, plContext));
-
-        if (numCert > 0) {
-                /* List should be immutable */
-                PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem
-                (certList, 0, plContext));
-        }
-
-        if (expectedAscii) {
-                testToStringHelper
-                        ((PKIX_PL_Object *)certList, expectedAscii, plContext);
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(certWithDesiredSubject);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certList);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function uses the minimum path length specified by "minPath" to set up
- * a CertSelector for a BasicConstraints match, and then queries the database
- * for matching entries. It is intended to test the case where there
- * is no "smart" database query, so the database will be asked for all
- * available certs and the filtering will be done by the interaction of the
- * certstore and the selector.
- */
-static 
-void testMatchCertMinPath(
-        PKIX_Int32 minPath,
-        char *expectedAscii,
-        void *plContext)
-{
-        PKIX_CertStore *certStore = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_List *certList = NULL;
-        PKIX_CertStore_CertCallback getCert = NULL;
-	void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Searching Certs for minPath");
-
-        test_makePathCertSelector
-                (minPath, &certSelector, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                (&certStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCertCallback
-                (certStore, &getCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(getCert
-                (certStore,
-		certSelector,
-		&nbioContext,
-		&certList,
-		plContext));
-
-        if (expectedAscii) {
-                testToStringHelper
-                        ((PKIX_PL_Object *)certList, expectedAscii, plContext);
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(certList);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function creates a crlSelector with ComCrlSelParams set up to
- * select entries whose Issuer Name matches that in the given Crl.
- */
-static
-void test_makeIssuerCRLSelector(
-        PKIX_PL_CRL *crlNameToMatch,
-        PKIX_CRLSelector **pSelector,
-        void *plContext)
-{
-        PKIX_CRLSelector *selector = NULL;
-        PKIX_ComCRLSelParams *issuerParams = NULL;
-        PKIX_PL_X500Name *issuerName = NULL;
-        PKIX_List *names = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                (&issuerParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetIssuer
-                (crlNameToMatch, &issuerName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&names, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (names, (PKIX_PL_Object *)issuerName, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetIssuerNames
-                (issuerParams, names, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CRLSelector_SetCommonCRLSelectorParams
-                (selector, issuerParams, plContext));
-        *pSelector = selector;
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(issuerParams);
-        PKIX_TEST_DECREF_AC(issuerName);
-        PKIX_TEST_DECREF_AC(names);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function creates a crlSelector with ComCrlSelParams set up to
- * select entries that would be valid at the Date specified by the Date
- * criterion.
- */
-static 
-void test_makeDateCRLSelector(
-        PKIX_PL_Date *dateToMatch,
-        PKIX_CRLSelector **pSelector,
-        void *plContext)
-{
-        PKIX_CRLSelector *selector = NULL;
-        PKIX_ComCRLSelParams *dateParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CRLSelector_Create
-                (NULL, NULL, &selector, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_Create
-                (&dateParams, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCRLSelParams_SetDateAndTime
-                (dateParams, dateToMatch, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CRLSelector_SetCommonCRLSelectorParams
-                (selector, dateParams, plContext));
-        *pSelector = selector;
-
-cleanup:
-        PKIX_TEST_DECREF_AC(dateParams);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function reads a directory-file crl specified by "desiredIssuerCrl",
- * and decodes the IssuerName. It uses that name to set up the CrlSelector
- * for a Issuer Name match, and then queries the database for matching entries.
- * It is intended to test the case of a "smart" database query.
- */
-static 
-void testMatchCrlIssuer(
-        char *crlDir,
-        char *desiredIssuerCrl,
-        char *expectedAscii,
-        void *plContext)
-{
-        PKIX_UInt32 numCrl = 0;
-        PKIX_PL_CRL *crlWithDesiredIssuer = NULL;
-        PKIX_CertStore *crlStore = NULL;
-        PKIX_CRLSelector *crlSelector = NULL;
-        PKIX_List *crlList = NULL;
-        PKIX_CertStore_CRLCallback getCrl = NULL;
-	void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Searching CRLs for matching Issuer");
-
-        crlWithDesiredIssuer = createCRL(crlDir, desiredIssuerCrl, plContext);
-
-        test_makeIssuerCRLSelector
-                (crlWithDesiredIssuer, &crlSelector, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                (&crlStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-                (crlStore, &getCrl, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(getCrl
-                (crlStore,
-		crlSelector,
-                &nbioContext,
-		&crlList,
-		plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (crlList, &numCrl, plContext));
-
-        if (numCrl > 0) {
-                /* List should be immutable */
-                PKIX_TEST_EXPECT_ERROR(PKIX_List_DeleteItem
-                (crlList, 0, plContext));
-        }
-
-        if (expectedAscii) {
-                testToStringHelper
-                        ((PKIX_PL_Object *)crlList, expectedAscii, plContext);
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(crlWithDesiredIssuer);
-        PKIX_TEST_DECREF_AC(crlStore);
-        PKIX_TEST_DECREF_AC(crlSelector);
-        PKIX_TEST_DECREF_AC(crlList);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * This function uses the date specified by "matchDate" to set up the
- * CrlSelector for a Date match. It is intended to test the case where there
- * is no "smart" database query, so the CertStore should throw an error
- * rather than ask the database for all available CRLs and then filter the
- * results using the selector.
- */
-static 
-void testMatchCrlDate(
-        char *dateMatch,
-        char *expectedAscii,
-        void *plContext)
-{
-        PKIX_PL_Date *dateCriterion = NULL;
-        PKIX_CertStore *crlStore = NULL;
-        PKIX_CRLSelector *crlSelector = NULL;
-        PKIX_List *crlList = NULL;
-        PKIX_CertStore_CRLCallback getCrl = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("Searching CRLs for matching Date");
-
-        dateCriterion = createDate(dateMatch, plContext);
-        test_makeDateCRLSelector(dateCriterion, &crlSelector, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Pk11CertStore_Create
-                (&crlStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertStore_GetCRLCallback
-                (crlStore, &getCrl, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(getCrl
-                (crlStore, crlSelector, NULL, &crlList, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(dateCriterion);
-        PKIX_TEST_DECREF_AC(crlStore);
-        PKIX_TEST_DECREF_AC(crlSelector);
-        PKIX_TEST_DECREF_AC(crlList);
-
-        PKIX_TEST_RETURN();
-}
-
-static 
-void printUsage(char *pName){
-        printf("\nUSAGE: %s <-d data-dir> <database-dir>\n\n", pName);
-}
-
-/* Functional tests for Pk11CertStore public functions */
-
-int test_pk11certstore(int argc, char *argv[]) {
-
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_PL_Date *validityDate = NULL;
-        PKIX_PL_Date *betweenDate = NULL;
-        char *crlDir = NULL;
-        char *expectedProfAscii = "([\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    00ca\n"
-                "\tIssuer:          CN=chemistry,O=mit,C=us\n"
-                "\tSubject:         CN=prof noall,O=mit,C=us\n"
-                "\tValidity: [From: Fri Feb 11 14:14:06 2005\n"
-                "\t           To:   Mon Jan 18, 2105]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(6)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ", [\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    03\n"
-                "\tIssuer:          CN=physics,O=mit,C=us\n"
-                "\tSubject:         CN=prof noall,O=mit,C=us\n"
-                "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
-                "\t           To:   Mon Jan 18, 2105]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ")";
-        char *expectedValidityAscii = "([\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    03\n"
-                "\tIssuer:          CN=physics,O=mit,C=us\n"
-                "\tSubject:         CN=prof noall,O=mit,C=us\n"
-                "\tValidity: [From: Fri Feb 11 12:52:26 2005\n"
-                "\t           To:   Mon Jan 18, 2105]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ")";
-        char *expectedMinPathAscii = "([\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    01\n"
-                "\tIssuer:          CN=science,O=mit,C=us\n"
-                "\tSubject:         CN=science,O=mit,C=us\n"
-                "\tValidity: [From: Fri Feb 11 12:47:58 2005\n"
-                "\t           To:   Mon Jan 18, 2105]\n"
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(10)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "]\n"
-                ")";
-        char *expectedIssuerAscii = "([\n"
-                "\tVersion:         v2\n"
-                "\tIssuer:          CN=physics,O=mit,C=us\n"
-                "\tUpdate:   [Last: Fri Feb 11 13:51:38 2005\n"
-                "\t           Next: Mon Jan 18, 2105]\n"
-                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
-                "\tCRL Number     : (null)\n"
-                "\n"
-                "\tEntry List:      (\n"
-                "\t[\n"
-                "\tSerialNumber:    67\n"
-                "\tReasonCode:      257\n"
-                "\tRevocationDate:  Fri Feb 11 13:51:38 2005\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n"
-                "\t)\n"
-                "\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "]\n"
-                ")";
-        char *expectedDateAscii = "([\n"
-                "\tVersion:         v2\n"
-                "\tIssuer:          CN=science,O=mit,C=us\n"
-                "\tUpdate:   [Last: Fri Feb 11 13:34:40 2005\n"
-                "\t           Next: Mon Jan 18, 2105]\n"
-                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
-                "\tCRL Number     : (null)\n"
-                "\n"
-                "\tEntry List:      (\n"
-                "\t[\n"
-                "\tSerialNumber:    65\n"
-                "\tReasonCode:      260\n"
-                "\tRevocationDate:  Fri Feb 11 13:34:40 2005\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n"
-                "\t)\n"
-                "\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "]\n"
-                ", [\n"
-                "\tVersion:         v2\n"
-                "\tIssuer:          CN=testing CRL,O=test,C=us\n"
-                "\tUpdate:   [Last: Fri Feb 11 13:14:38 2005\n"
-                "\t           Next: Mon Jan 18, 2105]\n"
-                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
-                "\tCRL Number     : (null)\n"
-                "\n"
-                "\tEntry List:      (\n"
-                "\t[\n"
-                "\tSerialNumber:    67\n"
-                "\tReasonCode:      258\n"
-                "\tRevocationDate:  Fri Feb 11 13:14:38 2005\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n"
-                "\t)\n"
-                "\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "]\n"
-                ")";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Pk11CertStore");
-
-        if (argc < 3) {
-                printUsage(argv[0]);
-                return (0);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        crlDir = argv[j+2];
-
-        /* Two certs for prof should be valid now */
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Date_CreateFromPRTime
-                (PR_Now(), &validityDate, plContext));
-
-        subTest("Searching Certs for Subject");
-
-        testMatchCertSubject
-                (crlDir,
-                "phy2prof.crt",
-                NULL, /* expectedProfAscii, */
-                validityDate,
-                plContext);
-
-        /* One of the certs was not yet valid at this time. */
-        betweenDate = createDate("050210184000Z", plContext);
-
-        subTest("Searching Certs for Subject and Validity");
-
-        testMatchCertSubject
-                (crlDir,
-                "phy2prof.crt",
-                NULL, /* expectedValidityAscii, */
-                betweenDate,
-                plContext);
-
-        testMatchCertMinPath
-                (9,
-                NULL, /* expectedMinPathAscii, */
-        	plContext);
-
-        testMatchCrlIssuer
-                (crlDir,
-                "phys.crl",
-                NULL, /* expectedIssuerAscii, */
-                plContext);
-
-        testMatchCrlDate
-                ("050211184000Z",
-                NULL, /* expectedDateAscii, */
-                plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(validityDate);
-        PKIX_TEST_DECREF_AC(betweenDate);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Pk11CertStore");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c b/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
deleted file mode 100644
index 8e25c144b..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
+++ /dev/null
@@ -1,600 +0,0 @@
-/*
- * test_socket.c
- *
- * Test Socket Type
- *
- * Copyright 2004-2005 Sun Microsystems, Inc.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *   1. Redistribution of source code must retain the above copyright notice,
- *      this list of conditions and the following disclaimer.
- *
- *   2. Redistribution in binary form must reproduce the above copyright
- *      notice, this list of conditions and the following disclaimer in the
- *      documentation and/or other materials provided with the distribution.
- *
- * Neither the name of Sun Microsystems, Inc. or the names of contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * This software is provided "AS IS," without a warranty of any kind. ALL
- * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
- * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
- * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
- * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
- * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
- * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
- * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
- * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
- * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
- * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
- * You acknowledge that this software is not designed or intended for use in
- * the design, construction, operation or maintenance of any nuclear facility.
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-#include "pkix_pl_common.h"
-
-#define LDAP_PORT 389
-
-static void *plContext = NULL;
-
-typedef enum {
-        SERVER_LISTENING,
-        SERVER_RECV1,
-        SERVER_POLL1,
-        SERVER_SEND2,
-        SERVER_POLL2,
-        SERVER_RECV3,
-        SERVER_POLL3,
-        SERVER_SEND4,
-        SERVER_POLL4,
-        SERVER_DONE,
-        SERVER_FAILED
-} SERVER_STATE;
-
-typedef enum {
-        CLIENT_WAITFORCONNECT,
-        CLIENT_SEND1,
-        CLIENT_POLL1,
-        CLIENT_RECV2,
-        CLIENT_POLL2,
-        CLIENT_SEND3,
-        CLIENT_POLL3,
-        CLIENT_RECV4,
-        CLIENT_POLL4,
-        CLIENT_DONE,
-        CLIENT_FAILED
-} CLIENT_STATE;
-
-SERVER_STATE serverState;
-CLIENT_STATE clientState;
-PKIX_PL_Socket *sSock = NULL;
-PKIX_PL_Socket *cSock = NULL;
-PKIX_PL_Socket *rendezvousSock = NULL;
-PKIX_PL_Socket_Callback *sCallbackList;
-PKIX_PL_Socket_Callback *cCallbackList;
-PKIX_PL_Socket_Callback *rvCallbackList;
-PRNetAddr serverNetAddr;
-PRNetAddr clientNetAddr;
-PRIntn backlog = 0;
-PRIntervalTime timeout = 0;
-char *sendBuf1 = "Hello, world!";
-char *sendBuf2 = "Ack";
-char *sendBuf3 = "What do you mean, \"Ack\"?";
-char *sendBuf4 = "What do you mean, \"What do you mean, \'Ack\'?\"?";
-char rcvBuf1[100];
-char rcvBuf2[100];
-
-static 
-void printUsage(char *testname) 
-{
-        char *fmt = "USAGE: %s [-arenas] server:port\n";
-        printf(fmt, testname);
-}
-
-/* Functional tests for Socket public functions */
-static 
-void do_other_work(void) 
-{ /* while waiting for nonblocking I/O to complete */
-        (void) PR_Sleep(2*60);
-}
-
-static 
-PKIX_Boolean server()
-{
-        PKIX_Int32 bytesRead = 0;
-        PKIX_Int32 bytesWritten = 0;
-        PKIX_Boolean keepGoing = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        switch (serverState) {
-        case SERVER_LISTENING:
-                subTest("SERVER_LISTENING");
-                PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->acceptCallback
-                        (sSock, &rendezvousSock, plContext));
-                if (rendezvousSock) {
-                        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
-                                (rendezvousSock, &rvCallbackList, plContext));
-
-                        serverState = SERVER_RECV1;
-                }
-                break;
-        case SERVER_RECV1:
-                subTest("SERVER_RECV1");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->recvCallback
-                        (rendezvousSock,
-                        rcvBuf1,
-                        sizeof(rcvBuf1),
-                        &bytesRead,
-                        plContext));
-
-                if (bytesRead > 0) {
-                        /* confirm that rcvBuf1 = sendBuf1 */
-                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf1) + 1) ||
-                            (strncmp(sendBuf1, rcvBuf1, bytesRead) != 0)) {
-                                testError("Receive buffer mismatch\n");
-                        }
-
-                        serverState = SERVER_SEND2;
-                        keepGoing = PKIX_TRUE;
-                } else {
-                        serverState = SERVER_POLL1;
-                }
-                break;
-        case SERVER_POLL1:
-                subTest("SERVER_POLL1");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
-                        (rendezvousSock, NULL, &bytesRead, plContext));
-
-                if (bytesRead > 0) {
-                        /* confirm that rcvBuf1 = sendBuf1 */
-                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf1) + 1) ||
-                            (strncmp(sendBuf1, rcvBuf1, bytesRead) != 0)) {
-                                testError("Receive buffer mismatch\n");
-                        }
-
-                        serverState = SERVER_SEND2;
-                        keepGoing = PKIX_TRUE;
-                }
-                break;
-        case SERVER_SEND2:
-                subTest("SERVER_SEND2");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->sendCallback
-                        (rendezvousSock,
-                        sendBuf2,
-                        strlen(sendBuf2) + 1,
-                        &bytesWritten,
-                        plContext));
-                if (bytesWritten > 0) {
-                        serverState = SERVER_RECV3;
-                } else {
-                        serverState = SERVER_POLL2;
-                }
-                break;
-        case SERVER_POLL2:
-                subTest("SERVER_POLL2");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
-                        (rendezvousSock, &bytesWritten, NULL, plContext));
-                if (bytesWritten > 0) {
-                        serverState = SERVER_RECV3;
-                }
-                break;
-        case SERVER_RECV3:
-                subTest("SERVER_RECV3");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->recvCallback
-                        (rendezvousSock,
-                        rcvBuf1,
-                        sizeof(rcvBuf1),
-                        &bytesRead,
-                        plContext));
-
-                if (bytesRead > 0) {
-                        serverState = SERVER_SEND4;
-                        keepGoing = PKIX_TRUE;
-                } else {
-                        serverState = SERVER_POLL3;
-                }
-                break;
-        case SERVER_POLL3:
-                subTest("SERVER_POLL3");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
-                        (rendezvousSock, NULL, &bytesRead, plContext));
-                if (bytesRead > 0) {
-                        serverState = SERVER_SEND4;
-                        keepGoing = PKIX_TRUE;
-                }
-                break;
-        case SERVER_SEND4:
-                subTest("SERVER_SEND4");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->sendCallback
-                        (rendezvousSock,
-                        sendBuf4,
-                        strlen(sendBuf4) + 1,
-                        &bytesWritten,
-                        plContext));
-
-                if (bytesWritten > 0) {
-                        PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->shutdownCallback
-                                (rendezvousSock, plContext));
-                        PKIX_TEST_DECREF_BC(sSock);
-                        PKIX_TEST_DECREF_BC(rendezvousSock);
-                        serverState = SERVER_DONE;
-                } else {
-                        serverState = SERVER_POLL4;
-                }
-                break;
-        case SERVER_POLL4:
-                subTest("SERVER_POLL4");
-                PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->pollCallback
-                        (rendezvousSock, &bytesWritten, NULL, plContext));
-                if (bytesWritten > 0) {
-                        PKIX_TEST_EXPECT_NO_ERROR(rvCallbackList->shutdownCallback
-                                (rendezvousSock, plContext));
-                        PKIX_TEST_DECREF_BC(sSock);
-                        PKIX_TEST_DECREF_BC(rendezvousSock);
-                        serverState = SERVER_DONE;
-                }
-                break;
-        case SERVER_DONE:
-        default:
-                subTest("SERVER_DONE");
-                break;
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (keepGoing);
-}
-
-static 
-PKIX_Boolean client() 
-{
-        PKIX_Boolean keepGoing = PKIX_FALSE;
-        PKIX_Int32 bytesRead = 0;
-        PKIX_Int32 bytesWritten = 0;
-        PRErrorCode cStat = 0;
-
-        /* At 2 seconds each cycle, this should suffice! */
-        PKIX_UInt32 giveUpCount = 10;
-
-        PKIX_TEST_STD_VARS();
-
-        switch (clientState) {
-        case CLIENT_WAITFORCONNECT:
-                subTest("CLIENT_WAITFORCONNECT");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->connectcontinueCallback
-                        (cSock, &cStat, plContext));
-                if (cStat == 0) {
-                        clientState = CLIENT_SEND1;
-                        keepGoing = PKIX_TRUE;
-                } else {
-                    clientState = CLIENT_WAITFORCONNECT;
-                    if (--giveUpCount == 0) {
-                        testError("Client unable to connect");
-                    }
-                }
-                break;
-        case CLIENT_SEND1:
-                subTest("CLIENT_SEND1");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->sendCallback
-                        (cSock,
-                        sendBuf1,
-                        strlen(sendBuf1) + 1,
-                        &bytesWritten,
-                        plContext));
-                if (bytesWritten > 0) {
-                        clientState = CLIENT_RECV2;
-                } else {
-                        clientState = CLIENT_POLL1;
-                }
-                break;
-        case CLIENT_POLL1:
-                subTest("CLIENT_POLL1");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
-                        (cSock, &bytesWritten, NULL, plContext));
-                if (bytesWritten > 0) {
-                        clientState = CLIENT_RECV2;
-                } else {
-                        clientState = CLIENT_POLL1;
-                }
-                break;
-        case CLIENT_RECV2:
-                subTest("CLIENT_RECV2");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->recvCallback
-                        (cSock,
-                        rcvBuf2,
-                        sizeof(rcvBuf2),
-                        &bytesRead,
-                        plContext));
-
-                if (bytesRead > 0) {
-                        /* confirm that rcvBuf2 = sendBuf2 */
-                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf2) + 1) ||
-                            (strncmp(sendBuf2, rcvBuf2, bytesRead) != 0)) {
-                                testError("Receive buffer mismatch\n");
-                        }
-                        clientState = CLIENT_SEND3;
-                        keepGoing = PKIX_TRUE;
-                } else {
-                        clientState = CLIENT_POLL2;
-                }
-                break;
-        case CLIENT_POLL2:
-                subTest("CLIENT_POLL2");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
-                        (cSock, NULL, &bytesRead, plContext));
-                if (bytesRead > 0) {
-                        /* confirm that rcvBuf2 = sendBuf2 */
-                        if ((bytesRead != (PRInt32)PL_strlen(sendBuf2) + 1) ||
-                            (strncmp(sendBuf2, rcvBuf2, bytesRead) != 0)) {
-                                testError("Receive buffer mismatch\n");
-                        }
-                        clientState = CLIENT_SEND3;
-                } else {
-                        clientState = CLIENT_POLL2;
-                }
-                break;
-        case CLIENT_SEND3:
-                subTest("CLIENT_SEND3");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->sendCallback
-                        (cSock,
-                        sendBuf3,
-                        strlen(sendBuf3) + 1,
-                        &bytesWritten,
-                        plContext));
-
-                if (bytesWritten > 0) {
-                        clientState = CLIENT_RECV4;
-                } else {
-                        clientState = CLIENT_POLL3;
-                }
-                break;
-        case CLIENT_POLL3:
-                subTest("CLIENT_POLL3");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
-                        (cSock, &bytesWritten, NULL, plContext));
-                if (bytesWritten > 0) {
-                        clientState = CLIENT_RECV4;
-                } else {
-                        clientState = CLIENT_POLL3;
-                }
-                break;
-        case CLIENT_RECV4:
-                subTest("CLIENT_RECV4");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->recvCallback
-                        (cSock,
-                        rcvBuf2,
-                        sizeof(rcvBuf2),
-                        &bytesRead,
-                        plContext));
-
-                if (bytesRead > 0) {
-                        PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->shutdownCallback
-                                (cSock, plContext));
-                        PKIX_TEST_DECREF_BC(cSock);
-                        clientState = CLIENT_DONE;
-                } else {
-                        clientState = CLIENT_POLL4;
-                }
-                break;
-        case CLIENT_POLL4:
-                subTest("CLIENT_POLL4");
-                clientState = CLIENT_FAILED;
-                PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->pollCallback
-                        (cSock, NULL, &bytesRead, plContext));
-                if (bytesRead > 0) {
-                        PKIX_TEST_EXPECT_NO_ERROR(cCallbackList->shutdownCallback
-                                (cSock, plContext));
-                        PKIX_TEST_DECREF_BC(cSock);
-                        clientState = CLIENT_DONE;
-                } else {
-                    clientState = CLIENT_POLL4;
-                }
-                break;
-        case CLIENT_DONE:
-        default:
-                subTest("CLIENT_DONE");
-                break;
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (keepGoing);
-}
-
-static
-void dispatcher()
-{
-        PKIX_Boolean keepGoing = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        do {
-                if (serverState < SERVER_DONE) {
-                        do {
-                                keepGoing = server();
-                        } while (keepGoing == PKIX_TRUE);
-                }
-                if (clientState < CLIENT_DONE) {
-                        do {
-                                keepGoing = client();
-                        } while (keepGoing == PKIX_TRUE);
-                }
-                do_other_work();
-        
-        } while ((serverState < SERVER_DONE) || (clientState < CLIENT_DONE));
-
-        PKIX_TEST_RETURN();
-}
-
-int test_socket(int argc, char *argv[]) 
-{
-
-        int j = 0;
-        PKIX_UInt32 actualMinorVersion;
-        char buf[PR_NETDB_BUF_SIZE];
-        char *serverName = NULL;
-        char *sepPtr = NULL;
-        PRHostEnt hostent;
-        PRUint16 portNum = 0;
-        PRStatus prstatus = PR_FAILURE;
-        PRErrorCode cStat = 0;
-        void *ipaddr = NULL;
-        PKIX_Error *bindError = NULL;
-        PRIntn hostenum;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Socket");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc != (j + 2)) {
-                printUsage(argv[0]);
-                pkixTestErrorMsg = "Missing command line argument.";
-                goto cleanup;
-        }
-
-        serverName = argv[j + 1];
-
-        subTest("Using pkix_pl_Socket_CreateByName");
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_CreateByName
-                (PKIX_TRUE, timeout, serverName, &cStat, &sSock, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
-            (sSock, &sCallbackList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->listenCallback
-            (sSock, backlog, plContext));
-
-        serverState = SERVER_LISTENING;
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_CreateByName
-                (PKIX_FALSE, timeout, serverName, &cStat, &cSock, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
-            (cSock, &cCallbackList, plContext));
-
-        if ((timeout == 0) && (cStat == PR_IN_PROGRESS_ERROR)) {
-            clientState = CLIENT_WAITFORCONNECT;
-        } else {
-            clientState = CLIENT_SEND1;
-        }
-
-        dispatcher();
-
-        subTest("Using pkix_pl_Socket_Create");
-
-        sepPtr = strchr(serverName, ':');
-        /* First strip off the portnum, if present, from the end of the name */
-        if (sepPtr) {
-                *sepPtr++ = '\0';
-                portNum = (PRUint16)atoi(sepPtr);
-        } else {
-                portNum = (PRUint16)LDAP_PORT;
-        }
-        /*
-         * The hostname may be a fully-qualified name. Just
-         * use the leftmost component in our lookup.
-         */
-        sepPtr = strchr(serverName, '.');
-        if (sepPtr) {
-                *sepPtr++ = '\0';
-        }
-        prstatus = PR_GetHostByName(serverName, buf, sizeof(buf), &hostent);
-
-        if ((prstatus != PR_SUCCESS) || (hostent.h_length != 4)) {
-                printUsage(argv[0]);
-                pkixTestErrorMsg =
-                        "PR_GetHostByName rejects command line argument.";
-                goto cleanup;
-        }
-
-        serverNetAddr.inet.family = PR_AF_INET;
-        serverNetAddr.inet.port = PR_htons(portNum);
-        serverNetAddr.inet.ip = PR_INADDR_ANY;
-
-        hostenum = PR_EnumerateHostEnt(0, &hostent, portNum, &clientNetAddr);
-        if (hostenum == -1) {
-                pkixTestErrorMsg =
-                    "PR_EnumerateHostEnt failed.";
-                goto cleanup;
-        }
-
-        backlog = 5;
-
-        /* timeout = PR_INTERVAL_NO_TIMEOUT; */
-        /* timeout = 0; nonblocking */
-        timeout = 0;
-
-        bindError = pkix_pl_Socket_Create
-            (PKIX_TRUE, timeout, &serverNetAddr, &cStat, &sSock, plContext);
-
-        /* If PR_Bind can't handle INADDR_ANY, try it with the real name */
-        if (bindError) {
-                PKIX_TEST_DECREF_BC(bindError);
-                serverNetAddr.inet.ip = PR_htonl(*(PRUint32 *)ipaddr); 
-
-                PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_Create
-                        (PKIX_TRUE,
-                        timeout,
-                        &serverNetAddr,
-                        &cStat,
-                        &sSock,
-                        plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
-            (sSock, &sCallbackList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(sCallbackList->listenCallback
-            (sSock, backlog, plContext));
-
-        serverState = SERVER_LISTENING;
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_Create
-            (PKIX_FALSE, timeout, &clientNetAddr, &cStat, &cSock, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(pkix_pl_Socket_GetCallbackList
-            (cSock, &cCallbackList, plContext));
-
-        if ((timeout == 0) && (cStat == PR_IN_PROGRESS_ERROR)) {
-            clientState = CLIENT_WAITFORCONNECT;
-        } else {
-            clientState = CLIENT_SEND1;
-        }
-
-        dispatcher();
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(sSock);
-        PKIX_TEST_DECREF_AC(cSock);
-        PKIX_TEST_DECREF_AC(rendezvousSock);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Socket");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/Makefile b/security/nss/cmd/libpkix/pkix_pl/pki/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn
deleted file mode 100755
index 69d2289ff..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/manifest.mn
+++ /dev/null
@@ -1,61 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = test_cert.c \
-	test_crl.c \
-	test_crlentry.c \
-	test_date.c \
-	test_generalname.c \
-	test_nameconstraints.c \
-	test_x500name.c \
-	test_authorityinfoaccess.c \
-	test_subjectinfoaccess.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolpki
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c
deleted file mode 100644
index faae34899..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_authorityinfoaccess.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_authorityinfoaccess.c
- *
- * Test Authority InfoAccess Type
- *
- */
-
-
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-int test_authorityinfoaccess(int argc, char *argv[]) {
-
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_Cert *certDiff = NULL;
-        PKIX_List *aiaList = NULL;
-        PKIX_List *siaList = NULL;
-        PKIX_PL_InfoAccess *aia = NULL;
-        PKIX_PL_InfoAccess *aiaDup = NULL;
-        PKIX_PL_InfoAccess *aiaDiff = NULL;
-        char *certPathName = NULL;
-        char *dirName = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 size, i;
-        PKIX_UInt32 j = 0;
-        char *expectedAscii = "[method:caIssuers, location:ldap:"
-                "//betty.nist.gov/cn=CA,ou=Basic%20LDAP%20URI%20OU1,"
-                "o=Test%20Certificates,c=US?cACertificate;binary,"
-                "crossCertificatePair;binary]";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("AuthorityInfoAccess");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 5+j) {
-                printf("Usage: %s <test-purpose> <cert> <diff-cert>\n", argv[0]);
-        }
-
-        dirName = argv[2+j];
-        certPathName = argv[3+j];
-
-        subTest("Creating Cert with Authority Info Access");
-        cert = createCert(dirName, certPathName, plContext);
-
-        certPathName = argv[4+j];
-
-        subTest("Creating Cert with Subject Info Access");
-        certDiff = createCert(dirName, certPathName, plContext);
-
-        subTest("Getting Authority Info Access");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
-                (cert, &aiaList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (aiaList, &size, plContext));
-
-        if (size != 1) {
-                pkixTestErrorMsg = "unexpected number of AIA";
-                goto cleanup;
-        }
- 
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (aiaList, 0, (PKIX_PL_Object **) &aia, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (aiaList, 0, (PKIX_PL_Object **) &aiaDup, plContext));
-
-        subTest("Getting Subject Info Access as difference comparison");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectInfoAccess
-                (certDiff, &siaList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (siaList, &size, plContext));
-
-        if (size != 1) {
-                pkixTestErrorMsg = "unexpected number of AIA";
-                goto cleanup;
-        }
- 
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (siaList, 0, (PKIX_PL_Object **) &aiaDiff, plContext));
-
-        subTest("Checking: Equal, Hash and ToString");
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (aia, aiaDup, aiaDiff, expectedAscii, InfoAccess, PKIX_FALSE);
-
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(aia);
-        PKIX_TEST_DECREF_AC(aiaDup);
-        PKIX_TEST_DECREF_AC(aiaDiff);
-        PKIX_TEST_DECREF_AC(aiaList);
-        PKIX_TEST_DECREF_AC(siaList);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(certDiff);
-     
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Authorityinfoaccess");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c
deleted file mode 100644
index 5d036658d..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_cert.c
+++ /dev/null
@@ -1,2360 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_cert.c
- *
- * Test Cert Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static PKIX_PL_Cert *altNameNoneCert = NULL;
-static PKIX_PL_Cert *altNameOtherCert = NULL;
-static PKIX_PL_Cert *altNameOtherCert_diff = NULL;
-static PKIX_PL_Cert *altNameRfc822Cert = NULL;
-static PKIX_PL_Cert *altNameRfc822Cert_diff = NULL;
-static PKIX_PL_Cert *altNameDnsCert = NULL;
-static PKIX_PL_Cert *altNameDnsCert_diff = NULL;
-static PKIX_PL_Cert *altNameX400Cert = NULL;
-static PKIX_PL_Cert *altNameX400Cert_diff = NULL;
-static PKIX_PL_Cert *altNameDnCert = NULL;
-static PKIX_PL_Cert *altNameDnCert_diff = NULL;
-static PKIX_PL_Cert *altNameEdiCert = NULL;
-static PKIX_PL_Cert *altNameEdiCert_diff = NULL;
-static PKIX_PL_Cert *altNameUriCert = NULL;
-static PKIX_PL_Cert *altNameUriCert_diff = NULL;
-static PKIX_PL_Cert *altNameIpCert = NULL;
-static PKIX_PL_Cert *altNameIpCert_diff = NULL;
-static PKIX_PL_Cert *altNameOidCert = NULL;
-static PKIX_PL_Cert *altNameOidCert_diff = NULL;
-static PKIX_PL_Cert *altNameMultipleCert = NULL;
-
-static void *plContext = NULL;
-
-static void createCerts(
-        char *dataCentralDir,
-        char *goodInput,
-        char *diffInput,
-        PKIX_PL_Cert **goodObject,
-        PKIX_PL_Cert **equalObject,
-        PKIX_PL_Cert **diffObject)
-{
-        subTest("PKIX_PL_Cert_Create <goodObject>");
-        *goodObject = createCert(dataCentralDir, goodInput, plContext);
-
-        subTest("PKIX_PL_Cert_Create <equalObject>");
-        *equalObject = createCert(dataCentralDir, goodInput, plContext);
-
-        subTest("PKIX_PL_Cert_Create <diffObject>");
-        *diffObject = createCert(dataCentralDir, diffInput, plContext);
-}
-
-
-static void
-createCertsWithSubjectAltNames(char *dataCentralDir)
-{
-        subTest("PKIX_PL_Cert_Create <altNameDNS>");
-        altNameDnsCert = createCert
-                (dataCentralDir, "generalName/altNameDnsCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameDNS_diff>");
-        altNameDnsCert_diff = createCert
-                (dataCentralDir, "generalName/altNameDnsCert_diff", plContext);
-
-
-        subTest("PKIX_PL_Cert_Create <altNameRFC822>");
-        altNameRfc822Cert = createCert
-                (dataCentralDir, "generalName/altNameRfc822Cert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameRFC822_diff>");
-        altNameRfc822Cert_diff = createCert
-                (dataCentralDir, "generalName/altNameRfc822Cert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameX400Cert>");
-        altNameX400Cert = createCert
-                (dataCentralDir, "generalName/altNameX400Cert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameX400_diff>");
-        altNameX400Cert_diff = createCert
-                (dataCentralDir, "generalName/altNameX400Cert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameDN>");
-        altNameDnCert = createCert
-                (dataCentralDir, "generalName/altNameDnCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameDN_diff>");
-        altNameDnCert_diff = createCert
-                (dataCentralDir, "generalName/altNameDnCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameEdiCert>");
-        altNameEdiCert = createCert
-                (dataCentralDir, "generalName/altNameEdiCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameEdi_diff>");
-        altNameEdiCert_diff = createCert
-                (dataCentralDir, "generalName/altNameEdiCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameURI>");
-        altNameUriCert = createCert
-                (dataCentralDir, "generalName/altNameUriCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameURI_diff>");
-        altNameUriCert_diff = createCert
-                (dataCentralDir, "generalName/altNameUriCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameIP>");
-        altNameIpCert = createCert
-                (dataCentralDir, "generalName/altNameIpCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameIP_diff>");
-        altNameIpCert_diff = createCert
-                (dataCentralDir, "generalName/altNameIpCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameOID>");
-        altNameOidCert = createCert
-                (dataCentralDir, "generalName/altNameOidCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameOID_diff>");
-        altNameOidCert_diff = createCert
-                (dataCentralDir, "generalName/altNameOidCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameOther>");
-        altNameOtherCert = createCert
-                (dataCentralDir, "generalName/altNameOtherCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameOther_diff>");
-        altNameOtherCert_diff = createCert
-                (dataCentralDir, "generalName/altNameOtherCert_diff", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameNone>");
-        altNameNoneCert = createCert
-                (dataCentralDir, "generalName/altNameNoneCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <altNameMultiple>");
-        altNameMultipleCert = createCert
-                (dataCentralDir, "generalName/altNameRfc822DnsCert", plContext);
-}
-
-static void testGetVersion(
-        PKIX_PL_Cert *goodObject)
-{
-        PKIX_UInt32 goodVersion;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetVersion");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetVersion
-                (goodObject, &goodVersion, plContext));
-
-        if (goodVersion != 2){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", goodVersion);
-                (void) printf("Expected value:\t2\n");
-                goto cleanup;
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void testGetSerialNumber(
-        PKIX_PL_Cert *goodObject,
-        PKIX_PL_Cert *equalObject,
-        PKIX_PL_Cert *diffObject)
-{
-        PKIX_PL_BigInt *goodSN = NULL;
-        PKIX_PL_BigInt *equalSN = NULL;
-        PKIX_PL_BigInt *diffSN = NULL;
-        char *expectedAscii = "37bc66ec";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetSerialNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
-                (goodObject, &goodSN, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
-                (equalObject, &equalSN, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber
-                (diffObject, &diffSN, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodSN, equalSN, diffSN, expectedAscii, BigInt, PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodSN);
-        PKIX_TEST_DECREF_AC(equalSN);
-        PKIX_TEST_DECREF_AC(diffSN);
-
-        PKIX_TEST_RETURN();
-}
-
-
-static void testGetSubject(
-        PKIX_PL_Cert *goodObject,
-        PKIX_PL_Cert *equalObject,
-        PKIX_PL_Cert *diffObject)
-{
-        PKIX_PL_X500Name *goodSubject = NULL;
-        PKIX_PL_X500Name *equalSubject = NULL;
-        PKIX_PL_X500Name *diffSubject = NULL;
-        char *expectedAscii = "OU=bcn,OU=east,O=sun,C=us";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetSubject");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (goodObject, &goodSubject, plContext));
-
-        if (!goodSubject){
-                testError("Certificate Subject should not be NULL");
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (equalObject, &equalSubject, plContext));
-
-        if (!equalSubject){
-                testError("Certificate Subject should not be NULL");
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                (diffObject, &diffSubject, plContext));
-
-        if (!diffSubject){
-                testError("Certificate Subject should not be NULL");
-                goto cleanup;
-        }
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodSubject,
-                equalSubject,
-                diffSubject,
-                expectedAscii,
-                X500Name,
-                PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodSubject);
-        PKIX_TEST_DECREF_AC(equalSubject);
-        PKIX_TEST_DECREF_AC(diffSubject);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testGetIssuer(
-        PKIX_PL_Cert *goodObject,
-        PKIX_PL_Cert *equalObject,
-        PKIX_PL_Cert *diffObject)
-{
-        PKIX_PL_X500Name *goodIssuer = NULL;
-        PKIX_PL_X500Name *equalIssuer = NULL;
-        PKIX_PL_X500Name *diffIssuer = NULL;
-        char *expectedAscii = "CN=yassir,OU=bcn,OU=east,O=sun,C=us";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetIssuer");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
-                (goodObject, &goodIssuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
-                (equalObject, &equalIssuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer
-                (diffObject, &diffIssuer, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodIssuer,
-                equalIssuer,
-                diffIssuer,
-                expectedAscii,
-                X500Name,
-                PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodIssuer);
-        PKIX_TEST_DECREF_AC(equalIssuer);
-        PKIX_TEST_DECREF_AC(diffIssuer);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testAltNames(
-        PKIX_PL_Cert *goodCert,
-        PKIX_PL_Cert *diffCert,
-        char *expectedAscii)
-{
-        PKIX_List *goodAltNames = NULL;
-        PKIX_List *diffAltNames = NULL;
-        PKIX_PL_GeneralName *goodAltName = NULL;
-        PKIX_PL_GeneralName *diffAltName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
-                                    (goodCert, &goodAltNames, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                (goodAltNames,
-                                0,
-                                (PKIX_PL_Object **)&goodAltName,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
-                                    (diffCert, &diffAltNames, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                                (diffAltNames,
-                                0,
-                                (PKIX_PL_Object **)&diffAltName,
-                                plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodAltName, goodAltName, diffAltName,
-                expectedAscii, GeneralName, PKIX_TRUE);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(goodAltNames);
-        PKIX_TEST_DECREF_AC(goodAltName);
-        PKIX_TEST_DECREF_AC(diffAltNames);
-        PKIX_TEST_DECREF_AC(diffAltName);
-        PKIX_TEST_RETURN();
-}
-
-static void testAltNamesNone(PKIX_PL_Cert *cert){
-
-        PKIX_List *altNames = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
-                                    (cert, &altNames, plContext));
-
-        if (altNames != NULL){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%p\n", (void *)altNames);
-                (void) printf("Expected value:\tNULL\n");
-                goto cleanup;
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(altNames);
-        PKIX_TEST_RETURN();
-
-}
-static void testAltNamesMultiple(){
-        PKIX_List *altNames = NULL;
-        PKIX_PL_GeneralName *firstAltName = NULL;
-        PKIX_Int32 firstExpectedType = PKIX_RFC822_NAME;
-        PKIX_PL_GeneralName *secondAltName = NULL;
-        PKIX_Int32 secondExpectedType = PKIX_DNS_NAME;
-
-
-        char *expectedAscii =
-                "[\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    2d\n"
-                "\tIssuer:          OU=labs,O=sun,C=us\n"
-                "\tSubject:         CN=yassir,OU=labs,O=sun,C=us\n"
-                "\tValidity: [From: Mon Feb 09, 2004\n"
-        /*      "\tValidity: [From: Mon Feb 09 14:43:52 2004\n" */
-                "\t           To:   Mon Feb 09, 2004]\n"
-        /*      "\t           To:   Mon Feb 09 14:43:52 2004]\n" */
-                "\tSubjectAltNames: (yassir@sun.com, sunray.sun.com)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: (null)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "\tAuthorityInfoAccess: (null)\n"
-                "\tSubjectInfoAccess: (null)\n"
-                "\tCacheFlag:       0\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        testToStringHelper
-                ((PKIX_PL_Object *)altNameMultipleCert,
-                expectedAscii,
-                plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames
-                (altNameMultipleCert, &altNames, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (altNames, 0, (PKIX_PL_Object **)&firstAltName, plContext));
-
-        if (firstAltName->type != firstExpectedType){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", firstAltName->type);
-                (void) printf("Expected value:\t%d\n", firstExpectedType);
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (altNames, 1, (PKIX_PL_Object **)&secondAltName, plContext));
-
-        if (secondAltName->type != secondExpectedType){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", secondAltName->type);
-                (void) printf("Expected value:\t%d\n", secondExpectedType);
-                goto cleanup;
-        }
-
-cleanup:
-        PKIX_TEST_DECREF_AC(altNames);
-        PKIX_TEST_DECREF_AC(firstAltName);
-        PKIX_TEST_DECREF_AC(secondAltName);
-        PKIX_TEST_RETURN();
-}
-
-static void testGetSubjectAltNames(char *dataCentralDir){
-
-        char *expectedAscii = NULL;
-
-        createCertsWithSubjectAltNames(dataCentralDir);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <DNS>");
-        expectedAscii = "east.sun.com";
-        testAltNames(altNameDnsCert, altNameDnsCert_diff, expectedAscii);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <RFC822>");
-        expectedAscii = "alice.barnes@bcn.east.sun.com";
-        testAltNames(altNameRfc822Cert, altNameRfc822Cert_diff, expectedAscii);
-
-        /*
-         *this should work once bugzilla bug #233586 is fixed.
-         *subTest("PKIX_PL_Cert_GetSubjectAltNames <X400Address>");
-         *expectedAscii = "X400Address: <DER-encoded value>";
-         *testAltNames(altNameX400Cert, altNameX400Cert_diff, expectedAscii);
-         */
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <DN>");
-        expectedAscii = "CN=elley,OU=labs,O=sun,C=us";
-        testAltNames(altNameDnCert, altNameDnCert_diff, expectedAscii);
-
-        /*
-         * this should work once bugzilla bug #233586 is fixed.
-         * subTest("PKIX_PL_Cert_GetSubjectAltNames <EdiPartyName>");
-         * expectedAscii = "EDIPartyName: <DER-encoded value>";
-         * testAltNames(altNameEdiCert, altNameEdiCert_diff, expectedAscii);
-         */
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <URI>");
-        expectedAscii = "http://www.sun.com";
-        testAltNames(altNameUriCert, altNameUriCert_diff, expectedAscii);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <IP>");
-        expectedAscii = "1.2.3.4";
-        testAltNames(altNameIpCert, altNameIpCert_diff, expectedAscii);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <OID>");
-        expectedAscii = "1.2.39";
-        testAltNames(altNameOidCert, altNameOidCert_diff, expectedAscii);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <Other>");
-        expectedAscii = "1.7.26.97";
-        testAltNames(altNameOtherCert, altNameOtherCert_diff, expectedAscii);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <none>");
-        testAltNamesNone(altNameNoneCert);
-
-        subTest("PKIX_PL_Cert_GetSubjectAltNames <Multiple>");
-        testAltNamesMultiple();
-}
-
-static void testGetSubjectPublicKey(
-        PKIX_PL_Cert *goodObject,
-        PKIX_PL_Cert *equalObject,
-        PKIX_PL_Cert *diffObject)
-{
-        PKIX_PL_PublicKey *goodPubKey = NULL;
-        PKIX_PL_PublicKey *equalPubKey = NULL;
-        PKIX_PL_PublicKey *diffPubKey = NULL;
-        char *expectedAscii = "ANSI X9.57 DSA Signature";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (goodObject, &goodPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (equalObject, &equalPubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (diffObject, &diffPubKey, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodPubKey, equalPubKey, diffPubKey,
-                expectedAscii, PublicKey, PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodPubKey);
-        PKIX_TEST_DECREF_AC(equalPubKey);
-        PKIX_TEST_DECREF_AC(diffPubKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testGetSubjectPublicKeyAlgId(PKIX_PL_Cert *goodObject){
-        PKIX_PL_OID *pkixPubKeyOID = NULL;
-        char *expectedAscii = "1.2.840.10040.4.1";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKeyAlgId
-                (goodObject, &pkixPubKeyOID, plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)pkixPubKeyOID, expectedAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(pkixPubKeyOID);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCritExtensionsPresent(PKIX_PL_Cert *cert)
-{
-        PKIX_List *critOIDList = NULL;
-        char *firstOIDAscii = "2.5.29.15";
-        PKIX_PL_OID *firstOID = NULL;
-        char *secondOIDAscii = "2.5.29.19";
-        PKIX_PL_OID *secondOID = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
-                (cert, &critOIDList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (critOIDList, 0, (PKIX_PL_Object **)&firstOID, plContext));
-        testToStringHelper
-                ((PKIX_PL_Object *)firstOID, firstOIDAscii, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (critOIDList, 1, (PKIX_PL_Object **)&secondOID, plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)secondOID, secondOIDAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(critOIDList);
-        PKIX_TEST_DECREF_AC(firstOID);
-        PKIX_TEST_DECREF_AC(secondOID);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCritExtensionsAbsent(PKIX_PL_Cert *cert)
-{
-        PKIX_List *oidList = NULL;
-        PKIX_Boolean empty;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
-                                    (cert, &oidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_IsEmpty(oidList, &empty, plContext));
-
-        if (!empty){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(oidList);
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testAllExtensionsAbsent(char *dataCentralDir)
-{
-        PKIX_List *oidList = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_Boolean empty;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <noExtensionsCert>");
-        cert = createCert(dataCentralDir, "noExtensionsCert", plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs
-                                    (cert, &oidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_IsEmpty(oidList, &empty, plContext));
-
-        if (!empty){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-cleanup:
-        PKIX_TEST_DECREF_AC(oidList);
-        PKIX_TEST_DECREF_AC(cert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetCriticalExtensionOIDs(char *dataCentralDir, PKIX_PL_Cert *goodObject)
-{
-        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
-                "<CritExtensionsPresent>");
-        testCritExtensionsPresent(goodObject);
-
-
-        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
-                "<CritExtensionsAbsent>");
-        testCritExtensionsAbsent(altNameOidCert);
-
-
-        subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
-                "<AllExtensionsAbsent>");
-        testAllExtensionsAbsent(dataCentralDir);
-}
-
-static void
-testKeyIdentifiersMatching(char *dataCentralDir)
-{
-        PKIX_PL_Cert *subjKeyIDCert = NULL;
-        PKIX_PL_Cert *authKeyIDCert = NULL;
-        PKIX_PL_ByteArray *subjKeyID = NULL;
-        PKIX_PL_ByteArray *authKeyID = NULL;
-        PKIX_PL_ByteArray *subjKeyID_diff = NULL;
-
-        char *expectedAscii =
-                "[116, 021, 213, 036, 028, 189, 094, 101, 136, 031, 225,"
-                " 139, 009, 126, 127, 234, 025, 072, 078, 097]";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <subjKeyIDCert>");
-        subjKeyIDCert = createCert
-                (dataCentralDir, "keyIdentifier/subjKeyIDCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <authKeyIDCert>");
-        authKeyIDCert = createCert
-                (dataCentralDir, "keyIdentifier/authKeyIDCert", plContext);
-
-        subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier <good>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
-                                    (subjKeyIDCert, &subjKeyID, plContext));
-
-        subTest("PKIX_PL_Cert_GetAuthorityKeyIdentifier <equal>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
-                                    (authKeyIDCert, &authKeyID, plContext));
-
-        subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier <diff>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectKeyIdentifier
-                (authKeyIDCert, &subjKeyID_diff, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-            (subjKeyID,
-            authKeyID,
-            subjKeyID_diff,
-            expectedAscii,
-            ByteArray,
-            PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(subjKeyIDCert);
-        PKIX_TEST_DECREF_AC(authKeyIDCert);
-        PKIX_TEST_DECREF_AC(subjKeyID);
-        PKIX_TEST_DECREF_AC(authKeyID);
-        PKIX_TEST_DECREF_AC(subjKeyID_diff);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testKeyIdentifierAbsent(PKIX_PL_Cert *cert)
-{
-        PKIX_PL_ByteArray *subjKeyID = NULL;
-        PKIX_PL_ByteArray *authKeyID = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier
-                                    (cert, &subjKeyID, plContext));
-
-        if (subjKeyID != NULL){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier
-                                    (cert, &authKeyID, plContext));
-
-        if (authKeyID != NULL){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(subjKeyID);
-        PKIX_TEST_DECREF_AC(authKeyID);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetKeyIdentifiers(char *dataCentralDir, PKIX_PL_Cert *goodObject)
-{
-        testKeyIdentifiersMatching(dataCentralDir);
-        testKeyIdentifierAbsent(goodObject);
-}
-
-static void
-testVerifyKeyUsage(
-        char *dataCentralDir,
-        char *dataDir,
-        PKIX_PL_Cert *multiKeyUsagesCert)
-{
-        PKIX_PL_Cert *encipherOnlyCert = NULL;
-        PKIX_PL_Cert *decipherOnlyCert = NULL;
-        PKIX_PL_Cert *noKeyUsagesCert = NULL;
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <encipherOnlyCert>");
-        encipherOnlyCert = createCert
-                (dataCentralDir, "keyUsage/encipherOnlyCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <decipherOnlyCert>");
-        decipherOnlyCert = createCert
-                (dataCentralDir, "keyUsage/decipherOnlyCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <noKeyUsagesCert>");
-        noKeyUsagesCert = createCert
-                (dataCentralDir, "keyUsage/noKeyUsagesCert", plContext);
-
-        subTest("PKIX_PL_Cert_VerifyKeyUsage <key_cert_sign>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_VerifyKeyUsage
-                (multiKeyUsagesCert, PKIX_KEY_CERT_SIGN, plContext));
-
-        subTest("PKIX_PL_Cert_VerifyKeyUsage <multiKeyUsages>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage
-                                (multiKeyUsagesCert,
-                                PKIX_KEY_CERT_SIGN | PKIX_DIGITAL_SIGNATURE,
-                                plContext));
-
-        subTest("PKIX_PL_Cert_VerifyKeyUsage <encipher_only>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_VerifyKeyUsage
-                (encipherOnlyCert, PKIX_ENCIPHER_ONLY, plContext));
-
-        subTest("PKIX_PL_Cert_VerifyKeyUsage <noKeyUsages>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_VerifyKeyUsage
-                (noKeyUsagesCert, PKIX_ENCIPHER_ONLY, plContext));
-
-        subTest("PKIX_PL_Cert_VerifyKeyUsage <decipher_only>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_Cert_VerifyKeyUsage
-                (decipherOnlyCert, PKIX_DECIPHER_ONLY, plContext));
-
-cleanup:
-        PKIX_TEST_DECREF_AC(encipherOnlyCert);
-        PKIX_TEST_DECREF_AC(decipherOnlyCert);
-        PKIX_TEST_DECREF_AC(noKeyUsagesCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetExtendedKeyUsage(char *dataCentralDir)
-{
-
-        PKIX_PL_Cert *codeSigningEKUCert = NULL;
-        PKIX_PL_Cert *multiEKUCert = NULL;
-        PKIX_PL_Cert *noEKUCert = NULL;
-        PKIX_List *firstExtKeyUsage = NULL;
-        PKIX_List *secondExtKeyUsage = NULL;
-        PKIX_List *thirdExtKeyUsage = NULL;
-        PKIX_PL_OID *firstOID = NULL;
-        char *oidAscii = "1.3.6.1.5.5.7.3.3";
-        PKIX_PL_OID *secondOID = NULL;
-        char *secondOIDAscii = "1.3.6.1.5.5.7.3.1";
-        PKIX_PL_OID *thirdOID = NULL;
-        char *thirdOIDAscii = "1.3.6.1.5.5.7.3.2";
-        PKIX_PL_OID *fourthOID = NULL;
-        PKIX_UInt32 length = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <codeSigningEKUCert>");
-        codeSigningEKUCert = createCert
-                (dataCentralDir, "extKeyUsage/codeSigningEKUCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <multiEKUCert>");
-        multiEKUCert = createCert
-                (dataCentralDir, "extKeyUsage/multiEKUCert", plContext);
-
-        subTest("PKIX_PL_Cert_Create <noEKUCert>");
-        noEKUCert = createCert
-                (dataCentralDir, "extKeyUsage/noEKUCert", plContext);
-
-        subTest("PKIX_PL_Cert_ExtendedKeyUsage <codeSigningEKU>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
-                (codeSigningEKUCert, &firstExtKeyUsage, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (firstExtKeyUsage, 0, (PKIX_PL_Object **)&firstOID, plContext));
-        testToStringHelper((PKIX_PL_Object *)firstOID, oidAscii, plContext);
-
-        subTest("PKIX_PL_Cert_ExtendedKeyUsage <multiEKU>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
-                (multiEKUCert, &secondExtKeyUsage, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (secondExtKeyUsage, &length, plContext));
-
-        if (length != 3){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", length);
-                (void) printf("Expected value:\t3\n");
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (secondExtKeyUsage,
-                0,
-                (PKIX_PL_Object **)&secondOID,
-                plContext));
-
-        testToStringHelper((PKIX_PL_Object *)secondOID, oidAscii, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (secondExtKeyUsage,
-                1,
-                (PKIX_PL_Object **)&thirdOID,
-                plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)thirdOID, secondOIDAscii, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (secondExtKeyUsage,
-                2,
-                (PKIX_PL_Object **)&fourthOID,
-                plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)fourthOID, thirdOIDAscii, plContext);
-
-        subTest("PKIX_PL_Cert_ExtendedKeyUsage <noEKU>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage
-                (noEKUCert, &thirdExtKeyUsage, plContext));
-
-        if (thirdExtKeyUsage != NULL){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%p\n", (void *)thirdExtKeyUsage);
-                (void) printf("Expected value:\tNULL\n");
-                goto cleanup;
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstOID);
-        PKIX_TEST_DECREF_AC(secondOID);
-        PKIX_TEST_DECREF_AC(thirdOID);
-        PKIX_TEST_DECREF_AC(fourthOID);
-
-        PKIX_TEST_DECREF_AC(firstExtKeyUsage);
-        PKIX_TEST_DECREF_AC(secondExtKeyUsage);
-        PKIX_TEST_DECREF_AC(thirdExtKeyUsage);
-
-        PKIX_TEST_DECREF_AC(codeSigningEKUCert);
-        PKIX_TEST_DECREF_AC(multiEKUCert);
-        PKIX_TEST_DECREF_AC(noEKUCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testMakeInheritedDSAPublicKey(char *dataCentralDir){
-        PKIX_PL_PublicKey *firstKey = NULL;
-        PKIX_PL_PublicKey *secondKey = NULL;
-        PKIX_PL_PublicKey *resultKeyPositive = NULL;
-        PKIX_PL_PublicKey *resultKeyNegative = NULL;
-        PKIX_PL_Cert *firstCert = NULL;
-        PKIX_PL_Cert *secondCert = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <dsaWithoutParams>");
-        firstCert = createCert
-                (dataCentralDir, "publicKey/dsaWithoutParams", plContext);
-
-        subTest("PKIX_PL_Cert_Create <dsaWithParams>");
-        secondCert = createCert
-                (dataCentralDir, "publicKey/dsaWithParams", plContext);
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <firstKey>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKey
-                (firstCert, &firstKey, plContext));
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <secondKey>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                (secondCert, &secondKey, plContext));
-
-        subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey <positive>");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
-                (firstKey, secondKey, &resultKeyPositive, plContext));
-
-        if (resultKeyPositive == NULL){
-                testError("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed");
-        }
-
-        subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey <negative>");
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
-                (firstKey, firstKey, &resultKeyNegative, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstCert);
-        PKIX_TEST_DECREF_AC(secondCert);
-
-        PKIX_TEST_DECREF_AC(firstKey);
-        PKIX_TEST_DECREF_AC(secondKey);
-        PKIX_TEST_DECREF_AC(resultKeyPositive);
-        PKIX_TEST_DECREF_AC(resultKeyNegative);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testVerifySignature(char *dataCentralDir){
-        PKIX_PL_Cert *firstCert = NULL;
-        PKIX_PL_Cert *secondCert = NULL;
-        PKIX_PL_PublicKey *firstPubKey = NULL;
-        PKIX_PL_PublicKey *secondPubKey = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <labs2yassir>");
-        firstCert = createCert(dataCentralDir, "publicKey/labs2yassir", plContext);
-
-        subTest("PKIX_PL_Cert_Create <yassir2labs>");
-        secondCert = createCert(dataCentralDir, "publicKey/yassir2labs", plContext);
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <labs2yassir>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKey
-                (firstCert, &firstPubKey, plContext));
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <yassir2labs>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKey
-                (secondCert, &secondPubKey, plContext));
-
-        subTest("PKIX_PL_Cert_VerifySignature <positive>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_VerifySignature
-                (secondCert, firstPubKey, plContext));
-
-        subTest("PKIX_PL_Cert_VerifySignature <negative>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_Cert_VerifySignature
-                (secondCert, secondPubKey, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstCert);
-        PKIX_TEST_DECREF_AC(secondCert);
-        PKIX_TEST_DECREF_AC(firstPubKey);
-        PKIX_TEST_DECREF_AC(secondPubKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCheckValidity(
-        PKIX_PL_Cert *olderCert,
-        PKIX_PL_Cert *newerCert)
-{
-        /*
-         * olderCert has the following Validity:
-         *  notBefore = August 19, 1999: 20:19:56 GMT
-         *  notAfter  = August 18, 2000: 20:19:56 GMT
-         *
-         * newerCert has the following Validity:
-         *  notBefore = November 13, 2003: 16:46:03 GMT
-         *  notAfter  = February 13, 2009: 16:46:03 GMT
-         */
-
-        /*  olderDateAscii = March    29, 2000: 13:48:47 GMT */
-        char *olderAscii = "000329134847Z";
-        PKIX_PL_String *olderString = NULL;
-        PKIX_PL_Date *olderDate = NULL;
-
-        /*  newerDateAscii = March    29, 2004: 13:48:47 GMT */
-        char *newerAscii = "040329134847Z";
-        PKIX_PL_String *newerString = NULL;
-        PKIX_PL_Date *newerDate = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_CheckValidity <creating Dates>");
-
-        /* create newer date when newer cert is valid but older cert is not */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-            (PKIX_ESCASCII, newerAscii, 0, &newerString, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Date_Create_UTCTime
-                (newerString, &newerDate, plContext));
-
-        /* create older date when older cert is valid but newer cert is not */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-            (PKIX_ESCASCII, olderAscii, 0, &olderString, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Date_Create_UTCTime
-                (olderString, &olderDate, plContext));
-
-        /* check validity of both certificates using olderDate */
-        subTest("PKIX_PL_Cert_CheckValidity <olderDate:positive>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_CheckValidity(olderCert, olderDate, plContext));
-
-        subTest("PKIX_PL_Cert_CheckValidity <olderDate:negative>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_Cert_CheckValidity(newerCert, olderDate, plContext));
-
-        /* check validity of both certificates using newerDate */
-        subTest("PKIX_PL_Cert_CheckValidity <newerDate:positive>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_CheckValidity(newerCert, newerDate, plContext));
-
-        subTest("PKIX_PL_Cert_CheckValidity <newerDate:negative>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_Cert_CheckValidity(olderCert, newerDate, plContext));
-
-        /*
-         * check validity of both certificates using current time
-         * NOTE: these "now" tests will not work when the current
-         * time is after newerCert.notAfter (~ February 13, 2009)
-         */
-        subTest("PKIX_PL_Cert_CheckValidity <now:positive>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_CheckValidity(newerCert, NULL, plContext));
-
-        subTest("PKIX_PL_Cert_CheckValidity <now:negative>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_Cert_CheckValidity(olderCert, NULL, plContext));
-
-cleanup:
-        PKIX_TEST_DECREF_AC(olderString);
-        PKIX_TEST_DECREF_AC(newerString);
-        PKIX_TEST_DECREF_AC(olderDate);
-        PKIX_TEST_DECREF_AC(newerDate);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-readCertBasicConstraints(
-        char *dataDir,
-        char *goodCertName,
-        char *diffCertName,
-        PKIX_PL_CertBasicConstraints **goodBasicConstraints,
-        PKIX_PL_CertBasicConstraints **equalBasicConstraints,
-        PKIX_PL_CertBasicConstraints **diffBasicConstraints){
-
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        createCerts(dataDir, goodCertName, diffCertName,
-                &goodCert, &equalCert, &diffCert);
-        /*
-         * Warning: pointer will be NULL if BasicConstraints
-         * extension is not present in the certificate. */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
-                (goodCert, goodBasicConstraints, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
-                (equalCert, equalBasicConstraints, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints
-                (diffCert, diffBasicConstraints, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testBasicConstraintsHelper(
-        char *dataDir,
-        char *goodCertName,
-        char *diffCertName,
-        char *expectedAscii)
-{
-        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        readCertBasicConstraints
-                (dataDir,
-                goodCertName,
-                diffCertName,
-                &goodBasicConstraints,
-                &equalBasicConstraints,
-                &diffBasicConstraints);
-
-        /*
-         * The standard test macro is applicable only
-         * if BasicConstraint extension is present
-         * in the certificate. Otherwise some
-         * pointers will be null.
-         */
-        if ((goodBasicConstraints) &&
-            (equalBasicConstraints) &&
-            (diffBasicConstraints)) {
-                PKIX_TEST_EQ_HASH_TOSTR_DUP
-                        (goodBasicConstraints,
-                        equalBasicConstraints,
-                        diffBasicConstraints,
-                        expectedAscii,
-                        BasicConstraints,
-                        PKIX_TRUE);
-        } else {
-            /* Test what we can */
-            if (goodBasicConstraints) {
-                if (!equalBasicConstraints) {
-                    testError
-                        ("Unexpected NULL value of equalBasicConstraints");
-                    goto cleanup;
-                }
-                subTest("PKIX_PL_BasicConstraints_Equals   <match>");
-                testEqualsHelper
-                    ((PKIX_PL_Object *)(goodBasicConstraints),
-                    (PKIX_PL_Object *)(equalBasicConstraints),
-                    PKIX_TRUE,
-                    plContext);
-                subTest("PKIX_PL_BasicConstraints_Hashcode <match>");
-                testHashcodeHelper
-                    ((PKIX_PL_Object *)(goodBasicConstraints),
-                    (PKIX_PL_Object *)(equalBasicConstraints),
-                    PKIX_TRUE,
-                    plContext);
-                if (diffBasicConstraints) {
-                    subTest("PKIX_PL_BasicConstraints_Equals   <non-match>");
-                    testEqualsHelper
-                        ((PKIX_PL_Object *)(goodBasicConstraints),
-                        (PKIX_PL_Object *)(diffBasicConstraints),
-                        PKIX_FALSE,
-                        plContext);
-                    subTest("PKIX_PL_BasicConstraints_Hashcode <non-match>");
-                    testHashcodeHelper
-                        ((PKIX_PL_Object *)(goodBasicConstraints),
-                        (PKIX_PL_Object *)(diffBasicConstraints),
-                        PKIX_FALSE,
-                        plContext);
-                }
-                subTest("PKIX_PL_BasicConstraints_Duplicate");
-                testDuplicateHelper
-                        ((PKIX_PL_Object *)goodBasicConstraints, plContext);
-            }
-            if (expectedAscii) {
-                subTest("PKIX_PL_BasicConstraints_ToString");
-                testToStringHelper
-                    ((PKIX_PL_Object *)(goodBasicConstraints),
-                    expectedAscii,
-                    plContext);
-            }
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodBasicConstraints);
-        PKIX_TEST_DECREF_AC(equalBasicConstraints);
-        PKIX_TEST_DECREF_AC(diffBasicConstraints);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testBasicConstraints_GetCAFlag(char *dataCentralDir)
-{
-        /*
-         * XXX  When we have a certificate with a non-null Basic
-         * Constraints field and a value of FALSE for CAFlag,
-         * this test should be modified to use that
-         * certificate for diffCertName, and to verify that
-         * GetCAFlag returns a FALSE value. But our certificates for
-         * non-CAs are created with no BasicConstraints extension.
-         */
-        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
-        char *goodCertName = "yassir2yassir";
-        char *diffCertName = "nss2alice";
-        PKIX_Boolean goodCAFlag = PKIX_FALSE;
-        PKIX_Boolean diffCAFlag = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_BasicConstraints_GetCAFlag");
-
-        readCertBasicConstraints
-                (dataCentralDir,
-                goodCertName,
-                diffCertName,
-                &goodBasicConstraints,
-                &equalBasicConstraints,
-                &diffBasicConstraints);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag
-                (goodBasicConstraints, &goodCAFlag, plContext));
-        if (!goodCAFlag) {
-                testError("BasicConstraint CAFlag unexpectedly FALSE");
-                goto cleanup;
-        }
-
-        if (diffBasicConstraints) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag
-                        (diffBasicConstraints, &diffCAFlag, plContext));
-                if (diffCAFlag) {
-                        testError("BasicConstraint CAFlag unexpectedly TRUE");
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodBasicConstraints);
-        PKIX_TEST_DECREF_AC(equalBasicConstraints);
-        PKIX_TEST_DECREF_AC(diffBasicConstraints);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testBasicConstraints_GetPathLenConstraint(char *dataCentralDir)
-{
-        PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
-        PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
-        char *goodCertName = "yassir2yassir";
-        char *diffCertName = "sun2sun";
-        PKIX_Int32 goodPathLen = 0;
-        PKIX_Int32 diffPathLen = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_BasicConstraints_GetPathLenConstraint");
-
-        readCertBasicConstraints
-                (dataCentralDir,
-                goodCertName,
-                diffCertName,
-                &goodBasicConstraints,
-                &equalBasicConstraints,
-                &diffBasicConstraints);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_BasicConstraints_GetPathLenConstraint
-                (goodBasicConstraints, &goodPathLen, plContext));
-        if (0 != goodPathLen) {
-                testError("unexpected basicConstraint pathLen");
-                (void) printf("Actual value:\t%d\n", goodPathLen);
-                (void) printf("Expected value:\t0\n");
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_BasicConstraints_GetPathLenConstraint
-                (diffBasicConstraints, &diffPathLen, plContext));
-        if (1 != diffPathLen) {
-                testError("unexpected basicConstraint pathLen");
-                (void) printf("Actual value:\t%d\n", diffPathLen);
-                (void) printf("Expected value:\t1\n");
-                goto cleanup;
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodBasicConstraints);
-        PKIX_TEST_DECREF_AC(equalBasicConstraints);
-        PKIX_TEST_DECREF_AC(diffBasicConstraints);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetBasicConstraints(char *dataCentralDir)
-{
-        char *goodCertName = NULL;
-        char *diffCertName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(0) and non-CA>");
-        goodCertName = "yassir2yassir";
-        diffCertName = "nss2alice";
-        testBasicConstraintsHelper
-                (dataCentralDir, goodCertName, diffCertName, "CA(0)");
-
-        subTest("PKIX_PL_Cert_GetBasicConstraints <non-CA and CA(1)>");
-        goodCertName = "nss2alice";
-        diffCertName = "sun2sun";
-        testBasicConstraintsHelper
-                (dataCentralDir, goodCertName, diffCertName, NULL);
-
-        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(0) and CA(1)>");
-        goodCertName = "yassir2bcn";
-        diffCertName = "sun2sun";
-        testBasicConstraintsHelper
-                (dataCentralDir, goodCertName, diffCertName, "CA(0)");
-
-        subTest("PKIX_PL_Cert_GetBasicConstraints <CA(-1) and CA(1)>");
-        goodCertName = "anchor2dsa";
-        diffCertName = "sun2sun";
-        testBasicConstraintsHelper
-                (dataCentralDir, goodCertName, diffCertName, "CA(-1)");
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetPolicyInformation(char *dataDir)
-{
-
-        char *goodCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *equalCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *diffCertName =
-                "UserNoticeQualifierTest17EE.crt";
-        PKIX_Boolean isImmutable = PKIX_FALSE;
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_List* goodPolicyInfo = NULL;
-        PKIX_List* equalPolicyInfo = NULL;
-        PKIX_List* diffPolicyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_Cert_GetPolicyInformation");
-
-        /*
-         * Get the cert, then the list of policyInfos.
-         * Take the first policyInfo from the list.
-         */
-
-        /* Get the PolicyInfo objects */
-        goodCert = createCert(dataDir, goodCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (goodCert, &goodPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
-
-        equalCert = createCert(dataDir, equalCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (equalCert, &equalPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (equalPolicyInfo,
-                0,
-                (PKIX_PL_Object **)&equalPolicy,
-                plContext));
-
-        diffCert = createCert(dataDir, diffCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &diffPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodPolicy,
-                equalPolicy,
-                diffPolicy,
-                NULL,
-                CertPolicyInfo,
-                PKIX_FALSE);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
-                (goodPolicyInfo, &isImmutable, plContext));
-
-        if (isImmutable != PKIX_TRUE) {
-                testError("PolicyInfo List is not immutable");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-        PKIX_TEST_DECREF_AC(goodPolicyInfo);
-        PKIX_TEST_DECREF_AC(equalPolicyInfo);
-        PKIX_TEST_DECREF_AC(diffPolicyInfo);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCertPolicy_GetPolicyId(char *dataDir)
-{
-        char *goodCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *equalCertName =
-                "UserNoticeQualifierTest16EE.crt";
-        char *diffCertName =
-                "UserNoticeQualifierTest17EE.crt";
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_List* goodPolicyInfo = NULL;
-        PKIX_List* equalPolicyInfo = NULL;
-        PKIX_List* diffPolicyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
-        PKIX_PL_OID *goodID = NULL;
-        PKIX_PL_OID *equalID = NULL;
-        PKIX_PL_OID *diffID = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_CertPolicyInfo_GetPolicyId");
-
-        /*
-         * Get the cert, then the list of policyInfos.
-         * Take the first policyInfo from the list.
-         * Finally, get the policyInfo's ID.
-         */
-
-        /* Get the PolicyInfo objects */
-        goodCert = createCert(dataDir, goodCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (goodCert, &goodPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (goodPolicy, &goodID, plContext));
-
-        equalCert = createCert(dataDir, equalCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (equalCert, &equalPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (equalPolicyInfo,
-                0,
-                (PKIX_PL_Object **)&equalPolicy,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (equalPolicy, &equalID, plContext));
-
-        diffCert = createCert(dataDir, diffCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &diffPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId
-                (diffPolicy, &diffID, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodID, equalID, diffID, NULL, OID, PKIX_FALSE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodID);
-        PKIX_TEST_DECREF_AC(equalID);
-        PKIX_TEST_DECREF_AC(diffID);
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-        PKIX_TEST_DECREF_AC(goodPolicyInfo);
-        PKIX_TEST_DECREF_AC(equalPolicyInfo);
-        PKIX_TEST_DECREF_AC(diffPolicyInfo);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCertPolicy_GetPolQualifiers(char *dataDir)
-{
-        char *goodCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *equalCertName =
-                "UserNoticeQualifierTest16EE.crt";
-        char *diffCertName =
-                "UserNoticeQualifierTest18EE.crt";
-        PKIX_Boolean isImmutable = PKIX_FALSE;
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_List* goodPolicyInfo = NULL;
-        PKIX_List* equalPolicyInfo = NULL;
-        PKIX_List* diffPolicyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
-        PKIX_List* goodQuals = NULL;
-        PKIX_List* equalQuals = NULL;
-        PKIX_List* diffQuals = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_CertPolicyInfo_GetPolQualifiers");
-
-        /*
-         * Get the cert, then the list of policyInfos.
-         * Take the first policyInfo from the list.
-         * Get its list of PolicyQualifiers.
-         */
-
-        /* Get the PolicyInfo objects */
-        goodCert = createCert(dataDir, goodCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (goodCert, &goodPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (goodPolicy, &goodQuals, plContext));
-
-        equalCert = createCert(dataDir, equalCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (equalCert, &equalPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (equalPolicyInfo,
-                0,
-                (PKIX_PL_Object **)&equalPolicy,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (equalPolicy, &equalQuals, plContext));
-
-        diffCert = createCert(dataDir, diffCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &diffPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (diffPolicy, &diffQuals, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodQuals,
-                equalQuals,
-                diffQuals,
-                NULL,
-                List,
-                PKIX_FALSE);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable
-                (goodQuals, &isImmutable, plContext));
-
-        if (isImmutable != PKIX_TRUE) {
-                testError("PolicyQualifier List is not immutable");
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(goodPolicyInfo);
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(goodQuals);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(equalPolicyInfo);
-        PKIX_TEST_DECREF_AC(equalQuals);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_DECREF_AC(diffPolicyInfo);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-        PKIX_TEST_DECREF_AC(diffQuals);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testPolicyQualifier_GetQualifier(char *dataDir)
-{
-        char *goodCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *equalCertName =
-                "UserNoticeQualifierTest16EE.crt";
-        char *diffCertName =
-                "UserNoticeQualifierTest18EE.crt";
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_List* goodPolicyInfo = NULL;
-        PKIX_List* equalPolicyInfo = NULL;
-        PKIX_List* diffPolicyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
-        PKIX_List* goodQuals = NULL;
-        PKIX_List* equalQuals = NULL;
-        PKIX_List* diffQuals = NULL;
-        PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
-        PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
-        PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
-        PKIX_PL_ByteArray *goodArray = NULL;
-        PKIX_PL_ByteArray *equalArray = NULL;
-        PKIX_PL_ByteArray *diffArray = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_PolicyQualifier_GetQualifier");
-
-        /*
-         * Get the cert, then the list of policyInfos.
-         * Take the first policyInfo from the list.
-         * Get its list of PolicyQualifiers.
-         * Take the first policyQualifier from the list.
-         * Finally, get the policyQualifier's ByteArray.
-         */
-
-        /* Get the PolicyInfo objects */
-        goodCert = createCert(dataDir, goodCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (goodCert, &goodPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (goodPolicy, &goodQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (goodQuals,
-                0,
-                (PKIX_PL_Object **)&goodPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
-                (goodPolQualifier, &goodArray, plContext));
-
-        equalCert = createCert(dataDir, equalCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (equalCert, &equalPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (equalPolicyInfo,
-                0,
-                (PKIX_PL_Object **)&equalPolicy,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (equalPolicy, &equalQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (equalQuals,
-                0,
-                (PKIX_PL_Object **)&equalPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
-                (equalPolQualifier, &equalArray, plContext));
-
-        diffCert = createCert(dataDir, diffCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &diffPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (diffPolicy, &diffQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (diffQuals,
-                0,
-                (PKIX_PL_Object **)&diffPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier
-                (diffPolQualifier, &diffArray, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodArray, equalArray, diffArray, NULL, ByteArray, PKIX_FALSE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodArray);
-        PKIX_TEST_DECREF_AC(equalArray);
-        PKIX_TEST_DECREF_AC(diffArray);
-        PKIX_TEST_DECREF_AC(goodPolQualifier);
-        PKIX_TEST_DECREF_AC(equalPolQualifier);
-        PKIX_TEST_DECREF_AC(diffPolQualifier);
-        PKIX_TEST_DECREF_AC(goodQuals);
-        PKIX_TEST_DECREF_AC(equalQuals);
-        PKIX_TEST_DECREF_AC(diffQuals);
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-        PKIX_TEST_DECREF_AC(goodPolicyInfo);
-        PKIX_TEST_DECREF_AC(equalPolicyInfo);
-        PKIX_TEST_DECREF_AC(diffPolicyInfo);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testPolicyQualifier_GetPolicyQualifierId(char *dataDir)
-{
-        char *goodCertName =
-                "UserNoticeQualifierTest15EE.crt";
-        char *equalCertName =
-                "UserNoticeQualifierTest16EE.crt";
-        char *diffCertName =
-                "CPSPointerQualifierTest20EE.crt";
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_Cert *equalCert = NULL;
-        PKIX_PL_Cert *diffCert = NULL;
-        PKIX_List* goodPolicyInfo = NULL;
-        PKIX_List* equalPolicyInfo = NULL;
-        PKIX_List* diffPolicyInfo = NULL;
-        PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
-        PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
-        PKIX_List* goodQuals = NULL;
-        PKIX_List* equalQuals = NULL;
-        PKIX_List* diffQuals = NULL;
-        PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
-        PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
-        PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
-        PKIX_PL_OID *goodID = NULL;
-        PKIX_PL_OID *equalID = NULL;
-        PKIX_PL_OID *diffID = NULL;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_PolicyQualifier_GetPolicyQualifierId");
-
-        /*
-         * Get the cert, then the list of policyInfos.
-         * Take the first policyInfo from the list.
-         * Get its list of PolicyQualifiers.
-         * Take the first policyQualifier from the list.
-         * Finally, get the policyQualifier's ID.
-         */
-
-        /* Get the PolicyQualifier objects */
-        goodCert = createCert(dataDir, goodCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (goodCert, &goodPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (goodPolicy, &goodQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (goodQuals,
-                0,
-                (PKIX_PL_Object **)&goodPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
-                (goodPolQualifier, &goodID, plContext));
-
-        equalCert = createCert(dataDir, equalCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (equalCert, &equalPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (equalPolicyInfo,
-                0,
-                (PKIX_PL_Object **)&equalPolicy,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (equalPolicy, &equalQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (equalQuals,
-                0,
-                (PKIX_PL_Object **)&equalPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
-                (equalPolQualifier, &equalID, plContext));
-
-        diffCert = createCert(dataDir, diffCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation
-                (diffCert, &diffPolicyInfo, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers
-                (diffPolicy, &diffQuals, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetItem
-                (diffQuals,
-                0,
-                (PKIX_PL_Object **)&diffPolQualifier,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId
-                (diffPolQualifier, &diffID, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodID, equalID, diffID, NULL, OID, PKIX_FALSE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodID);
-        PKIX_TEST_DECREF_AC(equalID);
-        PKIX_TEST_DECREF_AC(diffID);
-        PKIX_TEST_DECREF_AC(goodPolQualifier);
-        PKIX_TEST_DECREF_AC(equalPolQualifier);
-        PKIX_TEST_DECREF_AC(diffPolQualifier);
-        PKIX_TEST_DECREF_AC(goodQuals);
-        PKIX_TEST_DECREF_AC(equalQuals);
-        PKIX_TEST_DECREF_AC(diffQuals);
-        PKIX_TEST_DECREF_AC(goodPolicy);
-        PKIX_TEST_DECREF_AC(equalPolicy);
-        PKIX_TEST_DECREF_AC(diffPolicy);
-        PKIX_TEST_DECREF_AC(goodPolicyInfo);
-        PKIX_TEST_DECREF_AC(equalPolicyInfo);
-        PKIX_TEST_DECREF_AC(diffPolicyInfo);
-        PKIX_TEST_DECREF_AC(goodCert);
-        PKIX_TEST_DECREF_AC(equalCert);
-        PKIX_TEST_DECREF_AC(diffCert);
-        PKIX_TEST_RETURN();
-}
-
-static void
-testAreCertPoliciesCritical(char *dataCentralDir, char *dataDir)
-{
-
-        char *trueCertName = "CertificatePoliciesCritical.crt";
-        char *falseCertName = "UserNoticeQualifierTest15EE.crt";
-        PKIX_PL_Cert *trueCert = NULL;
-        PKIX_PL_Cert *falseCert = NULL;
-        PKIX_Boolean trueVal = PKIX_FALSE;
-        PKIX_Boolean falseVal = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_Cert_AreCertPoliciesCritical - <true>");
-
-        trueCert = createCert(dataCentralDir, trueCertName, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical
-                (trueCert, &trueVal, plContext));
-
-        if (trueVal != PKIX_TRUE) {
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", trueVal);
-                (void) printf("Expected value:\t1\n");
-                goto cleanup;
-        }
-
-        subTest("PKIX_PL_Cert_AreCertPoliciesCritical - <false>");
-
-        falseCert = createCert(dataDir, falseCertName, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical
-                (falseCert, &falseVal, plContext));
-
-        if (falseVal != PKIX_FALSE) {
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", falseVal);
-                (void) printf("Expected value:\t0\n");
-                goto cleanup;
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(trueCert);
-        PKIX_TEST_DECREF_AC(falseCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCertPolicyConstraints(char *dataDir)
-{
-        char *requireExplicitPolicy2CertName =
-                "requireExplicitPolicy2CACert.crt";
-        char *inhibitPolicyMapping5CertName =
-                "inhibitPolicyMapping5CACert.crt";
-        char *inhibitAnyPolicy5CertName =
-                "inhibitAnyPolicy5CACert.crt";
-        char *inhibitAnyPolicy0CertName =
-                "inhibitAnyPolicy0CACert.crt";
-        PKIX_PL_Cert *requireExplicitPolicy2Cert = NULL;
-        PKIX_PL_Cert *inhibitPolicyMapping5Cert = NULL;
-        PKIX_PL_Cert *inhibitAnyPolicy5Cert = NULL;
-        PKIX_PL_Cert *inhibitAnyPolicy0Cert = NULL;
-        PKIX_Int32 skipCerts = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetRequireExplicitPolicy");
-        requireExplicitPolicy2Cert = createCert
-                (dataDir, requireExplicitPolicy2CertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetRequireExplicitPolicy
-                (requireExplicitPolicy2Cert, &skipCerts, NULL));
-        PR_ASSERT(skipCerts == 2);
-
-        subTest("PKIX_PL_Cert_GetPolicyMappingInhibited");
-        inhibitPolicyMapping5Cert = createCert
-                (dataDir, inhibitPolicyMapping5CertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappingInhibited
-                (inhibitPolicyMapping5Cert, &skipCerts, NULL));
-        PR_ASSERT(skipCerts == 5);
-
-        subTest("PKIX_PL_Cert_GetInhibitAnyPolicy");
-        inhibitAnyPolicy5Cert = createCert
-                (dataDir, inhibitAnyPolicy5CertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy
-                (inhibitAnyPolicy5Cert, &skipCerts, NULL));
-        PR_ASSERT(skipCerts == 5);
-
-        inhibitAnyPolicy0Cert = createCert
-                (dataDir, inhibitAnyPolicy0CertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy
-                (inhibitAnyPolicy0Cert, &skipCerts, NULL));
-        PR_ASSERT(skipCerts == 0);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(requireExplicitPolicy2Cert);
-        PKIX_TEST_DECREF_AC(inhibitPolicyMapping5Cert);
-        PKIX_TEST_DECREF_AC(inhibitAnyPolicy5Cert);
-        PKIX_TEST_DECREF_AC(inhibitAnyPolicy0Cert);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCertPolicyMaps(char *dataDir)
-{
-        char *policyMappingsCertName =
-                "P1Mapping1to234CACert.crt";
-        char *expectedAscii =
-                "2.16.840.1.101.3.2.1.48.1=>2.16.840.1.101.3.2.1.48.2";
-
-        PKIX_PL_Cert *policyMappingsCert = NULL;
-        PKIX_List *mappings = NULL;
-        PKIX_PL_CertPolicyMap *goodMap = NULL;
-        PKIX_PL_CertPolicyMap *equalMap = NULL;
-        PKIX_PL_CertPolicyMap *diffMap = NULL;
-        PKIX_PL_OID *goodOID = NULL;
-        PKIX_PL_OID *equalOID = NULL;
-        PKIX_PL_OID *diffOID = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_GetPolicyMappings");
-
-        policyMappingsCert = createCert
-                (dataDir, policyMappingsCertName, plContext);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappings
-                (policyMappingsCert, &mappings, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (mappings, 0, (PKIX_PL_Object **)&goodMap, NULL));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (mappings, 0, (PKIX_PL_Object **)&equalMap, NULL));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (mappings, 2, (PKIX_PL_Object **)&diffMap, NULL));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodMap,
-                equalMap,
-                diffMap,
-                expectedAscii,
-                CertPolicyMap,
-                PKIX_TRUE);
-
-        subTest("PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
-                (goodMap, &goodOID, NULL));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy
-                (diffMap, &equalOID, NULL));
-        subTest("PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy
-                (diffMap, &diffOID, NULL));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodOID,
-                equalOID,
-                diffOID,
-                "2.16.840.1.101.3.2.1.48.1",
-                OID,
-                PKIX_FALSE);
-
-        subTest("pkix_pl_CertPolicyMap_Destroy");
-        PKIX_TEST_DECREF_BC(goodMap);
-        PKIX_TEST_DECREF_BC(equalMap);
-        PKIX_TEST_DECREF_BC(diffMap);
-
-cleanup:
-        PKIX_TEST_DECREF_AC(policyMappingsCert);
-        PKIX_TEST_DECREF_AC(mappings);
-        PKIX_TEST_DECREF_AC(goodOID);
-        PKIX_TEST_DECREF_AC(equalOID);
-        PKIX_TEST_DECREF_AC(diffOID);
-
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testNameConstraints(char *dataDir)
-{
-        char *firstPname = "nameConstraintsDN3subCA2Cert.crt";
-        char *secondPname = "nameConstraintsDN4CACert.crt";
-        char *thirdPname = "nameConstraintsDN5CACert.crt";
-        char *lastPname = "InvalidDNnameConstraintsTest3EE.crt";
-        PKIX_PL_Cert *firstCert = NULL;
-        PKIX_PL_Cert *secondCert = NULL;
-        PKIX_PL_Cert *thirdCert = NULL;
-        PKIX_PL_Cert *lastCert = NULL;
-        PKIX_PL_CertNameConstraints *firstNC = NULL;
-        PKIX_PL_CertNameConstraints *secondNC = NULL;
-        PKIX_PL_CertNameConstraints *thirdNC = NULL;
-        PKIX_PL_CertNameConstraints *firstMergedNC = NULL;
-        PKIX_PL_CertNameConstraints *secondMergedNC = NULL;
-        char *firstExpectedAscii =
-                "[\n"
-                "\t\tPermitted Name:  (O=Test Certificates,C=US)\n"
-                "\t\tExcluded Name:   (OU=excludedSubtree1,O=Test Certificates,"
-                "C=US, OU=excludedSubtree2,O=Test Certificates,C=US)\n"
-                "\t]\n";
-        char *secondExpectedAscii =
-                "[\n"
-                "\t\tPermitted Name:  (O=Test Certificates,C=US, "
-                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
-                "\t\tExcluded Name:   (OU=excludedSubtree1,"
-                "O=Test Certificates,"
-                "C=US, OU=excludedSubtree2,O=Test Certificates,C=US, "
-                "OU=excludedSubtree1,OU=permittedSubtree1,"
-                "O=Test Certificates,C=US)\n"
-                "\t]\n";
-
-        PKIX_TEST_STD_VARS();
-        subTest("PKIX_PL_CertNameConstraints");
-
-        firstCert = createCert(dataDir, firstPname, plContext);
-        secondCert = createCert(dataDir, secondPname, plContext);
-        thirdCert = createCert(dataDir, thirdPname, plContext);
-        lastCert = createCert(dataDir, lastPname, plContext);
-
-        subTest("PKIX_PL_Cert_GetNameConstraints <total=3>");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (firstCert, &firstNC, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (secondCert, &secondNC, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (thirdCert, &thirdNC, NULL));
-
-        subTest("PKIX_PL_Cert_MergeNameConstraints <1st and 2nd>");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints
-                (firstNC, secondNC, &firstMergedNC, NULL));
-
-        subTest("PKIX_PL_Cert_MergeNameConstraints <1st+2nd and 3rd>");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_MergeNameConstraints
-                (firstMergedNC, thirdNC, &secondMergedNC, NULL));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)firstMergedNC,
-                firstExpectedAscii,
-                plContext);
-
-        testToStringHelper
-                ((PKIX_PL_Object *)secondMergedNC,
-                secondExpectedAscii,
-                plContext);
-
-        subTest("PKIX_PL_Cert_CheckNameConstraints <permitted>");
-
-        /* Subject: CN=nameConstraints DN3 subCA2,O=Test Certificates,C=US */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckNameConstraints
-                (firstCert, firstMergedNC, NULL));
-
-        subTest("PKIX_PL_Cert_CheckNameConstraints <OU in excluded>");
-
-        /*
-         * Subject: CN=Invalid DN nameConstraints EE Certificate Test3,
-         * OU=permittedSubtree1,O=Test Certificates,C=US
-         */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
-                (lastCert, secondMergedNC, NULL));
-
-        subTest("PKIX_PL_Cert_CheckNameConstraints <excluded>");
-
-        /*
-         * Subject: CN=Invalid DN nameConstraints EE Certificate Test3,
-         * OU=permittedSubtree1,O=Test Certificates,C=US
-         * SubjectAltNames: CN=Invalid DN nameConstraints EE Certificate
-         * Test3,OU=excludedSubtree1,O=Test Certificates,C=US
-         */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
-                (lastCert, firstMergedNC, NULL));
-
-        subTest("PKIX_PL_Cert_CheckNameConstraints <excluded>");
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckNameConstraints
-                (firstCert, secondMergedNC, NULL));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstCert);
-        PKIX_TEST_DECREF_AC(secondCert);
-        PKIX_TEST_DECREF_AC(thirdCert);
-        PKIX_TEST_DECREF_AC(lastCert);
-        PKIX_TEST_DECREF_AC(firstNC);
-        PKIX_TEST_DECREF_AC(secondNC);
-        PKIX_TEST_DECREF_AC(thirdNC);
-        PKIX_TEST_DECREF_AC(firstMergedNC);
-        PKIX_TEST_DECREF_AC(secondMergedNC);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-        PKIX_TEST_DECREF_BC(altNameNoneCert);
-        PKIX_TEST_DECREF_BC(altNameOtherCert);
-        PKIX_TEST_DECREF_BC(altNameOtherCert_diff);
-        PKIX_TEST_DECREF_BC(altNameRfc822Cert);
-        PKIX_TEST_DECREF_BC(altNameRfc822Cert_diff);
-        PKIX_TEST_DECREF_BC(altNameDnsCert);
-        PKIX_TEST_DECREF_BC(altNameDnsCert_diff);
-        PKIX_TEST_DECREF_BC(altNameX400Cert);
-        PKIX_TEST_DECREF_BC(altNameX400Cert_diff);
-        PKIX_TEST_DECREF_BC(altNameDnCert);
-        PKIX_TEST_DECREF_BC(altNameDnCert_diff);
-        PKIX_TEST_DECREF_BC(altNameEdiCert);
-        PKIX_TEST_DECREF_BC(altNameEdiCert_diff);
-        PKIX_TEST_DECREF_BC(altNameUriCert);
-        PKIX_TEST_DECREF_BC(altNameUriCert_diff);
-        PKIX_TEST_DECREF_BC(altNameIpCert);
-        PKIX_TEST_DECREF_BC(altNameIpCert_diff);
-        PKIX_TEST_DECREF_BC(altNameOidCert);
-        PKIX_TEST_DECREF_BC(altNameOidCert_diff);
-        PKIX_TEST_DECREF_BC(altNameMultipleCert);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_cert <test-purpose> <data-central-dir> <data-dir>\n\n");
-}
-
-int test_cert(int argc, char *argv[]) {
-
-        PKIX_PL_Cert *goodObject = NULL;
-        PKIX_PL_Cert *equalObject = NULL;
-        PKIX_PL_Cert *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *dataCentralDir = NULL;
-        char *dataDir = NULL;
-        char *goodInput = "yassir2bcn";
-        char *diffInput = "nss2alice";
-
-        char *expectedAscii =
-                "[\n"
-                "\tVersion:         v3\n"
-                "\tSerialNumber:    37bc66ec\n"
-                "\tIssuer:          CN=yassir,OU=bcn,OU=east,O=sun,C=us\n"
-                "\tSubject:         OU=bcn,OU=east,O=sun,C=us\n"
-                "\tValidity: [From: Thu Aug 19, 1999\n"
-        /*      "\tValidity: [From: Thu Aug 19 16:19:56 1999\n"  */
-                "\t           To:   Fri Aug 18, 2000]\n"
-        /*      "\t           To:   Fri Aug 18 16:19:56 2000]\n" */
-                "\tSubjectAltNames: (null)\n"
-                "\tAuthorityKeyId:  (null)\n"
-                "\tSubjectKeyId:    (null)\n"
-                "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
-                "\tCritExtOIDs:     (2.5.29.15, 2.5.29.19)\n"
-                "\tExtKeyUsages:    (null)\n"
-                "\tBasicConstraint: CA(0)\n"
-                "\tCertPolicyInfo:  (null)\n"
-                "\tPolicyMappings:  (null)\n"
-                "\tExplicitPolicy:  -1\n"
-                "\tInhibitMapping:  -1\n"
-                "\tInhibitAnyPolicy:-1\n"
-                "\tNameConstraints: (null)\n"
-                "\tAuthorityInfoAccess: (null)\n"
-                "\tSubjectInfoAccess: (null)\n"
-                "\tCacheFlag:       0\n"
-                "]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Cert");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 3+j) {
-                printUsage();
-                return (0);
-        }
-
-        dataCentralDir = argv[2+j];
-        dataDir = argv[3+j];
-
-        createCerts
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                &goodObject,
-                &equalObject,
-                &diffObject);
-
-        testToStringHelper
-                ((PKIX_PL_Object*)goodObject, expectedAscii, plContext);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                Cert,
-                PKIX_TRUE);
-
-        testVerifyKeyUsage(dataCentralDir, dataDir, goodObject);
-
-
-        testGetExtendedKeyUsage(dataCentralDir);
-        testGetKeyIdentifiers(dataCentralDir, goodObject);
-
-        testGetVersion(goodObject);
-        testGetSerialNumber(goodObject, equalObject, diffObject);
-
-        testGetSubject(goodObject, equalObject, diffObject);
-        testGetIssuer(goodObject, equalObject, diffObject);
-
-        testGetSubjectAltNames(dataCentralDir);
-        testGetCriticalExtensionOIDs(dataCentralDir, goodObject);
-
-        testGetSubjectPublicKey(goodObject, equalObject, diffObject);
-        testGetSubjectPublicKeyAlgId(goodObject);
-        testMakeInheritedDSAPublicKey(dataCentralDir);
-
-        testCheckValidity(goodObject, diffObject);
-
-        testBasicConstraints_GetCAFlag(dataCentralDir);
-        testBasicConstraints_GetPathLenConstraint(dataCentralDir);
-        testGetBasicConstraints(dataCentralDir);
-
-        /* Basic Policy Processing */
-        testGetPolicyInformation(dataDir);
-        testCertPolicy_GetPolicyId(dataDir);
-        testCertPolicy_GetPolQualifiers(dataDir);
-        testPolicyQualifier_GetPolicyQualifierId(dataDir);
-        testPolicyQualifier_GetQualifier(dataDir);
-        testAreCertPoliciesCritical(dataCentralDir, dataDir);
-
-        /* Advanced Policy Processing */
-        testCertPolicyConstraints(dataDir);
-        testCertPolicyMaps(dataDir);
-
-        testNameConstraints(dataDir);
-
-        testVerifySignature(dataCentralDir);
-
-        testDestroy(goodObject, equalObject, diffObject);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Cert");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c
deleted file mode 100644
index 87fb31bc1..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_crl.c
+++ /dev/null
@@ -1,341 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_crl.c
- *
- * Test CRL Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createCRLs(
-        char *dataDir,
-        char *goodInput,
-        char *diffInput,
-        PKIX_PL_CRL **goodObject,
-        PKIX_PL_CRL **equalObject,
-        PKIX_PL_CRL **diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CRL_Create <goodObject>");
-        *goodObject = createCRL(dataDir, goodInput, plContext);
-
-        subTest("PKIX_PL_CRL_Create <equalObject>");
-        *equalObject = createCRL(dataDir, goodInput, plContext);
-
-        subTest("PKIX_PL_CRL_Create <diffObject>");
-        *diffObject = createCRL(dataDir, diffInput, plContext);
-
-        PKIX_TEST_RETURN();
-}
-
-static void testGetCRLEntryForSerialNumber(
-        PKIX_PL_CRL *goodObject)
-{
-        PKIX_PL_BigInt *bigInt;
-        PKIX_PL_String *bigIntString = NULL;
-        PKIX_PL_CRLEntry *crlEntry = NULL;
-        PKIX_PL_String *crlEntryString = NULL;
-        char *snAscii = "3039";
-        char *expectedAscii =
-                "\n\t[\n"
-                "\tSerialNumber:    3039\n"
-                "\tReasonCode:      257\n"
-                "\tRevocationDate:  Fri Jan 07, 2005\n"
-        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n\t";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CRL_GetCRLEntryForSerialNumber");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                    PKIX_ESCASCII,
-                                    snAscii,
-                                    PL_strlen(snAscii),
-                                    &bigIntString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
-                            bigIntString,
-                            &bigInt,
-                            plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
-                            goodObject, bigInt, &crlEntry, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString(
-                                    (PKIX_PL_Object *)crlEntry,
-                                    &crlEntryString,
-                                    plContext));
-
-        testToStringHelper((PKIX_PL_Object *)crlEntryString,
-                            expectedAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(bigIntString);
-        PKIX_TEST_DECREF_AC(bigInt);
-        PKIX_TEST_DECREF_AC(crlEntryString);
-        PKIX_TEST_DECREF_AC(crlEntry);
-        PKIX_TEST_RETURN();
-}
-
-static void testGetIssuer(
-        PKIX_PL_CRL *goodObject,
-        PKIX_PL_CRL *equalObject,
-        PKIX_PL_CRL *diffObject)
-{
-        PKIX_PL_X500Name *goodIssuer = NULL;
-        PKIX_PL_X500Name *equalIssuer = NULL;
-        PKIX_PL_X500Name *diffIssuer = NULL;
-        char *expectedAscii = "CN=hanfeiyu,O=sun,C=us";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CRL_GetIssuer");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-                PKIX_PL_CRL_GetIssuer(goodObject, &goodIssuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-                PKIX_PL_CRL_GetIssuer(equalObject, &equalIssuer, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-                PKIX_PL_CRL_GetIssuer(diffObject, &diffIssuer, plContext));
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodIssuer,
-                equalIssuer,
-                diffIssuer,
-                expectedAscii,
-                X500Name,
-                PKIX_TRUE);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodIssuer);
-        PKIX_TEST_DECREF_AC(equalIssuer);
-        PKIX_TEST_DECREF_AC(diffIssuer);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCritExtensionsAbsent(PKIX_PL_CRL *crl)
-{
-        PKIX_List *oidList = NULL;
-        PKIX_UInt32 numOids = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCriticalExtensionOIDs
-                                    (crl, &oidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (oidList, &numOids, plContext));
-        if (numOids != 0){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(oidList);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetCriticalExtensionOIDs(PKIX_PL_CRL *goodObject)
-{
-        subTest("PKIX_PL_CRL_GetCriticalExtensionOIDs "
-                "<0 element>");
-        testCritExtensionsAbsent(goodObject);
-
-}
-
-static void testVerifySignature(char *dataCentralDir, PKIX_PL_CRL *crl){
-        PKIX_PL_Cert *firstCert = NULL;
-        PKIX_PL_Cert *secondCert = NULL;
-        PKIX_PL_PublicKey *firstPubKey = NULL;
-        PKIX_PL_PublicKey *secondPubKey = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Cert_Create <hanfeiyu2hanfeiyu>");
-        firstCert = createCert(dataCentralDir, "hanfeiyu2hanfeiyu", plContext);
-
-        subTest("PKIX_PL_Cert_Create <hy2hy-bc0>");
-        secondCert = createCert(dataCentralDir, "hy2hy-bc0", plContext);
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <hanfeiyu2hanfeiyu>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKey
-                (firstCert, &firstPubKey, plContext));
-
-        subTest("PKIX_PL_Cert_GetSubjectPublicKey <hanfei2hanfei>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubjectPublicKey
-                (secondCert, &secondPubKey, plContext));
-
-        subTest("PKIX_PL_CRL_VerifySignature <positive>");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_CRL_VerifySignature(crl, firstPubKey, plContext));
-
-        subTest("PKIX_PL_CRL_VerifySignature <negative>");
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_CRL_VerifySignature(crl, secondPubKey, plContext));
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(firstCert);
-        PKIX_TEST_DECREF_AC(secondCert);
-        PKIX_TEST_DECREF_AC(firstPubKey);
-        PKIX_TEST_DECREF_AC(secondPubKey);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_crl <test-purpose> <data-central-dir>\n\n");
-}
-
-/* Functional tests for CRL public functions */
-
-int test_crl(int argc, char *argv[]) {
-        PKIX_PL_CRL *goodObject = NULL;
-        PKIX_PL_CRL *equalObject = NULL;
-        PKIX_PL_CRL *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *dataCentralDir = NULL;
-        char *goodInput = "crlgood.crl";
-        char *diffInput = "crldiff.crl";
-        char *expectedAscii =
-                "[\n"
-                "\tVersion:         v2\n"
-                "\tIssuer:          CN=hanfeiyu,O=sun,C=us\n"
-                "\tUpdate:   [Last: Fri Jan 07, 2005\n"
-        /*      "\tUpdate:   [Last: Fri Jan 07 15:09:10 2005\n" */
-                "\t           Next: Sat Jan 07, 2006]\n"
-        /*      "\t           Next: Sat Jan 07 15:09:10 2006]\n" */
-                "\tSignatureAlgId:  1.2.840.10040.4.3\n"
-                "\tCRL Number     : (null)\n"
-                "\n\tEntry List:      (\n"
-                "\t[\n"
-                "\tSerialNumber:    010932\n"
-                "\tReasonCode:      260\n"
-                "\tRevocationDate:  Fri Jan 07, 2005\n"
-        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n\t"
-                ", "
-                "\n\t[\n"
-                "\tSerialNumber:    3039\n"
-                "\tReasonCode:      257\n"
-                "\tRevocationDate:  Fri Jan 07, 2005\n"
-        /*      "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n" */
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n\t"
-                ")"
-                "\n\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "]\n";
-        /* Note XXX serialnumber and reasoncode need debug */
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CRL");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 3+j) {
-                printUsage();
-                return (0);
-        }
-
-        dataCentralDir = argv[2+j];
-
-        createCRLs
-                (dataCentralDir,
-                goodInput,
-                diffInput,
-                &goodObject,
-                &equalObject,
-                &diffObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                expectedAscii,
-                CRL,
-                PKIX_TRUE);
-
-        testGetIssuer(goodObject, equalObject, diffObject);
-
-        testGetCriticalExtensionOIDs(goodObject);
-
-        testGetCRLEntryForSerialNumber(goodObject);
-
-        testVerifySignature(dataCentralDir, goodObject);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodObject);
-        PKIX_TEST_DECREF_AC(equalObject);
-        PKIX_TEST_DECREF_AC(diffObject);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CRL");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c
deleted file mode 100644
index fb1e07002..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_crlentry.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_crlentry.c
- *
- * Test CRLENTRY Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createCRLEntries(
-        char *dataDir,
-        char *crlInput,
-        PKIX_PL_CRL **pCrl,
-        PKIX_PL_CRLEntry **goodObject,
-        PKIX_PL_CRLEntry **equalObject,
-        PKIX_PL_CRLEntry **diffObject)
-{
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_PL_BigInt *firstSNBigInt = NULL;
-        PKIX_PL_BigInt *secondSNBigInt = NULL;
-        PKIX_PL_String *firstSNString = NULL;
-        PKIX_PL_String *secondSNString = NULL;
-        char *firstSNAscii = "010932";
-        char *secondSNAscii = "3039";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CRL_Create <crl>");
-        crl = createCRL(dataDir, crlInput, plContext);
-
-        subTest("PKIX_PL_CRL_GetCRLEntryForSerialNumber");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                    PKIX_ESCASCII,
-                                    firstSNAscii,
-                                    PL_strlen(firstSNAscii),
-                                    &firstSNString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
-                            firstSNString,
-                            &firstSNBigInt,
-                            plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
-                            crl, firstSNBigInt, goodObject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
-                            crl, firstSNBigInt, equalObject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                    PKIX_ESCASCII,
-                                    secondSNAscii,
-                                    PL_strlen(secondSNAscii),
-                                    &secondSNString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create(
-                            secondSNString,
-                            &secondSNBigInt,
-                            plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRL_GetCRLEntryForSerialNumber(
-                            crl, secondSNBigInt, diffObject, plContext));
-
-
-
-        *pCrl = crl;
-
-cleanup:
-        PKIX_TEST_DECREF_AC(firstSNBigInt);
-        PKIX_TEST_DECREF_AC(secondSNBigInt);
-        PKIX_TEST_DECREF_AC(firstSNString);
-        PKIX_TEST_DECREF_AC(secondSNString);
-        PKIX_TEST_RETURN();
-}
-
-static void testGetReasonCode(
-        PKIX_PL_CRLEntry *goodObject)
-{
-        PKIX_Int32 reasonCode = 0;
-        PKIX_Int32 expectedReasonCode = 260;
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CRLEntry_GetCRLEntryReasonCode");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRLEntry_GetCRLEntryReasonCode(
-                            goodObject, &reasonCode, plContext));
-
-        if (reasonCode != expectedReasonCode) {
-                testError("unexpected value of CRL Entry Reason Code");
-                (void) printf("Actual value:\t%d\n", reasonCode);
-                (void) printf("Expected value:\t%d\n", expectedReasonCode);
-                goto cleanup;
-        }
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCritExtensionsAbsent(PKIX_PL_CRLEntry *crlEntry)
-{
-        PKIX_List *oidList = NULL;
-        PKIX_UInt32 numOids = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
-                                    (crlEntry, &oidList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                                    (oidList, &numOids, plContext));
-        if (numOids != 0){
-                pkixTestErrorMsg = "unexpected mismatch";
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(oidList);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetCriticalExtensionOIDs(PKIX_PL_CRLEntry *goodObject)
-{
-        subTest("PKIX_PL_CRL_GetCriticalExtensionOIDs "
-                "<CritExtensionsAbsent>");
-        testCritExtensionsAbsent(goodObject);
-
-}
-
-static
-void printUsage(void) {
-        (void) printf("\nUSAGE:\ttest_crlentry <data-dir>\n\n");
-}
-
-/* Functional tests for CRLENTRY public functions */
-
-int test_crlentry(int argc, char *argv[]) {
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_PL_CRLEntry *goodObject = NULL;
-        PKIX_PL_CRLEntry *equalObject = NULL;
-        PKIX_PL_CRLEntry *diffObject = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *dataDir = NULL;
-        char *goodInput = "crlgood.crl";
-        char *expectedAscii =
-                "\n\t[\n"
-                "\tSerialNumber:    010932\n"
-                "\tReasonCode:      260\n"
-                "\tRevocationDate:  Fri Jan 07 15:09:10 2005\n"
-                "\tCritExtOIDs:     (EMPTY)\n"
-                "\t]\n\t";
-
-        /* Note XXX serialnumber and reasoncode need debug */
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("CRLEntry");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 1+j) {
-                printUsage();
-                return (0);
-        }
-
-        dataDir = argv[1+j];
-
-        createCRLEntries
-            (dataDir, goodInput, &crl, &goodObject, &equalObject, &diffObject);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodObject,
-                equalObject,
-                diffObject,
-                NULL, /* expectedAscii, */
-                CRLENTRY,
-                PKIX_TRUE);
-
-        testGetReasonCode(goodObject);
-
-        testGetCriticalExtensionOIDs(goodObject);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(crl);
-        PKIX_TEST_DECREF_AC(goodObject);
-        PKIX_TEST_DECREF_AC(equalObject);
-        PKIX_TEST_DECREF_AC(diffObject);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("CRLEntry");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c
deleted file mode 100644
index 02ce70e5c..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_date.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_date.c
- *
- * Test Date Type
- *
- */
-
-
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createDates(char *goodInput, char *diffInput,
-                    PKIX_PL_Date **goodDate,
-                    PKIX_PL_Date **equalDate,
-                    PKIX_PL_Date **diffDate){
-
-        subTest("PKIX_PL_Date_Create <goodDate>");
-        *goodDate = createDate(goodInput, plContext);
-
-        subTest("PKIX_PL_Date_Create <equalDate>");
-        *equalDate = createDate(goodInput, plContext);
-
-        subTest("PKIX_PL_Date_Create <diffDate>");
-        *diffDate = createDate(diffInput, plContext);
-
-}
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_Date_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static
-void testDate(char *goodInput, char *diffInput){
-
-        PKIX_PL_Date *goodDate = NULL;
-        PKIX_PL_Date *equalDate = NULL;
-        PKIX_PL_Date *diffDate = NULL;
-
-        /*
-         * The ASCII rep of the date will vary by platform and locale
-         * This particular string was generated on a SPARC running Solaris 9
-         * in an English locale
-         */
-        /* char *expectedAscii = "Mon Mar 29 08:48:47 2004"; */
-        char *expectedAscii = "Mon Mar 29, 2004";
-
-        PKIX_TEST_STD_VARS();
-
-        createDates(goodInput, diffInput,
-                    &goodDate, &equalDate, &diffDate);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodDate, equalDate, diffDate, expectedAscii, Date, PKIX_TRUE);
-
-        testDestroy(goodDate, equalDate, diffDate);
-
-        PKIX_TEST_RETURN();
-
-}
-
-int test_date(int argc, char *argv[]) {
-
-        char *goodInput = NULL;
-        char *diffInput = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Date");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        goodInput = "040329134847Z";
-        diffInput = "050329135847Z";
-        testDate(goodInput, diffInput);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Date");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c
deleted file mode 100644
index 2ee4beed4..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_generalname.c
+++ /dev/null
@@ -1,155 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_generalname.c
- *
- * Test GeneralName Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createGeneralNames(PKIX_UInt32 nameType, char *goodInput, char *diffInput,
-                    PKIX_PL_GeneralName **goodName,
-                    PKIX_PL_GeneralName **equalName,
-                    PKIX_PL_GeneralName **diffName){
-
-        subTest("PKIX_PL_GeneralName_Create <goodName>");
-        *goodName = createGeneralName(nameType, goodInput, plContext);
-
-        subTest("PKIX_PL_GeneralName_Create <equalName>");
-        *equalName = createGeneralName(nameType, goodInput, plContext);
-
-        subTest("PKIX_PL_GeneralName_Create <diffName>");
-        *diffName = createGeneralName(nameType, diffInput, plContext);
-
-}
-
-static void
-testDestroy(void *goodObject, void *equalObject, void *diffObject)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_GeneralName_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static void testNameType
-(PKIX_UInt32 nameType, char *goodInput, char *diffInput, char *expectedAscii){
-
-        PKIX_PL_GeneralName *goodName = NULL;
-        PKIX_PL_GeneralName *equalName = NULL;
-        PKIX_PL_GeneralName *diffName = NULL;
-
-        createGeneralNames(nameType, goodInput, diffInput,
-                            &goodName, &equalName, &diffName);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (goodName,
-                equalName,
-                diffName,
-                expectedAscii,
-                GeneralName,
-                PKIX_TRUE);
-
-        testDestroy(goodName, equalName, diffName);
-}
-
-int test_generalname(int argc, char *argv[]) {
-
-        char *goodInput = NULL;
-        char *diffInput = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("GeneralName");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        goodInput = "john@sun.com";
-        diffInput = "john@labs.com";
-        testNameType(PKIX_RFC822_NAME, goodInput, diffInput, goodInput);
-
-        goodInput = "example1.com";
-        diffInput = "ex2.net";
-        testNameType(PKIX_DNS_NAME, goodInput, diffInput, goodInput);
-
-        goodInput = "cn=yassir, ou=labs, o=sun, c=us";
-        diffInput = "cn=alice, ou=labs, o=sun, c=us";
-        testNameType(PKIX_DIRECTORY_NAME,
-                    goodInput,
-                    diffInput,
-                    "CN=yassir,OU=labs,O=sun,C=us");
-
-        goodInput = "http://example1.com";
-        diffInput = "http://ex2.net";
-        testNameType(PKIX_URI_NAME, goodInput, diffInput, goodInput);
-
-        goodInput = "1.2.840.11";
-        diffInput = "1.2.840.115349";
-        testNameType(PKIX_OID_NAME, goodInput, diffInput, goodInput);
-
-        /*
-         * We don't support creating PKIX_EDIPARTY_NAME,
-         * PKIX_IP_NAME, OTHER_NAME, X400_ADDRESS from strings
-         */
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("GeneralName");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c
deleted file mode 100644
index 14193ad6b..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_nameconstraints.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_nameconstraints.c
- *
- * Test CERT Name Constraints Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static char *catDirName(char *platform, char *dir, void *plContext)
-{
-        char *pathName = NULL;
-        PKIX_UInt32 dirLen;
-        PKIX_UInt32 platformLen;
-
-        PKIX_TEST_STD_VARS();
-
-        dirLen = PL_strlen(dir);
-        platformLen = PL_strlen(platform);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                (platformLen + dirLen + 2, (void **)&pathName, plContext));
-
-        PL_strcpy(pathName, platform);
-        PL_strcat(pathName, "/");
-        PL_strcat(pathName, dir);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (pathName);
-}
-
-static void
-testNameConstraints(char *dataDir)
-{
-        char *goodPname = "nameConstraintsDN5CACert.crt";
-        PKIX_PL_Cert *goodCert = NULL;
-        PKIX_PL_CertNameConstraints *goodNC = NULL;
-        char *expectedAscii =
-                "[\n"
-                "\t\tPermitted Name:  (OU=permittedSubtree1,"
-                "O=Test Certificates,C=US)\n"
-                "\t\tExcluded Name:   (OU=excludedSubtree1,"
-                "OU=permittedSubtree1,O=Test Certificates,C=US)\n"
-                "\t]\n";
-
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_CertNameConstraints");
-
-        goodCert = createCert(dataDir, goodPname, plContext);
-
-        subTest("PKIX_PL_Cert_GetNameConstraints");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                (goodCert, &goodNC, plContext));
-
-        testToStringHelper
-                ((PKIX_PL_Object *)goodNC, expectedAscii, plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(goodNC);
-        PKIX_TEST_DECREF_AC(goodCert);
-
-        PKIX_TEST_RETURN();
-}
-
-static
-void printUsage(void) {
-        (void) printf
-		("\nUSAGE:\ttest_nameconstraints <test-purpose>"
-                 " <data-dir> <platform-prefix>\n\n");
-}
-
-/* Functional tests for CRL public functions */
-
-int test_nameconstraints(int argc, char *argv[]) {
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        char *platformDir = NULL;
-        char *dataDir = NULL;
-        char *combinedDir = NULL;
-
-        /* Note XXX serialnumber and reasoncode need debug */
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("NameConstraints");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 3 + j) {
-                printUsage();
-                return (0);
-        }
-
-        dataDir = argv[2 + j];
-        platformDir = argv[3 + j];
-	combinedDir = catDirName(platformDir, dataDir, plContext);
-
-        testNameConstraints(combinedDir);
-
-cleanup:
-
-        pkixTestErrorResult = PKIX_PL_Free(combinedDir, plContext);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("NameConstraints");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c
deleted file mode 100644
index 9f2260f93..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_subjectinfoaccess.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_subjectinfoaccess.c
- *
- * Test Subject InfoAccess Type
- *
- */
-
-
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-int test_subjectinfoaccess(int argc, char *argv[]) {
-
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_Cert *certDiff = NULL;
-        PKIX_List *aiaList = NULL;
-        PKIX_List *siaList = NULL;
-        PKIX_PL_InfoAccess *sia = NULL;
-        PKIX_PL_InfoAccess *siaDup = NULL;
-        PKIX_PL_InfoAccess *siaDiff = NULL;
-        PKIX_PL_GeneralName *location = NULL;
-        char *certPathName = NULL;
-        char *dirName = NULL;
-        PKIX_UInt32 method = 0;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 size, i;
-        PKIX_UInt32 j = 0;
-        char *expectedAscii = "[method:caRepository, "
-                "location:http://betty.nist.gov/pathdiscoverytestsuite/"
-                "p7cfiles/IssuedByTrustAnchor1.p7c]";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("SubjectInfoAccess");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        if (argc < 5+j) {
-                printf("Usage: %s <test-purpose> <cert> <diff-cert>\n", argv[0]);
-        }
-
-        dirName = argv[2+j];
-        certPathName = argv[3+j];
-
-        subTest("Creating Cert with Subject Info Access");
-        cert = createCert(dirName, certPathName, plContext);
-
-        certPathName = argv[4+j];
-
-        subTest("Creating Cert with Subject Info Access");
-        certDiff = createCert(dirName, certPathName, plContext);
-
-        subTest("Getting Subject Info Access");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectInfoAccess
-                (cert, &siaList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (siaList, &size, plContext));
-
-        if (size != 1) {
-                pkixTestErrorMsg = "unexpected number of AIA";
-                goto cleanup;
-        }
- 
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (siaList, 0, (PKIX_PL_Object **) &sia, plContext));
-
-        subTest("PKIX_PL_InfoAccess_GetMethod");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetMethod
-                (sia, &method, plContext));
-        if (method != PKIX_INFOACCESS_CA_REPOSITORY) {
-                pkixTestErrorMsg = "unexpected method of AIA";
-                goto cleanup;
-        }
-
-        subTest("PKIX_PL_InfoAccess_GetLocation");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_InfoAccess_GetLocation
-                (sia, &location, plContext));
-        if (!location) {
-                pkixTestErrorMsg = "Cannot get AIA location";
-                goto cleanup;
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (siaList, 0, (PKIX_PL_Object **) &siaDup, plContext));
-
-        subTest("Getting Authority Info Access as difference comparison");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityInfoAccess
-                (certDiff, &aiaList, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength
-                (aiaList, &size, plContext));
-
-        if (size != 1) {
-                pkixTestErrorMsg = "unexpected number of AIA";
-                goto cleanup;
-        }
- 
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem
-                (aiaList, 0, (PKIX_PL_Object **) &siaDiff, plContext));
-
-        subTest("Checking: Equal, Hash and ToString");
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (sia, siaDup, siaDiff, expectedAscii, InfoAccess, PKIX_FALSE);
-
-
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(location);
-        PKIX_TEST_DECREF_AC(sia);
-        PKIX_TEST_DECREF_AC(siaDup);
-        PKIX_TEST_DECREF_AC(siaDiff);
-        PKIX_TEST_DECREF_AC(aiaList);
-        PKIX_TEST_DECREF_AC(siaList);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(certDiff);
-     
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Subjectinfoaccess");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c b/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c
deleted file mode 100644
index 2bf098188..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/pki/test_x500name.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_x500name.c
- *
- * Test X500Name Type
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static PKIX_PL_X500Name *
-createX500Name(char *asciiName, PKIX_Boolean expectedToPass){
-
-        PKIX_PL_X500Name *x500Name = NULL;
-        PKIX_PL_String *plString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create
-                (PKIX_ESCASCII, asciiName, 0, &plString, plContext));
-
-        if (expectedToPass){
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_X500Name_Create
-                        (plString, &x500Name, plContext));
-        } else {
-                PKIX_TEST_EXPECT_ERROR
-                        (PKIX_PL_X500Name_Create
-                        (plString, &x500Name, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(plString);
-
-        PKIX_TEST_RETURN();
-
-        return (x500Name);
-}
-
-static void
-createX500Names(char *goodInput, char *diffInput, char *diffInputMatch,
-            PKIX_PL_X500Name **goodObject,
-            PKIX_PL_X500Name **equalObject,
-            PKIX_PL_X500Name **diffObject,
-            PKIX_PL_X500Name **diffObjectMatch)
-{
-        char *badAscii = "cn=yas#sir,ou=labs,o=sun,c=us";
-        PKIX_PL_X500Name *badObject = NULL;
-
-        subTest("PKIX_PL_X500Name_Create <goodObject>");
-        *goodObject = createX500Name(goodInput, PKIX_TRUE);
-
-        subTest("PKIX_PL_X500Name_Create <equalObject>");
-        *equalObject = createX500Name(goodInput, PKIX_TRUE);
-
-        subTest("PKIX_PL_X500Name_Create <diffObject>");
-        *diffObject = createX500Name(diffInput, PKIX_TRUE);
-
-        subTest("PKIX_PL_X500Name_Create <diffObjectMatch>");
-        *diffObjectMatch = createX500Name(diffInputMatch, PKIX_TRUE);
-
-        subTest("PKIX_PL_X500Name_Create <negative>");
-        badObject = createX500Name(badAscii, PKIX_FALSE);
-}
-
-static void testMatchHelper
-(PKIX_PL_X500Name *goodName, PKIX_PL_X500Name *otherName, PKIX_Boolean match)
-{
-        PKIX_Boolean cmpResult;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_X500Name_Match
-                                    (goodName,
-                                    otherName,
-                                    &cmpResult,
-                                    plContext));
-
-        if ((match && !cmpResult) || (!match && cmpResult)){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", cmpResult);
-                (void) printf("Expected value:\t%d\n", match);
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-static void
-testMatch(void *goodObject, void *diffObject, void *diffObjectMatch)
-{
-        subTest("PKIX_PL_X500Name_Match <match>");
-        testMatchHelper((PKIX_PL_X500Name *)diffObject,
-                        (PKIX_PL_X500Name *)diffObjectMatch,
-                        PKIX_TRUE);
-
-        subTest("PKIX_PL_X500Name_Match <non-match>");
-        testMatchHelper((PKIX_PL_X500Name *)goodObject,
-                        (PKIX_PL_X500Name *)diffObject,
-                        PKIX_FALSE);
-}
-
-static void testDestroy
-(void *goodObject, void *equalObject, void *diffObject, void *diffObjectMatch)
-{
-        PKIX_TEST_STD_VARS();
-
-        subTest("PKIX_PL_X500Name_Destroy");
-
-        PKIX_TEST_DECREF_BC(goodObject);
-        PKIX_TEST_DECREF_BC(equalObject);
-        PKIX_TEST_DECREF_BC(diffObject);
-        PKIX_TEST_DECREF_BC(diffObjectMatch);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-int test_x500name(int argc, char *argv[]) {
-
-        PKIX_PL_X500Name *goodObject = NULL;
-        PKIX_PL_X500Name *equalObject = NULL;
-        PKIX_PL_X500Name *diffObject = NULL;
-        PKIX_PL_X500Name *diffObjectMatch = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        /* goodInput is encoded in PKIX_ESCASCII */
-        char *goodInput = "cn=Strau&#x00Df;,ou=labs,o=sun,c=us";
-        char *diffInput = "cn=steve,ou=labs,o=sun,c=us";
-        char *diffInputMatch = "Cn=SteVe,Ou=lABs,o=SUn,c=uS";
-        char *expectedAscii = "CN=Strau&#x00DF;,OU=labs,O=sun,C=us";
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("X500Name");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        createX500Names
-                (goodInput, diffInput, diffInputMatch,
-                &goodObject, &equalObject, &diffObject, &diffObjectMatch);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-            (goodObject,
-            equalObject,
-            diffObject,
-            expectedAscii,
-            X500Name,
-            PKIX_TRUE);
-
-        testMatch(goodObject, diffObject, diffObjectMatch);
-
-        testDestroy(goodObject, equalObject, diffObject, diffObjectMatch);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("X500Name");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/Makefile b/security/nss/cmd/libpkix/pkix_pl/system/Makefile
deleted file mode 100755
index 3f1484b02..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn b/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn
deleted file mode 100755
index 8d9ed0152..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/manifest.mn
+++ /dev/null
@@ -1,71 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-# test_rwlock.c is taken out, need to link to libpkix internals
-#
-# The test is using LIBPKIX PL call directly, which violates our
-# code convention.
-#
-CSRCS = test_bigint.c \
-	test_bytearray.c \
-	test_hashtable.c \
-	test_mem.c \
-	test_mutex.c \
-	test_mutex2.c \
-	test_mutex3.c \
-	test_monitorlock.c \
-	test_object.c \
-	test_oid.c \
-	stress_test.c \
-	test_string.c \
-	test_string2.c \
-	$(NULL)
-
-
-LIBRARY_NAME=pkixtoolsys
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
- 
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c b/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c
deleted file mode 100644
index 251abe87c..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/stress_test.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * stress_test.c
- *
- * Creates and deletes many objects
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-int stress_test(int argc, char *argv[]) {
-
-        PKIX_UInt32 i, k, length, hashcode;
-        PKIX_UInt32 size = 17576;
-        char temp[4];
-        PKIX_Boolean result;
-        PKIX_PL_String *strings[17576], *tempString;
-        PKIX_PL_String *utf16strings[17576];
-        PKIX_PL_ByteArray *byteArrays[17576];
-        void *dest;
-        PKIX_PL_HashTable *ht = NULL;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Stress Test");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        /* ---------------------------- */
-        subTest("Create every three letter String");
-
-        for (i = 0; i < 26; i++)
-                for (j = 0; j < 26; j++)
-                        for (k = 0; k < 26; k++) {
-                                temp[0] = (char)('a'+i);
-                                temp[1] = (char)('a'+j);
-                                temp[2] = (char)('a'+k);
-                                temp[3] = 0;
-                                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                (PKIX_ESCASCII, temp, 3,
-                                &strings[26*(i*26+j)+k], plContext));
-                        }
-
-        /* ---------------------------- */
-        subTest("Create a bytearray from each string's UTF-16 encoding");
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_String_GetEncoded
-                        (strings[i],
-                        PKIX_UTF16,
-                        &dest,
-                        &length,
-                        plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
-                            (dest, length, &byteArrays[i], plContext));
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        }
-
-        /* ---------------------------- */
-        subTest("Create a copy string from each bytearray");
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                            (PKIX_UTF16, *(void **)byteArrays[i], 6,
-                            &utf16strings[i], plContext));
-        }
-
-        /* ---------------------------- */
-        subTest("Compare each original string with the copy");
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                            ((PKIX_PL_Object*)strings[i],
-                            (PKIX_PL_Object*)utf16strings[i],
-                            &result,
-                            plContext));
-                if (result == 0)
-                        testError("Strings do not match");
-        }
-
-        /* ---------------------------- */
-        subTest("Put each string into a Hashtable");
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_HashTable_Create(size/2, 0, &ht, plContext));
-
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Object_Hashcode
-                        ((PKIX_PL_Object*)strings[i],
-                        &hashcode,
-                        plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                            (ht,
-                            (void *)&hashcode,
-                            (void*)strings[i],
-                            plContext));
-        }
-
-
-        /* ---------------------------- */
-        subTest("Compare each copy string with the hashtable entries ");
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
-                            ((PKIX_PL_Object*)utf16strings[i],
-                            &hashcode,
-                            plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                            (ht,
-                            (void *)&hashcode,
-                            (PKIX_PL_Object**)&tempString,
-                            plContext));
-
-                if (tempString == NULL)
-                        testError("String not found in hashtable");
-                else {
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    ((PKIX_PL_Object*)tempString,
-                                    (PKIX_PL_Object*)utf16strings[i],
-                                    &result,
-                                    plContext));
-                        if (result == 0)
-                                testError("Strings do not match");
-                        PKIX_TEST_DECREF_BC(tempString);
-                }
-        }
-
-cleanup:
-
-        /* ---------------------------- */
-        subTest("Destroy All Objects");
-
-        PKIX_TEST_DECREF_AC(ht);
-
-        for (i = 0; i < size; i++) {
-                PKIX_TEST_DECREF_AC(strings[i]);
-                PKIX_TEST_DECREF_AC(utf16strings[i]);
-                PKIX_TEST_DECREF_AC(byteArrays[i]);
-        }
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Stress Test");
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c b/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c
deleted file mode 100644
index 236a1f295..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_bigint.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_bigint.c
- *
- * Tests BigInt Types
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createBigInt(
-        PKIX_PL_BigInt **bigInts,
-        char *bigIntAscii,
-        PKIX_Boolean errorHandling)
-{
-        PKIX_PL_String *bigIntString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                                    (PKIX_ESCASCII,
-                                    bigIntAscii,
-                                    PL_strlen(bigIntAscii),
-                                    &bigIntString,
-                                    plContext));
-
-        if (errorHandling){
-                PKIX_TEST_EXPECT_ERROR(PKIX_PL_BigInt_Create
-                                            (bigIntString,
-                                            bigInts,
-                                            plContext));
-        } else {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BigInt_Create
-                                            (bigIntString,
-                                            bigInts,
-                                            plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(bigIntString);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testToString(
-        PKIX_PL_BigInt *bigInt,
-        char *expAscii)
-{
-        PKIX_PL_String *bigIntString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object*)bigInt,
-                                    &bigIntString, plContext));
-
-        temp = PKIX_String2ASCII(bigIntString, plContext);
-        if (temp == plContext){
-                testError("PKIX_String2Ascii failed");
-                goto cleanup;
-        }
-
-        if (PL_strcmp(temp, expAscii) != 0) {
-                (void) printf("\tBigInt ToString: %s %s\n", temp, expAscii);
-                testError("Output string does not match source");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(bigIntString);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCompare(
-        PKIX_PL_BigInt *firstBigInt,
-        PKIX_PL_BigInt *secondBigInt,
-        PKIX_Int32 *cmpResult)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare
-                                    ((PKIX_PL_Object*)firstBigInt,
-                                    (PKIX_PL_Object*)secondBigInt,
-                                    cmpResult, plContext));
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(
-        PKIX_PL_BigInt *bigInt)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(bigInt);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_bigint(int argc, char *argv[]) {
-
-        PKIX_UInt32 size = 4, badSize = 3, i = 0;
-        PKIX_PL_BigInt *testBigInt[4] = {NULL};
-        PKIX_Int32 cmpResult;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char *bigIntValue[4] =
-        {
-                "03",
-                "ff",
-                "1010101010101010101010101010101010101010",
-                "1010101010101010101010101010101010101010",
-        };
-
-        char *badValue[3] = {"00ff", "fff", "-ff"};
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("BigInts");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        for (i = 0; i < badSize; i++) {
-                subTest("PKIX_PL_BigInt_Create <error_handling>");
-                createBigInt(&testBigInt[i], badValue[i], PKIX_TRUE);
-        }
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_BigInt_Create");
-                createBigInt(&testBigInt[i], bigIntValue[i], PKIX_FALSE);
-        }
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (testBigInt[2],
-                testBigInt[3],
-                testBigInt[1],
-                bigIntValue[2],
-                BigInt,
-                PKIX_TRUE);
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_BigInt_ToString");
-                testToString(testBigInt[i], bigIntValue[i]);
-        }
-
-        subTest("PKIX_PL_BigInt_Compare <gt>");
-        testCompare(testBigInt[2], testBigInt[1], &cmpResult);
-        if (cmpResult <= 0){
-                testError("Invalid Result from String Compare");
-        }
-
-        subTest("PKIX_PL_BigInt_Compare <lt>");
-        testCompare(testBigInt[1], testBigInt[2], &cmpResult);
-        if (cmpResult >= 0){
-                testError("Invalid Result from String Compare");
-        }
-
-        subTest("PKIX_PL_BigInt_Compare <eq>");
-        testCompare(testBigInt[2], testBigInt[3], &cmpResult);
-        if (cmpResult != 0){
-                testError("Invalid Result from String Compare");
-        }
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_BigInt_Destroy");
-                testDestroy(testBigInt[i]);
-        }
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BigInt");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c b/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c
deleted file mode 100644
index d59199a9c..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_bytearray.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_bytearray.c
- *
- * Tests ByteArray types.
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createByteArray(
-        PKIX_PL_ByteArray **byteArray,
-        char *bytes,
-        PKIX_UInt32 length)
-{
-        PKIX_TEST_STD_VARS();
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
-                                    ((void*)bytes,
-                                    length,
-                                    byteArray,
-                                    plContext));
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testZeroLength(void)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        void *array = NULL;
-        PKIX_UInt32 length = 2;
-
-        PKIX_TEST_STD_VARS();
-
-        createByteArray(&byteArray, NULL, 0);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetLength
-                                    (byteArray, &length, plContext));
-        if (length != 0){
-                testError("Length should be zero");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetPointer
-                                    (byteArray, &array, plContext));
-        if (array){
-                testError("Array should be NULL");
-        }
-
-        testToStringHelper((PKIX_PL_Object *)byteArray, "[]", plContext);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testToString(
-        PKIX_PL_ByteArray *byteArray,
-        char *expAscii)
-{
-        PKIX_PL_String *string = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object*)byteArray,
-                                    &string, plContext));
-
-        temp = PKIX_String2ASCII(string, plContext);
-        if (temp == NULL){
-                testError("PKIX_String2Ascii failed");
-                goto cleanup;
-        }
-
-        if (PL_strcmp(temp, expAscii) != 0) {
-                (void) printf("\tByteArray ToString: %s %s\n", temp, expAscii);
-                testError("Output string does not match source");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(string);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetLength(
-        PKIX_PL_ByteArray *byteArray,
-        PKIX_UInt32 expLength)
-{
-        PKIX_UInt32 arrayLength;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetLength
-                                    (byteArray, &arrayLength, plContext));
-
-        if (arrayLength != expLength){
-                (void) printf("\tByteArray GetLength: %d %d\n",
-                            arrayLength, expLength);
-                testError("Incorrect Array Length returned");
-        }
-
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetPointer(
-        PKIX_PL_ByteArray *byteArray,
-        char *expBytes,
-        PKIX_UInt32 arrayLength)
-{
-        char *temp = NULL;
-        PKIX_UInt32 j;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_GetPointer
-                                    (byteArray, (void **)&temp, plContext));
-
-        for (j = 0; j < arrayLength; j++) {
-                if (temp[j] != expBytes[j]){
-                        testError("Incorrect Byte Array Contents");
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        PKIX_TEST_RETURN();
-}
-
-void
-testDestroy(
-        PKIX_PL_ByteArray *byteArray)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(byteArray);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_bytearray(int argc, char *argv[]) {
-
-        PKIX_PL_ByteArray *testByteArray[4];
-
-        PKIX_UInt32 i, size = 4;
-        PKIX_UInt32 lengths[4] = {5, 6, 1, 5};
-        char dArray0[5] = {1, 2, 3, 4, 5};
-        unsigned char dArray1[6] = {127, 128, 129, 254, 255, 0};
-        char dArray2[1] = {100};
-        char dArray3[5] = {1, 2, 3, 4, 5};
-
-        char *expected[4] = {
-                "[001, 002, 003, 004, 005]",
-                "[127, 128, 129, 254, 255, 000]",
-                "[100]",
-                "[001, 002, 003, 004, 005]"
-        };
-
-        char *dummyArray[4];
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        dummyArray[0] = dArray0;
-        dummyArray[1] = (char*)dArray1;
-        dummyArray[2] = dArray2;
-        dummyArray[3] = dArray3;
-
-        startTests("ByteArrays");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest ("PKIX_PL_ByteArray_Create <zero length>");
-        testZeroLength();
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_ByteArray_Create");
-                createByteArray(&testByteArray[i], dummyArray[i], lengths[i]);
-        }
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (testByteArray[0],
-                testByteArray[3],
-                testByteArray[1],
-                "[001, 002, 003, 004, 005]",
-                ByteArray,
-                PKIX_TRUE);
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_ByteArray_ToString");
-                testToString(testByteArray[i], expected[i]);
-        }
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_ByteArray_GetLength");
-                testGetLength(testByteArray[i], lengths[i]);
-        }
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_ByteArray_GetPointer");
-                testGetPointer(testByteArray[i], dummyArray[i], lengths[i]);
-        }
-
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_ByteArray_Destroy");
-                testDestroy(testByteArray[i]);
-        }
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("ByteArray");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c b/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c
deleted file mode 100644
index 57bcb7cc4..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_hashtable.c
+++ /dev/null
@@ -1,458 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_hashtable.c
- *
- * Tests Hashtables
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createHashTables(
-        PKIX_PL_HashTable **ht,
-        PKIX_PL_HashTable **ht2,
-        PKIX_PL_HashTable **ht3,
-        PKIX_PL_HashTable **ht4)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
-                (1, 0, ht, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
-                (5, 0, ht2, plContext));
-
-        /* at most two entries per bucket */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Create
-                (1, 2, ht4, plContext));
-
-        *ht3 = *ht;
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_IncRef((PKIX_PL_Object*)*ht3, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testAdd(
-        PKIX_PL_HashTable *ht,
-        PKIX_PL_HashTable *ht2,
-        PKIX_PL_String **testString,
-        PKIX_PL_String **testString2,
-        PKIX_PL_String **testString3,
-        PKIX_PL_OID **testOID)
-{
-        char* dummyString = "test string 1";
-        char* dummyString2 = "test string 2";
-        char* dummyString3 = "test string 3";
-        char* dummyOID = "2.11.22222.33333";
-
-        PKIX_TEST_STD_VARS();
-
-        /* Make some dummy objects */
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create(
-                                PKIX_ESCASCII,
-                                dummyString,
-                                PL_strlen(dummyString),
-                                testString,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create(
-                                PKIX_ESCASCII,
-                                dummyString2,
-                                PL_strlen(dummyString2),
-                                testString2,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create(
-                                PKIX_ESCASCII,
-                                dummyString3,
-                                PL_strlen(dummyString3),
-                                testString3,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_OID_Create(dummyOID, testOID, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testString,
-                (PKIX_PL_Object *)*testString2,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht2,
-                (PKIX_PL_Object *)*testString,
-                (PKIX_PL_Object *)*testString2,
-                plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testString2,
-                (PKIX_PL_Object *)*testString,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht2,
-                (PKIX_PL_Object *)*testString2,
-                (PKIX_PL_Object *)*testString,
-                plContext));
-
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testOID,
-                (PKIX_PL_Object *)*testOID,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht2,
-                (PKIX_PL_Object *)*testOID,
-                (PKIX_PL_Object *)*testOID,
-                plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testAddFIFO(
-        PKIX_PL_HashTable *ht,
-        PKIX_PL_String **testString,
-        PKIX_PL_String **testString2,
-        PKIX_PL_String **testString3)
-{
-        PKIX_PL_String *targetString = NULL;
-        PKIX_Boolean cmpResult;
-
-        PKIX_TEST_STD_VARS();
-
-        /*
-         * ht is created as one bucket, two entries per bucket. Since we add
-         * three items to the ht, we expect the first one to be deleted.
-         */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testString,
-                (PKIX_PL_Object *)*testString,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testString2,
-                (PKIX_PL_Object *)*testString2,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Add
-                (ht,
-                (PKIX_PL_Object *)*testString3,
-                (PKIX_PL_Object *)*testString3,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                                    (ht,
-                                    (PKIX_PL_Object *)*testString,
-                                    (PKIX_PL_Object**)&targetString,
-                                    plContext));
-        if (targetString != NULL) {
-                testError("HashTable_Lookup retrieved a supposed deleted item");
-                PKIX_TEST_DECREF_BC(targetString);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                                    (ht,
-                                    (PKIX_PL_Object *)*testString3,
-                                    (PKIX_PL_Object**)&targetString,
-                                    plContext));
-
-         PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetString,
-                                    (PKIX_PL_Object *)*testString3,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testLookup(
-        PKIX_PL_HashTable *ht,
-        PKIX_PL_HashTable *ht2,
-        PKIX_PL_String *testString,
-        PKIX_PL_String *testString2,
-        PKIX_PL_String *testString3,
-        PKIX_PL_OID *testOID)
-{
-        PKIX_PL_String *targetString = NULL;
-        PKIX_PL_String *targetOID = NULL;
-        PKIX_Boolean cmpResult;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                                    (ht,
-                                    (PKIX_PL_Object *)testString,
-                                    (PKIX_PL_Object**)&targetString,
-                                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetString,
-                                    (PKIX_PL_Object *)testString2,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                (ht2,
-                (PKIX_PL_Object *)testString,
-                (PKIX_PL_Object**)&targetString,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetString,
-                                    (PKIX_PL_Object *)testString2,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                (ht2,
-                (PKIX_PL_Object *)testString2,
-                (PKIX_PL_Object**)&targetString,
-                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetString,
-                                    (PKIX_PL_Object *)testString,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                (ht,
-                (PKIX_PL_Object *)testOID,
-                (PKIX_PL_Object**)&targetOID,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)targetOID, &targetString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetOID,
-                                    (PKIX_PL_Object *)testOID,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-        PKIX_TEST_DECREF_BC(targetOID);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                (ht2,
-                (PKIX_PL_Object *)testOID,
-                (PKIX_PL_Object**)&targetOID,
-                plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)targetOID, &targetString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals(
-                                    (PKIX_PL_Object *)targetOID,
-                                    (PKIX_PL_Object *)testOID,
-                                    &cmpResult,
-                                    plContext));
-        if (cmpResult != PKIX_TRUE){
-                testError("HashTable_Lookup failed");
-        }
-        PKIX_TEST_DECREF_BC(targetString);
-        PKIX_TEST_DECREF_BC(targetOID);
-
-        (void) printf("Looking up item not in HashTable.\n");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Lookup
-                (ht,
-                (PKIX_PL_Object *)testString3,
-                (PKIX_PL_Object**)&targetString,
-                plContext));
-        if (targetString == NULL)
-                (void) printf("\tCorrectly returned NULL.\n");
-        else
-                testError("Hashtable did not return NULL value as expected");
-
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testRemove(
-        PKIX_PL_HashTable *ht,
-        PKIX_PL_HashTable *ht2,
-        PKIX_PL_String *testString,
-        PKIX_PL_String *testString2,
-        PKIX_PL_OID *testOID)
-{
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
-                                (ht,
-                                (PKIX_PL_Object *)testString,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
-                                (ht,
-                                (PKIX_PL_Object *)testOID,
-                                plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_HashTable_Remove
-                                (ht2,
-                                (PKIX_PL_Object *)testString2,
-                                plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_HashTable_Remove
-                            (ht,
-                            (PKIX_PL_Object *)testString,
-                            plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(
-        PKIX_PL_HashTable *ht,
-        PKIX_PL_HashTable *ht2,
-        PKIX_PL_HashTable *ht3,
-        PKIX_PL_HashTable *ht4)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(ht);
-        PKIX_TEST_DECREF_BC(ht2);
-        PKIX_TEST_DECREF_BC(ht3);
-        PKIX_TEST_DECREF_BC(ht4);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-
-
-
-int test_hashtable(int argc, char *argv[]) {
-
-        PKIX_PL_HashTable *ht, *ht2, *ht3, *ht4;
-        PKIX_PL_String *testString, *testString2, *testString3;
-        PKIX_PL_OID *testOID;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("HashTables");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_HashTable_Create");
-        createHashTables(&ht, &ht2, &ht3, &ht4);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (ht,
-                ht3,
-                ht2,
-                NULL,
-                HashTable,
-                PKIX_FALSE);
-
-        subTest("PKIX_PL_HashTable_Add");
-        testAdd(ht, ht2, &testString, &testString2, &testString3, &testOID);
-
-        subTest("PKIX_PL_HashTable_ADD - with Bucket Size limit");
-        testAddFIFO(ht4, &testString, &testString2, &testString3);
-
-        subTest("PKIX_PL_HashTable_Lookup");
-        testLookup(ht, ht2, testString, testString2, testString3, testOID);
-
-        subTest("PKIX_PL_HashTable_Remove");
-        testRemove(ht, ht2, testString, testString2, testOID);
-
-        PKIX_TEST_DECREF_BC(testString);
-        PKIX_TEST_DECREF_BC(testString2);
-        PKIX_TEST_DECREF_BC(testString3);
-        PKIX_TEST_DECREF_BC(testOID);
-
-        subTest("PKIX_PL_HashTable_Destroy");
-        testDestroy(ht, ht2, ht3, ht4);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("BigInt");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c
deleted file mode 100644
index e5a749bea..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_mem.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_mem.c
- *
- * Tests Malloc, Realloc and Free
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void testMalloc(PKIX_UInt32 **array)
-{
-        PKIX_UInt32 i, arraySize = 10;
-        PKIX_TEST_STD_VARS();
-
-        /* Create an integer array of size 10 */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(
-                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
-                            (void **) array, plContext));
-
-        /* Fill in some values */
-        (void) printf ("Setting array[i] = i...\n");
-        for (i = 0; i < arraySize; i++) {
-                (*array)[i] = i;
-                if ((*array)[i] != i)
-                        testError("Array has incorrect contents");
-        }
-
-        /* Memory now reflects changes */
-        (void) printf("\tArray: a[0] = %d, a[5] = %d, a[7] = %d.\n",
-                    (*array[0]), (*array)[5], (*array)[7]);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testRealloc(PKIX_UInt32 **array)
-{
-        PKIX_UInt32 i, arraySize = 20;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Realloc(*array,
-                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
-                            (void **) array, plContext));
-
-        /* Fill in the new elements */
-        (void) printf ("Setting new portion of array to a[i] = i...\n");
-        for (i = arraySize/2; i < arraySize; i++) {
-                (*array)[i] = i;
-                if ((*array)[i] != i)
-                        testError("Array has incorrect contents");
-        }
-
-        /* New elements should be reflected. The old should be the same */
-        (void) printf("\tArray: a[0] = %d, a[15] = %d, a[17] = %d.\n",
-                      (*array)[0], (*array)[15], (*array)[17]);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testFree(PKIX_UInt32 *array)
-{
-
-        PKIX_TEST_STD_VARS();
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(array, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-int test_mem(int argc, char *argv[]) {
-
-        unsigned int *array = NULL;
-        int arraySize = 10;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Memory Allocation");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_Malloc");
-        testMalloc(&array);
-
-        subTest("PKIX_PL_Realloc");
-        testRealloc(&array);
-
-        subTest("PKIX_PL_Free");
-        testFree(array);
-
-        /* --Negative Test Cases------------------- */
-        /* Create an integer array of size 10 */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc(
-                            (PKIX_UInt32)(arraySize*sizeof (unsigned int)),
-                            (void **) &array, plContext));
-
-        (void) printf("Attempting to reallocate 0 sized memory...\n");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Realloc(array, 0, (void **) &array, plContext));
-
-        (void) printf("Attempting to allocate to null pointer...\n");
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Malloc(10, NULL, plContext));
-
-        (void) printf("Attempting to reallocate to null pointer...\n");
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Realloc(NULL, 10, NULL, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(array, plContext));
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("Memory Allocation");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c b/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c
deleted file mode 100644
index a21a620c6..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_monitorlock.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_monitorlock.c
- *
- * Tests basic MonitorLock object functionality. No multi-threading.
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createMonitorLockes(
-        PKIX_PL_MonitorLock **monitorLock,
-        PKIX_PL_MonitorLock **monitorLock2,
-        PKIX_PL_MonitorLock **monitorLock3)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Create
-                (monitorLock, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Create
-                (monitorLock2, plContext));
-
-        *monitorLock3 = *monitorLock;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef
-                ((PKIX_PL_Object*)*monitorLock3, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testLock(PKIX_PL_MonitorLock *monitorLock)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Enter
-                (monitorLock, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Enter
-                (monitorLock, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Exit
-                (monitorLock, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_MonitorLock_Exit
-                (monitorLock, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testDestroy(
-        PKIX_PL_MonitorLock *monitorLock,
-        PKIX_PL_MonitorLock *monitorLock2,
-        PKIX_PL_MonitorLock *monitorLock3)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(monitorLock);
-        PKIX_TEST_DECREF_BC(monitorLock2);
-        PKIX_TEST_DECREF_BC(monitorLock3);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-int test_monitorlock(int argc, char *argv[]) {
-
-        PKIX_PL_MonitorLock *monitorLock, *monitorLock2, *monitorLock3;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("MonitorLocks");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_MonitorLock_Create");
-        createMonitorLockes(&monitorLock, &monitorLock2, &monitorLock3);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (monitorLock,
-                monitorLock3,
-                monitorLock2,
-                NULL,
-                MonitorLock,
-                PKIX_FALSE);
-
-        subTest("PKIX_PL_MonitorLock_Lock/Unlock");
-        testLock(monitorLock);
-
-        subTest("PKIX_PL_MonitorLock_Destroy");
-        testDestroy(monitorLock, monitorLock2, monitorLock3);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("MonitorLockes");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c
deleted file mode 100644
index 981beb698..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_mutex.c
- *
- * Tests basic mutex object functionality. No multi-threading.
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static
-void createMutexes(
-        PKIX_PL_Mutex **mutex,
-        PKIX_PL_Mutex **mutex2,
-        PKIX_PL_Mutex **mutex3)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(mutex, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(mutex2, plContext));
-
-        *mutex3 = *mutex;
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_IncRef((PKIX_PL_Object*)*mutex3, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testLock(PKIX_PL_Mutex *mutex)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Lock(mutex, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Unlock(mutex, plContext));
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-static
-void testDestroy(
-        PKIX_PL_Mutex *mutex,
-        PKIX_PL_Mutex *mutex2,
-        PKIX_PL_Mutex *mutex3)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(mutex);
-        PKIX_TEST_DECREF_BC(mutex2);
-        PKIX_TEST_DECREF_BC(mutex3);
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-int test_mutex(int argc, char *argv[]) {
-
-        PKIX_PL_Mutex *mutex, *mutex2, *mutex3;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Mutexes");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_Mutex_Create");
-        createMutexes(&mutex, &mutex2, &mutex3);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (mutex,
-                mutex3,
-                mutex2,
-                NULL,
-                Mutex,
-                PKIX_FALSE);
-
-        subTest("PKIX_PL_Mutex_Lock/Unlock");
-        testLock(mutex);
-
-        subTest("PKIX_PL_Mutex_Destroy");
-        testDestroy(mutex, mutex2, mutex3);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Mutexes");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c
deleted file mode 100644
index 5edcb24ac..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex2.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_mutex2.c
- *
- * Tests multi-threaded functionality of Mutex
- *
- */
-
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static int box1 = 0, box2 = 0, box3 = 0;
-static PKIX_PL_Mutex *mutex;
-static PRCondVar *cv;
-static void *plContext = NULL;
-
-static void consumer(/* ARGSUSED */ void* arg) {
-        PRStatus status = PR_SUCCESS;
-        PKIX_Error *errorResult;
-        int i = 0;
-        for (i = 0; i < 5; i++) {
-                (void) PKIX_PL_Mutex_Lock(mutex, plContext);
-                while (((box1 == 0) ||
-                        (box2 == 0) ||
-                        (box3 == 0)) &&
-                        (status == PR_SUCCESS))
-                        status = PR_WaitCondVar(cv, PR_INTERVAL_NO_TIMEOUT);
-
-                (void) printf("\tConsumer got Box1 = %d ", box1);
-                box1 = 0;
-                (void) printf("Box2 = %d ", box2);
-                box2 = 0;
-                (void) printf("Box3 = %d\n", box3);
-                box3 = 0;
-
-                status = PR_NotifyAllCondVar(cv);
-                if (status == PR_FAILURE)
-                        (void) printf
-                                ("Consumer error while notifying condvar\n");
-                errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
-                if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
-        }
-        (void) printf("Consumer exiting...\n");
-}
-
-static void producer(void* arg) {
-        PRStatus status = PR_SUCCESS;
-        int value = *(int*)arg;
-        int i = 0;
-        int *box;
-        PKIX_Error *errorResult;
-        if (value == 10) box = &box1;
-        else if (value == 20) box = &box2;
-        else if (value == 30) box = &box3;
-
-        for (i = 0; i < 5; i++) {
-                (void) PKIX_PL_Mutex_Lock(mutex, plContext);
-                while ((*box != 0) && (status == PR_SUCCESS))
-                        status = PR_WaitCondVar(cv, PR_INTERVAL_NO_TIMEOUT);
-
-                *box = i+1;
-                (void) printf
-                        ("\tProducer %d put value: %d\n", value, *box);
-
-                status = PR_NotifyAllCondVar(cv);
-                if (status == PR_FAILURE)
-                        (void) printf
-                                ("Producer %d error while notifying condvar\n",
-                                value);
-                errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
-                if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
-        }
-}
-
-int test_mutex2(int argc, char *argv[]) {
-
-        PRThread *consThread, *prodThread, *prodThread2, *prodThread3;
-        int x = 10, y = 20, z = 30;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Mutex and Threads");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        (void) printf("Attempting to create new mutex...\n");
-        subTest("Mutex Creation");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(&mutex, plContext));
-
-        cv = PR_NewCondVar(*(PRLock **) mutex);
-
-        subTest("Starting consumer thread");
-        consThread = PR_CreateThread(PR_USER_THREAD,
-                            consumer,
-                            NULL,
-                            PR_PRIORITY_NORMAL,
-                            PR_LOCAL_THREAD,
-                            PR_JOINABLE_THREAD,
-                            0);
-
-        subTest("Starting producer thread 1");
-        prodThread = PR_CreateThread(PR_USER_THREAD,
-                                        producer,
-                                        &x,
-                                        PR_PRIORITY_NORMAL,
-                                        PR_LOCAL_THREAD,
-                                        PR_JOINABLE_THREAD,
-                                        0);
-
-        subTest("Starting producer thread 2");
-        prodThread2 = PR_CreateThread(PR_USER_THREAD,
-                                        producer,
-                                        &y,
-                                        PR_PRIORITY_NORMAL,
-                                        PR_LOCAL_THREAD,
-                                        PR_JOINABLE_THREAD,
-                                        0);
-
-        subTest("Starting producer thread 3");
-        prodThread3 = PR_CreateThread(PR_USER_THREAD,
-                                        producer,
-                                        &z,
-                                        PR_PRIORITY_NORMAL,
-                                        PR_LOCAL_THREAD,
-                                        PR_JOINABLE_THREAD,
-                                        0);
-
-
-        PR_JoinThread(consThread);
-
-        (void) PR_DestroyCondVar(cv);
-        PKIX_TEST_DECREF_BC(mutex);
-
-        /*
-         * Note: we should also be freeing each thread's stack, but we
-         * don't have access to the prodThread->stack variable (since
-         * it is not exported). As a result, we have 120 bytes of memory
-         * leakage.
-         */
-
-        PR_Free(prodThread);
-        PR_Free(prodThread2);
-        PR_Free(prodThread3);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Mutex and Threads");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c b/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c
deleted file mode 100644
index 9eaa2cdcf..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_mutex3.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_mutex3.c
- *
- * Tests multi-threaded functionality of Mutex
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static PKIX_PL_Mutex *mutex;
-static void *plContext = NULL;
-
-static void t1(/* ARGSUSED */ void* arg) {
-        PKIX_Error *errorResult;
-
-        (void) printf("t1 acquiring lock...\n");
-        errorResult = PKIX_PL_Mutex_Lock(mutex, plContext);
-        if (errorResult) testError("PKIX_PL_Mutex_Lock failed");
-
-        (void) printf("t1 sleeplng for 3 seconds\n");
-        PR_Sleep(PR_SecondsToInterval(3));
-        (void) printf("t1 releasing lock...\n");
-
-        errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
-        if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
-
-        (void) printf("t1 exiting...\n");
-}
-
-static void t2(/* ARGSUSED */ void* arg) {
-        PKIX_Error *errorResult;
-
-        (void) printf("t2 acquiring lock...\n");
-        errorResult = PKIX_PL_Mutex_Lock(mutex, plContext);
-        if (errorResult) testError("PKIX_PL_Mutex_Lock failed");
-
-        (void) printf("t2 releasing lock...\n");
-        errorResult = PKIX_PL_Mutex_Unlock(mutex, plContext);
-        if (errorResult) testError("PKIX_PL_Mutex_Unlock failed");
-
-        (void) printf("t2 exiting...\n");
-}
-
-int test_mutex3(int argc, char *argv[]) {
-        PRThread *thread, *thread2;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Mutex and Threads");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("Mutex Creation");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Mutex_Create(&mutex, plContext));
-
-        subTest("Starting thread");
-        thread = PR_CreateThread(PR_USER_THREAD,
-                                t1,
-                                NULL,
-                                PR_PRIORITY_NORMAL,
-                                PR_LOCAL_THREAD,
-                                PR_JOINABLE_THREAD,
-                                0);
-
-        thread2 = PR_CreateThread(PR_USER_THREAD,
-                                t2,
-                                NULL,
-                                PR_PRIORITY_NORMAL,
-                                PR_LOCAL_THREAD,
-                                PR_JOINABLE_THREAD,
-                                0);
-
-        PR_JoinThread(thread2);
-        PR_JoinThread(thread);
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(mutex);
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Mutex and Threads");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_object.c b/security/nss/cmd/libpkix/pkix_pl/system/test_object.c
deleted file mode 100644
index 5d83ac966..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_object.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_object.c
- *
- * Test Object Allocation, toString, Equals, Destruction
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static PKIX_Error *
-destructor(
-        /* ARGSUSED */ PKIX_PL_Object *object,
-        /* ARGSUSED */ void *plContext)
-{
-        (void) printf("\tUser defined destructor called\n");
-        return (NULL);
-}
-
-static PKIX_Error*
-toStringCallback(
-        PKIX_PL_Object *obj,
-        PKIX_PL_String **pString,
-        /* ARGSUSED */ void* plContext) {
-
-        PKIX_Error *errorResult;
-        PKIX_UInt32 type;
-        char *format = "(addr: %x, type: %d)";
-        PKIX_PL_String *formatString = NULL;
-
-        errorResult = PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        format,
-                                        PL_strlen(format),
-                                        &formatString,
-                                        plContext);
-        if (errorResult) testError("PKIX_PL_String_Create failed");
-
-        if (pString == plContext)
-                testError("Null String");
-
-        type = (unsigned int)0;
-
-        (void) PKIX_PL_Object_GetType(obj, &type, plContext);
-
-        errorResult = PKIX_PL_Sprintf(pString, plContext,
-                                    formatString,
-                                    (int)obj, type);
-        if (errorResult) testError("PKIX_PL_Sprintf failed");
-
-
-        errorResult = PKIX_PL_Object_DecRef((PKIX_PL_Object*)formatString,
-                                        plContext);
-        if (errorResult) testError("PKIX_PL_Object_DecRef failed");
-
-        return (NULL);
-}
-
-static PKIX_Error *
-comparator(
-        PKIX_PL_Object *first,
-        PKIX_PL_Object *second,
-        PKIX_Int32 *pValue,
-        /* ARGSUSED */ void *plContext)
-{
-        if (*(char *)first > *(char *)second)
-                *pValue = 1;
-        else if (*(char *)first < *(char *)second)
-                *pValue = -1;
-        else
-                *pValue = 0;
-        return (NULL);
-}
-
-
-static PKIX_Error *
-hashcodeCallback(
-        PKIX_PL_Object *object,
-        PKIX_UInt32 *pValue,
-        /* ARGSUSED */ void *plContext)
-{
-        *pValue = 123456789;
-        return (NULL);
-}
-
-static PKIX_Error*
-equalsCallback(
-        PKIX_PL_Object *first,
-        PKIX_PL_Object *second,
-        PKIX_Boolean *result,
-        void* plContext) {
-
-        PKIX_UInt32 firstType = 0, secondType = 0;
-
-        if ((first == plContext)||(second == plContext))
-                testError("Null Object");
-
-        (void) PKIX_PL_Object_GetType(first, &firstType, plContext);
-
-        (void) PKIX_PL_Object_GetType(second, &secondType, plContext);
-
-        *result = (firstType == secondType)?PKIX_TRUE:PKIX_FALSE;
-
-        return (NULL);
-}
-
-static void
-createObjects(
-        PKIX_PL_Object **obj,
-        PKIX_PL_Object **obj2,
-        PKIX_PL_Object **obj3,
-        PKIX_PL_Object **obj4)
-{
-        PKIX_TEST_STD_VARS();
-
-#ifdef PKIX_USER_OBJECT_TYPE
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_RegisterType
-                    (1000, /* type */
-                    "thousand", /* description */
-                    NULL, /* destructor */
-                    NULL, /* equals */
-                    (PKIX_PL_HashcodeCallback)hashcodeCallback,
-                    NULL,  /* toString */
-                    NULL,  /* Comparator */
-                    NULL,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
-                    (1000, /* type */
-                    12, /* size */
-                    obj,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_RegisterType
-                    (2000, /* type */
-                    "two thousand" /* description */,
-                    (PKIX_PL_DestructorCallback)destructor,
-                    (PKIX_PL_EqualsCallback)equalsCallback,
-                    NULL, /* hashcode */
-                    (PKIX_PL_ToStringCallback)toStringCallback,
-                    (PKIX_PL_ComparatorCallback)comparator,
-                    NULL,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
-                    (2000, /* type */
-                    1, /* size */
-                    obj2,
-                    plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Alloc
-                    (2000, /* type */
-                    1, /* size */
-                    obj4,
-                    plContext));
-
-        *obj3 = *obj;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_IncRef(*obj3, plContext));
-
-cleanup:
-#endif /* PKIX_USER_OBJECT_TYPE */
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testGetType(
-            PKIX_PL_Object *obj,
-            PKIX_PL_Object *obj2,
-            PKIX_PL_Object *obj3)
-{
-        PKIX_UInt32 testType;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_GetType(obj, &testType, plContext));
-
-        if (testType != 1000)
-                testError("Object 1 returned the wrong type");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_GetType(obj2, &testType, plContext));
-        if (testType != 2000)
-                testError("Object 2 returned the wrong type");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_GetType(obj3, &testType, plContext));
-        if (testType != 1000)
-                testError("Object 3 returned the wrong type");
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCompare(
-            PKIX_PL_Object *obj2,
-            PKIX_PL_Object *obj4)
-{
-        PKIX_Int32 cmpResult;
-        PKIX_TEST_STD_VARS();
-
-        *(char *)obj2 = 0x20;
-        *(char *)obj4 = 0x10;
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Compare(obj2, obj4, &cmpResult, plContext));
-        if (cmpResult <= 0) testError("Invalid Result from Object Compare");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Compare(obj4, obj2, &cmpResult, plContext));
-        if (cmpResult >= 0) testError("Invalid Result from Object Compare");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Compare(obj4, obj4, &cmpResult, plContext));
-
-        *(char *)obj2 = 0x10;
-        if (cmpResult != 0) testError("Invalid Result from Object Compare");
-
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testDestroy(
-            PKIX_PL_Object *obj,
-            PKIX_PL_Object *obj2,
-            PKIX_PL_Object *obj3,
-            PKIX_PL_Object *obj4)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(obj);
-        PKIX_TEST_DECREF_BC(obj2);
-        PKIX_TEST_DECREF_BC(obj3);
-        PKIX_TEST_DECREF_BC(obj4);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_object(int argc, char *argv[]) {
-
-#ifdef PKIX_USER_OBJECT_TYPE
-        PKIX_PL_Object *obj, *obj2, *obj3, *obj4;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Objects");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_Object_Create");
-        createObjects(&obj, &obj2, &obj3, &obj4);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP(obj, obj3, obj2, NULL, Object, PKIX_FALSE);
-
-        subTest("PKIX_PL_Object_GetType");
-        testGetType(obj, obj2, obj3);
-
-        subTest("PKIX_PL_Object_Compare");
-        testCompare(obj2, obj4);
-
-        subTest("PKIX_PL_Object_Destroy");
-        testDestroy(obj, obj2, obj3, obj4);
-
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("Objects");
-#endif /* PKIX_USER_OBJECT_TYPE */
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c b/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c
deleted file mode 100644
index 819a95a50..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_oid.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_oid.c
- *
- * Test OID Types
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createOID(
-        PKIX_PL_OID **testOID,
-        char *oidAscii,
-        PKIX_Boolean errorHandling)
-{
-        PKIX_TEST_STD_VARS();
-
-        if (errorHandling){
-                PKIX_TEST_EXPECT_ERROR
-                        (PKIX_PL_OID_Create(oidAscii, testOID, plContext));
-        } else {
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_OID_Create(oidAscii, testOID, plContext));
-        }
-
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testToString(
-        PKIX_PL_OID *oid,
-        char *expAscii)
-{
-        PKIX_PL_String *oidString = NULL;
-        char *temp = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                                    ((PKIX_PL_Object*)oid,
-                                    &oidString, plContext));
-
-        temp = PKIX_String2ASCII(oidString, plContext);
-        if (temp == NULL){
-                testError("PKIX_String2Ascii failed");
-                goto cleanup;
-        }
-
-        if (PL_strcmp(temp, expAscii) != 0) {
-                (void) printf("\tOid ToString: %s %s\n", temp, expAscii);
-                testError("Output string does not match source");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(oidString);
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testCompare(
-            PKIX_PL_OID *oid0,
-            PKIX_PL_OID *oid1,
-            PKIX_PL_OID *oid2,
-            PKIX_PL_OID *oid3)
-{
-        PKIX_Int32 cmpResult;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid0,
-                                            (PKIX_PL_Object*)oid1,
-                                            &cmpResult, plContext));
-        if (cmpResult <= 0) testError("Invalid Result from OID Compare");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
-                                        (PKIX_PL_Object*)oid0,
-                                        &cmpResult, plContext));
-        if (cmpResult >= 0) testError("Invalid Result from OID Compare");
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
-                                        (PKIX_PL_Object*)oid2,
-                                        &cmpResult, plContext));
-        if (cmpResult >= 0) testError("Invalid Result from OID Compare");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid2,
-                                        (PKIX_PL_Object*)oid1,
-                                        &cmpResult, plContext));
-        if (cmpResult <= 0) testError("Invalid Result from OID Compare");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare((PKIX_PL_Object*)oid1,
-                                        (PKIX_PL_Object*)oid3,
-                                        &cmpResult, plContext));
-        if (cmpResult != 0) testError("Invalid Result from OID Compare");
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(
-        PKIX_PL_OID *oid)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(oid);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-
-int test_oid(int argc, char *argv[]) {
-
-        PKIX_PL_OID *testOID[6] = {NULL};
-        PKIX_PL_OID *badTestOID = NULL;
-        PKIX_UInt32 i, size = 6;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        char* validOID[6] = {
-                "2.11.22222.33333",
-                "1.2.3.004.5.6.7",
-                "2.11.22222.33333",
-                "1.2.3.4.5.6.7",
-                "1.2.3",
-                "2.39.3"
-        };
-
-        char* expected[6] = {
-                "2.11.22222.33333",
-                "1.2.3.4.5.6.7",
-                "2.11.22222.33333",
-                "1.2.3.4.5.6.7",
-                "1.2.3",
-                "2.39.3"
-        };
-
-        char *badOID[11] = {
-                "1.2.4294967299",
-                "this. is. a. bad. oid",
-                "00a1000.002b",
-                "100.-5.10",
-                "1.2..3",
-                ".1.2.3",
-                "1.2.3.",
-                "00010.1.2.3",
-                "1.000041.2.3",
-                "000000000000000000000000000000000000000010.3.2",
-                "1"
-        };
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("OIDs");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_OID_Create");
-                createOID(&testOID[i], validOID[i], PKIX_FALSE);
-        }
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (testOID[0],
-                testOID[2],
-                testOID[1],
-                NULL,
-                OID,
-                PKIX_FALSE);
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_OID_ToString");
-                testToString(testOID[i], expected[i]);
-        }
-
-        subTest("PKIX_PL_OID_Compare");
-        testCompare(testOID[0], testOID[1], testOID[2], testOID[3]);
-
-        for (i = 0; i < size; i++) {
-                subTest("PKIX_PL_OID_Destroy");
-                testDestroy(testOID[i]);
-        }
-
-        for (i = 0; i < 11; i++) {
-                subTest("PKIX_PL_OID Error Handling");
-                createOID(&badTestOID, badOID[i], PKIX_TRUE);
-        }
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        endTests("OIDs");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c b/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c
deleted file mode 100644
index ad48ee83a..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_rwlock.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_rwlock.c
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static PKIX_PL_RWLock *rwlock = NULL, *rwlock2 = NULL, *rwlock3 = NULL;
-static PRThread *thread = NULL, *thread2 = NULL, *thread3 = NULL;
-static void *plContext = NULL;
-
-static void reader(void) {
-        PKIX_Error *errorResult;
-
-        errorResult = PKIX_PL_AcquireReaderLock(rwlock, NULL);
-        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
-
-        (void) printf("\t[Thread #1 Read Lock #1.]\n");
-        (void) printf("\t[Thread #1 Sleeplng for 1 seconds.]\n");
-        PR_Sleep(PR_SecondsToInterval(1));
-        PKIX_PL_ReleaseReaderLock(rwlock, NULL);
-        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
-        (void) printf("\t[Thread #1 Read UNLock #1.]\n");
-}
-
-
-static void writer(void) {
-        PKIX_Error *errorResult;
-        /* This thread should stick here until lock 1 is released */
-        PKIX_PL_AcquireWriterLock(rwlock, NULL);
-        if (errorResult) testError("PKIX_PL_AcquireWriterLock failed");
-
-        (void) printf("\t[Thread #2 Write Lock #1.]\n");
-
-        PKIX_PL_AcquireWriterLock(rwlock2, NULL);
-        if (errorResult) testError("PKIX_PL_AcquireWriterLock failed");
-        (void) printf("\t[Thread #2 Write Lock #2.]\n");
-
-        (void) printf("\t[Thread #2 Sleeplng for 1 seconds.]\n");
-        PR_Sleep(PR_SecondsToInterval(1));
-
-        PKIX_PL_ReleaseWriterLock(rwlock2, NULL);
-        if (errorResult) testError("PKIX_PL_ReleaseWriterLock failed");
-        (void) printf("\t[Thread #2 Write UNLock #2.]\n");
-
-        (void) printf("\t[Thread #2 Sleeplng for 1 seconds.]\n");
-        PR_Sleep(PR_SecondsToInterval(1));
-
-        PKIX_PL_ReleaseWriterLock(rwlock, NULL);
-        if (errorResult) testError("PKIX_PL_ReleaseWriterLock failed");
-        (void) printf("\t[Thread #2 Write UNLock #1.]\n");
-
-        PR_JoinThread(thread3);
-}
-
-static void reader2(void) {
-        PKIX_Error *errorResult;
-        /* Reader 2 should yield here until the writer is done */
-
-        PKIX_PL_AcquireReaderLock(rwlock2, NULL);
-        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
-
-        (void) printf("\t[Thread #3 Read Lock #2.]\n");
-
-        PKIX_PL_AcquireReaderLock(rwlock3, NULL);
-        if (errorResult) testError("PKIX_PL_AcquireReaderLock failed");
-        (void) printf("\t[Thread #3 Read Lock #3.]\n");
-
-        (void) printf("\t[Thread #3 Sleeplng for 1 seconds.]\n");
-        PR_Sleep(PR_SecondsToInterval(1));
-
-        PKIX_PL_ReleaseReaderLock(rwlock3, NULL);
-        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
-        (void) printf("\t[Thread #3 Read UNLock #3.]\n");
-
-        (void) printf("\t[Thread #3 Sleeplng for 1 seconds.]\n");
-        PR_Sleep(PR_SecondsToInterval(1));
-
-        PKIX_PL_ReleaseReaderLock(rwlock2, NULL);
-        if (errorResult) testError("PKIX_PL_ReleaseReaderLock failed");
-        (void) printf("\t[Thread #3 Read UNLock #2.]\n");
-}
-
-
-
-int test_rwlock() {
-        PKIX_PL_String* outputString = NULL;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean bool;
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_TEST_STD_VARS();
-        startTests("RWLocks");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        (void) printf("Attempting to create new rwlock...\n");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock2, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_RWLock_Create(&rwlock3, plContext));
-
-        /* Test toString functionality */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)rwlock, &outputString, plContext));
-
-        (void) printf("Testing RWLock toString: %s\n",
-                PKIX_String2ASCII(outputString));
-
-        PKIX_TEST_DECREF_BC(outputString);
-
-        /* Call Equals on two different objects */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                ((PKIX_PL_Object*)rwlock,
-                (PKIX_PL_Object*)rwlock2,
-                &bool,
-                plContext));
-
-        (void) printf("Testing RWLock Equals: %d (should be 0)\n", bool);
-
-        if (bool != 0)
-                testError("Error in RWLock_Equals");
-
-        /* Call Equals on two equal objects */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals((PKIX_PL_Object*)rwlock,
-                            (PKIX_PL_Object*)rwlock, &bool, plContext));
-
-        (void) printf("Testing RWLock Equals: %d (should be 1)\n", bool);
-        if (bool != 1)
-                testError("Error in RWLock_Equals");
-
-        subTest("Multi-Thread Read/Write Lock Testing");
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_AcquireReaderLock(rwlock, plContext));
-        (void) printf("\t[Main Thread Read Lock #1.]\n");
-
-        thread = PR_CreateThread(PR_USER_THREAD,
-                            reader,
-                            NULL,
-                            PR_PRIORITY_NORMAL,
-                            PR_LOCAL_THREAD,
-                            PR_JOINABLE_THREAD,
-                            0);
-
-        thread2 = PR_CreateThread(PR_USER_THREAD,
-                            writer,
-                            NULL,
-                            PR_PRIORITY_NORMAL,
-                            PR_LOCAL_THREAD,
-                            PR_JOINABLE_THREAD,
-                            0);
-
-        thread3 = PR_CreateThread(PR_USER_THREAD,
-                            reader2,
-                            NULL,
-                            PR_PRIORITY_NORMAL,
-                            PR_LOCAL_THREAD,
-                            PR_JOINABLE_THREAD,
-                            0);
-
-        PR_JoinThread(thread);
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ReleaseReaderLock
-                (rwlock, plContext));
-        (void) printf("\t[Main Thread Read Unlock #1.]\n");
-
-        PR_JoinThread(thread2);
-
-
-
-cleanup:
-
-        /* Test destructor */
-        subTest("Testing destructor...");
-        PKIX_TEST_DECREF_AC(rwlock);
-        PKIX_TEST_DECREF_AC(rwlock2);
-        PKIX_TEST_DECREF_AC(rwlock3);
-
-        pkixTestTempResult = PKIX_Shutdown(plContext);
-        if (pkixTestTempResult) pkixTestErrorResult = pkixTestTempResult;
-
-        PKIX_TEST_RETURN();
-
-        endTests("RWLocks");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_string.c b/security/nss/cmd/libpkix/pkix_pl/system/test_string.c
deleted file mode 100644
index ba49c18df..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_string.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_string.c
- *
- * Tests Strings.
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createString(
-        PKIX_PL_String **testString,
-        PKIX_UInt32 format,
-        char *stringAscii,
-        PKIX_UInt32 length)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_String_Create
-                (format, stringAscii, length, testString, plContext));
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-createStringOther(
-        PKIX_PL_String **testEscAscii,
-        PKIX_PL_String **testUtf16,
-        PKIX_PL_String **ampString,
-        PKIX_PL_String **testDebugAscii,
-        PKIX_PL_String **testNullString,
-        PKIX_UInt32 *utf16data)
-{
-        char *nullText = "Hi&#x0000; there!";
-
-        char *escAsciiString =
-                "&#x00A1;&#x00010000;&#x0FFF;&#x00100001;";
-
-        char *debugAsciiString =
-                "string with&#x000A;newlines and&#x0009;tabs";
-
-        char * utfAmp = "\x00&";
-
-        PKIX_TEST_STD_VARS();
-
-        createString(testEscAscii,
-                    PKIX_ESCASCII,
-                    escAsciiString,
-                    PL_strlen(escAsciiString));
-
-        createString(testUtf16, PKIX_UTF16, (char *)utf16data, 12);
-
-        createString(ampString, PKIX_UTF16, utfAmp, 2);
-
-        createString(testDebugAscii,
-                    PKIX_ESCASCII_DEBUG,
-                    debugAsciiString,
-                    PL_strlen(debugAsciiString));
-
-        createString(testNullString,
-                    PKIX_ESCASCII_DEBUG,
-                    nullText,
-                    PL_strlen(nullText));
-
-        goto cleanup;
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetEncoded(
-        PKIX_PL_String *testEscAscii,
-        PKIX_PL_String *testString0,
-        PKIX_PL_String *testDebugAscii,
-        PKIX_PL_String *testNullString,
-        PKIX_UInt32 *utf16data)
-{
-        char *temp = NULL;
-        void *dest = NULL;
-        void *dest2 = NULL;
-        char *plainText = "string with\nnewlines and\ttabs";
-        PKIX_UInt32 length, length2, i;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testEscAscii,
-                                        PKIX_UTF16,
-                                        &dest,
-                                        &length,
-                                        plContext));
-        for (i = 0; i < length; i++) {
-                if (((char*)dest)[i] != ((char*)utf16data)[i]) {
-                        testError("UTF-16 Data Differs from Source");
-                        printf("%d-th char is different -%c-%c-\n", i,
-                               ((char*)dest)[i], ((char*)utf16data)[i]);
-                }
-        }
-
-        length = 0;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testNullString,
-                                        PKIX_UTF16,
-                                        &dest,
-                                        &length,
-                                        plContext));
-
-        length = 0;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testString0,
-                                        PKIX_ESCASCII_DEBUG,
-                                        &dest,
-                                        &length,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testDebugAscii,
-                                        PKIX_ESCASCII_DEBUG,
-                                        &dest2,
-                                        &length2,
-                                        plContext));
-
-        for (i = 0; (i < length) && (i < length2); i++)
-                if (((char*)dest)[i] != ((char*)dest2)[i]) {
-                        testError("Equivalent strings are unequal");
-                        break;
-                }
-
-        length = 0;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        length2 = 0;
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest2, plContext));
-
-        temp = PKIX_String2ASCII(testDebugAscii, plContext);
-        if (temp){
-                if (PL_strcmp(plainText, temp) != 0)
-                        testError("Debugged ASCII does not match "
-                                    "equivalent EscAscii");
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testSprintf(void)
-{
-        PKIX_Int32 x = 0xCAFE;
-        PKIX_Int32 y = -12345;
-        PKIX_PL_String *testString = NULL;
-        PKIX_PL_String *formatString = NULL;
-        PKIX_PL_String *sprintfString = NULL;
-        char *plainText = "Testing Sprintf";
-        char *format = "%s %x %u %d";
-        char *convertedFormat = "%s %lx %lu %ld";
-        char *temp = NULL;
-        char *temp2 = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        plainText,
-                                        PL_strlen(plainText),
-                                        &testString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        format,
-                                        11,
-                                        &formatString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Sprintf(&sprintfString,
-                                plContext,
-                                formatString,
-                                testString, x, y, y));
-        PKIX_TEST_DECREF_BC(testString);
-
-        temp = PR_smprintf(convertedFormat, plainText, x, y, y);
-        temp2 = PKIX_String2ASCII(sprintfString, plContext);
-
-        if (PL_strcmp(temp, temp2) != 0)
-                testError("Sprintf produced incorrect output");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(temp2, plContext));
-
-
-        PKIX_TEST_DECREF_BC(sprintfString);
-
-
-        PKIX_TEST_DECREF_BC(formatString);
-
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testErrorHandling(void)
-{
-        char *debugAsciiString =
-                "string with&#x000A;newlines and&#x0009;tabs";
-
-        PKIX_PL_String *testString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        NULL,
-                                        50,
-                                        &testString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII,
-                                        "blah", 4, NULL, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_Sprintf(&testString, plContext, NULL));
-
-        PKIX_TEST_EXPECT_ERROR
-                (PKIX_PL_GetString(0, NULL, &testString, plContext));
-
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_GetString(0, "blah", 0, plContext));
-
-        /* ---------------------------- */
-        subTest("Unicode Error Handling");
-
-        /* &#x must be followed by 4 hexadecimal digits */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#x003k;",
-                                            7,
-                                            &testString,
-                                            plContext));
-
-        /* &#x must be followed by 4 hexadecimal digits */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "abc&#x00",
-                                            8,
-                                            &testString,
-                                            plContext));
-
-        /* &#x must be between 00010000-0010FFFF */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#x00200101;",
-                                            11,
-                                            &testString,
-                                            plContext));
-
-        /* &#x must be followed by 8 hexadecimal digits */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#x001000",
-                                            10,
-                                            &testString,
-                                            plContext));
-
-        /* &#x must be followed by 8 hexadecimal digits */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#x0010m00;",
-                                            10,
-                                            &testString,
-                                            plContext));
-
-        /* Byte values D800-DFFF are reserved */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#xD800;",
-                                            7,
-                                            &testString,
-                                            plContext));
-
-        /* Can't use &#x for regular characters */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&#x0032;",
-                                            7,
-                                            &testString,
-                                            plContext));
-
-        /* Can't use non-printable characters */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "\xA1",
-                                            1,
-                                            &testString,
-                                            plContext));
-
-        /* Only legal \\ characters are \\, u and U */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_ESCASCII,
-                                            "&blah",
-                                            5,
-                                            &testString,
-                                            plContext));
-
-
-
-        /* Surrogate pairs must be legal */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                            PKIX_UTF16,
-                                            "\xd8\x00\x0\x66",
-                                            4,
-                                            &testString,
-                                            plContext));
-
-        /* Debugged EscASCII should not be accepted as EscASCII */
-        PKIX_TEST_EXPECT_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        debugAsciiString,
-                                        PL_strlen(debugAsciiString),
-                                        &testString,
-                                        plContext));
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(
-        PKIX_PL_String *string)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(string);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-
-int test_string(int argc, char *argv[]) {
-
-        PKIX_PL_String *testString[6] = {NULL};
-        PKIX_PL_String *testNullString = NULL;
-        PKIX_PL_String *testDebugAscii = NULL;
-        PKIX_PL_String *testEscAscii = NULL;
-        PKIX_PL_String *testUtf16 = NULL;
-        PKIX_PL_String *ampString = NULL;
-        unsigned char utf16Data[] = {0x00, 0xA1, 0xD8, 0x00,
-                            0xDC, 0x00, 0x0F, 0xFF,
-                            0xDB, 0xC0, 0xDC, 0x01};
-        PKIX_UInt32 i, size = 6;
-
-        char *plainText[6] = {
-                "string with\nnewlines and\ttabs",
-                "Not an escaped char: &amp;#x0012;",
-                "Encode &amp; with &amp;amp; in ASCII",
-                "&#x00A1;",
-                "&amp;",
-                "string with\nnewlines and\ttabs"
-        };
-
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Strings");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_String_Create <ascii format>");
-        for (i = 0; i < size; i++) {
-                testString[i] = NULL;
-                createString
-                        (&testString[i],
-                        PKIX_ESCASCII,
-                        plainText[i],
-                        PL_strlen(plainText[i]));
-        }
-
-        subTest("PKIX_PL_String_Create <other formats>");
-        createStringOther
-                (&testEscAscii,
-                &testUtf16,
-                &ampString,
-                &testDebugAscii,
-                &testNullString,
-                (PKIX_UInt32 *)utf16Data);
-
-        PKIX_TEST_EQ_HASH_TOSTR_DUP
-                (testString[0],
-                testString[5],
-                testString[1],
-                plainText[0],
-                String,
-                PKIX_TRUE);
-
-        subTest("PKIX_PL_String_GetEncoded");
-        testGetEncoded
-                (testEscAscii,
-                testString[0],
-                testDebugAscii,
-                testNullString,
-                (PKIX_UInt32 *)utf16Data);
-
-        subTest("PKIX_PL_Sprintf");
-        testSprintf();
-
-        subTest("PKIX_PL_String_Create <error_handling>");
-        testErrorHandling();
-
-        subTest("PKIX_PL_String_Destroy");
-        for (i = 0; i < size; i++) {
-                testDestroy(testString[i]);
-        }
-        testDestroy(testEscAscii);
-        testDestroy(testUtf16);
-        testDestroy(ampString);
-        testDestroy(testDebugAscii);
-        testDestroy(testNullString);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("String");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c b/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c
deleted file mode 100644
index 170a945c2..000000000
--- a/security/nss/cmd/libpkix/pkix_pl/system/test_string2.c
+++ /dev/null
@@ -1,375 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * test_string2.c
- *
- * Tests International Strings
- *
- */
-
-#include "testutil.h"
-#include "testutil_nss.h"
-
-static void *plContext = NULL;
-
-static void
-createString(
-        PKIX_PL_String **vivaEspanaString,
-        PKIX_PL_String **straussString,
-        PKIX_PL_String **gorbachevString,
-        PKIX_PL_String **testUTF16String,
-        PKIX_PL_String **chineseString,
-        PKIX_PL_String **jeanRenoString)
-{
-        /* this is meant to fail - it highlights bug 0002 */
-        unsigned char utf16String[4] = { 0xF8, 0x60,
-                                        0xFC, 0x60};
-
-        unsigned char chinese[16] = { 0xe7, 0xab, 0xa0,
-                                        0xe5, 0xad, 0x90,
-                                        0xe6, 0x80, 0xa1,
-                                        0x20,
-                                        0xe4, 0xb8, 0xad,
-                                        0xe5, 0x9b, 0xbd
-        };
-
-        char* jeanReno = "Jean R\303\251no is an actor.";
-        char* gorbachev = /* This is the name "Gorbachev" in cyrllic */
-        "\xd0\x93\xd0\xbe\xd1\x80\xd0\xb1\xd0\xb0\xd1\x87\xd1\x91\xd0\xb2";
-
-        char *vivaEspana =
-                "&#x00A1;Viva Espa&#x00f1;a!";
-
-        char *strauss =
-                "Strau&#x00Df; was born in &#x00D6;sterreich";
-
-        PKIX_TEST_STD_VARS();
-
-        /* ---------------------------- */
-        subTest("String Creation");
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        vivaEspana,
-                                        PL_strlen(vivaEspana),
-                                        vivaEspanaString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_ESCASCII,
-                                        strauss,
-                                        PL_strlen(strauss),
-                                        straussString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_UTF8,
-                                        gorbachev,
-                                        PL_strlen(gorbachev),
-                                        gorbachevString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_UTF16,
-                                        utf16String,
-                                        4,
-                                        testUTF16String,
-                                        plContext));
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_UTF8,
-                                        chinese,
-                                        16,
-                                        chineseString,
-                                        plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(
-                                        PKIX_UTF8,
-                                        jeanReno,
-                                        PL_strlen(jeanReno),
-                                        jeanRenoString,
-                                        plContext));
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testGetEncoded(PKIX_PL_String *string, PKIX_UInt32 format)
-{
-        void *dest = NULL;
-        PKIX_UInt32 length;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded
-                                (string,
-                                format,
-                                &dest,
-                                &length,
-                                plContext));
-
-        if (dest){
-                (void) printf("\tResult: %s\n", (char *)dest);
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        }
-
-cleanup:
-        PKIX_TEST_RETURN();
-}
-
-
-static void
-testHTMLOutput(
-        PKIX_PL_String *vivaEspanaString,
-        PKIX_PL_String *straussString,
-        PKIX_PL_String *gorbachevString,
-        PKIX_PL_String *testUTF16String,
-        PKIX_PL_String *chineseString,
-        PKIX_PL_String *jeanRenoString)
-{
-        void *dest = NULL;
-        PKIX_UInt32 length;
-
-        FILE *htmlFile = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        /* Opening a file for output */
-        htmlFile = fopen("utf8.html", "w");
-
-        if (htmlFile != plContext) {
-                (void) fprintf(htmlFile, "<html><head>\n");
-                (void) fprintf(htmlFile, "<meta http-equiv=\"Content-Type\"");
-                (void) fprintf(htmlFile,
-                        "content = \"text/html; charset = UTF-8\">\n");
-                (void) fprintf(htmlFile, "</head><body>\n");
-                (void) fprintf(htmlFile, "<font size =\"+2\">\n");
-        } else
-                (void) printf("Could not open HTML file\n");
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(testUTF16String,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(chineseString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(jeanRenoString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(vivaEspanaString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(straussString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(straussString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_GetEncoded(gorbachevString,
-                                            PKIX_UTF8,
-                                            &dest,
-                                            &length,
-                                            plContext));
-        if (htmlFile != plContext) {
-                (void) printf("%d bytes written to HTML file\n",
-                        fwrite(dest, length, 1, htmlFile));
-                (void) fprintf(htmlFile, "<BR>\n");
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(dest, plContext));
-        dest = NULL;
-        length = 0;
-
-        if (htmlFile != plContext) {
-                (void) fprintf(htmlFile, "</font>\n");
-                (void) fprintf(htmlFile, "</body></html>\n");
-                (void) fclose(htmlFile);
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-static void
-testDestroy(
-        PKIX_PL_String *string)
-{
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_DECREF_BC(string);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-int test_string2(int argc, char *argv[]) {
-
-        PKIX_PL_String *vivaEspanaString, *straussString, *testUTF16String;
-        PKIX_PL_String *chineseString, *jeanRenoString, *gorbachevString;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-
-        PKIX_TEST_STD_VARS();
-
-        startTests("Unicode Strings");
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        subTest("PKIX_PL_String_Create");
-        createString(&vivaEspanaString,
-                    &straussString,
-                    &gorbachevString,
-                    &testUTF16String,
-                    &chineseString,
-                    &jeanRenoString);
-
-        subTest("Converting UTF-16 to EscASCII");
-        testGetEncoded(testUTF16String, PKIX_ESCASCII);
-
-        subTest("Converting UTF-8 to EscASCII");
-        testGetEncoded(chineseString, PKIX_ESCASCII);
-
-        subTest("Converting UTF-8 to EscASCII");
-        testGetEncoded(jeanRenoString, PKIX_ESCASCII);
-
-        subTest("Converting EscASCII to UTF-16");
-        testGetEncoded(vivaEspanaString, PKIX_UTF16);
-
-        subTest("Converting UTF-8 to UTF-16");
-        testGetEncoded(chineseString, PKIX_UTF16);
-
-        subTest("Creating HTML Output File \'utf8.html\'");
-        testHTMLOutput(vivaEspanaString,
-                    straussString,
-                    gorbachevString,
-                    testUTF16String,
-                    chineseString,
-                    jeanRenoString);
-
-        subTest("Unicode Destructors");
-        testDestroy(testUTF16String);
-        testDestroy(chineseString);
-        testDestroy(jeanRenoString);
-        testDestroy(vivaEspanaString);
-        testDestroy(straussString);
-        testDestroy(gorbachevString);
-
-cleanup:
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("Unicode Strings");
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/pkixlibs.mk b/security/nss/cmd/libpkix/pkixlibs.mk
deleted file mode 100755
index 772fe4e8f..000000000
--- a/security/nss/cmd/libpkix/pkixlibs.mk
+++ /dev/null
@@ -1,60 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lpkixutil \
-	$(NULL)
-else # ! NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	$(DIST)/lib/pkixutil.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib/ \
-	-lpkixutil \
-	$(NULL)
-
-endif
-
diff --git a/security/nss/cmd/libpkix/pkixrules.mk b/security/nss/cmd/libpkix/pkixrules.mk
deleted file mode 100755
index b2c6f8b84..000000000
--- a/security/nss/cmd/libpkix/pkixrules.mk
+++ /dev/null
@@ -1,40 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
diff --git a/security/nss/cmd/libpkix/pkixutil/Makefile b/security/nss/cmd/libpkix/pkixutil/Makefile
deleted file mode 100644
index c00eeffe9..000000000
--- a/security/nss/cmd/libpkix/pkixutil/Makefile
+++ /dev/null
@@ -1,75 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/pkixutil/manifest.mn b/security/nss/cmd/libpkix/pkixutil/manifest.mn
deleted file mode 100644
index 00e174227..000000000
--- a/security/nss/cmd/libpkix/pkixutil/manifest.mn
+++ /dev/null
@@ -1,73 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = \
-	pkixutil.c \
-	$(NULL)
-
-PROGRAM = pkixutil
-
-TOOLS_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-EXTRA_LIBS += \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolperf.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolcertsel.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolparams.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolmodule.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolpki.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolsys.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolresults.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolstore.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtooltop.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolutil.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolsmplapps.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolchecker.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtoolcrlsel.$(LIB_SUFFIX) \
-	$(TOOLS_LIB_DIR)/$(LIB_PREFIX)pkixtooltestutil.$(LIB_SUFFIX) \
-	$(NULL)
-
-NO_MD_RELEASE = 1
-
-USE_STATIC_LIBS = 1
-
diff --git a/security/nss/cmd/libpkix/pkixutil/pkixutil.c b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
deleted file mode 100644
index 6d23c7059..000000000
--- a/security/nss/cmd/libpkix/pkixutil/pkixutil.c
+++ /dev/null
@@ -1,335 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * testwrapper.c
- *
- * Wrpper programm for libpkix tests.
- *
- */
-
-#include <stdio.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-
-#include "nss.h"
-#include "secport.h"
-
-typedef int (*mainTestFn)(int argc, char* argv[]);
-
-extern int libpkix_buildthreads(int argc, char *argv[]);
-extern int nss_threads(int argc, char *argv[]);
-extern int test_certselector(int argc, char *argv[]);
-extern int test_comcertselparams(int argc, char *argv[]);
-extern int test_certchainchecker(int argc, char *argv[]);
-extern int test_comcrlselparams(int argc, char *argv[]);
-extern int test_crlselector(int argc, char *argv[]);
-
-/* This test fails to build. Need to fix                */
-/* extern int test_buildparams(int argc, char *argv[]); */
-extern int test_procparams(int argc, char *argv[]);
-extern int test_resourcelimits(int argc, char *argv[]);
-extern int test_trustanchor(int argc, char *argv[]);
-extern int test_valparams(int argc, char *argv[]);
-extern int test_buildresult(int argc, char *argv[]);
-extern int test_policynode(int argc, char *argv[]);
-extern int test_valresult(int argc, char *argv[]);
-extern int test_verifynode(int argc, char *argv[]);
-extern int test_store(int argc, char *argv[]);
-extern int test_basicchecker(int argc, char *argv[]);
-extern int test_basicconstraintschecker(int argc, char *argv[]);
-extern int test_buildchain(int argc, char *argv[]);
-extern int test_buildchain_partialchain(int argc, char *argv[]);
-extern int test_buildchain_resourcelimits(int argc, char *argv[]);
-extern int test_buildchain_uchecker(int argc, char *argv[]);
-extern int test_customcrlchecker(int argc, char *argv[]);
-extern int test_defaultcrlchecker2stores(int argc, char *argv[]);
-extern int test_ocsp(int argc, char *argv[]);
-extern int test_policychecker(int argc, char *argv[]);
-extern int test_subjaltnamechecker(int argc, char *argv[]);
-extern int test_validatechain(int argc, char *argv[]);
-extern int test_validatechain_NB(int argc, char *argv[]);
-extern int test_validatechain_bc(int argc, char *argv[]);
-extern int test_error(int argc, char *argv[]);
-extern int test_list(int argc, char *argv[]);
-extern int test_list2(int argc, char *argv[]);
-extern int test_logger(int argc, char *argv[]);
-extern int test_colcertstore(int argc, char *argv[]);
-extern int test_ekuchecker(int argc, char *argv[]);
-extern int test_httpcertstore(int argc, char *argv[]);
-extern int test_pk11certstore(int argc, char *argv[]);
-extern int test_socket(int argc, char *argv[]);
-extern int test_authorityinfoaccess(int argc, char *argv[]);
-extern int test_cert(int argc, char *argv[]);
-extern int test_crl(int argc, char *argv[]);
-extern int test_crlentry(int argc, char *argv[]);
-extern int test_date(int argc, char *argv[]);
-extern int test_generalname(int argc, char *argv[]);
-extern int test_nameconstraints(int argc, char *argv[]);
-extern int test_subjectinfoaccess(int argc, char *argv[]);
-extern int test_x500name(int argc, char *argv[]);
-extern int stress_test(int argc, char *argv[]);
-extern int test_bigint(int argc, char *argv[]);
-extern int test_bytearray(int argc, char *argv[]);
-extern int test_hashtable(int argc, char *argv[]);
-extern int test_mem(int argc, char *argv[]);
-extern int test_monitorlock(int argc, char *argv[]);
-extern int test_mutex(int argc, char *argv[]);
-extern int test_mutex2(int argc, char *argv[]);
-extern int test_mutex3(int argc, char *argv[]);
-extern int test_object(int argc, char *argv[]);
-extern int test_oid(int argc, char *argv[]);
-
-/* Taken out. Problem with build                   */
-/* extern int test_rwlock(int argc, char *argv[]); */
-extern int test_string(int argc, char *argv[]);
-extern int test_string2(int argc, char *argv[]);
-extern int build_chain(int argc, char *argv[]);
-extern int dumpcert(int argc, char *argv[]);
-extern int dumpcrl(int argc, char *argv[]);
-extern int validate_chain(int argc, char *argv[]);
-
-
-typedef struct {
-    char *fnName;
-    mainTestFn fnPointer;
-} testFunctionRef;
-
-testFunctionRef testFnRefTable[] = {
-    {"libpkix_buildthreads",           libpkix_buildthreads},
-    {"nss_threads",                    nss_threads},
-    {"test_certselector",              test_certselector},
-    {"test_comcertselparams",          test_comcertselparams},
-    {"test_certchainchecker",          test_certchainchecker},
-    {"test_comcrlselparams",           test_comcrlselparams},
-    {"test_crlselector",               test_crlselector},
-/*  {"test_buildparams",               test_buildparams}*/
-    {"test_procparams",                test_procparams},
-    {"test_resourcelimits",            test_resourcelimits},
-    {"test_trustanchor",               test_trustanchor},
-    {"test_valparams",                 test_valparams},
-    {"test_buildresult",               test_buildresult},
-    {"test_policynode",                test_policynode},
-    {"test_valresult",                 test_valresult},
-    {"test_verifynode",                test_verifynode},
-    {"test_store",                     test_store},
-    {"test_basicchecker",              test_basicchecker},
-    {"test_basicconstraintschecker",   test_basicconstraintschecker},
-    {"test_buildchain",                test_buildchain},
-    {"test_buildchain_partialchain",   test_buildchain_partialchain},
-    {"test_buildchain_resourcelimits", test_buildchain_resourcelimits},
-    {"test_buildchain_uchecker",       test_buildchain_uchecker},
-    {"test_customcrlchecker",          test_customcrlchecker},
-    {"test_defaultcrlchecker2stores",  test_defaultcrlchecker2stores},
-    {"test_ocsp",                      test_ocsp},
-    {"test_policychecker",             test_policychecker},
-    {"test_subjaltnamechecker",        test_subjaltnamechecker},
-    {"test_validatechain",             test_validatechain},
-    {"test_validatechain_NB",          test_validatechain_NB},
-    {"test_validatechain_bc",          test_validatechain_bc},
-    {"test_error",                     test_error},
-    {"test_list",                      test_list},
-    {"test_list2",                     test_list2},
-    {"test_logger",                    test_logger},
-    {"test_colcertstore",              test_colcertstore},
-    {"test_ekuchecker",                test_ekuchecker},
-    {"test_httpcertstore",             test_httpcertstore},
-    {"test_pk11certstore",             test_pk11certstore},
-    {"test_socket",                    test_socket},
-    {"test_authorityinfoaccess",       test_authorityinfoaccess},
-    {"test_cert",                      test_cert},
-    {"test_crl",                       test_crl},
-    {"test_crlentry",                  test_crlentry},
-    {"test_date",                      test_date},
-    {"test_generalname",               test_generalname},
-    {"test_nameconstraints",           test_nameconstraints},
-    {"test_subjectinfoaccess",         test_subjectinfoaccess},
-    {"test_x500name",                  test_x500name},
-    {"stress_test",                    stress_test},
-    {"test_bigint",                    test_bigint},
-    {"test_bytearray",                 test_bytearray},
-    {"test_hashtable",                 test_hashtable},
-    {"test_mem",                       test_mem},
-    {"test_monitorlock",               test_monitorlock},
-    {"test_mutex",                     test_mutex},
-    {"test_mutex2",                    test_mutex2},
-    {"test_mutex3",                    test_mutex3},
-    {"test_object",                    test_object},
-    {"test_oid",                       test_oid},
-/*  {"test_rwlock",                    test_rwlock, }*/
-    {"test_string",                    test_string},
-    {"test_string2",                   test_string2},
-    {"build_chain",                    build_chain},
-    {"dumpcert",                       dumpcert},
-    {"dumpcrl",                        dumpcrl},
-    {"validate_chain",                 validate_chain},
-    {NULL,                             NULL },
-};
-
-static
-void printUsage(char *cmdName) {
-    int fnCounter = 0;
-
-    fprintf(stderr, "Usage: %s [test name] [arg1]...[argN]\n\n", cmdName);
-    fprintf(stderr, "List of possible names for the tests:");
-    while (testFnRefTable[fnCounter].fnName != NULL) {
-        if (fnCounter % 2 == 0) {
-            fprintf(stderr, "\n");
-        }
-        fprintf(stderr, "  %-35s ", testFnRefTable[fnCounter].fnName);
-        fnCounter += 1;
-    }
-    fprintf(stderr, "\n");
-}
-
-static SECStatus
-getTestArguments(int         argc,
-                 char      **argv,
-                 mainTestFn *ptestFn,
-                 char      **pdbPath,
-                 int        *pargc,
-                 char     ***pargv)
-{
-    PLOptState *optstate = NULL;
-    PLOptStatus status;
-    mainTestFn testFunction = NULL;
-    char **wArgv = NULL;
-    char  *dbPath = NULL;
-    char  *fnName = NULL;
-    int    wArgc = 0;
-    int    fnCounter = 0;
-    
-    if (argc < 2) {
-        printf("ERROR: insufficient number of arguments: %s.\n", fnName);
-        return SECFailure;
-    }
-
-    fnName = argv[1];
-    while (testFnRefTable[fnCounter].fnName != NULL) {
-        if (!PORT_Strcmp(fnName, testFnRefTable[fnCounter].fnName)) {
-            testFunction = testFnRefTable[fnCounter].fnPointer;
-            break;
-        }
-        fnCounter += 1;
-    }
-    if (!testFunction) {
-        printf("ERROR: unknown name of the test: %s.\n", fnName);
-        return SECFailure;
-    }
-
-    wArgv = PORT_ZNewArray(char*, argc);
-    if (!wArgv) {
-        return SECFailure;
-    }
-
-    /* set name of the function as a first arg and increment arg count. */
-    wArgv[0] = fnName;
-    wArgc += 1;
-
-    optstate = PL_CreateOptState(argc - 1, argv + 1, "d:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-        switch (optstate->option) {
-        case 'd':
-            dbPath = (char*)optstate->value;
-            break;
-
-        default:
-            wArgv[wArgc] = (char*)optstate->value;
-            wArgc += 1;
-            break;
-        }
-    }
-    PL_DestroyOptState(optstate);
-
-    *ptestFn = testFunction;
-    *pdbPath = dbPath;
-    *pargc = wArgc;
-    *pargv = wArgv;
-    
-    return SECSuccess;
-}
-
-
-static
-int runCmd(mainTestFn fnPointer,
-           int argc,
-           char **argv,
-           char *dbPath)
-{
-    int retStat = 0;
-    
-    /*  Initialize NSPR and NSS.  */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    
-    /* if using databases, use NSS_Init and not NSS_NoDB_Init */
-    if (dbPath && PORT_Strlen(dbPath) != 0) {
-        if (NSS_Init(dbPath) != SECSuccess)
-            return SECFailure;
-    } else {
-        if (NSS_NoDB_Init(NULL) != 0)
-            return SECFailure;
-    }
-    retStat = fnPointer(argc, argv);
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-    PR_Cleanup();
-    return retStat;
-}
-
-int main(int argc, char **argv) {
-    mainTestFn testFunction = NULL;
-    char *dbPath = NULL;
-    char **testArgv = NULL;
-    int testArgc = 0;
-    int rv = 0;
-
-    rv = getTestArguments(argc, argv, &testFunction, &dbPath,
-                          &testArgc, &testArgv);
-    if (rv != SECSuccess) {
-        printUsage(argv[0]);
-        return 1;
-    }
-    
-    rv = runCmd(testFunction, testArgc, testArgv, dbPath);
-
-    PORT_Free(testArgv);
-
-    return rv;
-}
-
diff --git a/security/nss/cmd/libpkix/sample_apps/Makefile b/security/nss/cmd/libpkix/sample_apps/Makefile
deleted file mode 100755
index ef8ff219f..000000000
--- a/security/nss/cmd/libpkix/sample_apps/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include $(PLAT_DEPTH)/platrules.mk
diff --git a/security/nss/cmd/libpkix/sample_apps/build_chain.c b/security/nss/cmd/libpkix/sample_apps/build_chain.c
deleted file mode 100644
index 52e7c0a83..000000000
--- a/security/nss/cmd/libpkix/sample_apps/build_chain.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * buildChain.c
- *
- * Tests Cert Chain Building
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-
-#include "pkix_pl_generalname.h"
-#include "pkix_pl_cert.h"
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "keythi.h"
-#include "nss.h"
-
-static void *plContext = NULL;
-
-static
-void printUsage(void){
-        (void) printf("\nUSAGE:\tbuildChain "
-                        "<trustedCert> <targetCert> <certStoreDirectory>\n\n");
-        (void) printf
-                ("Builds a chain of certificates between "
-                "<trustedCert> and <targetCert>\n"
-                "using the certs and CRLs in <certStoreDirectory>.\n");
-}
-
-static PKIX_PL_Cert *
-createCert(char *inFileName)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        void *buf = NULL;
-        PRFileDesc *inFile = NULL;
-        PKIX_UInt32 len;
-        SECItem certDER;
-        SECStatus rv;
-        /* default: NULL cert (failure case) */
-        PKIX_PL_Cert *cert = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certDER.data = NULL;
-
-        inFile = PR_Open(inFileName, PR_RDONLY, 0);
-
-        if (!inFile){
-                pkixTestErrorMsg = "Unable to open cert file";
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)certDER.data;
-                        len = certDER.len;
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_ByteArray_Create
-                                        (buf, len, &byteArray, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
-                                        (byteArray, &cert, plContext));
-
-                        SECITEM_FreeItem(&certDER, PR_FALSE);
-                } else {
-                        pkixTestErrorMsg = "Unable to read DER from cert file";
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                SECITEM_FreeItem(&certDER, PR_FALSE);
-        }
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-
-        return (cert);
-}
-
-int build_chain(int argc, char *argv[])
-{
-        PKIX_BuildResult *buildResult = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        char *trustedCertFile = NULL;
-        char *targetCertFile = NULL;
-        char *storeDirAscii = NULL;
-        PKIX_PL_String *storeDirString = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *targetCert = NULL;
-        PKIX_UInt32 actualMinorVersion, numCerts, i;
-        PKIX_UInt32 j = 0;
-        PKIX_CertStore *certStore = NULL;
-        PKIX_List *certStores = NULL;
-        char * asciiResult = NULL;
-        PKIX_Boolean useArenas = PKIX_FALSE;
-        void *buildState = NULL; /* needed by pkix_build for non-blocking I/O */
-        void *nbioContext = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 4){
-                printUsage();
-                return (0);
-        }
-
-        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_Initialize
-                                    (PKIX_TRUE, /* nssInitNeeded */
-                                    useArenas,
-                                    PKIX_MAJOR_VERSION,
-                                    PKIX_MINOR_VERSION,
-                                    PKIX_MINOR_VERSION,
-                                    &actualMinorVersion,
-                                    &plContext));
-
-        /* create processing params with list of trust anchors */
-        trustedCertFile = argv[j+1];
-        trustedCert = createCert(trustedCertFile);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                    (trustedCert, &anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                            (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                            (anchors, &procParams, plContext));
-
-
-        /* create CertSelector with target certificate in params */
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-        targetCertFile = argv[j+2];
-        targetCert = createCert(targetCertFile);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_SetCertificate
-                (certSelParams, targetCert, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-            (PKIX_CertSelector_Create(NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        /* create CertStores */
-
-        storeDirAscii = argv[j+3];
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-                (PKIX_ESCASCII, storeDirAscii, 0, &storeDirString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CollectionCertStore_Create
-                (storeDirString, &certStore, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certStores, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (certStores, (PKIX_PL_Object *)certStore, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetCertStores
-                (procParams, certStores, plContext));
-
-        /* build cert chain using processing params and return buildResult */
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_BuildChain
-                (procParams,
-                &nbioContext,
-                &buildState,
-                &buildResult,
-                NULL,
-                plContext));
-
-        /*
-         * As long as we use only CertStores with blocking I/O, we can omit
-         * checking for completion with nbioContext.
-         */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_BuildResult_GetCertChain(buildResult, &certs, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_GetLength(certs, &numCerts, plContext));
-
-        printf("\n");
-
-        for (i = 0; i < numCerts; i++){
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_List_GetItem
-                        (certs, i, (PKIX_PL_Object**)&cert, plContext));
-
-                asciiResult = PKIX_Cert2ASCII(cert);
-
-                printf("CERT[%d]:\n%s\n", i, asciiResult);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(asciiResult, plContext));
-                asciiResult = NULL;
-
-                PKIX_TEST_DECREF_BC(cert);
-        }
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                (void) printf("FAILED TO BUILD CHAIN\n");
-        } else {
-                (void) printf("SUCCESSFULLY BUILT CHAIN\n");
-        }
-
-        PKIX_PL_Free(asciiResult, plContext);
-
-        PKIX_TEST_DECREF_AC(certs);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(certStore);
-        PKIX_TEST_DECREF_AC(certStores);
-        PKIX_TEST_DECREF_AC(storeDirString);
-        PKIX_TEST_DECREF_AC(trustedCert);
-        PKIX_TEST_DECREF_AC(targetCert);
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(anchors);
-        PKIX_TEST_DECREF_AC(procParams);
-        PKIX_TEST_DECREF_AC(certSelParams);
-        PKIX_TEST_DECREF_AC(certSelector);
-        PKIX_TEST_DECREF_AC(buildResult);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcert.c b/security/nss/cmd/libpkix/sample_apps/dumpcert.c
deleted file mode 100644
index af1035365..000000000
--- a/security/nss/cmd/libpkix/sample_apps/dumpcert.c
+++ /dev/null
@@ -1,217 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * dumpcert.c
- *
- * dump certificate sample application
- *
- */
-
-#include <stdio.h>
-
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "plarena.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secasn1t.h"
-#include "certt.h"
-
-static void *plContext = NULL;
-
-static 
-void printUsage(void){
-        (void) printf("\nUSAGE:\tdumpcert <certFile>\n");
-        (void) printf("\tParses a certificate located at <certFile> "
-                "and displays it.\n");
-}
-
-static 
-void printFailure(char *msg){
-        (void) printf("FAILURE: %s\n", msg);
-}
-
-static PKIX_PL_Cert *
-createCert(char *inFileName)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_Error *error = NULL;
-        PRFileDesc *inFile = NULL;
-        SECItem certDER;
-        void *buf = NULL;
-        PKIX_UInt32 len;
-        SECStatus rv = SECFailure;
-
-        certDER.data = NULL;
-
-        inFile = PR_Open(inFileName, PR_RDONLY, 0);
-
-        if (!inFile){
-                printFailure("Unable to open cert file");
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)certDER.data;
-                        len = certDER.len;
-
-                        error = PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext);
-
-                        if (error){
-                                printFailure("PKIX_PL_ByteArray_Create failed");
-                                goto cleanup;
-                        }
-
-                        error = PKIX_PL_Cert_Create
-                                (byteArray, &cert, plContext);
-
-                        if (error){
-                                printFailure("PKIX_PL_Cert_Create failed");
-                                goto cleanup;
-                        }
-                } else {
-                        printFailure("Unable to read DER from cert file");
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (rv == SECSuccess){
-                SECITEM_FreeItem(&certDER, PR_FALSE);
-        }
-
-        if (byteArray){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
-        }
-
-        return (cert);
-}
-
-int dumpcert(int argc, char *argv[])
-{
-
-        PKIX_PL_String *string = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_Error *error = NULL;
-        char *ascii = NULL;
-        PKIX_UInt32 length = 0;
-        PKIX_UInt32 j = 0;
-	PKIX_Boolean useArenas = PKIX_FALSE;
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc == 1){
-                printUsage();
-                return (0);
-        }
-
-        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
-
-        PKIX_Initialize
-                (PKIX_TRUE, /* nssInitNeeded */
-                useArenas,
-                PKIX_MAJOR_VERSION,
-                PKIX_MINOR_VERSION,
-                PKIX_MINOR_VERSION,
-                &actualMinorVersion,
-                &plContext);
-
-        cert = createCert(argv[1+j]);
-
-        if (cert){
-
-                error = PKIX_PL_Object_ToString
-                        ((PKIX_PL_Object *)cert, &string, plContext);
-
-                if (error){
-                        printFailure("Unable to get string representation "
-                                    "of cert");
-                        goto cleanup;
-                }
-
-                error = PKIX_PL_String_GetEncoded
-                        (string,
-                        PKIX_ESCASCII,
-                        (void **)&ascii,
-                        &length,
-                        plContext);
-
-                if (error || !ascii){
-                        printFailure("Unable to get ASCII encoding of string");
-                        goto cleanup;
-                }
-
-                (void) printf("OUTPUT:\n%s\n", ascii);
-
-        } else {
-                printFailure("Unable to create certificate");
-                goto cleanup;
-        }
-
-cleanup:
-
-        if (cert){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(cert), plContext);
-        }
-
-        if (string){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
-        }
-
-        if (ascii){
-                PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
-        }
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("DUMPCERT");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c b/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
deleted file mode 100644
index 26e20f125..000000000
--- a/security/nss/cmd/libpkix/sample_apps/dumpcrl.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * dumpcrl.c
- *
- * dump CRL sample application
- *
- */
-
-#include <stdio.h>
-
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "plarena.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secasn1t.h"
-#include "certt.h"
-
-static void *plContext = NULL;
-
-static 
-void printUsage(void){
-        (void) printf("\nUSAGE:\tdumpcrl <crlFile>\n");
-        (void) printf("\tParses a CRL located at <crlFile> "
-                "and displays it.\n");
-}
-
-static 
-void printFailure(char *msg){
-        (void) printf("FAILURE: %s\n", msg);
-}
-
-static PKIX_PL_CRL *
-createCRL(char *inFileName)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_Error *error = NULL;
-        PRFileDesc *inFile = NULL;
-        SECItem crlDER;
-        void *buf = NULL;
-        PKIX_UInt32 len;
-        SECStatus rv;
-
-        PKIX_TEST_STD_VARS();
-
-        crlDER.data = NULL;
-
-        inFile = PR_Open(inFileName, PR_RDONLY, 0);
-
-        if (!inFile){
-                printFailure("Unable to open crl file");
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)crlDER.data;
-                        len = crlDER.len;
-
-                        error = PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext);
-
-                        if (error){
-                                printFailure("PKIX_PL_ByteArray_Create failed");
-                                goto cleanup;
-                        }
-
-                        error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
-                        if (error){
-                                printFailure("PKIX_PL_CRL_Create failed");
-                                goto cleanup;
-                        }
-
-                        SECITEM_FreeItem(&crlDER, PR_FALSE);
-                } else {
-                        printFailure("Unable to read DER from crl file");
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (error){
-                SECITEM_FreeItem(&crlDER, PR_FALSE);
-        }
-
-        if (byteArray){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(byteArray), plContext);
-        }
-
-        PKIX_TEST_RETURN();
-
-        return (crl);
-}
-
-int dumpcrl(int argc, char *argv[])
-{
-
-        PKIX_PL_String *string = NULL;
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_Error *error = NULL;
-        char *ascii = NULL;
-        PKIX_UInt32 length;
-        PKIX_UInt32 actualMinorVersion;
-        PKIX_UInt32 j = 0;
-        PKIX_Boolean useArenas = PKIX_FALSE;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc == 1){
-                printUsage();
-                return (0);
-        }
-
-        useArenas = PKIX_TEST_ARENAS_ARG(argv[1]);
-
-        PKIX_Initialize
-                (PKIX_TRUE, /* nssInitNeeded */
-                useArenas,
-                PKIX_MAJOR_VERSION,
-                PKIX_MINOR_VERSION,
-                PKIX_MINOR_VERSION,
-                &actualMinorVersion,
-                &plContext);
-
-        crl = createCRL(argv[j+1]);
-
-        if (crl){
-
-                error = PKIX_PL_Object_ToString
-                        ((PKIX_PL_Object *)crl, &string, plContext);
-
-                if (error){
-                        printFailure("Unable to get string representation "
-                                    "of crl");
-                        goto cleanup;
-                }
-
-                error = PKIX_PL_String_GetEncoded
-                        (string,
-                        PKIX_ESCASCII,
-                        (void **)&ascii,
-                        &length,
-                        plContext);
-                if (error || !ascii){
-                        printFailure("Unable to get ASCII encoding of string");
-                        goto cleanup;
-                }
-
-                (void) printf("OUTPUT:\n%s\n", ascii);
-
-        } else {
-                printFailure("Unable to create CRL");
-                goto cleanup;
-        }
-
-cleanup:
-
-        if (crl){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(crl), plContext);
-        }
-
-        if (string){
-                PKIX_PL_Object_DecRef((PKIX_PL_Object *)(string), plContext);
-        }
-
-        if (ascii){
-                PKIX_PL_Free((PKIX_PL_Object *)(ascii), plContext);
-        }
-
-        PKIX_Shutdown(plContext);
-
-        PKIX_TEST_RETURN();
-
-        endTests("DUMPCRL");
-
-        return (0);
-}
diff --git a/security/nss/cmd/libpkix/sample_apps/manifest.mn b/security/nss/cmd/libpkix/sample_apps/manifest.mn
deleted file mode 100755
index 2e9cda0e1..000000000
--- a/security/nss/cmd/libpkix/sample_apps/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# htt/www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-
-# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = dumpcert.c \
-	dumpcrl.c \
-	validate_chain.c \
-	build_chain.c \
-	$(NULL)
-
-LIBRARY_NAME=pkixtoolsmplapps
-
-SOURCE_LIB_DIR=$(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/sample_apps/validate_chain.c b/security/nss/cmd/libpkix/sample_apps/validate_chain.c
deleted file mode 100644
index c580399bb..000000000
--- a/security/nss/cmd/libpkix/sample_apps/validate_chain.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * validateChain.c
- *
- * Tests Cert Chain Validation
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-
-#include "pkix_pl_generalname.h"
-#include "pkix_pl_cert.h"
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "keythi.h"
-#include "nss.h"
-
-static void *plContext = NULL;
-
-static 
-void printUsage(void){
-        (void) printf("\nUSAGE:\tvalidateChain <trustedCert> "
-                "<cert_1> <cert_2> ... <cert_n>\n");
-        (void) printf("\tValidates a chain of n certificates "
-                "using the given trust anchor.\n");
-
-}
-
-static PKIX_PL_Cert *
-createCert(char *inFileName)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        void *buf = NULL;
-        PRFileDesc *inFile = NULL;
-        PKIX_UInt32 len;
-        SECItem certDER;
-        SECStatus rv;
-        /* default: NULL cert (failure case) */
-        PKIX_PL_Cert *cert = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        certDER.data = NULL;
-
-        inFile = PR_Open(inFileName, PR_RDONLY, 0);
-
-        if (!inFile){
-                pkixTestErrorMsg = "Unable to open cert file";
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)certDER.data;
-                        len = certDER.len;
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
-                                                (byteArray, &cert, plContext));
-
-                        SECITEM_FreeItem(&certDER, PR_FALSE);
-                } else {
-                        pkixTestErrorMsg = "Unable to read DER from cert file";
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                SECITEM_FreeItem(&certDER, PR_FALSE);
-        }
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-
-        return (cert);
-}
-
-int validate_chain(int argc, char *argv[])
-{
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_List *anchors = NULL;
-        PKIX_List *certs = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_PL_X500Name *subject = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_CertSelector *certSelector = NULL;
-	PKIX_VerifyNode *verifyTree = NULL;
-	PKIX_PL_String *verifyString = NULL;
-
-        char *trustedCertFile = NULL;
-        char *chainCertFile = NULL;
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_Cert *chainCert = NULL;
-        PKIX_UInt32 chainLength = 0;
-        PKIX_UInt32 i = 0;
-        PKIX_UInt32 j = 0;
-        PKIX_UInt32 actualMinorVersion;
-
-        PKIX_TEST_STD_VARS();
-
-        if (argc < 3){
-                printUsage();
-                return (0);
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(
-            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));
-
-        chainLength = (argc - j) - 2;
-
-        /* create processing params with list of trust anchors */
-        trustedCertFile = argv[1+j];
-        trustedCert = createCert(trustedCertFile);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Cert_GetSubject(trustedCert, &subject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ComCertSelParams_Create(&certSelParams, plContext));
-
-#if 0
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ComCertSelParams_SetSubject
-                                    (certSelParams, subject, plContext));
-#endif
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_CertSelector_Create
-                (NULL, NULL, &certSelector, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_CertSelector_SetCommonCertSelectorParams
-                                (certSelector, certSelParams, plContext));
-
-        PKIX_TEST_DECREF_BC(subject);
-        PKIX_TEST_DECREF_BC(certSelParams);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                    (trustedCert, &anchor, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchors, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_List_AppendItem
-                (anchors, (PKIX_PL_Object *)anchor, plContext));
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                                    (anchors, &procParams, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetTargetCertConstraints
-                (procParams, certSelector, plContext));
-
-        PKIX_TEST_DECREF_BC(certSelector);
-
-        /* create cert chain */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certs, plContext));
-        for (i = 0; i < chainLength; i++){
-                chainCertFile = argv[(i + j) + 2];
-                chainCert = createCert(chainCertFile);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                            (certs,
-                                            (PKIX_PL_Object *)chainCert,
-                                            plContext));
-
-                PKIX_TEST_DECREF_BC(chainCert);
-                chainCert = NULL;
-        }
-        /* create validate params with processing params and cert chain */
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
-                                    (procParams, certs, &valParams, plContext));
-
-        PKIX_TEST_DECREF_BC(trustedCert); trustedCert = NULL;
-        PKIX_TEST_DECREF_BC(anchor); anchor = NULL;
-        PKIX_TEST_DECREF_BC(anchors); anchors = NULL;
-        PKIX_TEST_DECREF_BC(certs); certs = NULL;
-        PKIX_TEST_DECREF_BC(procParams); procParams = NULL;
-
-        /* validate cert chain using processing params and return valResult */
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ValidateChain(valParams, &valResult, &verifyTree, plContext));
-
-        if (valResult != NULL){
-                (void) printf("SUCCESSFULLY VALIDATED\n");
-        }
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                (void) printf("FAILED TO VALIDATE\n");
-	        (void) PKIX_PL_Object_ToString
-        	        ((PKIX_PL_Object*)verifyTree, &verifyString, plContext);
-	        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);
-	        PKIX_TEST_DECREF_AC(verifyString);
-
-        }
-
-        PKIX_TEST_DECREF_AC(verifyTree);
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(valParams);
-
-        PKIX_TEST_RETURN();
-
-        PKIX_Shutdown(plContext);
-
-        return (0);
-
-}
diff --git a/security/nss/cmd/libpkix/testutil/Makefile b/security/nss/cmd/libpkix/testutil/Makefile
deleted file mode 100755
index ea5fd90a6..000000000
--- a/security/nss/cmd/libpkix/testutil/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-include $(PKIX_DEPTH)/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include $(PLAT_DEPTH)/platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include $(PLAT_DEPTH)/platrules.mk
-
-export:: private_export
-
diff --git a/security/nss/cmd/libpkix/testutil/config.mk b/security/nss/cmd/libpkix/testutil/config.mk
deleted file mode 100644
index 46978a032..000000000
--- a/security/nss/cmd/libpkix/testutil/config.mk
+++ /dev/null
@@ -1,48 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# don't build the static library
-LIBRARY =
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
-
-endif
diff --git a/security/nss/cmd/libpkix/testutil/manifest.mn b/security/nss/cmd/libpkix/testutil/manifest.mn
deleted file mode 100755
index c40c467df..000000000
--- a/security/nss/cmd/libpkix/testutil/manifest.mn
+++ /dev/null
@@ -1,59 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the PKIX-C library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are
-# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-PKIX_DEPTH = ..
-CORE_DEPTH = $(PKIX_DEPTH)/../../..
-PLAT_DEPTH = $(PKIX_DEPTH)/..
-
-MODULE = nss
-
-PRIVATE_EXPORTS = \
-	testutil_nss.h \
-	testutil.h \
-	$(NULL)
-
-CSRCS = \
-	testutil_nss.c \
-	testutil.c \
-	$(NULL)
-
-LIBRARY_NAME = pkixtooltestutil
-
-SOURCE_LIB_DIR = $(PKIX_DEPTH)/$(OBJDIR)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/libpkix/testutil/pkixutil.def b/security/nss/cmd/libpkix/testutil/pkixutil.def
deleted file mode 100644
index eed954ac5..000000000
--- a/security/nss/cmd/libpkix/testutil/pkixutil.def
+++ /dev/null
@@ -1,81 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the PKIX-C library.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Sun Microsystems, Inc.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
-;+#
-# Contributor(s):
-#   Sun Microsystems, Inc.
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#	line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.  
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.  
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSS_3.12 {               # NSS 3.12 release
-;+    global:
-LIBRARY pkixutil ;-
-EXPORTS	;-
-createBuildResult;
-createCRL;
-createCert;
-createCertChain;
-createCertChainPlus;
-createDate;
-createGeneralName;
-createProcessingParams;
-createTrustAnchor;
-createValidateParams;
-createValidateResult;
-endTests;
-startTests;
-subTest;
-testDuplicateHelper;
-testEqualsHelper;
-testError;
-testErrorUndo;
-testHashcodeHelper;
-testToStringHelper;
-PKIX_Cert2ASCII;
-PKIX_Error2ASCII;
-PKIX_String2ASCII;
-;+    local:
-;+       *;
-;+};
diff --git a/security/nss/cmd/libpkix/testutil/testutil.c b/security/nss/cmd/libpkix/testutil/testutil.c
deleted file mode 100755
index 266f2ca48..000000000
--- a/security/nss/cmd/libpkix/testutil/testutil.c
+++ /dev/null
@@ -1,619 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * testutil.c
- *
- * Utility error handling functions
- *
- */
-
-#include "testutil.h"
-
-/*
- * static global variable to keep track of total number of errors for
- * a particular test suite (eg. all the OID tests)
- */
-static int errCount = 0;
-
-/*
- * FUNCTION: startTests
- * DESCRIPTION:
- *
- *  Prints standard message for starting the test suite with the name pointed
- *  to by "testName". This function should be called in the beginning of every
- *  test suite.
- *
- * PARAMETERS:
- *  "testName"
- *      Address of string representing name of test suite.
- * THREAD SAFETY:
- *  Not Thread Safe - assumes exclusive access to "errCount"
- *  (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-startTests(char *testName)
-{
-        (void) printf("*START OF TESTS FOR %s:\n", testName);
-        errCount = 0;
-}
-
-/*
- * FUNCTION: endTests
- * DESCRIPTION:
- *
- *  Prints standard message for ending the test suite with the name pointed
- *  to by "testName", followed by a success/failure message. This function
- *  should be called at the end of every test suite.
- *
- * PARAMETERS:
- *  "testName"
- *      Address of string representing name of test suite.
- * THREAD SAFETY:
- *  Not Thread Safe - assumes exclusive access to "errCount"
- *  (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-endTests(char *testName)
-{
-        char plural = ' ';
-
-        (void) printf("*END OF TESTS FOR %s: ", testName);
-        if (errCount > 0) {
-                if (errCount > 1) plural = 's';
-                (void) printf("%d SUBTEST%c FAILED.\n\n", errCount, plural);
-        } else {
-                (void) printf("ALL TESTS COMPLETED SUCCESSFULLY.\n\n");
-        }
-}
-
-/*
- * FUNCTION: subTest
- * DESCRIPTION:
- *
- *  Prints standard message for starting the subtest with the name pointed to
- *  by "subTestName". This function should be called at the beginning of each
- *  subtest.
- *
- * PARAMETERS:
- *  "subTestName"
- *      Address of string representing name of subTest.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-subTest(char *subTestName)
-{
-        (void) printf("TESTING: %s ...\n", subTestName);
-}
-
-/*
- * FUNCTION: testErrorUndo
- * DESCRIPTION:
- *
- *  Decrements the global variable "errCount" and prints a test failure
- *  expected message followed by the string pointed to by "msg". This function
- *  should be called when an expected error condition is encountered in the
- *  tests. Calling this function *correct* the previous errCount increment.
- *  It should only be called ONCE per subtest.
- *
- * PARAMETERS:
- *  "msg"
- *      Address of text of error message.
- * THREAD SAFETY:
- *  Not Thread Safe - assumes exclusive access to "errCount"
- *  (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testErrorUndo(char *msg)
-{
-        --errCount;
-        (void) printf("TEST FAILURE *** EXPECTED *** :%s\n", msg);
-}
-
-/*
- * FUNCTION: testError
- * DESCRIPTION:
- *
- *  Increments the global variable "errCount" and prints a standard test
- *  failure message followed by the string pointed to by "msg". This function
- *  should be called when an unexpected error condition is encountered in the
- *  tests. It should only be called ONCE per subtest.
- *
- * PARAMETERS:
- *  "msg"
- *      Address of text of error message.
- * THREAD SAFETY:
- *  Not Thread Safe - assumes exclusive access to "errCount"
- *  (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testError(char *msg)
-{
-        ++errCount;
-        (void) printf("TEST FAILURE: %s\n", msg);
-}
-
-/*
- * FUNCTION: PKIX_String2ASCII
- * DESCRIPTION:
- *
- *  Converts String object pointed to by "string" to its ASCII representation
- *  and returns the converted value. Returns NULL upon failure.
- *
- *  XXX Might want to use ESCASCII_DEBUG to show control characters, etc.
- *
- * PARAMETERS:
- *  "string"
- *      Address of String to be converted to ASCII. Must be non-NULL.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns the ASCII representation of "string" upon success;
- *  NULL upon failure.
- */
-char *
-PKIX_String2ASCII(PKIX_PL_String *string, void *plContext)
-{
-        PKIX_UInt32 length;
-        char *asciiString = NULL;
-        PKIX_Error *errorResult;
-
-        errorResult = PKIX_PL_String_GetEncoded
-                (string,
-                PKIX_ESCASCII,
-                (void **)&asciiString,
-                &length,
-                plContext);
-
-        if (errorResult) goto cleanup;
-
-cleanup:
-
-        if (errorResult){
-                return (NULL);
-        }
-
-        return (asciiString);
-
-}
-
-/*
- * FUNCTION: PKIX_Error2ASCII
- * DESCRIPTION:
- *
- *  Converts Error pointed to by "error" to its ASCII representation and
- *  returns the converted value. Returns NULL upon failure.
- *
- * PARAMETERS:
- *  "error"
- *      Address of Error to be converted to ASCII. Must be non-NULL.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns the ASCII representation of "error" upon success;
- *  NULL upon failure.
- */
-char *
-PKIX_Error2ASCII(PKIX_Error *error, void *plContext)
-{
-        PKIX_UInt32 length;
-        char *asciiString = NULL;
-        PKIX_PL_String *pkixString = NULL;
-        PKIX_Error *errorResult = NULL;
-
-        errorResult = PKIX_PL_Object_ToString
-                ((PKIX_PL_Object*)error, &pkixString, plContext);
-        if (errorResult) goto cleanup;
-
-        errorResult = PKIX_PL_String_GetEncoded
-                (pkixString,
-                PKIX_ESCASCII,
-                (void **)&asciiString,
-                &length,
-                plContext);
-
-cleanup:
-
-        if (pkixString){
-                if (PKIX_PL_Object_DecRef
-                    ((PKIX_PL_Object*)pkixString, plContext)){
-                        return (NULL);
-                }
-        }
-
-        if (errorResult){
-                return (NULL);
-        }
-
-        return (asciiString);
-}
-
-/*
- * FUNCTION: PKIX_Object2ASCII
- * DESCRIPTION:
- *
- *  Converts Object pointed to by "object" to its ASCII representation and
- *  returns the converted value. Returns NULL upon failure.
- *
- * PARAMETERS:
- *  "object"
- *      Address of Object to be converted to ASCII. Must be non-NULL.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns the ASCII representation of "object" upon success;
- *  NULL upon failure.
- */
-char *
-PKIX_Object2ASCII(PKIX_PL_Object *object)
-{
-        PKIX_UInt32 length;
-        char *asciiString = NULL;
-        PKIX_PL_String *pkixString = NULL;
-        PKIX_Error *errorResult = NULL;
-
-        errorResult = PKIX_PL_Object_ToString
-                (object, &pkixString, NULL);
-        if (errorResult) goto cleanup;
-
-        errorResult = PKIX_PL_String_GetEncoded
-            (pkixString, PKIX_ESCASCII, (void **)&asciiString, &length, NULL);
-
-cleanup:
-
-        if (pkixString){
-                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixString, NULL)){
-                        return (NULL);
-                }
-        }
-
-        if (errorResult){
-                return (NULL);
-        }
-
-        return (asciiString);
-}
-
-/*
- * FUNCTION: PKIX_Cert2ASCII
- * DESCRIPTION:
- *
- *  Converts Cert pointed to by "cert" to its partial ASCII representation and
- *  returns the converted value. Returns NULL upon failure.
- *
- * PARAMETERS:
- *  "cert"
- *      Address of Cert to be converted to ASCII. Must be non-NULL.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns the partial ASCII representation of "cert" upon success;
- *  NULL upon failure.
- */
-char *
-PKIX_Cert2ASCII(PKIX_PL_Cert *cert)
-{
-        PKIX_PL_X500Name *issuer = NULL;
-        void *issuerAscii = NULL;
-        PKIX_PL_X500Name *subject = NULL;
-        void *subjectAscii = NULL;
-        void *asciiString = NULL;
-        PKIX_Error *errorResult = NULL;
-        PKIX_UInt32 numChars;
-
-        /* Issuer */
-        errorResult = PKIX_PL_Cert_GetIssuer(cert, &issuer, NULL);
-        if (errorResult) goto cleanup;
-
-        issuerAscii = PKIX_Object2ASCII((PKIX_PL_Object*)issuer);
-
-        /* Subject */
-        errorResult = PKIX_PL_Cert_GetSubject(cert, &subject, NULL);
-        if (errorResult) goto cleanup;
-
-        if (subject){
-                subjectAscii = PKIX_Object2ASCII((PKIX_PL_Object*)subject);
-        }
-
-        errorResult = PKIX_PL_Malloc(200, &asciiString, NULL);
-        if (errorResult) goto cleanup;
-
-        numChars =
-                PR_snprintf
-                (asciiString,
-                200,
-                "Issuer=%s\nSubject=%s\n",
-                issuerAscii,
-                subjectAscii);
-
-        if (!numChars) goto cleanup;
-
-cleanup:
-
-        if (issuer){
-                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)issuer, NULL)){
-                        return (NULL);
-                }
-        }
-
-        if (subject){
-                if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)subject, NULL)){
-                        return (NULL);
-                }
-        }
-
-        if (PKIX_PL_Free((PKIX_PL_Object*)issuerAscii, NULL)){
-                return (NULL);
-        }
-
-        if (PKIX_PL_Free((PKIX_PL_Object*)subjectAscii, NULL)){
-                return (NULL);
-        }
-
-        if (errorResult){
-                return (NULL);
-        }
-
-        return (asciiString);
-}
-
-/*
- * FUNCTION: testHashcodeHelper
- * DESCRIPTION:
- *
- *  Computes the hashcode of the Object pointed to by "goodObject" and the
- *  Object pointed to by "otherObject" and compares them. If the result of the
- *  comparison is not the desired match as specified by "match", an error
- *  message is generated.
- *
- * PARAMETERS:
- *  "goodObject"
- *      Address of an object. Must be non-NULL.
- *  "otherObject"
- *      Address of another object. Must be non-NULL.
- *  "match"
- *      Boolean value representing the desired comparison result.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testHashcodeHelper(
-        PKIX_PL_Object *goodObject,
-        PKIX_PL_Object *otherObject,
-        PKIX_Boolean match,
-        void *plContext)
-{
-
-        PKIX_UInt32 goodHash;
-        PKIX_UInt32 otherHash;
-        PKIX_Boolean cmpResult;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
-                        ((PKIX_PL_Object *)goodObject, &goodHash, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Hashcode
-                        ((PKIX_PL_Object *)otherObject, &otherHash, plContext));
-
-        cmpResult = (goodHash == otherHash);
-
-        if ((match && !cmpResult) || (!match && cmpResult)){
-                testError("unexpected mismatch");
-                (void) printf("Hash1:\t%d\n", goodHash);
-                (void) printf("Hash2:\t%d\n", otherHash);
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-}
-
-/*
- * FUNCTION: testToStringHelper
- * DESCRIPTION:
- *
- *  Calls toString on the Object pointed to by "goodObject" and compares the
- *  result to the string pointed to by "expected". If the results are not
- *  equal, an error message is generated.
- *
- * PARAMETERS:
- *  "goodObject"
- *      Address of Object. Must be non-NULL.
- *  "expected"
- *      Address of the desired string.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testToStringHelper(
-        PKIX_PL_Object *goodObject,
-        char *expected,
-        void *plContext)
-{
-        PKIX_PL_String *stringRep = NULL;
-        char *actual = NULL;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
-                        (goodObject, &stringRep, plContext));
-
-        actual = PKIX_String2ASCII(stringRep, plContext);
-        if (actual == NULL){
-                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
-                goto cleanup;
-        }
-
-        /*
-         * If you are having trouble matching the string, uncomment the
-         * PL_strstr function to figure out what's going on.
-         */
-
-        /*
-            if (PL_strstr(actual, expected) == NULL){
-                testError("PL_strstr failed");
-            }
-        */
-
-
-        if (PL_strcmp(actual, expected) != 0){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%s\n", actual);
-                (void) printf("Expected value:\t%s\n", expected);
-        }
-
-cleanup:
-
-        PKIX_PL_Free(actual, plContext);
-
-        PKIX_TEST_DECREF_AC(stringRep);
-
-        PKIX_TEST_RETURN();
-}
-
-/*
- * FUNCTION: testEqualsHelper
- * DESCRIPTION:
- *
- *  Checks if the Object pointed to by "goodObject" is Equal to the Object
- *  pointed to by "otherObject". If the result of the check is not the desired
- *  match as specified by "match", an error message is generated.
- *
- * PARAMETERS:
- *  "goodObject"
- *      Address of an Object. Must be non-NULL.
- *  "otherObject"
- *      Address of another Object. Must be non-NULL.
- *  "match"
- *      Boolean value representing the desired comparison result.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testEqualsHelper(
-        PKIX_PL_Object *goodObject,
-        PKIX_PL_Object *otherObject,
-        PKIX_Boolean match,
-        void *plContext)
-{
-
-        PKIX_Boolean cmpResult;
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_PL_Object_Equals
-                (goodObject, otherObject, &cmpResult, plContext));
-
-        if ((match && !cmpResult) || (!match && cmpResult)){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", cmpResult);
-                (void) printf("Expected value:\t%d\n", match);
-        }
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-}
-
-
-/*
- * FUNCTION: testDuplicateHelper
- * DESCRIPTION:
- *  Checks if the Object pointed to by "object" is equal to its duplicate.
- *  If the result of the check is not equality, an error message is generated.
- * PARAMETERS:
- *  "object"
- *      Address of Object. Must be non-NULL.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns nothing.
- */
-void
-testDuplicateHelper(PKIX_PL_Object *object, void *plContext)
-{
-        PKIX_PL_Object *newObject = NULL;
-        PKIX_Boolean cmpResult;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Duplicate
-                                    (object, &newObject, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Equals
-                                    (object, newObject, &cmpResult, plContext));
-
-        if (!cmpResult){
-                testError("unexpected mismatch");
-                (void) printf("Actual value:\t%d\n", cmpResult);
-                (void) printf("Expected value:\t%d\n", PKIX_TRUE);
-        }
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(newObject);
-
-        PKIX_TEST_RETURN();
-}
diff --git a/security/nss/cmd/libpkix/testutil/testutil.h b/security/nss/cmd/libpkix/testutil/testutil.h
deleted file mode 100755
index 528fc0ea9..000000000
--- a/security/nss/cmd/libpkix/testutil/testutil.h
+++ /dev/null
@@ -1,337 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * testutil.h
- *
- * Utility functions for handling test errors
- *
- */
-
-#ifndef _TESTUTIL_H
-#define _TESTUTIL_H
-
-#include "pkix.h"
-#include "plstr.h"
-#include "prprf.h"
-#include "prlong.h"
-#include "pkix_pl_common.h"
-#include "secutil.h"
-#include <stdio.h>
-#include <ctype.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * In order to have a consistent format for displaying test information,
- * all tests are REQUIRED to use the functions provided by this library
- * (libtestutil.a) for displaying their information.
- *
- * A test using this library begins with a call to startTests with the test
- * name as the arg (which is used only for formatting). Before the first
- * subtest, a call to subTest should be made with the subtest name as the arg
- * (again, for formatting). If the subTest is successful, then no action
- * is needed. However, if the subTest is not successful, then a call
- * to testError should be made with a descriptive error message as the arg.
- * Note that a subTest MUST NOT call testError more than once.
- * Finally, a call to endTests is made with the test name as the arg (for
- * formatting). Note that most of these macros assume that a variable named
- * "plContext" of type (void *) has been defined by the test. As such, it
- * is essential that the test satisfy this condition.
- */
-
-/*
- * PKIX_TEST_STD_VARS should be called at the beginning of every function
- * that uses PKIX_TEST_RETURN (e.g. subTests), but it should be called only
- * AFTER declaring local variables (so we don't get compiler warnings about
- * declarations after statements). PKIX_TEST_STD_VARS declares and initializes
- * several variables needed by the other test macros.
- */
-#define PKIX_TEST_STD_VARS() \
-        PKIX_Error *pkixTestErrorResult = NULL; \
-        char *pkixTestErrorMsg = NULL;
-
-/*
- * PKIX_TEST_EXPECT_NO_ERROR should be used to wrap a standard PKIX function
- * call (one which returns a pointer to PKIX_Error) that is expected to return
- * NULL (i.e. to succeed). If "pkixTestErrorResult" is not NULL,
- * "goto cleanup" is executed, where a testError call is made if there were
- * unexpected results. This macro MUST NOT be called after the "cleanup" label.
- *
- * Example Usage: PKIX_TEST_EXPECT_NO_ERROR(pkixFunc_expected_to_succeed(...));
- */
-
-#define PKIX_TEST_EXPECT_NO_ERROR(func) \
-        do { \
-                pkixTestErrorResult = (func); \
-                if (pkixTestErrorResult) { \
-                        goto cleanup; \
-                } \
-        } while (0)
-
-/*
- * PKIX_TEST_EXPECT_ERROR should be used to wrap a standard PKIX function call
- * (one which returns a pointer to PKIX_Error) that is expected to return
- * a non-NULL value (i.e. to fail). If "pkixTestErrorResult" is NULL,
- * "pkixTestErrorMsg" is set to a standard string and "goto cleanup"
- * is executed, where a testError call is made if there were unexpected
- * results. This macro MUST NOT be called after the "cleanup" label.
- *
- * Example Usage:  PKIX_TEST_EXPECT_ERROR(pkixFunc_expected_to_fail(...));
- */
-
-#define PKIX_TEST_EXPECT_ERROR(func) \
-        do { \
-                pkixTestErrorResult = (func); \
-                if (!pkixTestErrorResult){ \
-                        pkixTestErrorMsg = \
-                                "Should have thrown an error here."; \
-                        goto cleanup; \
-                } \
-                PKIX_TEST_DECREF_BC(pkixTestErrorResult); \
-        } while (0)
-
-/*
- * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
- * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
- * DecRefs the input parameter and wraps the function with
- * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
- * This macro MUST NOT be called after the "cleanup" label.
- */
-
-#define PKIX_TEST_DECREF_BC(obj) \
-        do { \
-                if (obj){ \
-                        PKIX_TEST_EXPECT_NO_ERROR \
-                        (PKIX_PL_Object_DecRef \
-                                ((PKIX_PL_Object*)(obj), plContext)); \
-                obj = NULL; \
-                } \
-        } while (0)
-
-/*
- * PKIX_TEST_DECREF_AC is a convenience macro which should only be called
- * AFTER the "cleanup" label ("AC"). If the input parameter is non-NULL, it
- * DecRefs the input parameter. A pkixTestTempResult variable is used to prevent
- * incorrectly overwriting pkixTestErrorResult with NULL.
- * In the case DecRef succeeds, pkixTestTempResult will be NULL, and we won't
- * overwrite a previously set pkixTestErrorResult (if any). If DecRef fails,
- * then we do want to overwrite a previously set pkixTestErrorResult since a
- * DecRef failure is fatal and may be indicative of memory corruption.
- */
-
-#define PKIX_TEST_DECREF_AC(obj) \
-        do { \
-                if (obj){ \
-                        PKIX_Error *pkixTestTempResult = NULL; \
-                        pkixTestTempResult = \
-                        PKIX_PL_Object_DecRef \
-                                ((PKIX_PL_Object*)(obj), plContext); \
-                        if (pkixTestTempResult) \
-                                pkixTestErrorResult = pkixTestTempResult; \
-                        obj = NULL; \
-                } \
-        } while (0)
-
-/*
- * PKIX_TEST_RETURN must always be AFTER the "cleanup" label. It does nothing
- * if everything went as expected. However, if there were unexpected results,
- * PKIX_TEST_RETURN calls testError, which displays a standard failure message
- * and increments the number of subtests that have failed. In the case
- * of an unexpected error, testError is called using the error's description
- * as an input and the error is DecRef'd. In the case of unexpected success
- * testError is called with a standard string.
- */
-#define PKIX_TEST_RETURN() \
-        { \
-                if (pkixTestErrorMsg){ \
-                        testError(pkixTestErrorMsg); \
-                } else if (pkixTestErrorResult){ \
-                        pkixTestErrorMsg = \
-                                PKIX_Error2ASCII \
-                                        (pkixTestErrorResult, plContext); \
-                        if (pkixTestErrorMsg) { \
-                                testError(pkixTestErrorMsg); \
-                                PKIX_PL_Free \
-                                        ((PKIX_PL_Object *)pkixTestErrorMsg, \
-                                        plContext); \
-                        } else { \
-                                testError("PKIX_Error2ASCII Failed"); \
-                        } \
-                        if (pkixTestErrorResult != PKIX_ALLOC_ERROR()){ \
-                                PKIX_PL_Object_DecRef \
-                                ((PKIX_PL_Object*)pkixTestErrorResult, \
-                                plContext); \
-                                pkixTestErrorResult = NULL; \
-                        } \
-                } \
-        }
-
-/*
- * PKIX_TEST_EQ_HASH_TOSTR_DUP is a convenience macro which executes the
- * standard set of operations that test the Equals, Hashcode, ToString, and
- * Duplicate functions of an object type. The goodObj, equalObj, and diffObj
- * are as the names suggest. The expAscii parameter is the expected result of
- * calling ToString on the goodObj. If expAscii is NULL, then ToString will
- * not be called on the goodObj. The checkDuplicate parameter is treated as
- * a Boolean to indicate whether the Duplicate function should be tested. If
- * checkDuplicate is NULL, then Duplicate will not be called on the goodObj.
- * The type is the name of the function's family. For example, if the type is
- * Cert, this macro will call PKIX_PL_Cert_Equals, PKIX_PL_Cert_Hashcode, and
- * PKIX_PL_Cert_ToString.
- *
- * Note: If goodObj uses the default Equals and Hashcode functions, then
- * for goodObj and equalObj to be equal, they must have the same pointer value.
- */
-#define PKIX_TEST_EQ_HASH_TOSTR_DUP(goodObj, equalObj, diffObj, \
-                                        expAscii, type, checkDuplicate) \
-        do { \
-                subTest("PKIX_PL_" #type "_Equals   <match>"); \
-                testEqualsHelper \
-                        ((PKIX_PL_Object *)(goodObj), \
-                        (PKIX_PL_Object *)(equalObj), \
-                        PKIX_TRUE, \
-                        plContext); \
-                subTest("PKIX_PL_" #type "_Hashcode <match>"); \
-                testHashcodeHelper \
-                        ((PKIX_PL_Object *)(goodObj), \
-                        (PKIX_PL_Object *)(equalObj), \
-                        PKIX_TRUE, \
-                        plContext); \
-                subTest("PKIX_PL_" #type "_Equals   <non-match>"); \
-                testEqualsHelper \
-                        ((PKIX_PL_Object *)(goodObj), \
-                        (PKIX_PL_Object *)(diffObj), \
-                        PKIX_FALSE, \
-                        plContext); \
-                subTest("PKIX_PL_" #type "_Hashcode <non-match>"); \
-                testHashcodeHelper \
-                        ((PKIX_PL_Object *)(goodObj), \
-                        (PKIX_PL_Object *)(diffObj), \
-                        PKIX_FALSE, \
-                        plContext); \
-                if (expAscii){ \
-                        subTest("PKIX_PL_" #type "_ToString"); \
-                        testToStringHelper \
-                                ((PKIX_PL_Object *)(goodObj), \
-                                (expAscii), \
-                                plContext); } \
-                if (checkDuplicate){ \
-                        subTest("PKIX_PL_" #type "_Duplicate"); \
-                        testDuplicateHelper \
-                                ((PKIX_PL_Object *)goodObj, plContext); } \
-        } while (0)
-
-/*
- * PKIX_TEST_DECREF_BC is a convenience macro which should only be called
- * BEFORE the "cleanup" label ("BC"). If the input parameter is non-NULL, it
- * DecRefs the input parameter and wraps the function with
- * PKIX_TEST_EXPECT_NO_ERROR, which executes "goto cleanup" upon error.
- * This macro MUST NOT be called after the "cleanup" label.
- */
-
-#define PKIX_TEST_ABORT_ON_NULL(obj) \
-        do { \
-                if (!obj){ \
-                        goto cleanup; \
-                } \
-        } while (0)
-
-#define PKIX_TEST_ARENAS_ARG(arena) \
-        (arena? \
-        (PORT_Strcmp(arena, "arenas") ? PKIX_FALSE : (j++, PKIX_TRUE)): \
-        PKIX_FALSE)
-
-#define PKIX_TEST_ERROR_RECEIVED (pkixTestErrorMsg || pkixTestErrorResult)
-
-/* see source file for function documentation */
-
-void startTests(char *testName);
-
-void endTests(char *testName);
-
-void subTest(char *subTestName);
-
-void testError(char *msg);
-
-extern PKIX_Error *
-_ErrorCheck(PKIX_Error *errorResult);
-
-extern PKIX_Error *
-_OutputError(PKIX_Error *errorResult);
-
-char* PKIX_String2ASCII(PKIX_PL_String *string, void *plContext);
-
-char* PKIX_Error2ASCII(PKIX_Error *error, void *plContext);
-
-char* PKIX_Object2ASCII(PKIX_PL_Object *object);
-
-char *PKIX_Cert2ASCII(PKIX_PL_Cert *cert);
-
-void
-testHashcodeHelper(
-        PKIX_PL_Object *goodObject,
-        PKIX_PL_Object *otherObject,
-        PKIX_Boolean match,
-        void *plContext);
-
-void
-testToStringHelper(
-        PKIX_PL_Object *goodObject,
-        char *expected,
-        void *plContext);
-
-void
-testEqualsHelper(
-        PKIX_PL_Object *goodObject,
-        PKIX_PL_Object *otherObject,
-        PKIX_Boolean match,
-        void *plContext);
-
-void
-testDuplicateHelper(
-        PKIX_PL_Object *object,
-        void *plContext);
-void
-testErrorUndo(char *msg);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* TESTUTIL_H */
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.c b/security/nss/cmd/libpkix/testutil/testutil_nss.c
deleted file mode 100755
index 6d2928a83..000000000
--- a/security/nss/cmd/libpkix/testutil/testutil_nss.c
+++ /dev/null
@@ -1,663 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * testutil_nss.c
- *
- * NSS-specific utility functions for handling test errors
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stddef.h>
-
-#include "pkix_pl_generalname.h"
-#include "pkix_pl_cert.h"
-#include "pkix.h"
-#include "testutil.h"
-#include "prlong.h"
-#include "plstr.h"
-#include "prthread.h"
-#include "secutil.h"
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "keythi.h"
-#include "nss.h"
-
-static char *catDirName(char *dir, char *name, void *plContext)
-{
-        char *pathName = NULL;
-        PKIX_UInt32 nameLen;
-        PKIX_UInt32 dirLen;
-
-        PKIX_TEST_STD_VARS();
-
-        nameLen = PL_strlen(name);
-        dirLen = PL_strlen(dir);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Malloc
-                                    (dirLen + nameLen + 2,
-                                    (void **)&pathName,
-                                    plContext));
-
-        PL_strcpy(pathName, dir);
-        PL_strcat(pathName, "/");
-        PL_strcat(pathName, name);
-        printf("pathName = %s\n", pathName);
-
-cleanup:
-
-        PKIX_TEST_RETURN();
-
-        return (pathName);
-}
-
-PKIX_PL_Cert *
-createCert(
-        char *dirName,
-        char *certFileName,
-        void *plContext)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        void *buf = NULL;
-        PRFileDesc *certFile = NULL;
-        PKIX_UInt32 len;
-        SECItem certDER;
-        SECStatus rv;
-        /* default: NULL cert (failure case) */
-        PKIX_PL_Cert *cert = NULL;
-        char *pathName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-
-        certDER.data = NULL;
-
-        pathName = catDirName(dirName, certFileName, plContext);
-        certFile = PR_Open(pathName, PR_RDONLY, 0);
-
-        if (!certFile){
-                pkixTestErrorMsg = "Unable to open cert file";
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)certDER.data;
-                        len = certDER.len;
-
-                        PKIX_TEST_EXPECT_NO_ERROR
-                                (PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext));
-
-                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_Create
-                                                (byteArray, &cert, plContext));
-
-                        SECITEM_FreeItem(&certDER, PR_FALSE);
-                } else {
-                        pkixTestErrorMsg = "Unable to read DER from cert file";
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        pkixTestErrorResult = PKIX_PL_Free(pathName, plContext);
-
-        if (certFile){
-                PR_Close(certFile);
-        }
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                SECITEM_FreeItem(&certDER, PR_FALSE);
-        }
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-
-        return (cert);
-}
-
-PKIX_PL_CRL *
-createCRL(
-        char *dirName,
-        char *crlFileName,
-        void *plContext)
-{
-        PKIX_PL_ByteArray *byteArray = NULL;
-        PKIX_PL_CRL *crl = NULL;
-        PKIX_Error *error = NULL;
-        PRFileDesc *inFile = NULL;
-        SECItem crlDER;
-        void *buf = NULL;
-        PKIX_UInt32 len;
-        SECStatus rv;
-        char *pathName = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        crlDER.data = NULL;
-
-        pathName = catDirName(dirName, crlFileName, plContext);
-        inFile = PR_Open(pathName, PR_RDONLY, 0);
-
-        if (!inFile){
-                pkixTestErrorMsg = "Unable to open crl file";
-                goto cleanup;
-        } else {
-                rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
-                if (!rv){
-                        buf = (void *)crlDER.data;
-                        len = crlDER.len;
-
-                        error = PKIX_PL_ByteArray_Create
-                                (buf, len, &byteArray, plContext);
-
-                        if (error){
-                                pkixTestErrorMsg =
-                                        "PKIX_PL_ByteArray_Create failed";
-                                goto cleanup;
-                        }
-
-                        error = PKIX_PL_CRL_Create(byteArray, &crl, plContext);
-                        if (error){
-                                pkixTestErrorMsg = "PKIX_PL_Crl_Create failed";
-                                goto cleanup;
-                        }
-
-                        SECITEM_FreeItem(&crlDER, PR_FALSE);
-                } else {
-                        pkixTestErrorMsg = "Unable to read DER from crl file";
-                        goto cleanup;
-                }
-        }
-
-cleanup:
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Free(pathName, plContext));
-
-        if (inFile){
-                PR_Close(inFile);
-        }
-
-        if (error){
-                SECITEM_FreeItem(&crlDER, PR_FALSE);
-        }
-
-        PKIX_TEST_DECREF_AC(byteArray);
-
-        PKIX_TEST_RETURN();
-
-        return (crl);
-
-}
-
-PKIX_TrustAnchor *
-createTrustAnchor(
-        char *dirName,
-        char *certFileName,
-        PKIX_Boolean useCert,
-        void *plContext)
-{
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_X500Name *name = NULL;
-        PKIX_PL_PublicKey *pubKey = NULL;
-        PKIX_PL_CertNameConstraints *nameConstraints = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        cert = createCert(dirName, certFileName, plContext);
-
-        if (useCert){
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_TrustAnchor_CreateWithCert
-                                        (cert, &anchor, plContext));
-        } else {
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject
-                                        (cert, &name, plContext));
-
-                if (name == NULL){
-                        goto cleanup;
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                                        (cert, &pubKey, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetNameConstraints
-                                        (cert, &nameConstraints, NULL));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_TrustAnchor_CreateWithNameKeyPair
-                        (name, pubKey, nameConstraints, &anchor, plContext));
-        }
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(anchor);
-        }
-
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(name);
-        PKIX_TEST_DECREF_AC(pubKey);
-        PKIX_TEST_DECREF_AC(nameConstraints);
-
-        PKIX_TEST_RETURN();
-
-        return (anchor);
-}
-
-PKIX_List *
-createCertChain(
-        char *dirName,
-        char *firstCertFileName,
-        char *secondCertFileName,
-        void *plContext)
-{
-        PKIX_PL_Cert *firstCert = NULL;
-        PKIX_PL_Cert *secondCert = NULL;
-        PKIX_List *certList = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
-
-        firstCert = createCert(dirName, firstCertFileName, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                (certList, (PKIX_PL_Object *)firstCert, plContext));
-
-        if (secondCertFileName){
-                secondCert = createCert(dirName, secondCertFileName, plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                        (certList, (PKIX_PL_Object *)secondCert, plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
-                                    (certList, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(certList);
-        }
-
-        PKIX_TEST_DECREF_AC(firstCert);
-        PKIX_TEST_DECREF_AC(secondCert);
-
-        PKIX_TEST_RETURN();
-
-        return (certList);
-}
-
-PKIX_List *
-createCertChainPlus(
-        char *dirName,
-        char *certNames[],
-        PKIX_PL_Cert *certs[],
-        PKIX_UInt32 numCerts,
-        void *plContext)
-{
-        PKIX_List *certList = NULL;
-        PKIX_UInt32 i;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&certList, plContext));
-
-        for (i = 0; i < numCerts; i++) {
-
-                certs[i] = createCert(dirName, certNames[i], plContext);
-
-                /* Create Cert may fail */
-                if (certs[i] == NULL) {
-                        PKIX_TEST_DECREF_BC(certList);
-                        goto cleanup;
-                }
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                            (certList,
-                                            (PKIX_PL_Object *)certs[i],
-                                            plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
-                                    (certList, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(certList);
-        }
-
-        for (i = 0; i < numCerts; i++) {
-                PKIX_TEST_DECREF_AC(certs[i]);
-        }
-
-        PKIX_TEST_RETURN();
-
-        return (certList);
-
-}
-
-PKIX_PL_Date *
-createDate(
-        char *asciiDate,
-        void *plContext)
-{
-        PKIX_PL_Date *date = NULL;
-        PKIX_PL_String *plString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-            (PKIX_ESCASCII, asciiDate, 0, &plString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime
-                                    (plString, &date, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(plString);
-
-        PKIX_TEST_RETURN();
-
-        return (date);
-}
-
-PKIX_ProcessingParams *
-createProcessingParams(
-        char *dirName,
-        char *firstAnchorFileName,
-        char *secondAnchorFileName,
-        char *dateAscii,
-        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
-        PKIX_Boolean isCrlEnabled,
-        void *plContext)
-{
-
-        PKIX_TrustAnchor *firstAnchor = NULL;
-        PKIX_TrustAnchor *secondAnchor = NULL;
-        PKIX_List *anchorsList = NULL;
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_PL_String *dateString = NULL;
-        PKIX_PL_Date *testDate = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&anchorsList, plContext));
-
-        firstAnchor = createTrustAnchor
-                (dirName, firstAnchorFileName, PKIX_FALSE, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                    (anchorsList,
-                                    (PKIX_PL_Object *)firstAnchor,
-                                    plContext));
-
-        if (secondAnchorFileName){
-                secondAnchor =
-                        createTrustAnchor
-                        (dirName, secondAnchorFileName, PKIX_FALSE, plContext);
-
-                PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
-                                            (anchorsList,
-                                            (PKIX_PL_Object *)secondAnchor,
-                                            plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_Create
-                                    (anchorsList, &procParams, plContext));
-
-        if (dateAscii){
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_String_Create
-                        (PKIX_ESCASCII,
-                        dateAscii,
-                        0,
-                        &dateString,
-                        plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_PL_Date_Create_UTCTime
-                        (dateString, &testDate, plContext));
-
-                PKIX_TEST_EXPECT_NO_ERROR
-                        (PKIX_ProcessingParams_SetDate
-                        (procParams, testDate, plContext));
-        }
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
-                (procParams, initialPolicies, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetRevocationEnabled
-                                    (procParams, isCrlEnabled, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(procParams);
-        }
-
-        PKIX_TEST_DECREF_AC(dateString);
-        PKIX_TEST_DECREF_AC(testDate);
-        PKIX_TEST_DECREF_AC(anchorsList);
-        PKIX_TEST_DECREF_AC(firstAnchor);
-        PKIX_TEST_DECREF_AC(secondAnchor);
-
-        PKIX_TEST_RETURN();
-
-        return (procParams);
-}
-
-PKIX_ValidateParams *
-createValidateParams(
-        char *dirName,
-        char *firstAnchorFileName,
-        char *secondAnchorFileName,
-        char *dateAscii,
-        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
-        PKIX_Boolean initialPolicyMappingInhibit,
-        PKIX_Boolean initialAnyPolicyInhibit,
-        PKIX_Boolean initialExplicitPolicy,
-        PKIX_Boolean isCrlEnabled,
-        PKIX_List *chain,
-        void *plContext)
-{
-
-        PKIX_ProcessingParams *procParams = NULL;
-        PKIX_ValidateParams *valParams = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        procParams =
-                createProcessingParams
-                    (dirName,
-                    firstAnchorFileName,
-                    secondAnchorFileName,
-                    dateAscii,
-                    NULL,
-                    isCrlEnabled,
-                    plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetInitialPolicies
-                (procParams, initialPolicies, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetPolicyMappingInhibited
-                (procParams, initialPolicyMappingInhibit, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ProcessingParams_SetAnyPolicyInhibited
-                (procParams, initialAnyPolicyInhibit, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (PKIX_ProcessingParams_SetExplicitPolicyRequired
-                (procParams, initialExplicitPolicy, NULL));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateParams_Create
-                (procParams, chain, &valParams, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(valParams);
-        }
-
-        PKIX_TEST_DECREF_AC(procParams);
-
-        PKIX_TEST_RETURN();
-
-        return (valParams);
-}
-
-PKIX_ValidateResult *
-createValidateResult(
-        char *dirName,
-        char *anchorFileName,
-        char *pubKeyCertFileName,
-        void *plContext)
-{
-
-        PKIX_TrustAnchor *anchor = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_PL_Cert *cert = NULL;
-        PKIX_PL_PublicKey *pubKey = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        anchor = createTrustAnchor
-                    (dirName, anchorFileName, PKIX_FALSE, plContext);
-        cert = createCert(dirName, pubKeyCertFileName, plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey
-                                    (cert, &pubKey, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (pkix_ValidateResult_Create
-                (pubKey, anchor, NULL, &valResult, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(valResult);
-        }
-
-        PKIX_TEST_DECREF_AC(anchor);
-        PKIX_TEST_DECREF_AC(cert);
-        PKIX_TEST_DECREF_AC(pubKey);
-
-        PKIX_TEST_RETURN();
-
-        return (valResult);
-}
-
-PKIX_PL_GeneralName *
-createGeneralName(
-        PKIX_UInt32 nameType,
-        char *asciiName,
-        void *plContext)
-{
-
-        PKIX_PL_GeneralName *generalName = NULL;
-        PKIX_PL_String *plString = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create
-            (PKIX_ESCASCII, asciiName, 0, &plString, plContext));
-
-        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_GeneralName_Create
-            (nameType, plString, &generalName, plContext));
-
-cleanup:
-
-        PKIX_TEST_DECREF_AC(plString);
-
-        PKIX_TEST_RETURN();
-
-        return (generalName);
-}
-
-PKIX_BuildResult *
-createBuildResult(
-        char *dirName,
-        char *anchorFileName,
-        char *pubKeyCertFileName,
-        char *firstChainCertFileName,
-        char *secondChainCertFileName,
-        void *plContext)
-{
-        PKIX_BuildResult *buildResult = NULL;
-        PKIX_ValidateResult *valResult = NULL;
-        PKIX_List *certChain = NULL;
-
-        PKIX_TEST_STD_VARS();
-
-        valResult = createValidateResult
-                (dirName, anchorFileName, pubKeyCertFileName, plContext);
-        certChain = createCertChain
-                        (dirName,
-                        firstChainCertFileName,
-                        secondChainCertFileName,
-                        plContext);
-
-        PKIX_TEST_EXPECT_NO_ERROR
-                (pkix_BuildResult_Create
-                (valResult, certChain, &buildResult, plContext));
-
-cleanup:
-
-        if (PKIX_TEST_ERROR_RECEIVED){
-                PKIX_TEST_DECREF_AC(buildResult);
-        }
-
-        PKIX_TEST_DECREF_AC(valResult);
-        PKIX_TEST_DECREF_AC(certChain);
-
-        PKIX_TEST_RETURN();
-
-        return (buildResult);
-}
diff --git a/security/nss/cmd/libpkix/testutil/testutil_nss.h b/security/nss/cmd/libpkix/testutil/testutil_nss.h
deleted file mode 100755
index 4c2a2e04e..000000000
--- a/security/nss/cmd/libpkix/testutil/testutil_nss.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the PKIX-C library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * testutil_nss.h
- *
- * NSS-specific utility functions for handling test errors
- *
- */
-
-#ifndef _TESTUTIL_NSS_H
-#define _TESTUTIL_NSS_H
-
-#include "pkix_tools.h"
-#include "plstr.h"
-#include "prprf.h"
-#include "prlong.h"
-#include "secutil.h"
-#include <stdio.h>
-#include <ctype.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "pkix_pl_generalname.h"
-
-/* see source file for function documentation */
-
-PKIX_PL_Cert *
-createCert(
-        char *dirName,
-        char *certFile,
-        void *plContext);
-
-PKIX_PL_CRL *
-createCRL(
-        char *dirName,
-        char *crlFileName,
-        void *plContext);
-
-PKIX_TrustAnchor *
-createTrustAnchor(
-        char *dirName,
-        char *taFileName,
-        PKIX_Boolean useCert,
-        void *plContext);
-
-PKIX_List *
-createCertChain(
-        char *dirName,
-        char *firstCertFileName,
-        char *secondCertFileName,
-        void *plContext);
-
-PKIX_List *
-createCertChainPlus(
-        char *dirName,
-        char *certNames[],
-        PKIX_PL_Cert *certs[],
-        PKIX_UInt32 numCerts,
-        void *plContext);
-
-PKIX_PL_Date *
-createDate(
-        char *asciiDate,
-        void *plContext);
-
-
-PKIX_ProcessingParams *
-createProcessingParams(
-        char *dirName,
-        char *firstAnchorFileName,
-        char *secondAnchorFileName,
-        char *dateAscii,
-        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
-        PKIX_Boolean isCrlEnabled,
-        void *plContext);
-
-PKIX_ValidateParams *
-createValidateParams(
-        char *dirName,
-        char *firstAnchorFileName,
-        char *secondAnchorFileName,
-        char *dateAscii,
-        PKIX_List *initialPolicies, /* List of PKIX_PL_OID */
-        PKIX_Boolean initialPolicyMappingInhibit,
-        PKIX_Boolean initialAnyPolicyInhibit,
-        PKIX_Boolean initialExplicitPolicy,
-        PKIX_Boolean isCrlEnabled,
-        PKIX_List *chain,
-        void *plContext);
-
-PKIX_ValidateResult *
-createValidateResult(
-        char *dirName,
-        char *anchorFileName,
-        char *pubKeyCertFileName,
-        void *plContext);
-
-PKIX_BuildResult *
-createBuildResult(
-        char *dirName,
-        char *anchorFileName,
-        char *pubKeyCertFileName,
-        char *firstChainCertFileName,
-        char *secondChainCertFileName,
-        void *plContext);
-
-PKIX_PL_GeneralName *
-createGeneralName(
-        PKIX_UInt32 nameType,
-        char *asciiName,
-        void *plContext);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* TESTUTIL_NSS_H */
diff --git a/security/nss/cmd/makepqg/Makefile b/security/nss/cmd/makepqg/Makefile
deleted file mode 100644
index 835c85833..000000000
--- a/security/nss/cmd/makepqg/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
-
diff --git a/security/nss/cmd/makepqg/makepqg.c b/security/nss/cmd/makepqg/makepqg.c
deleted file mode 100644
index 5a172d696..000000000
--- a/security/nss/cmd/makepqg/makepqg.c
+++ /dev/null
@@ -1,363 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "nss.h"
-#include "secutil.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "pk11pqg.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "plgetopt.h"
-
-#define BPB 8 /* bits per byte. */
-
-char  *progName;
-
-
-const SEC_ASN1Template seckey_PQGParamsTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
-};
-
-
-
-void
-Usage(void)
-{
-    fprintf(stderr, "Usage:  %s\n", progName);
-    fprintf(stderr, 
-"-a   Output DER-encoded PQG params, BTOA encoded.\n"
-"     -l prime-length       Length of prime in bits (1024 is default)\n"
-"     -o file               Output to this file (default is stdout)\n"
-"-b   Output DER-encoded PQG params in binary\n"
-"     -l prime-length       Length of prime in bits (1024 is default)\n"
-"     -o file               Output to this file (default is stdout)\n"
-"-r   Output P, Q and G in ASCII hexadecimal. \n"
-"     -l prime-length       Length of prime in bits (1024 is default)\n"
-"     -o file               Output to this file (default is stdout)\n"   
-"-g bits       Generate SEED this many bits long.\n"
-);
-    exit(-1);
-
-}
-
-SECStatus
-outputPQGParams(PQGParams * pqgParams, PRBool output_binary, PRBool output_raw,
-                FILE * outFile)
-{
-    PRArenaPool   * arena 		= NULL;
-    char          * PQG;
-    SECItem       * pItem;
-    int             cc;
-    SECStatus       rv;
-    SECItem         encodedParams;
-
-    if (output_raw) {
-    	SECItem item;
-
-	rv = PK11_PQG_GetPrimeFromParams(pqgParams, &item);
-	if (rv) {
-	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
-	    return rv;
-	}
-	SECU_PrintInteger(outFile, &item,    "Prime",    1);
-	SECITEM_FreeItem(&item, PR_FALSE);
-
-	rv = PK11_PQG_GetSubPrimeFromParams(pqgParams, &item);
-	if (rv) {
-	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
-	    return rv;
-	}
-	SECU_PrintInteger(outFile, &item, "Subprime", 1);
-	SECITEM_FreeItem(&item, PR_FALSE);
-
-	rv = PK11_PQG_GetBaseFromParams(pqgParams, &item);
-	if (rv) {
-	    SECU_PrintError(progName, "PK11_PQG_GetPrimeFromParams");
-	    return rv;
-	}
-	SECU_PrintInteger(outFile, &item,     "Base",     1);
-	SECITEM_FreeItem(&item, PR_FALSE);
-
-	fprintf(outFile, "\n");
-	return SECSuccess;
-    }
-
-    encodedParams.data = NULL;
-    encodedParams.len  = 0;
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-    	SECU_PrintError(progName, "PORT_NewArena");
-	return SECFailure;
-    }
-    pItem = SEC_ASN1EncodeItem(arena, &encodedParams, pqgParams,
-			       seckey_PQGParamsTemplate);
-    if (!pItem) {
-    	SECU_PrintError(progName, "SEC_ASN1EncodeItem");
-	PORT_FreeArena(arena, PR_FALSE);
-    	return SECFailure;
-    }
-    if (output_binary) {
-	size_t len;
-	len = fwrite(encodedParams.data, 1, encodedParams.len, outFile);
-	PORT_FreeArena(arena, PR_FALSE);
-	if (len != encodedParams.len) {
-	     fprintf(stderr, "%s: fwrite failed\n", progName);
-	     return SECFailure;
-	}
-	return SECSuccess;
-    }
-
-    /* must be output ASCII */
-    PQG = BTOA_DataToAscii(encodedParams.data, encodedParams.len);    
-    PORT_FreeArena(arena, PR_FALSE);
-    if (!PQG) {
-    	SECU_PrintError(progName, "BTOA_DataToAscii");
-	return SECFailure;
-    }
-
-    cc = fprintf(outFile,"%s\n",PQG);
-    PORT_Free(PQG);
-    if (cc <= 0) {
-	 fprintf(stderr, "%s: fprintf failed\n", progName);
-	 return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-outputPQGVerify(PQGVerify * pqgVerify, PRBool output_binary, PRBool output_raw,
-                FILE * outFile)
-{
-    SECStatus rv = SECSuccess;
-    if (output_raw) {
-    	SECItem item;
-	unsigned int counter;
-
-	rv = PK11_PQG_GetHFromVerify(pqgVerify, &item);
-	if (rv) {
-	    SECU_PrintError(progName, "PK11_PQG_GetHFromVerify");
-	    return rv;
-	}
-	SECU_PrintInteger(outFile, &item,        "h",        1);
-	SECITEM_FreeItem(&item, PR_FALSE);
-
-	rv = PK11_PQG_GetSeedFromVerify(pqgVerify, &item);
-	if (rv) {
-	    SECU_PrintError(progName, "PK11_PQG_GetSeedFromVerify");
-	    return rv;
-	}
-	SECU_PrintInteger(outFile, &item,     "SEED",     1);
-	fprintf(outFile, "    g:       %d\n", item.len * BPB);
-	SECITEM_FreeItem(&item, PR_FALSE);
-
-	counter = PK11_PQG_GetCounterFromVerify(pqgVerify);
-	fprintf(outFile, "    counter: %d\n", counter);
-	fprintf(outFile, "\n");
-    }
-    return rv;
-}
-
-int
-main(int argc, char **argv)
-{
-    FILE          * outFile 		= NULL;
-    char          * outFileName         = NULL;
-    PQGParams     * pqgParams 		= NULL;
-    PQGVerify     * pqgVerify           = NULL;
-    int             keySizeInBits	= 1024;
-    int             j;
-    int             g                   = 0;
-    SECStatus       rv 			= 0;
-    SECStatus       passed 		= 0;
-    PRBool          output_ascii	= PR_FALSE;
-    PRBool          output_binary	= PR_FALSE;
-    PRBool          output_raw		= PR_FALSE;
-    PLOptState *optstate;
-    PLOptStatus status;
-
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    /* Parse command line arguments */
-    optstate = PL_CreateOptState(argc, argv, "?abg:l:o:r" );
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-
-	  case 'l':
-	    keySizeInBits = atoi(optstate->value);
-	    break;
-
-	  case 'a':
-	    output_ascii = PR_TRUE;  
-	    break;
-
-	  case 'b':
-	    output_binary = PR_TRUE;
-	    break;
-
-	  case 'r':
-	    output_raw = PR_TRUE;
-	    break;
-
-	  case 'o':
-	    if (outFileName) {
-	    	PORT_Free(outFileName);
-	    }
-	    outFileName = PORT_Strdup(optstate->value);
-	    if (!outFileName) {
-		rv = -1;
-	    }
-	    break;
-
-	  case 'g':
-	    g = atoi(optstate->value);
-	    break;
-
-	  default:
-	  case '?':
-	    Usage();
-	    break;
-
-	}
-    }
-    PL_DestroyOptState(optstate);
-
-    if (status == PL_OPT_BAD) {
-        Usage();
-    }
-
-    /* exactly 1 of these options must be set. */
-    if (1 != ((output_ascii  != PR_FALSE) + 
-	      (output_binary != PR_FALSE) +
-	      (output_raw    != PR_FALSE))) {
-	Usage();
-    }
-
-    j = PQG_PBITS_TO_INDEX(keySizeInBits);
-    if (j < 0) {
-	fprintf(stderr, "%s: Illegal prime length, \n"
-			"\tacceptable values are between 512 and 1024,\n"
-			"\tand divisible by 64\n", progName);
-	return 2;
-    }
-    if (g != 0 && (g < 160 || g >= 2048 || g % 8 != 0)) {
-	fprintf(stderr, "%s: Illegal g bits, \n"
-			"\tacceptable values are between 160 and 2040,\n"
-			"\tand divisible by 8\n", progName);
-	return 3;
-    }
-
-    if (!rv && outFileName) {
-	outFile = fopen(outFileName, output_binary ? "wb" : "w");
-	if (!outFile) {
-	    fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-		    progName, outFileName);
-	    rv = -1;
-	}
-    }
-    if (outFileName) {
-	PORT_Free(outFileName);
-    }
-    if (rv != 0) {
-	return 1;
-    }
-
-    if (outFile == NULL) {
-	outFile = stdout;
-    }
-
-
-    NSS_NoDB_Init(NULL);
-
-    if (g) 
-	rv = PK11_PQG_ParamGenSeedLen((unsigned)j, (unsigned)(g/8), 
-	                         &pqgParams, &pqgVerify);
-    else 
-	rv = PK11_PQG_ParamGen((unsigned)j, &pqgParams, &pqgVerify);
-    /* below here, must go to loser */
-
-    if (rv != SECSuccess || pqgParams == NULL || pqgVerify == NULL) {
-	SECU_PrintError(progName, "PQG parameter generation failed.\n");
-	goto loser;
-    } 
-    fprintf(stderr, "%s: PQG parameter generation completed.\n", progName);
-
-    rv = outputPQGParams(pqgParams, output_binary, output_raw, outFile);
-    if (rv) {
-    	fprintf(stderr, "%s: failed to output PQG params.\n", progName);
-	goto loser;
-    }
-    rv = outputPQGVerify(pqgVerify, output_binary, output_raw, outFile);
-    if (rv) {
-    	fprintf(stderr, "%s: failed to output PQG Verify.\n", progName);
-	goto loser;
-    }
-
-    rv = PK11_PQG_VerifyParams(pqgParams, pqgVerify, &passed);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: PQG parameter verification aborted.\n", progName);
-	goto loser;
-    }
-    if (passed != SECSuccess) {
-	fprintf(stderr, "%s: PQG parameters failed verification.\n", progName);
-	goto loser;
-    } 
-    fprintf(stderr, "%s: PQG parameters passed verification.\n", progName);
-
-    PK11_PQG_DestroyParams(pqgParams);
-    PK11_PQG_DestroyVerify(pqgVerify);
-    return 0;
-
-loser:
-    PK11_PQG_DestroyParams(pqgParams);
-    PK11_PQG_DestroyVerify(pqgVerify);
-    return 1;
-}
diff --git a/security/nss/cmd/makepqg/manifest.mn b/security/nss/cmd/makepqg/manifest.mn
deleted file mode 100644
index 7d623f11b..000000000
--- a/security/nss/cmd/makepqg/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-REQUIRES = dbm 
-
-# DIRS = 
-
-CSRCS	=  makepqg.c
-
-PROGRAM	= makepqg
-
-#USE_STATIC_LIBS = 1
-
diff --git a/security/nss/cmd/makepqg/testit.ksh b/security/nss/cmd/makepqg/testit.ksh
deleted file mode 100644
index 31ac17ea1..000000000
--- a/security/nss/cmd/makepqg/testit.ksh
+++ /dev/null
@@ -1,45 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-COUNTER=75
-while [ $COUNTER -ge "1" ] 
-do 
-	COUNTER=$(eval expr $COUNTER - 1)
-	echo $COUNTER
-    	*/makepqg.exe -r -l 640 -g 160 || exit 1
-done
-
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
deleted file mode 100644
index d1b83e595..000000000
--- a/security/nss/cmd/manifest.mn
+++ /dev/null
@@ -1,98 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-DEPTH	= ../..
-# MODULE	= seccmd
-
-REQUIRES = nss nspr libdbm
-
-DIRS = lib  \
- $(ZLIB_SRCDIR) \
- addbuiltin \
- atob  \
- bltest \
- btoa  \
- certcgi \
- certutil  \
- checkcert  \
- crlutil  \
- crmftest \
- dbtest \
- derdump  \
- digest  \
- fipstest  \
- makepqg  \
- ocspclnt  \
- oidcalc  \
- p7content  \
- p7env  \
- p7sign  \
- p7verify  \
- pk12util \
- pk11mode \
- pp  \
- rsaperf \
- sdrtest \
- selfserv  \
- signtool \
- signver \
- shlibsign \
- smimetools  \
- ssltap  \
- strsclnt \
- symkeyutil \
- tests \
- tstclnt  \
- vfychain \
- vfyserv \
- modutil \
- $(NULL)
-
-TEMPORARILY_DONT_BUILD = \
- $(NULL)
-
-# rsaperf  \
-#
-#       needs to look at what needs to happen to make jar build in
-# the binary release environment.
-#
-# perror requires lib/strerror.c which requires the client code installed 
-# to build (requires allxpstr.h)
-#
-DONT_BULD = jar \
- perror \
-$(NULL)
diff --git a/security/nss/cmd/modutil/Makefile b/security/nss/cmd/modutil/Makefile
deleted file mode 100644
index 8bdb8658d..000000000
--- a/security/nss/cmd/modutil/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
-#
-# Cancel the built-in implicit yacc and lex rules.
-#
-
-%.c: %.y
-%.c: %.l
diff --git a/security/nss/cmd/modutil/README b/security/nss/cmd/modutil/README
deleted file mode 100644
index 12d192c9f..000000000
--- a/security/nss/cmd/modutil/README
+++ /dev/null
@@ -1,7 +0,0 @@
-                    CRYPTOGRAPHIC MODULE UTILITY (modutil)
-                                VERSION 1.0
-              ===============================================
-
-The file specification.html documentats the software.
-
-The file pk11jar.html documents the PKCS #11 JAR format.
diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h
deleted file mode 100644
index f8f4a9187..000000000
--- a/security/nss/cmd/modutil/error.h
+++ /dev/null
@@ -1,189 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef MODUTIL_ERROR_H
-#define MODUTIL_ERROR_H
-
-/*
- * The values of these enumerated constants are immutable and must not be
- * changed.
- */
-typedef enum {
-	NO_ERR=0,
-	INVALID_USAGE_ERR,
-	UNEXPECTED_ARG_ERR,
-	UNKNOWN_OPTION_ERR,
-	MULTIPLE_COMMAND_ERR,
-	OPTION_NEEDS_ARG_ERR,
-	DUPLICATE_OPTION_ERR,
-	MISSING_PARAM_ERR,
-	INVALID_FIPS_ARG,
-	NO_COMMAND_ERR,
-	NO_DBDIR_ERR,
-	FIPS_SWITCH_FAILED_ERR,
-	FIPS_ALREADY_ON_ERR,
-	FIPS_ALREADY_OFF_ERR,
-	FILE_ALREADY_EXISTS_ERR,
-	FILE_DOESNT_EXIST_ERR,
-	FILE_NOT_READABLE_ERR,
-	FILE_NOT_WRITEABLE_ERR,
-	DIR_DOESNT_EXIST_ERR,
-	DIR_NOT_READABLE_ERR,
-	DIR_NOT_WRITEABLE_ERR,
-	INVALID_CONSTANT_ERR,
-	ADD_MODULE_FAILED_ERR,
-	UNUSED_ERR,  /* reserved for future use */
-	OUT_OF_MEM_ERR,
-	DELETE_INTERNAL_ERR,
-	DELETE_FAILED_ERR,
-	NO_LIST_LOCK_ERR,
-	NO_MODULE_LIST_ERR,
-	NO_SUCH_MODULE_ERR,
-	MOD_INFO_ERR,
-	SLOT_INFO_ERR,
-	TOKEN_INFO_ERR,
-	NO_SUCH_TOKEN_ERR,
-	CHANGEPW_FAILED_ERR,
-	BAD_PW_ERR,
-	DB_ACCESS_ERR,
-	AUTHENTICATION_FAILED_ERR,
-	NO_SUCH_SLOT_ERR,
-	ENABLE_FAILED_ERR,
-	UPDATE_MOD_FAILED_ERR,
-	DEFAULT_FAILED_ERR,
-	UNDEFAULT_FAILED_ERR,
-	STDIN_READ_ERR,
-	UNSPECIFIED_ERR,
-	NOCERTDB_MISUSE_ERR,
-	NSS_INITIALIZE_FAILED_ERR,
-
-	LAST_ERR /* must be last */
-} Error;
-#define SUCCESS NO_ERR
-
-/* !!! Should move this into its own .c and un-static it. */
-static char *errStrings[] = {
-	"Operation completed successfully.\n",
-	"ERROR: Invalid command line.\n",
-	"ERROR: Not expecting argument \"%s\".\n",
-	"ERROR: Unknown option: %s.\n",
-	"ERROR: %s: multiple commands are not allowed on the command line.\n",
-	"ERROR: %s: option needs an argument.\n",
-	"ERROR: %s: option cannot be given more than once.\n",
-	"ERROR: Command \"%s\" requires parameter \"%s\".\n",
-	"ERROR: Argument to -fips must be \"true\" or \"false\".\n",
-	"ERROR: No command was specified.\n",
-	"ERROR: Cannot determine database directory: use the -dbdir option.\n",
-	"ERROR: Unable to switch FIPS modes.\n",
-	"FIPS mode already enabled.\n",
-	"FIPS mode already disabled.\n",
-	"ERROR: File \"%s\" already exists.\n",
-	"ERROR: File \"%s\" does not exist.\n",
-	"ERROR: File \"%s\" is not readable.\n",
-	"ERROR: File \"%s\" is not writeable.\n",
-	"ERROR: Directory \"%s\" does not exist.\n",
-	"ERROR: Directory \"%s\" is not readable.\n",
-	"ERROR: Directory \"%s\" is not writeable.\n",
-	"\"%s\" is not a recognized value.\n",
-	"ERROR: Failed to add module \"%s\". Probable cause : \"%s\".\n",
-	"Unused error string",
-	"ERROR: Out of memory.\n",
-	"ERROR: Cannot delete internal module.\n",
-	"ERROR: Failed to delete module \"%s\".\n",
-	"ERROR: Unable to obtain lock on module list.\n",
-	"ERROR: Unable to obtain module list.\n",
-	"ERROR: Module \"%s\" not found in database.\n",
-	"ERROR: Unable to get information about module \"%s\".\n",
-	"ERROR: Unable to get information about slot \"%s\".\n",
-	"ERROR: Unable to get information about token \"%s\".\n",
-	"ERROR: Token \"%s\" not found.\n",
-	"ERROR: Unable to change password on token \"%s\".\n",
-	"ERROR: Incorrect password.\n",
-	"ERROR: Unable to access database \"%s\".\n",
-	"ERROR: Unable to authenticate to token \"%s\".\n",
-	"ERROR: Slot \"%s\" not found.\n",
-	"ERROR: Failed to %s slot \"%s\".\n",
-	"ERROR: Failed to update module \"%s\".\n",
-	"ERROR: Failed to change defaults.\n",
-	"ERROR: Failed to change default.\n",
-	"ERROR: Unable to read from standard input.\n",
-	"ERROR: Unknown error occurred.\n",
-	"ERROR: -nocertdb option can only be used with the -jar command.\n"
-	"ERROR: NSS_Initialize() failed.\n"
-};
-
-typedef enum {
-	FIPS_ENABLED_MSG=0,
-	FIPS_DISABLED_MSG,
-	USING_DBDIR_MSG,
-	CREATING_DB_MSG,
-	ADD_MODULE_SUCCESS_MSG,
-	DELETE_SUCCESS_MSG,
-	CHANGEPW_SUCCESS_MSG,
-	BAD_PW_MSG,
-	PW_MATCH_MSG,
-	DONE_MSG,
-	ENABLE_SUCCESS_MSG,
-	DEFAULT_SUCCESS_MSG,
-	UNDEFAULT_SUCCESS_MSG,
-	BROWSER_RUNNING_MSG,
-	ABORTING_MSG,
-
-	LAST_MSG  /* must be last */
-} Message;
-
-static char *msgStrings[] = {
-	"FIPS mode enabled.\n",
-	"FIPS mode disabled.\n",
-	"Using database directory %s...\n",
-	"Creating \"%s\"...",
-	"Module \"%s\" added to database.\n",
-	"Module \"%s\" deleted from database.\n",
-	"Token \"%s\" password changed successfully.\n",
-	"Incorrect password, try again...\n",
-	"Passwords do not match, try again...\n",
-	"done.\n",
-	"Slot \"%s\" %s.\n",
-	"Successfully changed defaults.\n",
-	"Successfully changed defaults.\n",
-"\nWARNING: Performing this operation while the browser is running could cause"
-"\ncorruption of your security databases. If the browser is currently running,"
-"\nyou should exit browser before continuing this operation. Type "
-"\n'q <enter>' to abort, or <enter> to continue: ",
-	"\nAborting...\n"
-};
-
-#endif /* MODUTIL_ERROR_H */
diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c
deleted file mode 100644
index 2961dc302..000000000
--- a/security/nss/cmd/modutil/install-ds.c
+++ /dev/null
@@ -1,1544 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "install-ds.h"
-#include <prmem.h>
-#include <plstr.h>
-#include <prprf.h>
-#include <string.h>
-
-#define PORT_Strcasecmp PL_strcasecmp
-
-#define MODULE_FILE_STRING "ModuleFile"
-#define MODULE_NAME_STRING "ModuleName"
-#define MECH_FLAGS_STRING "DefaultMechanismFlags"
-#define CIPHER_FLAGS_STRING "DefaultCipherFlags"
-#define FILES_STRING "Files"
-#define FORWARD_COMPATIBLE_STRING "ForwardCompatible"
-#define PLATFORMS_STRING "Platforms"
-#define RELATIVE_DIR_STRING "RelativePath"
-#define ABSOLUTE_DIR_STRING "AbsolutePath"
-#define FILE_PERMISSIONS_STRING "FilePermissions"
-#define EQUIVALENT_PLATFORM_STRING "EquivalentPlatform"
-#define EXECUTABLE_STRING "Executable"
-
-#define DEFAULT_PERMISSIONS 0777
-
-#define PLATFORM_SEPARATOR_CHAR ':'
-
-/* Error codes */
-enum {
-	BOGUS_RELATIVE_DIR=0,
-	BOGUS_ABSOLUTE_DIR,
-	BOGUS_FILE_PERMISSIONS,
-	NO_RELATIVE_DIR,
-	NO_ABSOLUTE_DIR,
-	EMPTY_PLATFORM_STRING,
-	BOGUS_PLATFORM_STRING,
-	REPEAT_MODULE_FILE,
-	REPEAT_MODULE_NAME,
-	BOGUS_MODULE_FILE,
-	BOGUS_MODULE_NAME,
-	REPEAT_MECH,
-	BOGUS_MECH_FLAGS,
-	REPEAT_CIPHER,
-	BOGUS_CIPHER_FLAGS,
-	REPEAT_FILES,
-	REPEAT_EQUIV,
-	BOGUS_EQUIV,
-	EQUIV_TOO_MUCH_INFO,
-	NO_FILES,
-	NO_MODULE_FILE,
-	NO_MODULE_NAME,
-	NO_PLATFORMS,
-	EQUIV_LOOP,
-	UNKNOWN_MODULE_FILE
-};
-
-/* Indexed by the above error codes */
-static const char *errString[] = {
-	"%s: Invalid relative directory",
-	"%s: Invalid absolute directory",
-	"%s: Invalid file permissions",
-	"%s: No relative directory specified",
-	"%s: No absolute directory specified",
-	"Empty string given for platform name",
-	"%s: invalid platform string",
-	"More than one ModuleFile entry given for platform %s",
-	"More than one ModuleName entry given for platform %s",
-	"Invalid ModuleFile specification for platform %s",
-	"Invalid ModuleName specification for platform %s",
-	"More than one DefaultMechanismFlags entry given for platform %s",
-	"Invalid DefaultMechanismFlags specification for platform %s",
-	"More than one DefaultCipherFlags entry given for platform %s",
-	"Invalid DefaultCipherFlags entry given for platform %s",
-	"More than one Files entry given for platform %s",
-	"More than one EquivalentPlatform entry given for platform %s",
-	"Invalid EquivalentPlatform specification for platform %s",
-	"Module %s uses an EquivalentPlatform but also specifies its own"
-		" information",
-	"No Files specification in module %s",
-	"No ModuleFile specification in module %s",
-	"No ModuleName specification in module %s",
-	"No Platforms specification in installer script",
-	"Platform %s has an equivalency loop",
-	"Module file \"%s\" in platform \"%s\" does not exist"
-};
-
-static char* PR_Strdup(const char* str);
-
-#define PAD(x)  {int i; for(i=0;i<x;i++) printf(" ");}
-#define PADINC 4
-
-Pk11Install_File*
-Pk11Install_File_new()
-{
-	Pk11Install_File* new_this;
-	new_this = (Pk11Install_File*)PR_Malloc(sizeof(Pk11Install_File));
-	Pk11Install_File_init(new_this);
-	return new_this;
-}
-
-void
-Pk11Install_File_init(Pk11Install_File* _this)
-{
-	_this->jarPath=NULL;
-	_this->relativePath=NULL;
-	_this->absolutePath=NULL;
-	_this->executable=PR_FALSE;
-	_this->permissions=0;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	~Pk11Install_File
-// Class:	Pk11Install_File
-// Notes:	Destructor.
-*/
-void
-Pk11Install_File_delete(Pk11Install_File* _this)
-{
-	Pk11Install_File_Cleanup(_this);
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Cleanup
-// Class:	Pk11Install_File
-*/
-void
-Pk11Install_File_Cleanup(Pk11Install_File* _this)
-{
-	if(_this->jarPath) {
-		PR_Free(_this->jarPath);
-		_this->jarPath = NULL;
-	}
-	if(_this->relativePath) {
-		PR_Free(_this->relativePath);
-		_this->relativePath = NULL;
-	}
-	if(_this->absolutePath) {
-		PR_Free(_this->absolutePath);
-		_this->absolutePath = NULL;
-	}
-
-	_this->permissions = 0;
-	_this->executable = PR_FALSE;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Generate
-// Class:	Pk11Install_File
-// Notes:	Creates a file data structure from a syntax tree.
-// Returns:	NULL for success, otherwise an error message.
-*/
-char*
-Pk11Install_File_Generate(Pk11Install_File* _this,
-                          const Pk11Install_Pair *pair)
-{
-	Pk11Install_ListIter *iter;
-	Pk11Install_Value *val;
-	Pk11Install_Pair *subpair;
-	Pk11Install_ListIter *subiter;
-	Pk11Install_Value *subval;
-	char* errStr;
-	char *endp;
-	PRBool gotPerms;
-
-	iter=NULL;
-	subiter=NULL;
-	errStr=NULL;
-	gotPerms=PR_FALSE;
-
-	/* Clear out old values */
-	Pk11Install_File_Cleanup(_this);
-
-	_this->jarPath = PR_Strdup(pair->key);
-
-	/* Go through all the pairs under this file heading */
-	iter = Pk11Install_ListIter_new(pair->list);
-	for( ; (val = iter->current); Pk11Install_ListIter_nextItem(iter)) {
-		if(val->type == PAIR_VALUE) {
-			subpair = val->pair;
-
-			/* Relative directory */
-			if(!PORT_Strcasecmp(subpair->key, RELATIVE_DIR_STRING)) {
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)){
-					errStr = PR_smprintf(errString[BOGUS_RELATIVE_DIR], 
-                                    _this->jarPath);
-					goto loser;
-				}
-				_this->relativePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
-
-				/* Absolute directory */
-			} else if( !PORT_Strcasecmp(subpair->key, ABSOLUTE_DIR_STRING)) {
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)){
-					errStr = PR_smprintf(errString[BOGUS_ABSOLUTE_DIR], 
-                                    _this->jarPath);
-					goto loser;
-				}
-				_this->absolutePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
-
-			/* file permissions */
-			} else if( !PORT_Strcasecmp(subpair->key,
-                                     FILE_PERMISSIONS_STRING)) {
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)){
-					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
-                                    _this->jarPath);
-					goto loser;
-				}
-				_this->permissions = (int) strtol(subval->string, &endp, 8);
-				if(*endp != '\0' || subval->string == "\0") {
-					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
-                                    _this->jarPath);
-					goto loser;
-				}
-				gotPerms = PR_TRUE;
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
-			}
-		} else {
-			if(!PORT_Strcasecmp(val->string, EXECUTABLE_STRING)) {
-				_this->executable = PR_TRUE;
-			}
-		}
-	}
-
-	/* Default permission value */
-	if(!gotPerms) {
-		_this->permissions = DEFAULT_PERMISSIONS;
-	}
-
-	/* Make sure we got all the information */
-	if(!_this->relativePath && !_this->absolutePath) {
-		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
-		goto loser;
-	}
-#if 0
-	if(!_this->relativePath ) {
-		errStr = PR_smprintf(errString[NO_RELATIVE_DIR], _this->jarPath);
-		goto loser;
-	}
-	if(!_this->absolutePath) {
-		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
-		goto loser;
-	}
-#endif
-
-loser:
-	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
-	}
-	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
-	}
-	return errStr;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Print
-// Class:	Pk11Install_File
-*/
-void
-Pk11Install_File_Print(Pk11Install_File* _this, int pad)
-{
-	PAD(pad); printf("jarPath: %s\n", 
-                    _this->jarPath ? _this->jarPath : "<NULL>");
-	PAD(pad); printf("relativePath: %s\n",
-				_this->relativePath ? _this->relativePath: "<NULL>");
-	PAD(pad); printf("absolutePath: %s\n",
-				_this->absolutePath ? _this->absolutePath: "<NULL>");
-	PAD(pad); printf("permissions: %o\n", _this->permissions);
-}
-
-Pk11Install_PlatformName*
-Pk11Install_PlatformName_new()
-{
-	Pk11Install_PlatformName* new_this;
-	new_this = (Pk11Install_PlatformName*)
-               PR_Malloc(sizeof(Pk11Install_PlatformName));
-	Pk11Install_PlatformName_init(new_this);
-	return new_this;
-}
-
-void
-Pk11Install_PlatformName_init(Pk11Install_PlatformName* _this)
-{
-	_this->OS = NULL;
-	_this->verString = NULL;
-	_this->numDigits = 0;
-	_this->arch = NULL;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	~Pk11Install_PlatformName
-// Class:	Pk11Install_PlatformName
-*/
-void
-Pk11Install_PlatformName_delete(Pk11Install_PlatformName* _this)
-{
-	Pk11Install_PlatformName_Cleanup(_this);
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Cleanup
-// Class:	Pk11Install_PlatformName
-*/
-void
-Pk11Install_PlatformName_Cleanup(Pk11Install_PlatformName* _this)
-{
-	if(_this->OS) {
-		PR_Free(_this->OS);
-		_this->OS = NULL;
-	}
-	if(_this->verString) {
-		int i;
-		for (i=0; i<_this->numDigits; i++) {
-			PR_Free(_this->verString[i]);
-		}
-		PR_Free(_this->verString);
-		_this->verString = NULL;
-	}
-	if(_this->arch) {
-		PR_Free(_this->arch);
-		_this->arch = NULL;
-	}
-	_this->numDigits = 0;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Generate
-// Class:	Pk11Install_PlatformName
-// Notes:	Extracts the information from a platform string.
-*/
-char*
-Pk11Install_PlatformName_Generate(Pk11Install_PlatformName* _this,
-                                  const char *str)
-{
-	char *errStr;
-	char *copy;
-	char *end, *start; /* start and end of a section (OS, version, arch)*/
-	char *pend, *pstart; /* start and end of one portion of version*/
-	char *endp; /* used by strtol*/
-	int periods, i;
-
-	errStr=NULL;
-	copy=NULL;
-
-	if(!str) {
-		errStr = PR_smprintf(errString[EMPTY_PLATFORM_STRING]);
-		goto loser;
-	}
-	copy = PR_Strdup(str);
-
-	/*
-	// Get the OS
-	*/
-	end = strchr(copy, PLATFORM_SEPARATOR_CHAR);
-	if(!end || end==copy) {
-		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-		goto loser;
-	}
-	*end = '\0';
-
-	_this->OS = PR_Strdup(copy);
-
-	/*
-	// Get the digits of the version of form: x.x.x (arbitrary number of digits)
-	*/
-
-	start = end+1;
-	end = strchr(start, PLATFORM_SEPARATOR_CHAR);
-	if(!end) {
-		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-		goto loser;
-	}
-	*end = '\0';
-
-	if(end!=start) { 
-		/* Find out how many periods*/
-		periods = 0;
-		pstart = start;
-		while( (pend=strchr(pstart, '.')) ) {
-			periods++;
-			pstart = pend+1;
-		}
-		_this->numDigits= 1+ periods;
-		_this->verString = (char**)PR_Malloc(sizeof(char*)*_this->numDigits);
-
-		pstart = start;
-		i = 0;
-		/* Get the digits before each period*/
-		while( (pend=strchr(pstart, '.')) ) {
-			if(pend == pstart) {
-				errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-				goto loser;
-			}
-			*pend = '\0';
-			_this->verString[i] = PR_Strdup(pstart);
-			endp = pend;
-		if(endp==pstart || (*endp != '\0')) {
-				errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-				goto loser;
-			}
-			pstart = pend+1;
-			i++;
-		}
-		/* Last digit comes after the last period*/
-		if(*pstart == '\0') {
-			errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-			goto loser;
-		}
-		_this->verString[i] = PR_Strdup(pstart);
-		/*
-		if(endp==pstart || (*endp != '\0')) {
-			errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-			goto loser;
-		}
-		*/
-	} else {
-		_this->verString = NULL;
-		_this->numDigits = 0;
-	}
-
-	/*
-	// Get the architecture
-	*/
-	start = end+1;
-	if( strchr(start, PLATFORM_SEPARATOR_CHAR) ) {
-		errStr = PR_smprintf(errString[BOGUS_PLATFORM_STRING], str);
-		goto loser;
-	}
-	_this->arch = PR_Strdup(start);
-
-	if(copy) {
-		PR_Free(copy);
-	}
-	return NULL;
-loser:
-	if(_this->OS) {
-		PR_Free(_this->OS);
-		_this->OS = NULL;
-	}
-	if(_this->verString) {
-		for (i=0; i<_this->numDigits; i++) {
-			PR_Free(_this->verString[i]);
-		}
-		PR_Free(_this->verString);
-		_this->verString = NULL;
-	}
-	_this->numDigits = 0;
-	if(_this->arch) {
-		PR_Free(_this->arch);
-		_this->arch = NULL;
-	}
-
-	return errStr;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	operator ==
-// Class:	Pk11Install_PlatformName
-// Returns:	PR_TRUE if the platform have the same OS, arch, and version
-*/
-PRBool
-Pk11Install_PlatformName_equal(Pk11Install_PlatformName* _this,
-                               Pk11Install_PlatformName* cmp) 
-{
-	int i;
-
-	if(!_this->OS || !_this->arch || !cmp->OS || !cmp->arch) {
-		return PR_FALSE;
-	}
-
-	if(	PORT_Strcasecmp(_this->OS, cmp->OS) ||
-		PORT_Strcasecmp(_this->arch, cmp->arch) ||
-		_this->numDigits != cmp->numDigits ) {
-			return PR_FALSE;
-	}
-
-	for(i=0; i < _this->numDigits; i++) {
-		if(PORT_Strcasecmp(_this->verString[i], cmp->verString[i])) {
-			return PR_FALSE;
-		}
-	}
-	return PR_TRUE;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	operator <=
-// Class:	Pk11Install_PlatformName
-// Returns:	PR_TRUE if the platform have the same OS and arch and a lower
-//			or equal release.
-*/
-PRBool
-Pk11Install_PlatformName_lteq(Pk11Install_PlatformName* _this,
-                              Pk11Install_PlatformName* cmp)
-{
-	return (Pk11Install_PlatformName_equal(_this,cmp) ||
-          Pk11Install_PlatformName_lt(_this,cmp)) ? PR_TRUE : PR_FALSE;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	operator <
-// Class:	Pk11Install_PlatformName
-// Returns:	PR_TRUE if the platform have the same OS and arch and a greater
-//			release.
-*/
-PRBool
-Pk11Install_PlatformName_lt(Pk11Install_PlatformName* _this,
-                            Pk11Install_PlatformName* cmp)
-{
-	int i, scmp;
-
-	if(!_this->OS || !_this->arch || !cmp->OS || !cmp->arch) {
-		return PR_FALSE;
-	}
-
-	if( PORT_Strcasecmp(_this->OS, cmp->OS) ) {
-		return PR_FALSE;
-	}
-	if( PORT_Strcasecmp(_this->arch, cmp->arch) ) {
-		return PR_FALSE;
-	}
-
-	for(i=0; (i < _this->numDigits) && (i < cmp->numDigits); i++) {
-		scmp = PORT_Strcasecmp(_this->verString[i], cmp->verString[i]);
-		if (scmp > 0) {
-			return PR_FALSE;
-		} else if (scmp < 0) {
-			return PR_TRUE;
-		}
-	}
-	/* All the digits they have in common are the same. */
-	if(_this->numDigits < cmp->numDigits) {
-		return  PR_TRUE;
-	} 
-
-	return PR_FALSE;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	GetString
-// Class:	Pk11Install_PlatformName
-// Returns:	String composed of OS, release, and architecture separated
-//			by the separator char.  Memory is allocated by this function
-//			but is the responsibility of the caller to de-allocate.
-*/
-char*
-Pk11Install_PlatformName_GetString(Pk11Install_PlatformName* _this) 
-{
-	char *ret;
-	char *ver;
-	char *OS_;
-	char *arch_;
-
-	OS_=NULL;
-	arch_=NULL;
-
-	OS_ = _this->OS ? _this->OS : "";
-	arch_ = _this->arch ? _this->arch : "";
-
-	ver = Pk11Install_PlatformName_GetVerString(_this);
-	ret = PR_smprintf("%s%c%s%c%s", OS_, PLATFORM_SEPARATOR_CHAR, ver,
-					PLATFORM_SEPARATOR_CHAR, arch_);
-
-	PR_Free(ver);
-
-	return ret;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	GetVerString
-// Class:	Pk11Install_PlatformName
-// Returns:	The version string for this platform, in the form x.x.x with an
-//			arbitrary number of digits.  Memory allocated by function,
-//			must be de-allocated by caller.
-*/
-char*
-Pk11Install_PlatformName_GetVerString(Pk11Install_PlatformName* _this) 
-{
-	char *tmp;
-	char *ret;
-	int i;
-	char buf[80];
-
-	tmp = (char*)PR_Malloc(80*_this->numDigits+1);
-	tmp[0] = '\0';
-
-	for(i=0; i < _this->numDigits-1; i++) {
-		sprintf(buf, "%s.", _this->verString[i]);
-		strcat(tmp, buf);
-	}
-	if(i < _this->numDigits) {
-		sprintf(buf, "%s", _this->verString[i]);
-		strcat(tmp, buf);
-	}
-
-	ret = PR_Strdup(tmp);
-	free(tmp);
-
-	return ret;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Print
-// Class:	Pk11Install_PlatformName
-*/
-void
-Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad)
-{
-	PAD(pad); printf("OS: %s\n", _this->OS ? _this->OS : "<NULL>");
-	PAD(pad); printf("Digits: ");
-	if(_this->numDigits == 0) {
-		printf("None\n");
-	} else {
-		printf("%s\n", Pk11Install_PlatformName_GetVerString(_this));
-	}
-	PAD(pad); printf("arch: %s\n", _this->arch ? _this->arch : "<NULL>");
-}
-
-Pk11Install_Platform*
-Pk11Install_Platform_new()
-{
-	Pk11Install_Platform* new_this;
-	new_this = (Pk11Install_Platform*)PR_Malloc(sizeof(Pk11Install_Platform));
-	Pk11Install_Platform_init(new_this);
-	return new_this;
-}
-
-void
-Pk11Install_Platform_init(Pk11Install_Platform* _this)
-{
-	Pk11Install_PlatformName_init(&_this->name);
-	Pk11Install_PlatformName_init(&_this->equivName);
-	_this->equiv = NULL;
-	_this->usesEquiv = PR_FALSE;
-	_this->moduleFile = NULL;
-	_this->moduleName = NULL;
-	_this->modFile = -1;
-	_this->mechFlags = 0;
-	_this->cipherFlags = 0;
-	_this->files = NULL;
-	_this->numFiles = 0;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	~Pk11Install_Platform
-// Class:	Pk11Install_Platform
-*/
-void
-Pk11Install_Platform_delete(Pk11Install_Platform* _this)
-{
-	Pk11Install_Platform_Cleanup(_this);
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Cleanup
-// Class:	Pk11Install_Platform
-*/
-void
-Pk11Install_Platform_Cleanup(Pk11Install_Platform* _this)
-{
-	int i;
-	if(_this->moduleFile) {
-		PR_Free(_this->moduleFile);
-		_this->moduleFile = NULL;
-	}
-	if(_this->moduleName) {
-		PR_Free(_this->moduleName);
-		_this->moduleName = NULL;
-	}
-	if(_this->files) {
-		for (i=0;i<_this->numFiles;i++) {
-			Pk11Install_File_delete(&_this->files[i]);
-		}
-		PR_Free(_this->files);
-		_this->files = NULL;
-	}
-	_this->equiv = NULL;
-	_this->usesEquiv = PR_FALSE;
-	_this->modFile = -1;
-	_this->numFiles = 0;
-	_this->mechFlags = _this->cipherFlags = 0;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:	Generate
-// Class:	Pk11Install_Platform
-// Notes:	Creates a platform data structure from a syntax tree.
-// Returns:	NULL for success, otherwise an error message.
-*/
-char*
-Pk11Install_Platform_Generate(Pk11Install_Platform* _this,
-                              const Pk11Install_Pair *pair)
-{
-	char* errStr;
-	char* endptr;
-	char* tmp;
-	int i;
-	Pk11Install_ListIter *iter;
-	Pk11Install_Value *val;
-	Pk11Install_Value *subval;
-	Pk11Install_Pair *subpair;
-	Pk11Install_ListIter *subiter;
-	PRBool gotModuleFile, gotModuleName, gotMech, 
-          gotCipher, gotFiles, gotEquiv;
-
-	errStr=NULL;
-	iter=subiter=NULL;
-	val=subval=NULL;
-	subpair=NULL;
-	gotModuleFile=gotModuleName=gotMech=gotCipher=gotFiles=gotEquiv=PR_FALSE;
-	Pk11Install_Platform_Cleanup(_this);
-
-	errStr = Pk11Install_PlatformName_Generate(&_this->name,pair->key);
-	if(errStr) {
-		tmp = PR_smprintf("%s: %s", pair->key, errStr);
-		PR_smprintf_free(errStr);
-		errStr = tmp;
-		goto loser;
-	}
-
-	iter = Pk11Install_ListIter_new(pair->list);
-	for( ; (val=iter->current); Pk11Install_ListIter_nextItem(iter)) {
-		if(val->type==PAIR_VALUE) {
-			subpair = val->pair;
-
-			if( !PORT_Strcasecmp(subpair->key, MODULE_FILE_STRING)) {
-				if(gotModuleFile) {
-					errStr = PR_smprintf(errString[REPEAT_MODULE_FILE],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)) {
-					errStr = PR_smprintf(errString[BOGUS_MODULE_FILE],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				_this->moduleFile = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
-				gotModuleFile = PR_TRUE;
-			} else if(!PORT_Strcasecmp(subpair->key, MODULE_NAME_STRING)){
-				if(gotModuleName) {
-					errStr = PR_smprintf(errString[REPEAT_MODULE_NAME],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)) {
-					errStr = PR_smprintf(errString[BOGUS_MODULE_NAME],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				_this->moduleName = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
-				gotModuleName = PR_TRUE;
-			} else if(!PORT_Strcasecmp(subpair->key, MECH_FLAGS_STRING)) {
-				endptr=NULL;
-
-				if(gotMech) {
-					errStr = PR_smprintf(errString[REPEAT_MECH],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)) {
-					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				_this->mechFlags = strtol(subval->string, &endptr, 0);
-				if(*endptr!='\0' || (endptr==subval->string) ) {
-					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
-				gotMech = PR_TRUE;
-			} else if(!PORT_Strcasecmp(subpair->key,CIPHER_FLAGS_STRING)) {
-				endptr=NULL;
-
-				if(gotCipher) {
-					errStr = PR_smprintf(errString[REPEAT_CIPHER],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE)) {
-					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				_this->cipherFlags = strtol(subval->string, &endptr, 0);
-				if(*endptr!='\0' || (endptr==subval->string) ) {
-					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
-				gotCipher = PR_TRUE;
-			} else if(!PORT_Strcasecmp(subpair->key, FILES_STRING)) {
-				if(gotFiles) {
-					errStr = PR_smprintf(errString[REPEAT_FILES],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				_this->numFiles = subpair->list->numPairs;
-				_this->files = (Pk11Install_File*)
-                            PR_Malloc(sizeof(Pk11Install_File)*_this->numFiles);
-				for(i=0; i < _this->numFiles; i++, 
-                                   Pk11Install_ListIter_nextItem(subiter)) {
-					Pk11Install_File_init(&_this->files[i]);
-					val = subiter->current;
-					if(val && (val->type==PAIR_VALUE)) {
-						errStr = Pk11Install_File_Generate(&_this->files[i],val->pair);
-						if(errStr) {
-							tmp = PR_smprintf("%s: %s", 
-                                       Pk11Install_PlatformName_GetString(&_this->name),errStr);
-							PR_smprintf_free(errStr);
-							errStr = tmp;
-							goto loser;
-						}
-					}
-				}
-				gotFiles = PR_TRUE;
-			} else if(!PORT_Strcasecmp(subpair->key,
-                                    EQUIVALENT_PLATFORM_STRING)) {
-				if(gotEquiv) {
-					errStr = PR_smprintf(errString[REPEAT_EQUIV],
-                                    Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				subiter = Pk11Install_ListIter_new(subpair->list);
-				subval = subiter->current;
-				if(!subval || (subval->type != STRING_VALUE) ) {
-					errStr = PR_smprintf(errString[BOGUS_EQUIV],
-                               Pk11Install_PlatformName_GetString(&_this->name));
-					goto loser;
-				}
-				errStr = Pk11Install_PlatformName_Generate(&_this->equivName,
-                                                       subval->string);
-				if(errStr) {
-					tmp = PR_smprintf("%s: %s", 
-                            Pk11Install_PlatformName_GetString(&_this->name), errStr);
-					tmp = PR_smprintf("%s: %s", 
-                            Pk11Install_PlatformName_GetString(&_this->name), errStr);
-					PR_smprintf_free(errStr);
-					errStr = tmp;
-					goto loser;
-				}
-				_this->usesEquiv = PR_TRUE;
-			}
-		}
-	}
-
-	/* Make sure we either have an EquivalentPlatform or all the other info */
-	if(_this->usesEquiv &&
-		(gotFiles || gotModuleFile || gotModuleName || gotMech || gotCipher)) {
-		errStr = PR_smprintf(errString[EQUIV_TOO_MUCH_INFO], 
-                           Pk11Install_PlatformName_GetString(&_this->name));
-		goto loser;
-	}
-	if(!gotFiles && !_this->usesEquiv) {
-		errStr = PR_smprintf(errString[NO_FILES], 
-                           Pk11Install_PlatformName_GetString(&_this->name));
-		goto loser;
-	}
-	if(!gotModuleFile && !_this->usesEquiv) {
-		errStr= PR_smprintf(errString[NO_MODULE_FILE], 
-                          Pk11Install_PlatformName_GetString(&_this->name));
-		goto loser;
-	}
-	if(!gotModuleName && !_this->usesEquiv) {
-		errStr = PR_smprintf(errString[NO_MODULE_NAME], 
-                          Pk11Install_PlatformName_GetString(&_this->name));
-		goto loser;
-	}
-
-	/* Point the modFile pointer to the correct file */
-	if(gotModuleFile) {
-		for(i=0; i < _this->numFiles; i++) {
-			if(!PORT_Strcasecmp(_this->moduleFile, _this->files[i].jarPath) ) {
-				_this->modFile = i;
-				break;
-			}
-		}
-		if(_this->modFile==-1) {
-			errStr = PR_smprintf(errString[UNKNOWN_MODULE_FILE], 
-                              _this->moduleFile,
-                              Pk11Install_PlatformName_GetString(&_this->name));
-			goto loser;
-		}
-	}
-	
-loser:
-	if(iter) {
-		PR_Free(iter);
-	}
-	if(subiter) {
-		PR_Free(subiter);
-	}
-	return errStr;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		Print
-// Class:		Pk11Install_Platform
-*/
-void
-Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad)
-{
-	int i;
-
-	PAD(pad); printf("Name:\n"); 
-	Pk11Install_PlatformName_Print(&_this->name,pad+PADINC);
-	PAD(pad); printf("equivName:\n"); 
-	Pk11Install_PlatformName_Print(&_this->equivName,pad+PADINC);
-	PAD(pad);
-	if(_this->usesEquiv) {
-		printf("Uses equiv, which points to:\n");
-		Pk11Install_Platform_Print(_this->equiv,pad+PADINC);
-	} else {
-		printf("Doesn't use equiv\n");
-	}
-	PAD(pad); 
-	printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile 
-                                                 : "<NULL>");
-	PAD(pad); printf("mechFlags: %lx\n", _this->mechFlags);
-	PAD(pad); printf("cipherFlags: %lx\n", _this->cipherFlags);
-	PAD(pad); printf("Files:\n");
-	for(i=0; i < _this->numFiles; i++) {
-		Pk11Install_File_Print(&_this->files[i],pad+PADINC);
-		PAD(pad); printf("--------------------\n");
-	}
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		Pk11Install_Info
-// Class:		Pk11Install_Info
-*/
-Pk11Install_Info*
-Pk11Install_Info_new()
-{
-	Pk11Install_Info* new_this;
-	new_this = (Pk11Install_Info*)PR_Malloc(sizeof(Pk11Install_Info));
-	Pk11Install_Info_init(new_this);
-	return new_this;
-}
-
-void
-Pk11Install_Info_init(Pk11Install_Info* _this)
-{
-	_this->platforms = NULL;
-	_this->numPlatforms = 0;
-	_this->forwardCompatible = NULL;
-	_this->numForwardCompatible = 0;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		~Pk11Install_Info
-// Class:		Pk11Install_Info
-*/
-void
-Pk11Install_Info_delete(Pk11Install_Info* _this)
-{
-	Pk11Install_Info_Cleanup(_this);
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		Cleanup
-// Class:		Pk11Install_Info
-*/
-void
-Pk11Install_Info_Cleanup(Pk11Install_Info* _this)
-{
-	int i;
-	if(_this->platforms) {
-		for (i=0;i<_this->numPlatforms;i++) {
-			Pk11Install_Platform_delete(&_this->platforms[i]);
-		}
-		PR_Free(&_this->platforms);
-		_this->platforms = NULL;
-		_this->numPlatforms = 0;
-	}
-
-	if(_this->forwardCompatible) {
-		for (i=0;i<_this->numForwardCompatible;i++) {
-			Pk11Install_PlatformName_delete(&_this->forwardCompatible[i]);
-		}
-		PR_Free(&_this->forwardCompatible);
-		_this->numForwardCompatible = 0;
-	}
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		Generate
-// Class:		Pk11Install_Info
-// Takes:		Pk11Install_ValueList *list, the top-level list
-//				resulting from parsing an installer file.
-// Returns:		char*, NULL if successful, otherwise an error string.
-//				Caller is responsible for freeing memory.
-*/
-char*
-Pk11Install_Info_Generate(Pk11Install_Info* _this,
-                          const Pk11Install_ValueList *list)
-{
-	char *errStr;
-	Pk11Install_ListIter *iter;
-	Pk11Install_Value *val;
-	Pk11Install_Pair *pair;
-	Pk11Install_ListIter *subiter;
-	Pk11Install_Value *subval;
-	Pk11Install_Platform *first, *second;
-	int i, j;
-
-	errStr=NULL;
-	iter=subiter=NULL;
-	Pk11Install_Info_Cleanup(_this);
-
-	iter = Pk11Install_ListIter_new(list);
-	for( ; (val=iter->current); Pk11Install_ListIter_nextItem(iter)) {
-		if(val->type == PAIR_VALUE) {
-			pair = val->pair;
-
-			if(!PORT_Strcasecmp(pair->key, FORWARD_COMPATIBLE_STRING)) {
-				subiter = Pk11Install_ListIter_new(pair->list);
-				_this->numForwardCompatible = pair->list->numStrings;
-				_this->forwardCompatible = (Pk11Install_PlatformName*)
-                                        PR_Malloc(sizeof(Pk11Install_PlatformName)*
-                                               _this->numForwardCompatible);
-				for(i=0; i < _this->numForwardCompatible; i++, 
-                       Pk11Install_ListIter_nextItem(subiter)) {
-					subval = subiter->current;
-					if(subval->type == STRING_VALUE) {
-						errStr = Pk11Install_PlatformName_Generate(
-                              &_this->forwardCompatible[i], subval->string);
-						if(errStr) {
-							goto loser;
-						}
-					}
-				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
-			} else if(!PORT_Strcasecmp(pair->key, PLATFORMS_STRING)) {
-				subiter = Pk11Install_ListIter_new(pair->list);
-				_this->numPlatforms = pair->list->numPairs;
-				_this->platforms = (Pk11Install_Platform*)
-                            PR_Malloc(sizeof(Pk11Install_Platform)*
-                            _this->numPlatforms);
-				for(i=0; i < _this->numPlatforms; i++, 
-                       Pk11Install_ListIter_nextItem(subiter)) {
-					 Pk11Install_Platform_init(&_this->platforms[i]);
-					subval = subiter->current;
-					if(subval->type == PAIR_VALUE) {
-						errStr = Pk11Install_Platform_Generate(&_this->platforms[i],subval->pair);
-						if(errStr) {
-							goto loser;
-						}
-					}
-				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
-			}
-		}
-	}
-
-	if(_this->numPlatforms == 0) {
-		errStr = PR_smprintf(errString[NO_PLATFORMS]);
-		goto loser;
-	}
-
-/*
-	//
-	// Now process equivalent platforms
-	//
-
-	// First the naive pass
-*/
-	for(i=0; i < _this->numPlatforms; i++) {
-		if(_this->platforms[i].usesEquiv) {
-			_this->platforms[i].equiv = NULL;
-			for(j=0; j < _this->numPlatforms; j++) {
-				if (Pk11Install_PlatformName_equal(&_this->platforms[i].equivName,
-                                           &_this->platforms[j].name)) {
-					if(i==j) {
-						errStr = PR_smprintf(errString[EQUIV_LOOP],
-                              Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
-						goto loser;
-					}
-					_this->platforms[i].equiv = &_this->platforms[j];
-					break;
-				}
-			}
-			if(_this->platforms[i].equiv == NULL) {
-				errStr = PR_smprintf(errString[BOGUS_EQUIV],
-                       Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
-				goto loser;
-			}
-		}
-	}
-
-/*
-	// Now the intelligent pass, which will also detect loops.
-	// We will send two pointers through the linked list of equivalent
-	// platforms. Both start with the current node.  "first" traverses
-	// two nodes for each iteration.  "second" lags behind, only traversing
-	// one node per iteration.  Eventually one of two things will happen:
-	// first will hit the end of the list (a platform that doesn't use
-	// an equivalency), or first will equal second if there is a loop.
-*/
-	for(i=0; i < _this->numPlatforms; i++) {
-		if(_this->platforms[i].usesEquiv) {
-			second = _this->platforms[i].equiv;
-			if(!second->usesEquiv) {
-				/* The first link is the terminal node */
-				continue;
-			}
-			first = second->equiv;
-			while(first->usesEquiv) {
-				if(first == second) {
-					errStr = PR_smprintf(errString[EQUIV_LOOP],
-                         Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
-					goto loser;
-				}
-				first = first->equiv;
-				if(!first->usesEquiv) {
-					break;
-				}
-				if(first == second) {
-					errStr = PR_smprintf(errString[EQUIV_LOOP],
-                       Pk11Install_PlatformName_GetString(&_this->platforms[i].name));
-					goto loser;
-				}
-				second = second->equiv;
-				first = first->equiv;
-			}
-			_this->platforms[i].equiv = first;
-		}
-	}
-
-loser:
-	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
-		iter = NULL;
-	}
-	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
-		subiter = NULL;
-	}
-	return errStr;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		GetBestPlatform
-// Class:		Pk11Install_Info
-// Takes:		char *myPlatform, the platform we are currently running
-//				on.
-*/
-Pk11Install_Platform*
-Pk11Install_Info_GetBestPlatform(Pk11Install_Info* _this, char *myPlatform)
-{
-	Pk11Install_PlatformName plat;
-	char *errStr;
-	int i, j;
-
-	errStr=NULL;
-
-	Pk11Install_PlatformName_init(&plat);
-	if( (errStr=Pk11Install_PlatformName_Generate(&plat, myPlatform)) ) {
-		PR_smprintf_free(errStr);
-		return NULL;
-	}
-
-	/* First try real platforms */
-	for(i=0; i < _this->numPlatforms; i++) {
-		if(Pk11Install_PlatformName_equal(&_this->platforms[i].name,&plat)) {
-			if(_this->platforms[i].equiv) {
-				return _this->platforms[i].equiv;
-			}
-			else {
-				return &_this->platforms[i];
-			}
-		}
-	}
-
-	/* Now try forward compatible platforms */
-	for(i=0; i < _this->numForwardCompatible; i++) {
-		if(Pk11Install_PlatformName_lteq(&_this->forwardCompatible[i],&plat)) {
-			break;
-		}
-	}
-	if(i == _this->numForwardCompatible) {
-		return NULL;
-	}
-
-	/* Got a forward compatible name, find the actual platform. */
-	for(j=0; j < _this->numPlatforms; j++) {
-		if(Pk11Install_PlatformName_equal(&_this->platforms[j].name,
-         &_this->forwardCompatible[i])) {
-			if(_this->platforms[j].equiv) {
-				return _this->platforms[j].equiv;
-			} else {
-				return &_this->platforms[j];
-			}
-		}
-	}
-
-	return NULL;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Method:		Print
-// Class:		Pk11Install_Info
-*/
-void
-Pk11Install_Info_Print(Pk11Install_Info* _this, int pad)
-{
-	int i;
-
-	PAD(pad); printf("Forward Compatible:\n");
-	for(i = 0; i < _this->numForwardCompatible; i++) {
-		Pk11Install_PlatformName_Print(&_this->forwardCompatible[i],pad+PADINC);
-		PAD(pad); printf("-------------------\n");
-	}
-	PAD(pad); printf("Platforms:\n");
-	for( i = 0; i < _this->numPlatforms; i++) {
-		Pk11Install_Platform_Print(&_this->platforms[i],pad+PADINC);
-		PAD(pad); printf("-------------------\n");
-	}
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-*/
-static char*
-PR_Strdup(const char* str)
-{
-	char *tmp;
-	tmp = (char*) PR_Malloc((unsigned int)(strlen(str)+1));
-	strcpy(tmp, str);
-	return tmp;
-}
-
-/* The global value list, the top of the tree */
-Pk11Install_ValueList* Pk11Install_valueList=NULL;
-
-/****************************************************************************/
-void
-Pk11Install_ValueList_AddItem(Pk11Install_ValueList* _this,
-                              Pk11Install_Value *item)
-{
-	_this->numItems++;
-	if (item->type == STRING_VALUE) {
-		_this->numStrings++;
-	} else {
-		_this->numPairs++;
-	}
-	item->next = _this->head;
-	_this->head = item;
-}
-
-/****************************************************************************/
-Pk11Install_ListIter*
-Pk11Install_ListIter_new_default()
-{
-	Pk11Install_ListIter* new_this;
-	new_this = (Pk11Install_ListIter*)
-                    PR_Malloc(sizeof(Pk11Install_ListIter));
-	Pk11Install_ListIter_init(new_this);
-	return new_this;
-}
-
-/****************************************************************************/
-void
-Pk11Install_ListIter_init(Pk11Install_ListIter* _this)
-{
-	_this->list = NULL;
-	_this->current = NULL;
-}
-
-/****************************************************************************/
-Pk11Install_ListIter*
-Pk11Install_ListIter_new(const Pk11Install_ValueList *_list)
-{
-	Pk11Install_ListIter* new_this;
-	new_this = (Pk11Install_ListIter*)
-                    PR_Malloc(sizeof(Pk11Install_ListIter));
-	new_this->list = _list;
-	new_this->current = _list->head;
-	return new_this;
-}
-
-/****************************************************************************/
-void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this)
-{
-	_this->list=NULL;
-	_this->current=NULL;
-}
-
-/****************************************************************************/
-void
-Pk11Install_ListIter_reset(Pk11Install_ListIter* _this)
-{
-	if(_this->list) {
-		_this->current = _this->list->head;
-	}
-}
-
-/*************************************************************************/
-Pk11Install_Value*
-Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this)
-{
-	if(_this->current) {
-		_this->current = _this->current->next;
-	}
-
-	return _this->current;
-}
-
-/****************************************************************************/
-Pk11Install_ValueList*
-Pk11Install_ValueList_new()
-{
-	Pk11Install_ValueList* new_this;
-	new_this = (Pk11Install_ValueList*)
-                    PR_Malloc(sizeof(Pk11Install_ValueList));
-	new_this->numItems = 0;
-	new_this->numPairs = 0;
-	new_this->numStrings = 0;
-	new_this->head = NULL;
-	return new_this;
-}
-
-/****************************************************************************/
-void
-Pk11Install_ValueList_delete(Pk11Install_ValueList* _this)
-{
-
-	Pk11Install_Value *tmp;
-	Pk11Install_Value *list;
-	list = _this->head;
-	
-	while(list != NULL) {
-		tmp = list;
-		list = list->next;
-		PR_Free(tmp);
-	}
-	PR_Free(_this);
-}
-
-/****************************************************************************/
-Pk11Install_Value*
-Pk11Install_Value_new_default()
-{
-	Pk11Install_Value* new_this;
-	new_this = (Pk11Install_Value*)PR_Malloc(sizeof(Pk11Install_Value));
-	new_this->type = STRING_VALUE;
-	new_this->string = NULL;
-	new_this->pair = NULL;
-	new_this->next = NULL;
-	return new_this;
-}
-
-/****************************************************************************/
-Pk11Install_Value*
-Pk11Install_Value_new(ValueType _type, Pk11Install_Pointer ptr)
-{
-	Pk11Install_Value* new_this;
-	new_this = Pk11Install_Value_new_default();
-	new_this->type = _type;
-	if(_type == STRING_VALUE) {
-		new_this->pair = NULL;
-		new_this->string = ptr.string;
-	} else {
-		new_this->string = NULL;
-		new_this->pair = ptr.pair;
-	}
-	return new_this;
-}
-
-/****************************************************************************/
-void
-Pk11Install_Value_delete(Pk11Install_Value* _this)
-{
-	if(_this->type == STRING_VALUE) {
-		PR_Free(_this->string);
-	} else {
-		PR_Free(_this->pair);
-	}
-}
-
-/****************************************************************************/
-Pk11Install_Pair*
-Pk11Install_Pair_new_default()
-{
-	return Pk11Install_Pair_new(NULL,NULL);
-}
-
-/****************************************************************************/
-Pk11Install_Pair*
-Pk11Install_Pair_new(char *_key, Pk11Install_ValueList *_list)
-{
-	Pk11Install_Pair* new_this;
-	new_this = (Pk11Install_Pair*)PR_Malloc(sizeof(Pk11Install_Pair));
-	new_this->key = _key;
-	new_this->list = _list;
-	return new_this;
-}
-
-/****************************************************************************/
-void
-Pk11Install_Pair_delete(Pk11Install_Pair* _this)
-{
-	PR_Free(_this->key);
-	Pk11Install_ValueList_delete(_this->list);
-	PR_Free(_this->list);
-}
-
-/*************************************************************************/
-void
-Pk11Install_Pair_Print(Pk11Install_Pair* _this, int pad)
-{
-	while (_this) {
-		/*PAD(pad); printf("**Pair\n");
-		PAD(pad); printf("***Key====\n");*/
-		PAD(pad); printf("%s {\n", _this->key);
-		/*PAD(pad); printf("====\n");*/
-		/*PAD(pad); printf("***ValueList\n");*/
-		Pk11Install_ValueList_Print(_this->list,pad+PADINC);
-		PAD(pad); printf("}\n");
-	}
-}
-
-/*************************************************************************/
-void
-Pk11Install_ValueList_Print(Pk11Install_ValueList* _this, int pad)
-{
-	Pk11Install_Value *v;
-
-	/*PAD(pad);printf("**Value List**\n");*/
-	for(v = _this->head; v != NULL; v=v->next) {
-		Pk11Install_Value_Print(v,pad);
-	}
-}
-
-/*************************************************************************/
-void
-Pk11Install_Value_Print(Pk11Install_Value* _this, int pad)
-{
-	/*PAD(pad); printf("**Value, type=%s\n",
-		type==STRING_VALUE ? "string" : "pair");*/
-	if(_this->type==STRING_VALUE) {
-		/*PAD(pad+PADINC); printf("====\n");*/
-		PAD(pad); printf("%s\n", _this->string);
-		/*PAD(pad+PADINC); printf("====\n");*/
-	} else {
-		Pk11Install_Pair_Print(_this->pair,pad+PADINC);
-	}
-}
diff --git a/security/nss/cmd/modutil/install-ds.h b/security/nss/cmd/modutil/install-ds.h
deleted file mode 100644
index 9af614437..000000000
--- a/security/nss/cmd/modutil/install-ds.h
+++ /dev/null
@@ -1,293 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef INSTALL_DS_H
-#define INSTALL_DS_H
-
-#include <stdio.h>
-#include <prio.h>
-#include <prmem.h>
-
-extern PRFileDesc *Pk11Install_FD;
-extern int Pk11Install_yylex();
-extern int Pk11Install_yylinenum;
-extern char *Pk11Install_yyerrstr;
-
-typedef enum { STRING_VALUE, PAIR_VALUE } ValueType;
-
-typedef struct Pk11Install_Pair_str Pk11Install_Pair;
-typedef union Pk11Install_Pointer_str Pk11Install_Pointer;
-typedef struct Pk11Install_Value_str Pk11Install_Value;
-typedef struct Pk11Install_ValueList_str Pk11Install_ValueList;
-typedef struct Pk11Install_ListIter_str Pk11Install_ListIter;
-typedef struct Pk11Install_File_str Pk11Install_File;
-typedef struct Pk11Install_PlatformName_str Pk11Install_PlatformName;
-typedef struct Pk11Install_Platform_str Pk11Install_Platform;
-typedef struct Pk11Install_Info_str Pk11Install_Info;
-
-extern Pk11Install_Pointer Pk11Install_yylval;
-extern Pk11Install_ValueList* Pk11Install_valueList;
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Pk11Install_Pair
-//////////////////////////////////////////////////////////////////////////
-*/
-
-struct Pk11Install_Pair_str {
-	char * key;
-	Pk11Install_ValueList *list;
-
-};
-
-Pk11Install_Pair* 
-Pk11Install_Pair_new_default();
-Pk11Install_Pair* 
-Pk11Install_Pair_new( char* _key, Pk11Install_ValueList* _list);
-void 
-Pk11Install_Pair_delete(Pk11Install_Pair* _this);
-void
-Pk11Install_Pair_Print(Pk11Install_Pair* _this, int pad);
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Pk11Install_Pointer
-//////////////////////////////////////////////////////////////////////////
-*/
-union Pk11Install_Pointer_str {
-	Pk11Install_ValueList *list;
-	Pk11Install_Value *value;
-	Pk11Install_Pair *pair;
-	char *string;
-};
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Pk11Install_Value
-//////////////////////////////////////////////////////////////////////////
-*/
-struct Pk11Install_Value_str {
-
-	ValueType type;
-	char *string;	
-	Pk11Install_Pair *pair;
-	struct Pk11Install_Value_str *next;
-};
-
-Pk11Install_Value* 
-Pk11Install_Value_new_default();
-Pk11Install_Value*
-Pk11Install_Value_new(ValueType _type, Pk11Install_Pointer ptr);
-void
-Pk11Install_Value_delete(Pk11Install_Value* _this);
-void
-Pk11Install_Value_Print(Pk11Install_Value* _this, int pad);
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Pk11Install_ValueList
-//////////////////////////////////////////////////////////////////////////
-*/
-struct Pk11Install_ValueList_str {
-	int numItems;
-	int numPairs;
-	int numStrings;
-	Pk11Install_Value *head;
-};
-
-Pk11Install_ValueList* 
-Pk11Install_ValueList_new();
-void
-Pk11Install_ValueList_delete(Pk11Install_ValueList* _this);
-void
-Pk11Install_ValueList_AddItem(Pk11Install_ValueList* _this,
-                              Pk11Install_Value* item);
-void
-Pk11Install_ValueList_Print(Pk11Install_ValueList* _this, int pad);
-
-
-/*
-//////////////////////////////////////////////////////////////////////////
-// Pk11Install_ListIter
-//////////////////////////////////////////////////////////////////////////
-*/
-struct Pk11Install_ListIter_str {
-	const Pk11Install_ValueList *list;
-	Pk11Install_Value *current;
-};
-
-Pk11Install_ListIter* 
-Pk11Install_ListIter_new_default();
-void
-Pk11Install_ListIter_init(Pk11Install_ListIter* _this);
-Pk11Install_ListIter*
-Pk11Install_ListIter_new(const Pk11Install_ValueList* _list);
-void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this);
-void
-Pk11Install_ListIter_reset(Pk11Install_ListIter* _this);
-Pk11Install_Value*
-Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this);
-
-/************************************************************************
- *
- * Pk11Install_File
- */
-struct Pk11Install_File_str {
-	char *jarPath;
-	char *relativePath;
-	char *absolutePath;
-	PRBool executable;
-	int permissions;
-};
-
-Pk11Install_File*
-Pk11Install_File_new();
-void
-Pk11Install_File_init(Pk11Install_File* _this);
-void
-Pk11Install_file_delete(Pk11Install_File* _this);
-/*// Parses a syntax tree to obtain all attributes.
-// Returns NULL for success, error message if parse error.*/
-char*
-Pk11Install_File_Generate(Pk11Install_File* _this, 
-                          const Pk11Install_Pair* pair);
-void
-Pk11Install_File_Print(Pk11Install_File* _this, int pad);
-void
-Pk11Install_File_Cleanup(Pk11Install_File* _this);
-
-/************************************************************************
- *
- * Pk11Install_PlatformName
- */
-struct Pk11Install_PlatformName_str {
-	char *OS;
-	char **verString;
-	int numDigits;
-	char *arch;
-};
-
-Pk11Install_PlatformName*
-Pk11Install_PlatformName_new();
-void
-Pk11Install_PlatformName_init(Pk11Install_PlatformName* _this);
-void
-Pk11Install_PlatformName_delete(Pk11Install_PlatformName* _this);
-char*
-Pk11Install_PlatformName_Generate(Pk11Install_PlatformName* _this,
-                                  const char* str);
-char*
-Pk11Install_PlatformName_GetString(Pk11Install_PlatformName* _this);
-char*
-Pk11Install_PlatformName_GetVerString(Pk11Install_PlatformName* _this);
-void
-Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad);
-void
-Pk11Install_PlatformName_Cleanup(Pk11Install_PlatformName* _this);
-PRBool
-Pk11Install_PlatformName_equal(Pk11Install_PlatformName* _this,
-                               Pk11Install_PlatformName* cmp);
-PRBool
-Pk11Install_PlatformName_lteq(Pk11Install_PlatformName* _this,
-                              Pk11Install_PlatformName* cmp);
-PRBool
-Pk11Install_PlatformName_lt(Pk11Install_PlatformName* _this,
-                            Pk11Install_PlatformName* cmp);
-
-/************************************************************************
- *
- * Pk11Install_Platform
- */
-struct Pk11Install_Platform_str {
-	Pk11Install_PlatformName name;
-	Pk11Install_PlatformName equivName;
-	struct Pk11Install_Platform_str *equiv;
-	PRBool usesEquiv;
-	char *moduleFile;
-	char *moduleName;
-	int modFile;
-	unsigned long mechFlags;
-	unsigned long cipherFlags;
-	Pk11Install_File *files;
-	int numFiles;
-};
-
-Pk11Install_Platform*
-Pk11Install_Platform_new();
-void
-Pk11Install_Platform_init(Pk11Install_Platform* _this);
-void
-Pk11Install_Platform_delete(Pk11Install_Platform* _this);
-/*// Returns NULL for success, error message if parse error.*/
-char* 
-Pk11Install_Platform_Generate(Pk11Install_Platform* _this,
-                              const Pk11Install_Pair *pair);
-void 
-Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad);
-void 
-Pk11Install_Platform_Cleanup(Pk11Install_Platform* _this);
-
-/************************************************************************
- *
- * Pk11Install_Info
- */
-struct Pk11Install_Info_str {
-	Pk11Install_Platform *platforms;
-	int numPlatforms;
-	Pk11Install_PlatformName *forwardCompatible;
-	int numForwardCompatible;
-};
-
-Pk11Install_Info*
-Pk11Install_Info_new();
-void
-Pk11Install_Info_init();
-void
-Pk11Install_Info_delete(Pk11Install_Info* _this);
-/*// Returns NULL for success, error message if parse error.*/
-char* 
-Pk11Install_Info_Generate(Pk11Install_Info* _this, 
-                          const Pk11Install_ValueList *list);
-	/*// Returns NULL if there is no matching platform*/
-Pk11Install_Platform* 
-Pk11Install_Info_GetBestPlatform(Pk11Install_Info* _this, char* myPlatform);
-void 
-Pk11Install_Info_Print(Pk11Install_Info* _this, int pad);
-void 
-Pk11Install_Info_Cleanup(Pk11Install_Info* _this);
-
-#endif /* INSTALL_DS_H */
diff --git a/security/nss/cmd/modutil/install.c b/security/nss/cmd/modutil/install.c
deleted file mode 100644
index 10819190c..000000000
--- a/security/nss/cmd/modutil/install.c
+++ /dev/null
@@ -1,988 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "install.h"
-#include "install-ds.h"
-#include <prlock.h>
-#include <prio.h>
-#include <prmem.h>
-#include <prprf.h>
-#include <prsystem.h>
-#include <prproces.h>
-
-#ifdef XP_UNIX
-/* for chmod */
-#include <sys/types.h>
-#include <sys/stat.h>
-#endif
-
-/*extern "C" {*/
-#include <jar.h>
-/*}*/
-
-extern /*"C"*/
-int Pk11Install_AddNewModule(char* moduleName, char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags);
-extern /*"C"*/
-short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
-	PRBool query);
-extern /*"C"*/
-const char* mySECU_ErrorString(int16);
-extern 
-int Pk11Install_yyparse();
-
-#define INSTALL_METAINFO_TAG "Pkcs11_install_script"
-#define SCRIPT_TEMP_FILE "pkcs11inst.tmp"
-#define ROOT_MARKER "%root%"
-#define TEMP_MARKER "%temp%"
-#define PRINTF_ROOT_MARKER "%%root%%"
-#define TEMPORARY_DIRECTORY_NAME "pk11inst.dir"
-#define JAR_BASE_END (JAR_BASE+100)
-
-static PRLock* errorHandlerLock=NULL;
-static Pk11Install_ErrorHandler errorHandler=NULL;
-static char* PR_Strdup(const char* str);
-static int rm_dash_r (char *path);
-static int make_dirs(char *path, int file_perms);
-static int dir_perms(int perms);
-
-static Pk11Install_Error DoInstall(JAR *jar, const char *installDir,
-	const char* tempDir, Pk11Install_Platform *platform, 
-	PRFileDesc *feedback, PRBool noverify);
-
-static char *errorString[]= {
-	"Operation was successful", /* PK11_INSTALL_NO_ERROR */
-	"Directory \"%s\" does not exist", /* PK11_INSTALL_DIR_DOESNT_EXIST */
-	"File \"%s\" does not exist", /* PK11_INSTALL_FILE_DOESNT_EXIST */
-	"File \"%s\" is not readable", /* PK11_INSTALL_FILE_NOT_READABLE */
-	"%s",		/* PK11_INSTALL_ERROR_STRING */
-	"Error in JAR file %s: %s",  /* PK11_INSTALL_JAR_ERROR */
-	"No Pkcs11_install_script specified in JAR metainfo file",
-				/* PK11_INSTALL_NO_INSTALLER_SCRIPT */
-	"Could not delete temporary file \"%s\"",
-				/*PK11_INSTALL_DELETE_TEMP_FILE */
-	"Could not open temporary file \"%s\"", /*PK11_INSTALL_OPEN_SCRIPT_FILE*/
-	"%s: %s", /* PK11_INSTALL_SCRIPT_PARSE */
-	"Error in script: %s",
-	"Unable to obtain system platform information",
-	"Installer script has no information about the current platform (%s)",
-	"Relative directory \"%s\" does not contain "PRINTF_ROOT_MARKER,
-	"Module File \"%s\" not found",
-	"Error occurred installing module \"%s\" into database",
-	"Error extracting \"%s\" from JAR file: %s",
-	"Directory \"%s\" is not writeable",
-	"Could not create directory \"%s\"",
-	"Could not remove directory \"%s\"",
-	"Unable to execute \"%s\"",
-	"Unable to wait for process \"%s\"",
-	"\"%s\" returned error code %d",
-	"User aborted operation",
-	"Unspecified error"
-};
-
-enum {
-	INSTALLED_FILE_MSG=0,
-	INSTALLED_MODULE_MSG,
-	INSTALLER_SCRIPT_NAME,
-	MY_PLATFORM_IS,
-	USING_PLATFORM,
-	PARSED_INSTALL_SCRIPT,
-	EXEC_FILE_MSG,
-	EXEC_SUCCESS,
-	INSTALLATION_COMPLETE_MSG,
-	USER_ABORT
-};
-
-static char *msgStrings[] = {
-	"Installed file %s to %s\n",
-	"Installed module \"%s\" into module database\n",
-	"Using installer script \"%s\"\n",
-	"Current platform is %s\n",
-	"Using installation parameters for platform %s\n",
-	"Successfully parsed installation script\n",
-	"Executing \"%s\"...\n",
-	"\"%s\" executed successfully\n",
-	"\nInstallation completed successfully\n",
-	"\nAborting...\n"
-};
-
-/**************************************************************************
- * S t r i n g N o d e
- */
-typedef struct StringNode_str {
-    char *str;
-    struct StringNode_str* next;
-} StringNode;
-
-StringNode* StringNode_new()
-{
-	StringNode* new_this;
-	new_this = (StringNode*)malloc(sizeof(StringNode));
-  new_this->str=NULL;
-  new_this->next=NULL;
-	return new_this;
-}
-
-void StringNode_delete(StringNode* s) 
-{
-	if(s->str) {
-		PR_Free(s->str);
-		s->str=NULL;
-	}
-}
-
-/*************************************************************************
- * S t r i n g L i s t
- */
-typedef struct StringList_str {
-  StringNode* head;
-	StringNode* tail;
-} StringList;
-
-void StringList_new(StringList* list)
-{
-  list->head=NULL;
-  list->tail=NULL;
-}
-
-void StringList_delete(StringList* list)
-{
-	StringNode *tmp;
-	while(list->head) {
-		tmp = list->head;
-		list->head = list->head->next;
-		StringNode_delete(tmp);
-	}
-}
-
-void
-StringList_Append(StringList* list, char* str)
-{
-	if(!str) {
-		return;
-	}
-
-	if(!list->tail) {
-		/* This is the first element */
-	  list->head = list->tail = StringNode_new();
-	} else {
-		list->tail->next = StringNode_new();
-		list->tail = list->tail->next;
-	}
-
-	list->tail->str = PR_Strdup(str);
-	list->tail->next = NULL;	/* just to be sure */
-}
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ S e t E r r o r H a n d l e r
- *
- * Sets the error handler to be used by the library.  Returns the current
- * error handler function.
- */
-Pk11Install_ErrorHandler
-Pk11Install_SetErrorHandler(Pk11Install_ErrorHandler handler)
-{
-	Pk11Install_ErrorHandler old;
-
-	if(!errorHandlerLock) {
-		errorHandlerLock = PR_NewLock();
-	}
-
-	PR_Lock(errorHandlerLock);
-
-	old = errorHandler;
-	errorHandler = handler;
-
-	PR_Unlock(errorHandlerLock);
-
-	return old;
-}
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ I n i t
- *
- * Does initialization that otherwise would be done on the fly.  Only
- * needs to be called by multithreaded apps, before they make any calls
- * to this library.
- */
-void
-Pk11Install_Init()
-{
-	if(!errorHandlerLock) {
-		errorHandlerLock = PR_NewLock();
-	}
-}
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ R e l e a s e
- *
- * Releases static data structures used by the library.  Don't use the
- * library after calling this, unless you call Pk11Install_Init()
- * first.  This function doesn't have to be called at all unless you're
- * really anal about freeing memory before your program exits.
- */
-void
-Pk11Install_Release()
-{
-	if(errorHandlerLock) {
-		PR_Free(errorHandlerLock);
-		errorHandlerLock = NULL;
-	}
-}
-
-/*************************************************************************
- *
- * e r r o r
- *
- * Takes an error code and its arguments, creates the error string,
- * and sends the string to the handler function if it exists.
- */
-
-#ifdef OSF1
-/* stdarg has already been pulled in from NSPR */
-#undef va_start
-#undef va_end
-#undef va_arg
-#include <varargs.h>
-#else
-#include <stdarg.h>
-#endif
-
-#ifdef OSF1
-static void
-error(long va_alist, ...)
-#else
-static void
-error(Pk11Install_Error errcode, ...)
-#endif
-{
-
-	va_list ap;
-	char *errstr;
-	Pk11Install_ErrorHandler handler;
-
-	if(!errorHandlerLock) {
-		errorHandlerLock = PR_NewLock();
-	}
-
-	PR_Lock(errorHandlerLock);
-
-	handler = errorHandler;
-
-	PR_Unlock(errorHandlerLock);
-
-	if(handler) {
-#ifdef OSF1
-		va_start(ap);
-		errstr = PR_vsmprintf(errorString[va_arg(ap, Pk11Install_Error)], ap);
-#else
-		va_start(ap, errcode);
-		errstr = PR_vsmprintf(errorString[errcode], ap);
-#endif
-		handler(errstr);
-		PR_smprintf_free(errstr);
-		va_end(ap);
-	}
-}
-
-/*************************************************************************
- *
- * j a r _ c a l l b a c k
- */
-static int
-jar_callback(int status, JAR *foo, const char *bar, char *pathname,
-	char *errortext) {
-	char *string;
-
-	string = PR_smprintf("JAR error %d: %s in file %s\n", status, errortext,
-		pathname);
-	error(PK11_INSTALL_ERROR_STRING, string);
-	PR_smprintf_free(string);
-	return 0;
-}
-	
-/*************************************************************************
- *
- * P k 1 1 I n s t a l l _ D o I n s t a l l
- *
- * jarFile is the path of a JAR in the PKCS #11 module JAR format.
- * installDir is the directory relative to which files will be
- *   installed.
- */
-Pk11Install_Error
-Pk11Install_DoInstall(char *jarFile, const char *installDir,
-	const char *tempDir, PRFileDesc *feedback, short force, PRBool noverify)
-{
-	JAR *jar;
-	char *installer;
-	unsigned long installer_len;
-	int status;
-	Pk11Install_Error ret;
-	PRBool made_temp_file;
-	Pk11Install_Info installInfo;
-	Pk11Install_Platform *platform;
-	char* errMsg;
-	char sysname[SYS_INFO_BUFFER_LENGTH], release[SYS_INFO_BUFFER_LENGTH],
-       arch[SYS_INFO_BUFFER_LENGTH];
-	char *myPlatform;
-
-	jar=NULL;
-	ret = PK11_INSTALL_UNSPECIFIED;
-	made_temp_file=PR_FALSE;
-	errMsg=NULL;
-	Pk11Install_Info_init(&installInfo);
-
-	/*
-	printf("Inside DoInstall, jarFile=%s, installDir=%s, tempDir=%s\n",
-		jarFile, installDir, tempDir);
-	*/
-
-	/*
-	 * Check out jarFile and installDir for validity
-	 */
-	if( PR_Access(installDir, PR_ACCESS_EXISTS) != PR_SUCCESS ) {
-		error(PK11_INSTALL_DIR_DOESNT_EXIST, installDir);
-		return PK11_INSTALL_DIR_DOESNT_EXIST;
-	}
-	if(!tempDir) {
-		tempDir = ".";
-	}
-	if( PR_Access(tempDir, PR_ACCESS_EXISTS) != PR_SUCCESS ) {
-		error(PK11_INSTALL_DIR_DOESNT_EXIST, tempDir);
-		return PK11_INSTALL_DIR_DOESNT_EXIST;
-	}
-	if( PR_Access(tempDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS ) {
-		error(PK11_INSTALL_DIR_NOT_WRITEABLE, tempDir);
-		return PK11_INSTALL_DIR_NOT_WRITEABLE;
-	}
-	if( (PR_Access(jarFile, PR_ACCESS_EXISTS) != PR_SUCCESS) ) {
-		error(PK11_INSTALL_FILE_DOESNT_EXIST, jarFile);
-		return PK11_INSTALL_FILE_DOESNT_EXIST;
-	}
-	if( PR_Access(jarFile, PR_ACCESS_READ_OK) != PR_SUCCESS ) {
-		error(PK11_INSTALL_FILE_NOT_READABLE, jarFile);
-		return PK11_INSTALL_FILE_NOT_READABLE;
-	}
-
-	/*
-	 * Extract the JAR file
-	 */
-	jar = JAR_new();
-	JAR_set_callback(JAR_CB_SIGNAL, jar, jar_callback);
-
-	if(noverify) {
-		status = JAR_pass_archive_unverified(jar, jarArchGuess, jarFile, "url");
-	} else {
-		status = JAR_pass_archive(jar, jarArchGuess, jarFile, "url");
-	}
-	if( (status < 0) || (jar->valid < 0) ) {
-		if (status >= JAR_BASE && status <= JAR_BASE_END) {
-			error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
-		} else {
-			error(PK11_INSTALL_JAR_ERROR, jarFile,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
-		}
-		ret=PK11_INSTALL_JAR_ERROR;
-		goto loser;
-	}
-	/*printf("passed the archive\n");*/
-
-	/*
-	 * Show the user security information, allow them to abort or continue
-	 */
-	if( Pk11Install_UserVerifyJar(jar, PR_STDOUT,
-		force?PR_FALSE:PR_TRUE) && !force) {
-		if(feedback) {
-			PR_fprintf(feedback, msgStrings[USER_ABORT]);
-		}
-		ret=PK11_INSTALL_USER_ABORT;
-		goto loser;
-	}
-
-	/*
-	 * Get the name of the installation file
-	 */
-	if( JAR_get_metainfo(jar, NULL, INSTALL_METAINFO_TAG, (void**)&installer,
-		(unsigned long*)&installer_len) ) {
-		error(PK11_INSTALL_NO_INSTALLER_SCRIPT);
-		ret=PK11_INSTALL_NO_INSTALLER_SCRIPT;
-		goto loser;
-	}
-	if(feedback) {
-		PR_fprintf(feedback, msgStrings[INSTALLER_SCRIPT_NAME], installer);
-	}
-
-	/*
-	 * Extract the installation file
-	 */
-	if( PR_Access(SCRIPT_TEMP_FILE, PR_ACCESS_EXISTS) == PR_SUCCESS) {
-		if( PR_Delete(SCRIPT_TEMP_FILE) != PR_SUCCESS) {
-			error(PK11_INSTALL_DELETE_TEMP_FILE, SCRIPT_TEMP_FILE);
-			ret=PK11_INSTALL_DELETE_TEMP_FILE;
-			goto loser;
-		}
-	}
-	if(noverify) {
-		status = JAR_extract(jar, installer, SCRIPT_TEMP_FILE);
-	} else {
-		status = JAR_verified_extract(jar, installer, SCRIPT_TEMP_FILE);
-	}
-	if(status) {
-		if (status >= JAR_BASE && status <= JAR_BASE_END) {
-			error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
-		} else {
-			error(PK11_INSTALL_JAR_EXTRACT, installer,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
-		}
-		ret = PK11_INSTALL_JAR_EXTRACT;
-		goto loser;
-	} else {
-		made_temp_file = PR_TRUE;
-	}
-
-	/*
-	 * Parse the installation file into a syntax tree
-	 */
-	Pk11Install_FD = PR_Open(SCRIPT_TEMP_FILE, PR_RDONLY, 0);
-	if(!Pk11Install_FD) {
-		error(PK11_INSTALL_OPEN_SCRIPT_FILE, SCRIPT_TEMP_FILE);
-		ret=PK11_INSTALL_OPEN_SCRIPT_FILE;
-		goto loser;
-	}
-	if(Pk11Install_yyparse()) {
-		error(PK11_INSTALL_SCRIPT_PARSE, installer,
-			Pk11Install_yyerrstr ? Pk11Install_yyerrstr : "");
-		ret=PK11_INSTALL_SCRIPT_PARSE;
-		goto loser;
-	}
-
-#if 0
-	/* for debugging */
-	Pk11Install_valueList->Print(0);
-#endif
-
-	/*
-	 * From the syntax tree, build a semantic structure
-	 */
-	errMsg = Pk11Install_Info_Generate(&installInfo,Pk11Install_valueList);
-	if(errMsg) {
-		error(PK11_INSTALL_SEMANTIC, errMsg);
-		ret=PK11_INSTALL_SEMANTIC;
-		goto loser;
-	}
-#if 0
-	installInfo.Print(0);
-#endif
-
-	if(feedback) {
-		PR_fprintf(feedback, msgStrings[PARSED_INSTALL_SCRIPT]);
-	}
-
-	/*
-	 * Figure out which platform to use
-	 */
-	{
-		sysname[0] = release[0] = arch[0] = '\0';
-
-		if( (PR_GetSystemInfo(PR_SI_SYSNAME, sysname, SYS_INFO_BUFFER_LENGTH)
-				!= PR_SUCCESS) ||
-		    (PR_GetSystemInfo(PR_SI_RELEASE, release, SYS_INFO_BUFFER_LENGTH)
-				!= PR_SUCCESS) ||
-		    (PR_GetSystemInfo(PR_SI_ARCHITECTURE, arch, SYS_INFO_BUFFER_LENGTH)
-				!= PR_SUCCESS) ) {
-			error(PK11_INSTALL_SYSINFO);
-			ret=PK11_INSTALL_SYSINFO;
-			goto loser;
-		}
-		myPlatform = PR_smprintf("%s:%s:%s", sysname, release, arch);
-		platform = Pk11Install_Info_GetBestPlatform(&installInfo,myPlatform);
-		if(!platform) {
-			error(PK11_INSTALL_NO_PLATFORM, myPlatform);
-			PR_smprintf_free(myPlatform);
-			ret=PK11_INSTALL_NO_PLATFORM;
-			goto loser;
-		}
-		if(feedback) {
-			PR_fprintf(feedback, msgStrings[MY_PLATFORM_IS], myPlatform);
-			PR_fprintf(feedback, msgStrings[USING_PLATFORM],
-                    Pk11Install_PlatformName_GetString(&platform->name));
-		}
-		PR_smprintf_free(myPlatform);
-	}
-
-	/* Run the install for that platform */
-	ret = DoInstall(jar, installDir, tempDir, platform, feedback, noverify);
-	if(ret) {
-		goto loser;
-	}
-
-	ret = PK11_INSTALL_SUCCESS;
-loser:
-	if(Pk11Install_valueList) {
-		Pk11Install_ValueList_delete(Pk11Install_valueList);
-		PR_Free(Pk11Install_valueList);
-		Pk11Install_valueList = NULL;
-	}
-	if(jar) {
-		JAR_destroy(jar);
-	}
-	if(made_temp_file) {
-		PR_Delete(SCRIPT_TEMP_FILE);
-	}
-	if(errMsg) {
-		PR_smprintf_free(errMsg);
-	}
-	return ret;
-}
-
-/*
-/////////////////////////////////////////////////////////////////////////
-// actually run the installation, copying files to and fro
-*/
-static Pk11Install_Error
-DoInstall(JAR *jar, const char *installDir, const char *tempDir,
-	Pk11Install_Platform *platform, PRFileDesc *feedback, PRBool noverify)
-{
-	Pk11Install_File *file;
-	Pk11Install_Error ret;
-	char *reldir;
-	char *dest;
-	char *modDest;
-	char *cp;
-	int i;
-	int status;
-	char *tempname, *temp;
-	StringList executables;
-	StringNode *execNode;
-	PRProcessAttr *attr;
-	PRProcess *proc;
-	char *argv[2];
-	char *envp[1];
-	int errcode;
-
-	ret=PK11_INSTALL_UNSPECIFIED;
-	reldir=NULL;
-	dest=NULL;
-	modDest=NULL;
-	tempname=NULL;
-
-	StringList_new(&executables);
-	/*
-	// Create Temporary directory
-	*/
-	tempname = PR_smprintf("%s/%s", tempDir, TEMPORARY_DIRECTORY_NAME);
-	if( PR_Access(tempname, PR_ACCESS_EXISTS)==PR_SUCCESS ) {
-		/* Left over from previous run?  Delete it. */
-		rm_dash_r(tempname);
-	}
-	if(PR_MkDir(tempname, 0700) != PR_SUCCESS) {
-		error(PK11_INSTALL_CREATE_DIR, tempname);
-		ret = PK11_INSTALL_CREATE_DIR;
-		goto loser;
-	}
-
-	/*
-	// Install all the files
-	*/
-	for(i=0; i < platform->numFiles; i++) {
-		file = &platform->files[i];
-
-		if(file->relativePath) {
-			PRBool foundMarker = PR_FALSE;
-			reldir = PR_Strdup(file->relativePath);
-
-			/* Replace all the markers with the directories for which they stand */
-			while(1) {
-				if( (cp=PL_strcasestr(reldir, ROOT_MARKER)) ) {
-					/* Has a %root% marker  */
-					*cp = '\0';
-					temp = PR_smprintf("%s%s%s", reldir, installDir,
-						cp+strlen(ROOT_MARKER));
-					PR_Free(reldir);
-					reldir = temp;
-					foundMarker = PR_TRUE;
-				} else if( (cp = PL_strcasestr(reldir, TEMP_MARKER)) ) {
-					/* Has a %temp% marker */
-					*cp = '\0';
-					temp = PR_smprintf("%s%s%s", reldir, tempname, 
-						cp+strlen(TEMP_MARKER));
-					PR_Free(reldir);
-					reldir = temp;
-					foundMarker = PR_TRUE;
-				} else {
-					break;
-				}
-			}
-			if(!foundMarker) {
-				/* Has no markers...this isn't really a relative directory */
-				error(PK11_INSTALL_BOGUS_REL_DIR, file->relativePath);
-				ret = PK11_INSTALL_BOGUS_REL_DIR;
-				goto loser;
-			}
-			dest = reldir;
-			reldir = NULL;
-		} else if(file->absolutePath) {
-			dest = PR_Strdup(file->absolutePath);
-		}
-
-		/* Remember if this is the module file, we'll need to add it later */
-		if(i == platform->modFile) {
-			modDest = PR_Strdup(dest);
-		}
-
-		/* Remember is this is an executable, we'll need to run it later */
-		if(file->executable) {
-			StringList_Append(&executables,dest);
-			/*executables.Append(dest);*/
-		}
-
-		/* Make sure the directory we are targetting exists */
-		if( make_dirs(dest, file->permissions) ) {
-			ret=PK11_INSTALL_CREATE_DIR;
-			goto loser;
-		}
-
-		/* Actually extract the file onto the filesystem */
-		if(noverify) {
-			status = JAR_extract(jar, (char*)file->jarPath, dest);
-		} else {
-			status = JAR_verified_extract(jar, (char*)file->jarPath, dest);
-		}
-		if(status) {
-			if (status >= JAR_BASE && status <= JAR_BASE_END) {
-				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
-                  JAR_get_error(status));
-			} else {
-				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
-				  mySECU_ErrorString((int16) PORT_GetError()) );
-			}
-			ret=PK11_INSTALL_JAR_EXTRACT;
-			goto loser;
-		}
-		if(feedback) {
-			PR_fprintf(feedback, msgStrings[INSTALLED_FILE_MSG],
-				file->jarPath, dest);
-		}
-
-		/* no NSPR command to change permissions? */
-#ifdef XP_UNIX
-		chmod(dest, file->permissions);
-#endif
-
-		/* Memory clean-up tasks */
-		if(reldir) {
-			PR_Free(reldir);
-			reldir = NULL;
-		}
-		if(dest) {
-			PR_Free(dest);
-			dest = NULL;
-		}
-	}
-	/* Make sure we found the module file */
-	if(!modDest) {
-		/* Internal problem here, since every platform is supposed to have
-		   a module file */
-		error(PK11_INSTALL_NO_MOD_FILE, platform->moduleName);
-		ret=PK11_INSTALL_NO_MOD_FILE;
-		goto loser;
-	}
-
-	/*
-	// Execute any executable files
-	*/
-	{
-		argv[1] = NULL;
-		envp[0] = NULL;
-		for(execNode = executables.head; execNode; execNode = execNode->next) {
-			attr = PR_NewProcessAttr();
-			argv[0] = PR_Strdup(execNode->str);
-
-			/* Announce our intentions */
-			if(feedback) {
-				PR_fprintf(feedback, msgStrings[EXEC_FILE_MSG], execNode->str);
-			}
-
-			/* start the process */
-			if( !(proc=PR_CreateProcess(execNode->str, argv, envp, attr)) ) {
-				PR_Free(argv[0]);
-				PR_DestroyProcessAttr(attr);
-				error(PK11_INSTALL_EXEC_FILE, execNode->str);
-				ret=PK11_INSTALL_EXEC_FILE;
-				goto loser;
-			}
-
-			/* wait for it to finish */
-			if( PR_WaitProcess(proc, &errcode) != PR_SUCCESS) {
-				PR_Free(argv[0]);
-				PR_DestroyProcessAttr(attr);
-				error(PK11_INSTALL_WAIT_PROCESS, execNode->str);
-				ret=PK11_INSTALL_WAIT_PROCESS;
-				goto loser;
-			}
-
-			/* What happened? */
-			if(errcode) {
-				/* process returned an error */
-				error(PK11_INSTALL_PROC_ERROR, execNode->str, errcode);
-			} else if(feedback) {
-				/* process ran successfully */
-				PR_fprintf(feedback, msgStrings[EXEC_SUCCESS], execNode->str);
-			}
-
-			PR_Free(argv[0]);
-			PR_DestroyProcessAttr(attr);
-		}
-	}
-
-	/*
-	// Add the module
-	*/
-	status = Pk11Install_AddNewModule((char*)platform->moduleName,
-		(char*)modDest, platform->mechFlags, platform->cipherFlags );
-
-	if(status != SECSuccess) {
-		error(PK11_INSTALL_ADD_MODULE, platform->moduleName);
-		ret=PK11_INSTALL_ADD_MODULE;
-		goto loser;
-	}
-	if(feedback) {
-		PR_fprintf(feedback, msgStrings[INSTALLED_MODULE_MSG],
-			platform->moduleName);
-	}
-
-	if(feedback) {
-		PR_fprintf(feedback, msgStrings[INSTALLATION_COMPLETE_MSG]);
-	}
-
-	ret = PK11_INSTALL_SUCCESS;
-
-loser:
-	if(reldir) {
-		PR_Free(reldir);
-	}
-	if(dest) {
-		PR_Free(dest);
-	}
-	if(modDest) {
-		PR_Free(modDest);
-	}
-	if(tempname) {
-		PRFileInfo info;
-		if(PR_GetFileInfo(tempname, &info) == PR_SUCCESS) {
-			if((info.type == PR_FILE_DIRECTORY)) {
-				/* Recursively remove temporary directory */
-				if(rm_dash_r(tempname)) {
-					error(PK11_INSTALL_REMOVE_DIR,
-						tempname);
-					ret=PK11_INSTALL_REMOVE_DIR;
-				}
-					
-			}
-		}
-		PR_Free(tempname);
-	}
-	StringList_delete(&executables);
-	return ret;
-}
-
-/*
-//////////////////////////////////////////////////////////////////////////
-*/
-static char*
-PR_Strdup(const char* str)
-{
-	char *tmp = (char*) PR_Malloc(strlen(str)+1);
-	strcpy(tmp, str);
-	return tmp;
-}
-
-/*
- *  r m _ d a s h _ r
- *
- *  Remove a file, or a directory recursively.
- *
- */
-static int
-rm_dash_r (char *path)
-{
-    PRDir   *dir;
-    PRDirEntry *entry;
-    PRFileInfo fileinfo;
-    char filename[240];
-
-    if(PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) {
-        /*fprintf(stderr, "Error: Unable to access %s\n", filename);*/
-        return -1;
-    }
-    if(fileinfo.type == PR_FILE_DIRECTORY) {
-
-        dir = PR_OpenDir(path);
-        if(!dir) {
-            return -1;
-        }
-
-        /* Recursively delete all entries in the directory */
-        while((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-            sprintf(filename, "%s/%s", path, entry->name);
-            if(rm_dash_r(filename)) return -1;
-        }
-
-        if(PR_CloseDir(dir) != PR_SUCCESS) {
-            return -1;
-        }
-
-        /* Delete the directory itself */
-        if(PR_RmDir(path) != PR_SUCCESS) {
-            return -1;
-        }
-    } else {
-        if(PR_Delete(path) != PR_SUCCESS) {
-            return -1;
-        }
-    }
-    return 0;
-}
-
-/***************************************************************************
- *
- * m a k e _ d i r s
- *
- * Ensure that the directory portion of the path exists.  This may require
- * making the directory, and its parent, and its parent's parent, etc.
- */
-static int
-make_dirs(char *path, int file_perms)
-{
-	char *Path;
-	char *start;
-	char *sep;
-	int ret = 0;
-	PRFileInfo info;
-
-	if(!path) {
-		return 0;
-	}
-
-	Path = PR_Strdup(path);
-	start = strpbrk(Path, "/\\");
-	if(!start) {
-		return 0;
-	}
-	start++; /* start right after first slash */
-
-	/* Each time through the loop add one more directory. */
-	while( (sep=strpbrk(start, "/\\")) ) {
-		*sep = '\0';
-
-		if( PR_GetFileInfo(Path, &info) != PR_SUCCESS) {
-			/* No such dir, we have to create it */
-			if( PR_MkDir(Path, dir_perms(file_perms)) != PR_SUCCESS) {
-				error(PK11_INSTALL_CREATE_DIR, Path);
-				ret = PK11_INSTALL_CREATE_DIR;
-				goto loser;
-			}
-		} else {
-			/* something exists by this name, make sure it's a directory */
-			if( info.type != PR_FILE_DIRECTORY ) {
-				error(PK11_INSTALL_CREATE_DIR, Path);
-				ret = PK11_INSTALL_CREATE_DIR;
-				goto loser;
-			}
-		}
-
-		/* If this is the lowest directory level, make sure it is writeable */
-		if(!strpbrk(sep+1, "/\\")) {
-			if( PR_Access(Path, PR_ACCESS_WRITE_OK)!=PR_SUCCESS) {
-				error(PK11_INSTALL_DIR_NOT_WRITEABLE, Path);
-				ret = PK11_INSTALL_DIR_NOT_WRITEABLE;
-				goto loser;
-			}
-		}
-
-		start = sep+1; /* start after the next slash */
-		*sep = '/';
-	}
-
-loser:
-	PR_Free(Path);
-	return ret;
-}
-
-/*************************************************************************
- * d i r _ p e r m s
- * 
- * Guesses the desired permissions on a directory based on the permissions
- * of a file that will be stored in it. Give read, write, and
- * execute to the owner (so we can create the file), read and 
- * execute to anyone who has read permissions on the file, and write
- * to anyone who has write permissions on the file.
- */
-static int
-dir_perms(int perms)
-{
-	int ret = 0;
-
-	/* owner */
-	ret |= 0700;
-
-	/* group */
-	if(perms & 0040) {
-		/* read on the file -> read and execute on the directory */
-		ret |= 0050;
-	}
-	if(perms & 0020) {
-		/* write on the file -> write on the directory */
-		ret |= 0020;
-	}
-
-	/* others */
-	if(perms & 0004) {
-		/* read on the file -> read and execute on the directory */
-		ret |= 0005;
-	}
-	if(perms & 0002) {
-		/* write on the file -> write on the directory */
-		ret |= 0002;
-	}
-
-	return ret;
-}
diff --git a/security/nss/cmd/modutil/install.h b/security/nss/cmd/modutil/install.h
deleted file mode 100644
index 00fae7aeb..000000000
--- a/security/nss/cmd/modutil/install.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PK11INSTALL_H
-#define PK11INSTALL_H
-
-#include <prio.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef void (*Pk11Install_ErrorHandler)(char *);
-
-typedef enum {
-	PK11_INSTALL_NO_ERROR=0,
-	PK11_INSTALL_DIR_DOESNT_EXIST,
-	PK11_INSTALL_FILE_DOESNT_EXIST,
-	PK11_INSTALL_FILE_NOT_READABLE,
-	PK11_INSTALL_ERROR_STRING,
-	PK11_INSTALL_JAR_ERROR,
-	PK11_INSTALL_NO_INSTALLER_SCRIPT,
-	PK11_INSTALL_DELETE_TEMP_FILE,
-	PK11_INSTALL_OPEN_SCRIPT_FILE,
-	PK11_INSTALL_SCRIPT_PARSE,
-	PK11_INSTALL_SEMANTIC,
-	PK11_INSTALL_SYSINFO,
-	PK11_INSTALL_NO_PLATFORM,
-	PK11_INSTALL_BOGUS_REL_DIR,
-	PK11_INSTALL_NO_MOD_FILE,
-	PK11_INSTALL_ADD_MODULE,
-	PK11_INSTALL_JAR_EXTRACT,
-	PK11_INSTALL_DIR_NOT_WRITEABLE,
-	PK11_INSTALL_CREATE_DIR,
-	PK11_INSTALL_REMOVE_DIR,
-	PK11_INSTALL_EXEC_FILE,
-	PK11_INSTALL_WAIT_PROCESS,
-	PK11_INSTALL_PROC_ERROR,
-	PK11_INSTALL_USER_ABORT,
-	PK11_INSTALL_UNSPECIFIED
-} Pk11Install_Error;
-#define PK11_INSTALL_SUCCESS PK11_INSTALL_NO_ERROR
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ I n i t
- *
- * Does initialization that otherwise would be done on the fly.  Only
- * needs to be called by multithreaded apps, before they make any calls
- * to this library.
- */
-void 
-Pk11Install_Init();
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ S e t E r r o r H a n d l e r
- *
- * Sets the error handler to be used by the library.  Returns the current
- * error handler function.
- */
-Pk11Install_ErrorHandler
-Pk11Install_SetErrorHandler(Pk11Install_ErrorHandler handler);
-
-
-/**************************************************************************
- *
- * P k 1 1 I n s t a l l _ R e l e a s e
- *
- * Releases static data structures used by the library.  Don't use the
- * library after calling this, unless you call Pk11Install_Init()
- * first.  This function doesn't have to be called at all unless you're
- * really anal about freeing memory before your program exits.
- */
-void 
-Pk11Install_Release();
-
-/*************************************************************************
- *
- * P k 1 1 I n s t a l l _ D o I n s t a l l
- *
- * jarFile is the path of a JAR in the PKCS #11 module JAR format.
- * installDir is the directory relative to which files will be
- *   installed.
- * feedback is a file descriptor to which to write informative (not error)
- * status messages: what files are being installed, what modules are being
- * installed.  If feedback==NULL, no messages will be displayed.
- * If force != 0, interactive prompts will be suppressed.
- * If noverify == PR_TRUE, signatures won't be checked on the JAR file.
- */
-Pk11Install_Error
-Pk11Install_DoInstall(char *jarFile, const char *installDir,
-	const char *tempDir, PRFileDesc *feedback, short force,
-	PRBool noverify);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /*PK11INSTALL_H*/
diff --git a/security/nss/cmd/modutil/installparse.c b/security/nss/cmd/modutil/installparse.c
deleted file mode 100644
index 1d85d213a..000000000
--- a/security/nss/cmd/modutil/installparse.c
+++ /dev/null
@@ -1,429 +0,0 @@
-#ifndef lint
-char yysccsid[] = "@(#)yaccpar	1.4 (Berkeley) 02/25/90";
-#endif
-#line 37 "installparse.y"
- 
-#define yyparse Pk11Install_yyparse
-#define yylex Pk11Install_yylex
-#define yyerror Pk11Install_yyerror
-#define yychar Pk11Install_yychar
-#define yyval Pk11Install_yyval
-#define yylval Pk11Install_yylval
-#define yydebug Pk11Install_yydebug
-#define yynerrs Pk11Install_yynerrs
-#define yyerrflag Pk11Install_yyerrflag
-#define yyss Pk11Install_yyss
-#define yyssp Pk11Install_yyssp
-#define yyvs Pk11Install_yyvs
-#define yyvsp Pk11Install_yyvsp
-#define yylhs Pk11Install_yylhs
-#define yylen Pk11Install_yylen
-#define yydefred Pk11Install_yydefred
-#define yydgoto Pk11Install_yydgoto
-#define yysindex Pk11Install_yysindex
-#define yyrindex Pk11Install_yyrindex
-#define yygindex Pk11Install_yygindex
-#define yytable Pk11Install_yytable
-#define yycheck Pk11Install_yycheck
-#define yyname Pk11Install_yyname
-#define yyrule Pk11Install_yyrule
-
-/* C Stuff */
-#include "install-ds.h"
-#include <prprf.h>
-
-#define YYSTYPE Pk11Install_Pointer
-extern char *Pk11Install_yytext;
-char *Pk11Install_yyerrstr=NULL;
-
-#line 40 "ytab.c"
-#define OPENBRACE 257
-#define CLOSEBRACE 258
-#define STRING 259
-#define YYERRCODE 256
-short yylhs[] = {                                        -1,
-    0,    1,    1,    2,    2,    3,    4,
-};
-short yylen[] = {                                         2,
-    1,    2,    0,    1,    1,    4,    1,
-};
-short yydefred[] = {                                      0,
-    0,    0,    1,    0,    4,    0,    2,    0,    0,    6,
-};
-short yydgoto[] = {                                       2,
-    3,    4,    5,    6,
-};
-short yysindex[] = {                                   -257,
-    0,    0,    0, -257,    0, -252,    0, -257, -251,    0,
-};
-short yyrindex[] = {                                      6,
-    1,    0,    0,    3,    0,    0,    0, -250,    0,    0,
-};
-short yygindex[] = {                                      0,
-   -4,    0,    0,    0,
-};
-#define YYTABLESIZE 261
-short yytable[] = {                                       7,
-    5,    1,    3,    9,    8,    3,   10,    3,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-    0,    0,    0,    0,    0,    0,    0,    7,    5,    5,
-    3,
-};
-short yycheck[] = {                                       4,
-    0,  259,    0,    8,  257,    0,  258,  258,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
-   -1,   -1,   -1,   -1,   -1,   -1,   -1,  257,  258,  259,
-  258,
-};
-#define YYFINAL 2
-#ifndef YYDEBUG
-#define YYDEBUG 0
-#endif
-#define YYMAXTOKEN 259
-#if YYDEBUG
-char *yyname[] = {
-"end-of-file",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"OPENBRACE","CLOSEBRACE","STRING",
-};
-char *yyrule[] = {
-"$accept : toplist",
-"toplist : valuelist",
-"valuelist : value valuelist",
-"valuelist :",
-"value : key_value_pair",
-"value : STRING",
-"key_value_pair : key OPENBRACE valuelist CLOSEBRACE",
-"key : STRING",
-};
-#endif
-#ifndef YYSTYPE
-typedef int YYSTYPE;
-#endif
-#define yyclearin (yychar=(-1))
-#define yyerrok (yyerrflag=0)
-#ifndef YYSTACKSIZE
-#ifdef YYMAXDEPTH
-#define YYSTACKSIZE YYMAXDEPTH
-#else
-#define YYSTACKSIZE 300
-#endif
-#endif
-int yydebug;
-int yynerrs;
-int yyerrflag;
-int yychar;
-short *yyssp;
-YYSTYPE *yyvsp;
-YYSTYPE yyval;
-YYSTYPE yylval;
-#define yystacksize YYSTACKSIZE
-short yyss[YYSTACKSIZE];
-YYSTYPE yyvs[YYSTACKSIZE];
-#line 118 "installparse.y"
-/*----------------------- Program Section --------------------------------*/
-
-/*************************************************************************/
-void
-Pk11Install_yyerror(char *message)
-{
-	char *tmp;
-	if(Pk11Install_yyerrstr) {
-		tmp=PR_smprintf("%sline %d: %s\n", Pk11Install_yyerrstr,
-			Pk11Install_yylinenum, message);
-		PR_smprintf_free(Pk11Install_yyerrstr);
-	} else {
-		tmp = PR_smprintf("line %d: %s\n", Pk11Install_yylinenum, message);
-	}
-	Pk11Install_yyerrstr=tmp;
-}
-#line 191 "ytab.c"
-#define YYABORT goto yyabort
-#define YYACCEPT goto yyaccept
-#define YYERROR goto yyerrlab
-int
-yyparse()
-{
-    register int yym, yyn, yystate;
-#if YYDEBUG
-    register char *yys;
-    extern char *getenv();
-
-    if (yys = getenv("YYDEBUG"))
-    {
-        yyn = *yys;
-        if (yyn >= '0' && yyn <= '9')
-            yydebug = yyn - '0';
-    }
-#endif
-
-    yynerrs = 0;
-    yyerrflag = 0;
-    yychar = (-1);
-
-    yyssp = yyss;
-    yyvsp = yyvs;
-    *yyssp = yystate = 0;
-
-yyloop:
-    if (yyn = yydefred[yystate]) goto yyreduce;
-    if (yychar < 0)
-    {
-        if ((yychar = yylex()) < 0) yychar = 0;
-#if YYDEBUG
-        if (yydebug)
-        {
-            yys = 0;
-            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
-            if (!yys) yys = "illegal-symbol";
-            printf("yydebug: state %d, reading %d (%s)\n", yystate,
-                    yychar, yys);
-        }
-#endif
-    }
-    if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
-            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
-    {
-#if YYDEBUG
-        if (yydebug)
-            printf("yydebug: state %d, shifting to state %d\n",
-                    yystate, yytable[yyn]);
-#endif
-        if (yyssp >= yyss + yystacksize - 1)
-        {
-            goto yyoverflow;
-        }
-        *++yyssp = yystate = yytable[yyn];
-        *++yyvsp = yylval;
-        yychar = (-1);
-        if (yyerrflag > 0)  --yyerrflag;
-        goto yyloop;
-    }
-    if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
-            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
-    {
-        yyn = yytable[yyn];
-        goto yyreduce;
-    }
-    if (yyerrflag) goto yyinrecovery;
-#ifdef lint
-    goto yynewerror;
-yynewerror:
-#endif
-    yyerror("syntax error");
-#ifdef lint
-    goto yyerrlab;
-yyerrlab:
-#endif
-    ++yynerrs;
-yyinrecovery:
-    if (yyerrflag < 3)
-    {
-        yyerrflag = 3;
-        for (;;)
-        {
-            if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE) >= 0 &&
-                    yyn <= YYTABLESIZE && yycheck[yyn] == YYERRCODE)
-            {
-#if YYDEBUG
-                if (yydebug)
-                    printf("yydebug: state %d, error recovery shifting\
- to state %d\n", *yyssp, yytable[yyn]);
-#endif
-                if (yyssp >= yyss + yystacksize - 1)
-                {
-                    goto yyoverflow;
-                }
-                *++yyssp = yystate = yytable[yyn];
-                *++yyvsp = yylval;
-                goto yyloop;
-            }
-            else
-            {
-#if YYDEBUG
-                if (yydebug)
-                    printf("yydebug: error recovery discarding state %d\n",
-                            *yyssp);
-#endif
-                if (yyssp <= yyss) goto yyabort;
-                --yyssp;
-                --yyvsp;
-            }
-        }
-    }
-    else
-    {
-        if (yychar == 0) goto yyabort;
-#if YYDEBUG
-        if (yydebug)
-        {
-            yys = 0;
-            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
-            if (!yys) yys = "illegal-symbol";
-            printf("yydebug: state %d, error recovery discards token %d (%s)\n",
-                    yystate, yychar, yys);
-        }
-#endif
-        yychar = (-1);
-        goto yyloop;
-    }
-yyreduce:
-#if YYDEBUG
-    if (yydebug)
-        printf("yydebug: state %d, reducing by rule %d (%s)\n",
-                yystate, yyn, yyrule[yyn]);
-#endif
-    yym = yylen[yyn];
-    yyval = yyvsp[1-yym];
-    switch (yyn)
-    {
-case 1:
-#line 84 "installparse.y"
-{
-	Pk11Install_valueList = yyvsp[0].list;
-}
-break;
-case 2:
-#line 89 "installparse.y"
-{ 
-	Pk11Install_ValueList_AddItem(yyvsp[0].list,yyvsp[-1].value);
-	yyval .list = yyvsp[0].list; 
-}
-break;
-case 3:
-#line 94 "installparse.y"
-{ 
-	yyval .list = Pk11Install_ValueList_new(); 
-}
-break;
-case 4:
-#line 99 "installparse.y"
-{
-	yyval .value= Pk11Install_Value_new(PAIR_VALUE,yyvsp[0]);
-}
-break;
-case 5:
-#line 103 "installparse.y"
-{
-	yyval .value= Pk11Install_Value_new(STRING_VALUE, yyvsp[0]);
-}
-break;
-case 6:
-#line 108 "installparse.y"
-{
-	yyval .pair = Pk11Install_Pair_new(yyvsp[-3].string,yyvsp[-1].list);
-}
-break;
-case 7:
-#line 113 "installparse.y"
-{
-	yyval .string = yyvsp[0].string;
-}
-break;
-#line 374 "ytab.c"
-    }
-    yyssp -= yym;
-    yystate = *yyssp;
-    yyvsp -= yym;
-    yym = yylhs[yyn];
-    if (yystate == 0 && yym == 0)
-    {
-#ifdef YYDEBUG
-        if (yydebug)
-            printf("yydebug: after reduction, shifting from state 0 to\
- state %d\n", YYFINAL);
-#endif
-        yystate = YYFINAL;
-        *++yyssp = YYFINAL;
-        *++yyvsp = yyval;
-        if (yychar < 0)
-        {
-            if ((yychar = yylex()) < 0) yychar = 0;
-#if YYDEBUG
-            if (yydebug)
-            {
-                yys = 0;
-                if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
-                if (!yys) yys = "illegal-symbol";
-                printf("yydebug: state %d, reading %d (%s)\n",
-                        YYFINAL, yychar, yys);
-            }
-#endif
-        }
-        if (yychar == 0) goto yyaccept;
-        goto yyloop;
-    }
-    if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
-            yyn <= YYTABLESIZE && yycheck[yyn] == yystate)
-        yystate = yytable[yyn];
-    else
-        yystate = yydgoto[yym];
-#ifdef YYDEBUG
-    if (yydebug)
-        printf("yydebug: after reduction, shifting from state %d \
-to state %d\n", *yyssp, yystate);
-#endif
-    if (yyssp >= yyss + yystacksize - 1)
-    {
-        goto yyoverflow;
-    }
-    *++yyssp = yystate;
-    *++yyvsp = yyval;
-    goto yyloop;
-yyoverflow:
-    yyerror("yacc stack overflow");
-yyabort:
-    return (1);
-yyaccept:
-    return (0);
-}
diff --git a/security/nss/cmd/modutil/installparse.h b/security/nss/cmd/modutil/installparse.h
deleted file mode 100644
index 75686d4fd..000000000
--- a/security/nss/cmd/modutil/installparse.h
+++ /dev/null
@@ -1,3 +0,0 @@
-#define OPENBRACE 257
-#define CLOSEBRACE 258
-#define STRING 259
diff --git a/security/nss/cmd/modutil/installparse.l b/security/nss/cmd/modutil/installparse.l
deleted file mode 100644
index 3881ea530..000000000
--- a/security/nss/cmd/modutil/installparse.l
+++ /dev/null
@@ -1,169 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-/* lex file for analyzing PKCS #11 Module installation instructions */
-
-/*----------------------------- Definitions ---------------------------*/
-%{
-#include <string.h>
-
-#include "install-ds.h"		/* defines tokens and data structures */
-#include "installparse.h"	/* produced by yacc -d */
-#include <prprf.h>
-static char *putSimpleString(char*);	/* return copy of string */
-static char *putComplexString(char*);	/* strip out quotes, deal with */
-											/* escaped characters */
-
-void Pk11Install_yyerror(char *);
-
-/* Overrides to use NSPR */
-#define malloc PR_Malloc
-#define realloc PR_Realloc
-#define free PR_Free
-
-int Pk11Install_yylinenum=1;
-static char *err;
-
-#define YY_NEVER_INTERACTIVE 1
-#define yyunput Pkcs11Install_yyunput
-
-/* This is the default YY_INPUT modified for NSPR */
-#define YY_INPUT(buf,result,max_size) \
-	if ( yy_current_buffer->yy_is_interactive ) { \
-		char c; \
-		int n; \
-		for ( n = 0; n < max_size && \
-		  PR_Read(Pk11Install_FD, &c, 1)==1 && c != '\n'; ++n ) { \
-			buf[n] = c; \
-		} \
-        if ( c == '\n' ) { \
-            buf[n++] = c; \
-		} \
-        result = n; \
-	} else { \
-		result = PR_Read(Pk11Install_FD, buf, max_size); \
-	}
-
-%}
-
-/*** Regular expression definitions ***/
-/* simple_string has no whitespace, quotes, or braces */
-simple_string		[^ \t\r\n\""{""}"]+
-
-/* complex_string is enclosed in quotes. Inside the quotes, quotes and
-   backslashes must be backslash-escaped. No newlines or carriage returns
-   are allowed inside the quotes. Otherwise, anything goes. */
-complex_string		\"([^\"\\\r\n]|(\\\")|(\\\\))+\"
-
-/* Standard whitespace */
-whitespace			[ \t\r]+
-
-other				.
-
-/*---------------------------- Actions --------------------------------*/
-%%
-
-"{"					return OPENBRACE;
-"}"					return CLOSEBRACE;
-{simple_string}		{Pk11Install_yylval.string =
-						putSimpleString(Pk11Install_yytext);
-						return STRING;}
-{complex_string}	{Pk11Install_yylval.string =
-						putComplexString(Pk11Install_yytext);
-						return STRING;}
-
-"\n"				Pk11Install_yylinenum++;
-
-{whitespace}		;
-
-{other}				{err = PR_smprintf("Invalid lexeme: %s",Pk11Install_yytext);
-						Pk11Install_yyerror(err);
-						PR_smprintf_free(err);
-						return 1;
-					}
-
-%%
-/*------------------------ Program Section ----------------------------*/
-
-PRFileDesc *Pk11Install_FD=NULL;
-
-/*************************************************************************/
-/* dummy function required by lex */
-int Pk11Install_yywrap(void) { return 1;}
-
-/*************************************************************************/
-/* Return a copy of the given string */
-static char*
-putSimpleString(char *str)
-{
-	char *tmp = (char*) PR_Malloc(strlen(str)+1);
-	strcpy(tmp, str);
-	return tmp;
-}
-
-/*************************************************************************/
-/* Strip out quotes, replace escaped characters with what they stand for.
-   This function assumes that what is passed in is actually a complex
-   string, so error checking is lax. */
-static char*
-putComplexString(char *str)
-{
-	int size, i,j;
-	char *tmp;
-
-	if(!str) {
-		return NULL;
-	}
-	size = strlen(str);
-
-	/* Allocate the new space.  This string will actually be too big, 
-		since quotes and backslashes will be stripped out.  But that's ok. */
-	tmp = (char*) PR_Malloc(size+1);
-
-	/* Copy it over */
-	for(i=0, j=0; i < size; i++) {
-		if(str[i]=='\"') {
-			continue;  /* skip un-escaped quotes */
-		} else if(str[i]=='\\') {
-			++i;       /* escaped character. skip the backslash */
-		}
-		tmp[j++] = str[i];
-	}
-	tmp[j] = '\0';
-
-	return tmp;
-}
diff --git a/security/nss/cmd/modutil/installparse.y b/security/nss/cmd/modutil/installparse.y
deleted file mode 100644
index 003f04628..000000000
--- a/security/nss/cmd/modutil/installparse.y
+++ /dev/null
@@ -1,136 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* yacc file for parsing PKCS #11 module installation instructions */
-/*------------------------ Definition Section ---------------------------*/
-
-%{ 
-#define yyparse Pk11Install_yyparse
-#define yylex Pk11Install_yylex
-#define yyerror Pk11Install_yyerror
-#define yychar Pk11Install_yychar
-#define yyval Pk11Install_yyval
-#define yylval Pk11Install_yylval
-#define yydebug Pk11Install_yydebug
-#define yynerrs Pk11Install_yynerrs
-#define yyerrflag Pk11Install_yyerrflag
-#define yyss Pk11Install_yyss
-#define yyssp Pk11Install_yyssp
-#define yyvs Pk11Install_yyvs
-#define yyvsp Pk11Install_yyvsp
-#define yylhs Pk11Install_yylhs
-#define yylen Pk11Install_yylen
-#define yydefred Pk11Install_yydefred
-#define yydgoto Pk11Install_yydgoto
-#define yysindex Pk11Install_yysindex
-#define yyrindex Pk11Install_yyrindex
-#define yygindex Pk11Install_yygindex
-#define yytable Pk11Install_yytable
-#define yycheck Pk11Install_yycheck
-#define yyname Pk11Install_yyname
-#define yyrule Pk11Install_yyrule
-
-/* C Stuff */
-#include "install-ds.h"
-#include <prprf.h>
-
-#define YYSTYPE Pk11Install_Pointer
-extern char *Pk11Install_yytext;
-char *Pk11Install_yyerrstr=NULL;
-
-%}
-
-/* Tokens */
-%token OPENBRACE
-%token CLOSEBRACE
-%token STRING
-%start toplist
-
-%%
-
-/*--------------------------- Productions -------------------------------*/
-
-toplist		: valuelist	
-{
-	Pk11Install_valueList = $1.list;
-}
-
-valuelist	: value valuelist
-{ 
-	Pk11Install_ValueList_AddItem($2.list,$1.value);
-	$$.list = $2.list; 
-}
-|
-{ 
-	$$.list = Pk11Install_ValueList_new(); 
-};
-
-value		: key_value_pair
-{
-	$$.value= Pk11Install_Value_new(PAIR_VALUE,$1);
-}
-| STRING
-{
-	$$.value= Pk11Install_Value_new(STRING_VALUE, $1);
-};
-
-key_value_pair	: key OPENBRACE valuelist CLOSEBRACE 
-{
-	$$.pair = Pk11Install_Pair_new($1.string,$3.list);
-};
-
-key			: STRING
-{
-	$$.string = $1.string;
-};
-
-%%
-/*----------------------- Program Section --------------------------------*/
-
-/*************************************************************************/
-void
-Pk11Install_yyerror(char *message)
-{
-	char *tmp;
-	if(Pk11Install_yyerrstr) {
-		tmp=PR_smprintf("%sline %d: %s\n", Pk11Install_yyerrstr,
-			Pk11Install_yylinenum, message);
-		PR_smprintf_free(Pk11Install_yyerrstr);
-	} else {
-		tmp = PR_smprintf("line %d: %s\n", Pk11Install_yylinenum, message);
-	}
-	Pk11Install_yyerrstr=tmp;
-}
diff --git a/security/nss/cmd/modutil/instsec.c b/security/nss/cmd/modutil/instsec.c
deleted file mode 100644
index cfc008234..000000000
--- a/security/nss/cmd/modutil/instsec.c
+++ /dev/null
@@ -1,181 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <plarena.h>
-#include <prio.h>
-#include <prprf.h>
-#include <seccomon.h>
-#include <secmod.h>
-#include <jar.h>
-#include <secutil.h>
-
-/* These are installation functions that make calls to the security library.
- * We don't want to include security include files in the C++ code too much.
- */
-
-static char* PR_fgets(char *buf, int size, PRFileDesc *file);
-
-/***************************************************************************
- *
- * P k 1 1 I n s t a l l _ A d d N e w M o d u l e
- */
-int
-Pk11Install_AddNewModule(char* moduleName, char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags)
-{
-	return (SECMOD_AddNewModule(moduleName, dllPath,
-		SECMOD_PubMechFlagstoInternal(defaultMechanismFlags),
-		SECMOD_PubCipherFlagstoInternal(cipherEnableFlags))
-													== SECSuccess) ? 0 : -1;
-}
-
-/*************************************************************************
- *
- * P k 1 1 I n s t a l l _ U s e r V e r i f y J a r
- *
- * Gives the user feedback on the signatures of a JAR files, asks them
- * whether they actually want to continue.
- * Assumes the jar structure has already been created and is valid.
- * Returns 0 if the user wants to continue the installation, nonzero
- * if the user wishes to abort.
- */
-short
-Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out, PRBool query)
-{
-	JAR_Context *ctx;
-	JAR_Cert *fing;
-	JAR_Item *item;
-	char stdinbuf[80];
-	int count=0;
-
-	CERTCertificate *cert, *prev=NULL;
-
-	PR_fprintf(out, "\nThis installation JAR file was signed by:\n");
-
-	ctx = JAR_find(jar, NULL, jarTypeSign);
-
-	while(JAR_find_next(ctx, &item) >= 0 ) {
-		fing = (JAR_Cert*) item->data;
-		cert = fing->cert;
-		if(cert==prev) {
-			continue;
-		}
-
-		count++;
-		PR_fprintf(out, "----------------------------------------------\n");
-		if(cert) {
-			if(cert->nickname) {
-				PR_fprintf(out, "**NICKNAME**\n%s\n", cert->nickname);
-			}
-			if(cert->subjectName) {
-				PR_fprintf(out, "**SUBJECT NAME**\n%s\n", cert->subjectName); }
-			if(cert->issuerName) {
-				PR_fprintf(out, "**ISSUER NAME**\n%s\n", cert->issuerName);
-			}
-		} else {
-			PR_fprintf(out, "No matching certificate could be found.\n");
-		}
-		PR_fprintf(out, "----------------------------------------------\n\n");
-
-		prev=cert;
-	}
-
-	JAR_find_end(ctx);
-
-	if(count==0) {
-		PR_fprintf(out, "No signatures found: JAR FILE IS UNSIGNED.\n");
-	}
-
-	if(query) {
-		PR_fprintf(out,
-"Do you wish to continue this installation? (y/n) ");
-
-		if(PR_fgets(stdinbuf, 80, PR_STDIN) != NULL) {
-			char *response;
-
-			if( (response=strtok(stdinbuf, " \t\n\r")) ) {
-				if( !PL_strcasecmp(response, "y") ||
-					!PL_strcasecmp(response, "yes") ) {
-					return 0;
-				}
-			}
-		}
-	}
-
-	return 1;
-}
-
-/**************************************************************************
- *
- * P R _ f g e t s
- *
- * fgets implemented with NSPR.
- */
-static char*
-PR_fgets(char *buf, int size, PRFileDesc *file)
-{
-    int i;
-    int status;
-    char c;
-
-    i=0;
-    while(i < size-1) {
-        status = PR_Read(file, (void*) &c, 1);
-        if(status==-1) {
-            return NULL;
-        } else if(status==0) {
-            break;
-        }
-        buf[i++] = c;
-        if(c=='\n') {
-            break;
-        }
-    }
-    buf[i]='\0';
-
-    return buf;
-}
-
-/**************************************************************************
- *
- * m y S E C U _ E r r o r S t r i n g
- *
- */
-const char* mySECU_ErrorString(int16 errnum)
-{
-	return SECU_Strerror(errnum);
-}
diff --git a/security/nss/cmd/modutil/lex.Pk11Install_yy.c b/security/nss/cmd/modutil/lex.Pk11Install_yy.c
deleted file mode 100644
index 1c123e578..000000000
--- a/security/nss/cmd/modutil/lex.Pk11Install_yy.c
+++ /dev/null
@@ -1,1694 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#define yy_create_buffer Pk11Install_yy_create_buffer
-#define yy_delete_buffer Pk11Install_yy_delete_buffer
-#define yy_scan_buffer Pk11Install_yy_scan_buffer
-#define yy_scan_string Pk11Install_yy_scan_string
-#define yy_scan_bytes Pk11Install_yy_scan_bytes
-#define yy_flex_debug Pk11Install_yy_flex_debug
-#define yy_init_buffer Pk11Install_yy_init_buffer
-#define yy_flush_buffer Pk11Install_yy_flush_buffer
-#define yy_load_buffer_state Pk11Install_yy_load_buffer_state
-#define yy_switch_to_buffer Pk11Install_yy_switch_to_buffer
-#define yyin Pk11Install_yyin
-#define yyleng Pk11Install_yyleng
-#define yylex Pk11Install_yylex
-#define yyout Pk11Install_yyout
-#define yyrestart Pk11Install_yyrestart
-#define yytext Pk11Install_yytext
-#define yywrap Pk11Install_yywrap
-
-#line 20 "lex.Pk11Install_yy.c"
-/* A lexical scanner generated by flex */
-
-/* Scanner skeleton version:
- * $Header$
- */
-
-#define FLEX_SCANNER
-#define YY_FLEX_MAJOR_VERSION 2
-#define YY_FLEX_MINOR_VERSION 5
-
-#include <stdio.h>
-
-
-/* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
-#ifdef c_plusplus
-#ifndef __cplusplus
-#define __cplusplus
-#endif
-#endif
-
-
-#ifdef __cplusplus
-
-#include <stdlib.h>
-//#include <unistd.h>
-
-/* Use prototypes in function declarations. */
-#define YY_USE_PROTOS
-
-/* The "const" storage-class-modifier is valid. */
-#define YY_USE_CONST
-
-#else	/* ! __cplusplus */
-
-#if __STDC__
-
-#define YY_USE_PROTOS
-#define YY_USE_CONST
-
-#endif	/* __STDC__ */
-#endif	/* ! __cplusplus */
-
-#ifdef __TURBOC__
- #pragma warn -rch
- #pragma warn -use
-#include <io.h>
-#include <stdlib.h>
-#define YY_USE_CONST
-#define YY_USE_PROTOS
-#endif
-
-#ifdef YY_USE_CONST
-#define yyconst const
-#else
-#define yyconst
-#endif
-
-
-#ifdef YY_USE_PROTOS
-#define YY_PROTO(proto) proto
-#else
-#define YY_PROTO(proto) ()
-#endif
-
-/* Returned upon end-of-file. */
-#define YY_NULL 0
-
-/* Promotes a possibly negative, possibly signed char to an unsigned
- * integer for use as an array index.  If the signed char is negative,
- * we want to instead treat it as an 8-bit unsigned char, hence the
- * double cast.
- */
-#define YY_SC_TO_UI(c) ((unsigned int) (unsigned char) c)
-
-/* Enter a start condition.  This macro really ought to take a parameter,
- * but we do it the disgusting crufty way forced on us by the ()-less
- * definition of BEGIN.
- */
-#define BEGIN yy_start = 1 + 2 *
-
-/* Translate the current start state into a value that can be later handed
- * to BEGIN to return to the state.  The YYSTATE alias is for lex
- * compatibility.
- */
-#define YY_START ((yy_start - 1) / 2)
-#define YYSTATE YY_START
-
-/* Action number for EOF rule of a given start state. */
-#define YY_STATE_EOF(state) (YY_END_OF_BUFFER + state + 1)
-
-/* Special action meaning "start processing a new file". */
-#define YY_NEW_FILE yyrestart( yyin )
-
-#define YY_END_OF_BUFFER_CHAR 0
-
-/* Size of default input buffer. */
-#define YY_BUF_SIZE 16384
-
-typedef struct yy_buffer_state *YY_BUFFER_STATE;
-
-extern int yyleng;
-extern FILE *yyin, *yyout;
-
-#define EOB_ACT_CONTINUE_SCAN 0
-#define EOB_ACT_END_OF_FILE 1
-#define EOB_ACT_LAST_MATCH 2
-
-/* The funky do-while in the following #define is used to turn the definition
- * int a single C statement (which needs a semi-colon terminator).  This
- * avoids problems with code like:
- *
- * 	if ( condition_holds )
- *		yyless( 5 );
- *	else
- *		do_something_else();
- *
- * Prior to using the do-while the compiler would get upset at the
- * "else" because it interpreted the "if" statement as being all
- * done when it reached the ';' after the yyless() call.
- */
-
-/* Return all but the first 'n' matched characters back to the input stream. */
-
-#define yyless(n) \
-	do \
-		{ \
-		/* Undo effects of setting up yytext. */ \
-		*yy_cp = yy_hold_char; \
-		YY_RESTORE_YY_MORE_OFFSET \
-		yy_c_buf_p = yy_cp = yy_bp + n - YY_MORE_ADJ; \
-		YY_DO_BEFORE_ACTION; /* set up yytext again */ \
-		} \
-	while ( 0 )
-
-#define unput(c) yyunput( c, yytext_ptr )
-
-/* The following is because we cannot portably get our hands on size_t
- * (without autoconf's help, which isn't available because we want
- * flex-generated scanners to compile on their own).
- */
-typedef unsigned int yy_size_t;
-
-
-struct yy_buffer_state
-	{
-	FILE *yy_input_file;
-
-	char *yy_ch_buf;		/* input buffer */
-	char *yy_buf_pos;		/* current position in input buffer */
-
-	/* Size of input buffer in bytes, not including room for EOB
-	 * characters.
-	 */
-	yy_size_t yy_buf_size;
-
-	/* Number of characters read into yy_ch_buf, not including EOB
-	 * characters.
-	 */
-	int yy_n_chars;
-
-	/* Whether we "own" the buffer - i.e., we know we created it,
-	 * and can realloc() it to grow it, and should free() it to
-	 * delete it.
-	 */
-	int yy_is_our_buffer;
-
-	/* Whether this is an "interactive" input source; if so, and
-	 * if we're using stdio for input, then we want to use getc()
-	 * instead of fread(), to make sure we stop fetching input after
-	 * each newline.
-	 */
-	int yy_is_interactive;
-
-	/* Whether we're considered to be at the beginning of a line.
-	 * If so, '^' rules will be active on the next match, otherwise
-	 * not.
-	 */
-	int yy_at_bol;
-
-	/* Whether to try to fill the input buffer when we reach the
-	 * end of it.
-	 */
-	int yy_fill_buffer;
-
-	int yy_buffer_status;
-#define YY_BUFFER_NEW 0
-#define YY_BUFFER_NORMAL 1
-	/* When an EOF's been seen but there's still some text to process
-	 * then we mark the buffer as YY_EOF_PENDING, to indicate that we
-	 * shouldn't try reading from the input source any more.  We might
-	 * still have a bunch of tokens to match, though, because of
-	 * possible backing-up.
-	 *
-	 * When we actually see the EOF, we change the status to "new"
-	 * (via yyrestart()), so that the user can continue scanning by
-	 * just pointing yyin at a new input file.
-	 */
-#define YY_BUFFER_EOF_PENDING 2
-	};
-
-static YY_BUFFER_STATE yy_current_buffer = 0;
-
-/* We provide macros for accessing buffer states in case in the
- * future we want to put the buffer states in a more general
- * "scanner state".
- */
-#define YY_CURRENT_BUFFER yy_current_buffer
-
-
-/* yy_hold_char holds the character lost when yytext is formed. */
-static char yy_hold_char;
-
-static int yy_n_chars;		/* number of characters read into yy_ch_buf */
-
-
-int yyleng;
-
-/* Points to current character in buffer. */
-static char *yy_c_buf_p = (char *) 0;
-static int yy_init = 1;		/* whether we need to initialize */
-static int yy_start = 0;	/* start state number */
-
-/* Flag which is used to allow yywrap()'s to do buffer switches
- * instead of setting up a fresh yyin.  A bit of a hack ...
- */
-static int yy_did_buffer_switch_on_eof;
-
-void yyrestart YY_PROTO(( FILE *input_file ));
-
-void yy_switch_to_buffer YY_PROTO(( YY_BUFFER_STATE new_buffer ));
-void yy_load_buffer_state YY_PROTO(( void ));
-YY_BUFFER_STATE yy_create_buffer YY_PROTO(( FILE *file, int size ));
-void yy_delete_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-void yy_init_buffer YY_PROTO(( YY_BUFFER_STATE b, FILE *file ));
-void yy_flush_buffer YY_PROTO(( YY_BUFFER_STATE b ));
-#define YY_FLUSH_BUFFER yy_flush_buffer( yy_current_buffer )
-
-YY_BUFFER_STATE yy_scan_buffer YY_PROTO(( char *base, yy_size_t size ));
-YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
-YY_BUFFER_STATE yy_scan_bytes YY_PROTO(( yyconst char *bytes, int len ));
-
-static void *yy_flex_alloc YY_PROTO(( yy_size_t ));
-static void *yy_flex_realloc YY_PROTO(( void *, yy_size_t ));
-static void yy_flex_free YY_PROTO(( void * ));
-
-#define yy_new_buffer yy_create_buffer
-
-#define yy_set_interactive(is_interactive) \
-	{ \
-	if ( ! yy_current_buffer ) \
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-	yy_current_buffer->yy_is_interactive = is_interactive; \
-	}
-
-#define yy_set_bol(at_bol) \
-	{ \
-	if ( ! yy_current_buffer ) \
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE ); \
-	yy_current_buffer->yy_at_bol = at_bol; \
-	}
-
-#define YY_AT_BOL() (yy_current_buffer->yy_at_bol)
-
-typedef unsigned char YY_CHAR;
-FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
-typedef int yy_state_type;
-extern char *yytext;
-#define yytext_ptr yytext
-
-static yy_state_type yy_get_previous_state YY_PROTO(( void ));
-static yy_state_type yy_try_NUL_trans YY_PROTO(( yy_state_type current_state ));
-static int yy_get_next_buffer YY_PROTO(( void ));
-static void yy_fatal_error YY_PROTO(( yyconst char msg[] ));
-
-/* Done after the current pattern has been matched and before the
- * corresponding action - sets up yytext.
- */
-#define YY_DO_BEFORE_ACTION \
-	yytext_ptr = yy_bp; \
-	yyleng = (int) (yy_cp - yy_bp); \
-	yy_hold_char = *yy_cp; \
-	*yy_cp = '\0'; \
-	yy_c_buf_p = yy_cp;
-
-#define YY_NUM_RULES 8
-#define YY_END_OF_BUFFER 9
-static yyconst short int yy_accept[16] =
-    {   0,
-        0,    0,    9,    3,    6,    5,    7,    1,    2,    3,
-        6,    0,    0,    4,    0
-    } ;
-
-static yyconst int yy_ec[256] =
-    {   0,
-        1,    1,    1,    1,    1,    1,    1,    1,    2,    3,
-        1,    1,    4,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    2,    1,    5,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    6,    1,    1,    1,    1,    1,    1,    1,    1,
-
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    7,    1,    8,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1
-    } ;
-
-static yyconst int yy_meta[9] =
-    {   0,
-        1,    2,    3,    4,    3,    1,    5,    5
-    } ;
-
-static yyconst short int yy_base[19] =
-    {   0,
-        0,    0,   19,    0,    0,   21,   12,   21,   21,    0,
-        0,    4,    6,   21,   21,   13,   11,   15
-    } ;
-
-static yyconst short int yy_def[19] =
-    {   0,
-       15,    1,   15,   16,   17,   15,   18,   15,   15,   16,
-       17,   18,   15,   15,    0,   15,   15,   15
-    } ;
-
-static yyconst short int yy_nxt[30] =
-    {   0,
-        4,    5,    6,    5,    7,    4,    8,    9,   14,   13,
-       12,   12,   11,   10,   11,   12,   12,   13,   15,   12,
-        3,   15,   15,   15,   15,   15,   15,   15,   15
-    } ;
-
-static yyconst short int yy_chk[30] =
-    {   0,
-        1,    1,    1,    1,    1,    1,    1,    1,   12,   12,
-       13,   13,   17,   16,   17,   18,   18,    7,    3,   18,
-       15,   15,   15,   15,   15,   15,   15,   15,   15
-    } ;
-
-static yy_state_type yy_last_accepting_state;
-static char *yy_last_accepting_cpos;
-
-/* The intent behind this definition is that it'll catch
- * any uses of REJECT which flex missed.
- */
-#define REJECT reject_used_but_not_detected
-#define yymore() yymore_used_but_not_detected
-#define YY_MORE_ADJ 0
-#define YY_RESTORE_YY_MORE_OFFSET
-char *yytext;
-#line 1 "installparse.l"
-#define INITIAL 0
-/* lex file for analyzing PKCS #11 Module installation instructions */
-/*----------------------------- Definitions ---------------------------*/
-#line 5 "installparse.l"
-#include <string.h>
-
-#include "install-ds.h"		/* defines tokens and data structures */
-#include "installparse.h"	/* produced by yacc -d */
-#include <prprf.h>
-static char *putSimpleString(char*);	/* return copy of string */
-static char *putComplexString(char*);	/* strip out quotes, deal with */
-											/* escaped characters */
-
-void Pk11Install_yyerror(char *);
-
-/* Overrides to use NSPR */
-#define malloc PR_Malloc
-#define realloc PR_Realloc
-#define free PR_Free
-
-int Pk11Install_yylinenum=1;
-static char *err;
-
-#define YY_NEVER_INTERACTIVE 1
-#define yyunput Pkcs11Install_yyunput
-
-/* This is the default YY_INPUT modified for NSPR */
-#define YY_INPUT(buf,result,max_size) \
-	if ( yy_current_buffer->yy_is_interactive ) { \
-		char c; \
-		int n; \
-		for ( n = 0; n < max_size && \
-		  PR_Read(Pk11Install_FD, &c, 1)==1 && c != '\n'; ++n ) { \
-			buf[n] = c; \
-		} \
-        if ( c == '\n' ) { \
-            buf[n++] = c; \
-		} \
-        result = n; \
-	} else { \
-		result = PR_Read(Pk11Install_FD, buf, max_size); \
-	}
-
-/*** Regular expression definitions ***/
-/* simple_string has no whitespace, quotes, or braces */
-/* complex_string is enclosed in quotes. Inside the quotes, quotes and
-   backslashes must be backslash-escaped. Otherwise, anything goes. */
-/* Standard whitespace */
-/*---------------------------- Actions --------------------------------*/
-#line 437 "lex.Pk11Install_yy.cpp"
-
-/* Macros after this point can all be overridden by user definitions in
- * section 1.
- */
-
-#ifndef YY_SKIP_YYWRAP
-#ifdef __cplusplus
-extern "C" int yywrap YY_PROTO(( void ));
-#else
-extern int yywrap YY_PROTO(( void ));
-#endif
-#endif
-
-#ifndef YY_NO_UNPUT
-static void yyunput YY_PROTO(( int c, char *buf_ptr ));
-#endif
-
-#ifndef yytext_ptr
-static void yy_flex_strncpy YY_PROTO(( char *, yyconst char *, int ));
-#endif
-
-#ifdef YY_NEED_STRLEN
-static int yy_flex_strlen YY_PROTO(( yyconst char * ));
-#endif
-
-#ifndef YY_NO_INPUT
-#ifdef __cplusplus
-static int yyinput YY_PROTO(( void ));
-#else
-static int input YY_PROTO(( void ));
-#endif
-#endif
-
-#if YY_STACK_USED
-static int yy_start_stack_ptr = 0;
-static int yy_start_stack_depth = 0;
-static int *yy_start_stack = 0;
-#ifndef YY_NO_PUSH_STATE
-static void yy_push_state YY_PROTO(( int new_state ));
-#endif
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state YY_PROTO(( void ));
-#endif
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state YY_PROTO(( void ));
-#endif
-
-#else
-#define YY_NO_PUSH_STATE 1
-#define YY_NO_POP_STATE 1
-#define YY_NO_TOP_STATE 1
-#endif
-
-#ifdef YY_MALLOC_DECL
-YY_MALLOC_DECL
-#else
-#if __STDC__
-#ifndef __cplusplus
-#include <stdlib.h>
-#endif
-#else
-/* Just try to get by without declaring the routines.  This will fail
- * miserably on non-ANSI systems for which sizeof(size_t) != sizeof(int)
- * or sizeof(void*) != sizeof(int).
- */
-#endif
-#endif
-
-/* Amount of stuff to slurp up with each read. */
-#ifndef YY_READ_BUF_SIZE
-#define YY_READ_BUF_SIZE 8192
-#endif
-
-/* Copy whatever the last rule matched to the standard output. */
-
-#ifndef ECHO
-/* This used to be an fputs(), but since the string might contain NUL's,
- * we now use fwrite().
- */
-#define ECHO (void) fwrite( yytext, yyleng, 1, yyout )
-#endif
-
-/* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
- * is returned in "result".
- */
-#ifndef YY_INPUT
-#define YY_INPUT(buf,result,max_size) \
-	if ( yy_current_buffer->yy_is_interactive ) \
-		{ \
-		int c = '*', n; \
-		for ( n = 0; n < max_size && \
-			     (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
-			buf[n] = (char) c; \
-		if ( c == '\n' ) \
-			buf[n++] = (char) c; \
-		if ( c == EOF && ferror( yyin ) ) \
-			YY_FATAL_ERROR( "input in flex scanner failed" ); \
-		result = n; \
-		} \
-	else if ( ((result = fread( buf, 1, max_size, yyin )) == 0) \
-		  && ferror( yyin ) ) \
-		YY_FATAL_ERROR( "input in flex scanner failed" );
-#endif
-
-/* No semi-colon after return; correct usage is to write "yyterminate();" -
- * we don't want an extra ';' after the "return" because that will cause
- * some compilers to complain about unreachable statements.
- */
-#ifndef yyterminate
-#define yyterminate() return YY_NULL
-#endif
-
-/* Number of entries by which start-condition stack grows. */
-#ifndef YY_START_STACK_INCR
-#define YY_START_STACK_INCR 25
-#endif
-
-/* Report a fatal error. */
-#ifndef YY_FATAL_ERROR
-#define YY_FATAL_ERROR(msg) yy_fatal_error( msg )
-#endif
-
-/* Default declaration of generated scanner - a define so the user can
- * easily add parameters.
- */
-#ifndef YY_DECL
-#define YY_DECL int yylex YY_PROTO(( void ))
-#endif
-
-/* Code executed at the beginning of each rule, after yytext and yyleng
- * have been set up.
- */
-#ifndef YY_USER_ACTION
-#define YY_USER_ACTION
-#endif
-
-/* Code executed at the end of each rule. */
-#ifndef YY_BREAK
-#define YY_BREAK break;
-#endif
-
-#define YY_RULE_SETUP \
-	YY_USER_ACTION
-
-YY_DECL
-	{
-	register yy_state_type yy_current_state;
-	register char *yy_cp, *yy_bp;
-	register int yy_act;
-
-#line 60 "installparse.l"
-
-
-#line 591 "lex.Pk11Install_yy.cpp"
-
-	if ( yy_init )
-		{
-		yy_init = 0;
-
-#ifdef YY_USER_INIT
-		YY_USER_INIT;
-#endif
-
-		if ( ! yy_start )
-			yy_start = 1;	/* first start state */
-
-		if ( ! yyin )
-			yyin = stdin;
-
-		if ( ! yyout )
-			yyout = stdout;
-
-		if ( ! yy_current_buffer )
-			yy_current_buffer =
-				yy_create_buffer( yyin, YY_BUF_SIZE );
-
-		yy_load_buffer_state();
-		}
-
-	while ( 1 )		/* loops until end-of-file is reached */
-		{
-		yy_cp = yy_c_buf_p;
-
-		/* Support of yytext. */
-		*yy_cp = yy_hold_char;
-
-		/* yy_bp points to the position in yy_ch_buf of the start of
-		 * the current run.
-		 */
-		yy_bp = yy_cp;
-
-		yy_current_state = yy_start;
-yy_match:
-		do
-			{
-			register YY_CHAR yy_c = yy_ec[YY_SC_TO_UI(*yy_cp)];
-			if ( yy_accept[yy_current_state] )
-				{
-				yy_last_accepting_state = yy_current_state;
-				yy_last_accepting_cpos = yy_cp;
-				}
-			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-				{
-				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 16 )
-					yy_c = yy_meta[(unsigned int) yy_c];
-				}
-			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-			++yy_cp;
-			}
-		while ( yy_base[yy_current_state] != 21 );
-
-yy_find_action:
-		yy_act = yy_accept[yy_current_state];
-		if ( yy_act == 0 )
-			{ /* have to back up */
-			yy_cp = yy_last_accepting_cpos;
-			yy_current_state = yy_last_accepting_state;
-			yy_act = yy_accept[yy_current_state];
-			}
-
-		YY_DO_BEFORE_ACTION;
-
-
-do_action:	/* This label is used only to access EOF actions. */
-
-
-		switch ( yy_act )
-	{ /* beginning of action switch */
-			case 0: /* must back up */
-			/* undo the effects of YY_DO_BEFORE_ACTION */
-			*yy_cp = yy_hold_char;
-			yy_cp = yy_last_accepting_cpos;
-			yy_current_state = yy_last_accepting_state;
-			goto yy_find_action;
-
-case 1:
-YY_RULE_SETUP
-#line 62 "installparse.l"
-return OPENBRACE;
-	YY_BREAK
-case 2:
-YY_RULE_SETUP
-#line 63 "installparse.l"
-return CLOSEBRACE;
-	YY_BREAK
-case 3:
-YY_RULE_SETUP
-#line 64 "installparse.l"
-{Pk11Install_yylval.string =
-						putSimpleString(Pk11Install_yytext);
-						return STRING;}
-	YY_BREAK
-case 4:
-YY_RULE_SETUP
-#line 67 "installparse.l"
-{Pk11Install_yylval.string =
-						putComplexString(Pk11Install_yytext);
-						return STRING;}
-	YY_BREAK
-case 5:
-YY_RULE_SETUP
-#line 71 "installparse.l"
-Pk11Install_yylinenum++;
-	YY_BREAK
-case 6:
-YY_RULE_SETUP
-#line 73 "installparse.l"
-;
-	YY_BREAK
-case 7:
-YY_RULE_SETUP
-#line 75 "installparse.l"
-{err = PR_smprintf("Invalid lexeme: %s",Pk11Install_yytext);
-						Pk11Install_yyerror(err);
-						PR_smprintf_free(err);
-						return 1;
-					}
-	YY_BREAK
-case 8:
-YY_RULE_SETUP
-#line 81 "installparse.l"
-ECHO;
-	YY_BREAK
-#line 722 "lex.Pk11Install_yy.cpp"
-case YY_STATE_EOF(INITIAL):
-	yyterminate();
-
-	case YY_END_OF_BUFFER:
-		{
-		/* Amount of text matched not including the EOB char. */
-		int yy_amount_of_matched_text = (int) (yy_cp - yytext_ptr) - 1;
-
-		/* Undo the effects of YY_DO_BEFORE_ACTION. */
-		*yy_cp = yy_hold_char;
-		YY_RESTORE_YY_MORE_OFFSET
-
-		if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_NEW )
-			{
-			/* We're scanning a new file or input source.  It's
-			 * possible that this happened because the user
-			 * just pointed yyin at a new source and called
-			 * yylex().  If so, then we have to assure
-			 * consistency between yy_current_buffer and our
-			 * globals.  Here is the right place to do so, because
-			 * this is the first action (other than possibly a
-			 * back-up) that will match for the new input source.
-			 */
-			yy_n_chars = yy_current_buffer->yy_n_chars;
-			yy_current_buffer->yy_input_file = yyin;
-			yy_current_buffer->yy_buffer_status = YY_BUFFER_NORMAL;
-			}
-
-		/* Note that here we test for yy_c_buf_p "<=" to the position
-		 * of the first EOB in the buffer, since yy_c_buf_p will
-		 * already have been incremented past the NUL character
-		 * (since all states make transitions on EOB to the
-		 * end-of-buffer state).  Contrast this with the test
-		 * in input().
-		 */
-		if ( yy_c_buf_p <= &yy_current_buffer->yy_ch_buf[yy_n_chars] )
-			{ /* This was really a NUL. */
-			yy_state_type yy_next_state;
-
-			yy_c_buf_p = yytext_ptr + yy_amount_of_matched_text;
-
-			yy_current_state = yy_get_previous_state();
-
-			/* Okay, we're now positioned to make the NUL
-			 * transition.  We couldn't have
-			 * yy_get_previous_state() go ahead and do it
-			 * for us because it doesn't know how to deal
-			 * with the possibility of jamming (and we don't
-			 * want to build jamming into it because then it
-			 * will run more slowly).
-			 */
-
-			yy_next_state = yy_try_NUL_trans( yy_current_state );
-
-			yy_bp = yytext_ptr + YY_MORE_ADJ;
-
-			if ( yy_next_state )
-				{
-				/* Consume the NUL. */
-				yy_cp = ++yy_c_buf_p;
-				yy_current_state = yy_next_state;
-				goto yy_match;
-				}
-
-			else
-				{
-				yy_cp = yy_c_buf_p;
-				goto yy_find_action;
-				}
-			}
-
-		else switch ( yy_get_next_buffer() )
-			{
-			case EOB_ACT_END_OF_FILE:
-				{
-				yy_did_buffer_switch_on_eof = 0;
-
-				if ( yywrap() )
-					{
-					/* Note: because we've taken care in
-					 * yy_get_next_buffer() to have set up
-					 * yytext, we can now set up
-					 * yy_c_buf_p so that if some total
-					 * hoser (like flex itself) wants to
-					 * call the scanner after we return the
-					 * YY_NULL, it'll still work - another
-					 * YY_NULL will get returned.
-					 */
-					yy_c_buf_p = yytext_ptr + YY_MORE_ADJ;
-
-					yy_act = YY_STATE_EOF(YY_START);
-					goto do_action;
-					}
-
-				else
-					{
-					if ( ! yy_did_buffer_switch_on_eof )
-						YY_NEW_FILE;
-					}
-				break;
-				}
-
-			case EOB_ACT_CONTINUE_SCAN:
-				yy_c_buf_p =
-					yytext_ptr + yy_amount_of_matched_text;
-
-				yy_current_state = yy_get_previous_state();
-
-				yy_cp = yy_c_buf_p;
-				yy_bp = yytext_ptr + YY_MORE_ADJ;
-				goto yy_match;
-
-			case EOB_ACT_LAST_MATCH:
-				yy_c_buf_p =
-				&yy_current_buffer->yy_ch_buf[yy_n_chars];
-
-				yy_current_state = yy_get_previous_state();
-
-				yy_cp = yy_c_buf_p;
-				yy_bp = yytext_ptr + YY_MORE_ADJ;
-				goto yy_find_action;
-			}
-		break;
-		}
-
-	default:
-		YY_FATAL_ERROR(
-			"fatal flex scanner internal error--no action found" );
-	} /* end of action switch */
-		} /* end of scanning one token */
-	} /* end of yylex */
-
-
-/* yy_get_next_buffer - try to read in a new buffer
- *
- * Returns a code representing an action:
- *	EOB_ACT_LAST_MATCH -
- *	EOB_ACT_CONTINUE_SCAN - continue scanning from current position
- *	EOB_ACT_END_OF_FILE - end of file
- */
-
-static int yy_get_next_buffer()
-	{
-	register char *dest = yy_current_buffer->yy_ch_buf;
-	register char *source = yytext_ptr;
-	register int number_to_move, i;
-	int ret_val;
-
-	if ( yy_c_buf_p > &yy_current_buffer->yy_ch_buf[yy_n_chars + 1] )
-		YY_FATAL_ERROR(
-		"fatal flex scanner internal error--end of buffer missed" );
-
-	if ( yy_current_buffer->yy_fill_buffer == 0 )
-		{ /* Don't try to fill the buffer, so this is an EOF. */
-		if ( yy_c_buf_p - yytext_ptr - YY_MORE_ADJ == 1 )
-			{
-			/* We matched a single character, the EOB, so
-			 * treat this as a final EOF.
-			 */
-			return EOB_ACT_END_OF_FILE;
-			}
-
-		else
-			{
-			/* We matched some text prior to the EOB, first
-			 * process it.
-			 */
-			return EOB_ACT_LAST_MATCH;
-			}
-		}
-
-	/* Try to read more data. */
-
-	/* First move last chars to start of buffer. */
-	number_to_move = (int) (yy_c_buf_p - yytext_ptr) - 1;
-
-	for ( i = 0; i < number_to_move; ++i )
-		*(dest++) = *(source++);
-
-	if ( yy_current_buffer->yy_buffer_status == YY_BUFFER_EOF_PENDING )
-		/* don't do the read, it's not guaranteed to return an EOF,
-		 * just force an EOF
-		 */
-		yy_current_buffer->yy_n_chars = yy_n_chars = 0;
-
-	else
-		{
-		int num_to_read =
-			yy_current_buffer->yy_buf_size - number_to_move - 1;
-
-		while ( num_to_read <= 0 )
-			{ /* Not enough room in the buffer - grow it. */
-#ifdef YY_USES_REJECT
-			YY_FATAL_ERROR(
-"input buffer overflow, can't enlarge buffer because scanner uses REJECT" );
-#else
-
-			/* just a shorter name for the current buffer */
-			YY_BUFFER_STATE b = yy_current_buffer;
-
-			int yy_c_buf_p_offset =
-				(int) (yy_c_buf_p - b->yy_ch_buf);
-
-			if ( b->yy_is_our_buffer )
-				{
-				int new_size = b->yy_buf_size * 2;
-
-				if ( new_size <= 0 )
-					b->yy_buf_size += b->yy_buf_size / 8;
-				else
-					b->yy_buf_size *= 2;
-
-				b->yy_ch_buf = (char *)
-					/* Include room in for 2 EOB chars. */
-					yy_flex_realloc( (void *) b->yy_ch_buf,
-							 b->yy_buf_size + 2 );
-				}
-			else
-				/* Can't grow it, we don't own it. */
-				b->yy_ch_buf = 0;
-
-			if ( ! b->yy_ch_buf )
-				YY_FATAL_ERROR(
-				"fatal error - scanner input buffer overflow" );
-
-			yy_c_buf_p = &b->yy_ch_buf[yy_c_buf_p_offset];
-
-			num_to_read = yy_current_buffer->yy_buf_size -
-						number_to_move - 1;
-#endif
-			}
-
-		if ( num_to_read > YY_READ_BUF_SIZE )
-			num_to_read = YY_READ_BUF_SIZE;
-
-		/* Read in more data. */
-		YY_INPUT( (&yy_current_buffer->yy_ch_buf[number_to_move]),
-			yy_n_chars, num_to_read );
-
-		yy_current_buffer->yy_n_chars = yy_n_chars;
-		}
-
-	if ( yy_n_chars == 0 )
-		{
-		if ( number_to_move == YY_MORE_ADJ )
-			{
-			ret_val = EOB_ACT_END_OF_FILE;
-			yyrestart( yyin );
-			}
-
-		else
-			{
-			ret_val = EOB_ACT_LAST_MATCH;
-			yy_current_buffer->yy_buffer_status =
-				YY_BUFFER_EOF_PENDING;
-			}
-		}
-
-	else
-		ret_val = EOB_ACT_CONTINUE_SCAN;
-
-	yy_n_chars += number_to_move;
-	yy_current_buffer->yy_ch_buf[yy_n_chars] = YY_END_OF_BUFFER_CHAR;
-	yy_current_buffer->yy_ch_buf[yy_n_chars + 1] = YY_END_OF_BUFFER_CHAR;
-
-	yytext_ptr = &yy_current_buffer->yy_ch_buf[0];
-
-	return ret_val;
-	}
-
-
-/* yy_get_previous_state - get the state just before the EOB char was reached */
-
-static yy_state_type yy_get_previous_state()
-	{
-	register yy_state_type yy_current_state;
-	register char *yy_cp;
-
-	yy_current_state = yy_start;
-
-	for ( yy_cp = yytext_ptr + YY_MORE_ADJ; yy_cp < yy_c_buf_p; ++yy_cp )
-		{
-		register YY_CHAR yy_c = (*yy_cp ? yy_ec[YY_SC_TO_UI(*yy_cp)] : 1);
-		if ( yy_accept[yy_current_state] )
-			{
-			yy_last_accepting_state = yy_current_state;
-			yy_last_accepting_cpos = yy_cp;
-			}
-		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-			{
-			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 16 )
-				yy_c = yy_meta[(unsigned int) yy_c];
-			}
-		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-		}
-
-	return yy_current_state;
-	}
-
-
-/* yy_try_NUL_trans - try to make a transition on the NUL character
- *
- * synopsis
- *	next_state = yy_try_NUL_trans( current_state );
- */
-
-#ifdef YY_USE_PROTOS
-static yy_state_type yy_try_NUL_trans( yy_state_type yy_current_state )
-#else
-static yy_state_type yy_try_NUL_trans( yy_current_state )
-yy_state_type yy_current_state;
-#endif
-	{
-	register int yy_is_jam;
-	register char *yy_cp = yy_c_buf_p;
-
-	register YY_CHAR yy_c = 1;
-	if ( yy_accept[yy_current_state] )
-		{
-		yy_last_accepting_state = yy_current_state;
-		yy_last_accepting_cpos = yy_cp;
-		}
-	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
-		{
-		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 16 )
-			yy_c = yy_meta[(unsigned int) yy_c];
-		}
-	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 15);
-
-	return yy_is_jam ? 0 : yy_current_state;
-	}
-
-
-#ifndef YY_NO_UNPUT
-#ifdef YY_USE_PROTOS
-static void yyunput( int c, register char *yy_bp )
-#else
-static void yyunput( c, yy_bp )
-int c;
-register char *yy_bp;
-#endif
-	{
-	register char *yy_cp = yy_c_buf_p;
-
-	/* undo effects of setting up yytext */
-	*yy_cp = yy_hold_char;
-
-	if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
-		{ /* need to shift things up to make room */
-		/* +2 for EOB chars. */
-		register int number_to_move = yy_n_chars + 2;
-		register char *dest = &yy_current_buffer->yy_ch_buf[
-					yy_current_buffer->yy_buf_size + 2];
-		register char *source =
-				&yy_current_buffer->yy_ch_buf[number_to_move];
-
-		while ( source > yy_current_buffer->yy_ch_buf )
-			*--dest = *--source;
-
-		yy_cp += (int) (dest - source);
-		yy_bp += (int) (dest - source);
-		yy_current_buffer->yy_n_chars =
-			yy_n_chars = yy_current_buffer->yy_buf_size;
-
-		if ( yy_cp < yy_current_buffer->yy_ch_buf + 2 )
-			YY_FATAL_ERROR( "flex scanner push-back overflow" );
-		}
-
-	*--yy_cp = (char) c;
-
-
-	yytext_ptr = yy_bp;
-	yy_hold_char = *yy_cp;
-	yy_c_buf_p = yy_cp;
-	}
-#endif	/* ifndef YY_NO_UNPUT */
-
-
-#ifdef __cplusplus
-static int yyinput()
-#else
-static int input()
-#endif
-	{
-	int c;
-
-	*yy_c_buf_p = yy_hold_char;
-
-	if ( *yy_c_buf_p == YY_END_OF_BUFFER_CHAR )
-		{
-		/* yy_c_buf_p now points to the character we want to return.
-		 * If this occurs *before* the EOB characters, then it's a
-		 * valid NUL; if not, then we've hit the end of the buffer.
-		 */
-		if ( yy_c_buf_p < &yy_current_buffer->yy_ch_buf[yy_n_chars] )
-			/* This was really a NUL. */
-			*yy_c_buf_p = '\0';
-
-		else
-			{ /* need more input */
-			int offset = yy_c_buf_p - yytext_ptr;
-			++yy_c_buf_p;
-
-			switch ( yy_get_next_buffer() )
-				{
-				case EOB_ACT_LAST_MATCH:
-					/* This happens because yy_g_n_b()
-					 * sees that we've accumulated a
-					 * token and flags that we need to
-					 * try matching the token before
-					 * proceeding.  But for input(),
-					 * there's no matching to consider.
-					 * So convert the EOB_ACT_LAST_MATCH
-					 * to EOB_ACT_END_OF_FILE.
-					 */
-
-					/* Reset buffer status. */
-					yyrestart( yyin );
-
-					/* fall through */
-
-				case EOB_ACT_END_OF_FILE:
-					{
-					if ( yywrap() )
-						return EOF;
-
-					if ( ! yy_did_buffer_switch_on_eof )
-						YY_NEW_FILE;
-#ifdef __cplusplus
-					return yyinput();
-#else
-					return input();
-#endif
-					}
-
-				case EOB_ACT_CONTINUE_SCAN:
-					yy_c_buf_p = yytext_ptr + offset;
-					break;
-				}
-			}
-		}
-
-	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
-	*yy_c_buf_p = '\0';	/* preserve yytext */
-	yy_hold_char = *++yy_c_buf_p;
-
-
-	return c;
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yyrestart( FILE *input_file )
-#else
-void yyrestart( input_file )
-FILE *input_file;
-#endif
-	{
-	if ( ! yy_current_buffer )
-		yy_current_buffer = yy_create_buffer( yyin, YY_BUF_SIZE );
-
-	yy_init_buffer( yy_current_buffer, input_file );
-	yy_load_buffer_state();
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_switch_to_buffer( YY_BUFFER_STATE new_buffer )
-#else
-void yy_switch_to_buffer( new_buffer )
-YY_BUFFER_STATE new_buffer;
-#endif
-	{
-	if ( yy_current_buffer == new_buffer )
-		return;
-
-	if ( yy_current_buffer )
-		{
-		/* Flush out information for old buffer. */
-		*yy_c_buf_p = yy_hold_char;
-		yy_current_buffer->yy_buf_pos = yy_c_buf_p;
-		yy_current_buffer->yy_n_chars = yy_n_chars;
-		}
-
-	yy_current_buffer = new_buffer;
-	yy_load_buffer_state();
-
-	/* We don't actually know whether we did this switch during
-	 * EOF (yywrap()) processing, but the only time this flag
-	 * is looked at is after yywrap() is called, so it's safe
-	 * to go ahead and always set it.
-	 */
-	yy_did_buffer_switch_on_eof = 1;
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_load_buffer_state( void )
-#else
-void yy_load_buffer_state()
-#endif
-	{
-	yy_n_chars = yy_current_buffer->yy_n_chars;
-	yytext_ptr = yy_c_buf_p = yy_current_buffer->yy_buf_pos;
-	yyin = yy_current_buffer->yy_input_file;
-	yy_hold_char = *yy_c_buf_p;
-	}
-
-
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_create_buffer( FILE *file, int size )
-#else
-YY_BUFFER_STATE yy_create_buffer( file, size )
-FILE *file;
-int size;
-#endif
-	{
-	YY_BUFFER_STATE b;
-
-	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
-	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
-	b->yy_buf_size = size;
-
-	/* yy_ch_buf has to be 2 characters longer than the size given because
-	 * we need to put in 2 end-of-buffer characters.
-	 */
-	b->yy_ch_buf = (char *) yy_flex_alloc( b->yy_buf_size + 2 );
-	if ( ! b->yy_ch_buf )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_create_buffer()" );
-
-	b->yy_is_our_buffer = 1;
-
-	yy_init_buffer( b, file );
-
-	return b;
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_delete_buffer( YY_BUFFER_STATE b )
-#else
-void yy_delete_buffer( b )
-YY_BUFFER_STATE b;
-#endif
-	{
-	if ( ! b )
-		return;
-
-	if ( b == yy_current_buffer )
-		yy_current_buffer = (YY_BUFFER_STATE) 0;
-
-	if ( b->yy_is_our_buffer )
-		yy_flex_free( (void *) b->yy_ch_buf );
-
-	yy_flex_free( (void *) b );
-	}
-
-
-#ifndef YY_ALWAYS_INTERACTIVE
-#ifndef YY_NEVER_INTERACTIVE
-extern int isatty YY_PROTO(( int ));
-#endif
-#endif
-
-#ifdef YY_USE_PROTOS
-void yy_init_buffer( YY_BUFFER_STATE b, FILE *file )
-#else
-void yy_init_buffer( b, file )
-YY_BUFFER_STATE b;
-FILE *file;
-#endif
-
-
-	{
-	yy_flush_buffer( b );
-
-	b->yy_input_file = file;
-	b->yy_fill_buffer = 1;
-
-#if YY_ALWAYS_INTERACTIVE
-	b->yy_is_interactive = 1;
-#else
-#if YY_NEVER_INTERACTIVE
-	b->yy_is_interactive = 0;
-#else
-	b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
-#endif
-#endif
-	}
-
-
-#ifdef YY_USE_PROTOS
-void yy_flush_buffer( YY_BUFFER_STATE b )
-#else
-void yy_flush_buffer( b )
-YY_BUFFER_STATE b;
-#endif
-
-	{
-	if ( ! b )
-		return;
-
-	b->yy_n_chars = 0;
-
-	/* We always need two end-of-buffer characters.  The first causes
-	 * a transition to the end-of-buffer state.  The second causes
-	 * a jam in that state.
-	 */
-	b->yy_ch_buf[0] = YY_END_OF_BUFFER_CHAR;
-	b->yy_ch_buf[1] = YY_END_OF_BUFFER_CHAR;
-
-	b->yy_buf_pos = &b->yy_ch_buf[0];
-
-	b->yy_at_bol = 1;
-	b->yy_buffer_status = YY_BUFFER_NEW;
-
-	if ( b == yy_current_buffer )
-		yy_load_buffer_state();
-	}
-
-
-#ifndef YY_NO_SCAN_BUFFER
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_buffer( char *base, yy_size_t size )
-#else
-YY_BUFFER_STATE yy_scan_buffer( base, size )
-char *base;
-yy_size_t size;
-#endif
-	{
-	YY_BUFFER_STATE b;
-
-	if ( size < 2 ||
-	     base[size-2] != YY_END_OF_BUFFER_CHAR ||
-	     base[size-1] != YY_END_OF_BUFFER_CHAR )
-		/* They forgot to leave room for the EOB's. */
-		return 0;
-
-	b = (YY_BUFFER_STATE) yy_flex_alloc( sizeof( struct yy_buffer_state ) );
-	if ( ! b )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_buffer()" );
-
-	b->yy_buf_size = size - 2;	/* "- 2" to take care of EOB's */
-	b->yy_buf_pos = b->yy_ch_buf = base;
-	b->yy_is_our_buffer = 0;
-	b->yy_input_file = 0;
-	b->yy_n_chars = b->yy_buf_size;
-	b->yy_is_interactive = 0;
-	b->yy_at_bol = 1;
-	b->yy_fill_buffer = 0;
-	b->yy_buffer_status = YY_BUFFER_NEW;
-
-	yy_switch_to_buffer( b );
-
-	return b;
-	}
-#endif
-
-
-#ifndef YY_NO_SCAN_STRING
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
-#else
-YY_BUFFER_STATE yy_scan_string( yy_str )
-yyconst char *yy_str;
-#endif
-	{
-	int len;
-	for ( len = 0; yy_str[len]; ++len )
-		;
-
-	return yy_scan_bytes( yy_str, len );
-	}
-#endif
-
-
-#ifndef YY_NO_SCAN_BYTES
-#ifdef YY_USE_PROTOS
-YY_BUFFER_STATE yy_scan_bytes( yyconst char *bytes, int len )
-#else
-YY_BUFFER_STATE yy_scan_bytes( bytes, len )
-yyconst char *bytes;
-int len;
-#endif
-	{
-	YY_BUFFER_STATE b;
-	char *buf;
-	yy_size_t n;
-	int i;
-
-	/* Get memory for full buffer, including space for trailing EOB's. */
-	n = len + 2;
-	buf = (char *) yy_flex_alloc( n );
-	if ( ! buf )
-		YY_FATAL_ERROR( "out of dynamic memory in yy_scan_bytes()" );
-
-	for ( i = 0; i < len; ++i )
-		buf[i] = bytes[i];
-
-	buf[len] = buf[len+1] = YY_END_OF_BUFFER_CHAR;
-
-	b = yy_scan_buffer( buf, n );
-	if ( ! b )
-		YY_FATAL_ERROR( "bad buffer in yy_scan_bytes()" );
-
-	/* It's okay to grow etc. this buffer, and we should throw it
-	 * away when we're done.
-	 */
-	b->yy_is_our_buffer = 1;
-
-	return b;
-	}
-#endif
-
-
-#ifndef YY_NO_PUSH_STATE
-#ifdef YY_USE_PROTOS
-static void yy_push_state( int new_state )
-#else
-static void yy_push_state( new_state )
-int new_state;
-#endif
-	{
-	if ( yy_start_stack_ptr >= yy_start_stack_depth )
-		{
-		yy_size_t new_size;
-
-		yy_start_stack_depth += YY_START_STACK_INCR;
-		new_size = yy_start_stack_depth * sizeof( int );
-
-		if ( ! yy_start_stack )
-			yy_start_stack = (int *) yy_flex_alloc( new_size );
-
-		else
-			yy_start_stack = (int *) yy_flex_realloc(
-					(void *) yy_start_stack, new_size );
-
-		if ( ! yy_start_stack )
-			YY_FATAL_ERROR(
-			"out of memory expanding start-condition stack" );
-		}
-
-	yy_start_stack[yy_start_stack_ptr++] = YY_START;
-
-	BEGIN(new_state);
-	}
-#endif
-
-
-#ifndef YY_NO_POP_STATE
-static void yy_pop_state()
-	{
-	if ( --yy_start_stack_ptr < 0 )
-		YY_FATAL_ERROR( "start-condition stack underflow" );
-
-	BEGIN(yy_start_stack[yy_start_stack_ptr]);
-	}
-#endif
-
-
-#ifndef YY_NO_TOP_STATE
-static int yy_top_state()
-	{
-	return yy_start_stack[yy_start_stack_ptr - 1];
-	}
-#endif
-
-#ifndef YY_EXIT_FAILURE
-#define YY_EXIT_FAILURE 2
-#endif
-
-#ifdef YY_USE_PROTOS
-static void yy_fatal_error( yyconst char msg[] )
-#else
-static void yy_fatal_error( msg )
-char msg[];
-#endif
-	{
-	(void) fprintf( stderr, "%s\n", msg );
-	exit( YY_EXIT_FAILURE );
-	}
-
-
-
-/* Redefine yyless() so it works in section 3 code. */
-
-#undef yyless
-#define yyless(n) \
-	do \
-		{ \
-		/* Undo effects of setting up yytext. */ \
-		yytext[yyleng] = yy_hold_char; \
-		yy_c_buf_p = yytext + n; \
-		yy_hold_char = *yy_c_buf_p; \
-		*yy_c_buf_p = '\0'; \
-		yyleng = n; \
-		} \
-	while ( 0 )
-
-
-/* Internal utility routines. */
-
-#ifndef yytext_ptr
-#ifdef YY_USE_PROTOS
-static void yy_flex_strncpy( char *s1, yyconst char *s2, int n )
-#else
-static void yy_flex_strncpy( s1, s2, n )
-char *s1;
-yyconst char *s2;
-int n;
-#endif
-	{
-	register int i;
-	for ( i = 0; i < n; ++i )
-		s1[i] = s2[i];
-	}
-#endif
-
-#ifdef YY_NEED_STRLEN
-#ifdef YY_USE_PROTOS
-static int yy_flex_strlen( yyconst char *s )
-#else
-static int yy_flex_strlen( s )
-yyconst char *s;
-#endif
-	{
-	register int n;
-	for ( n = 0; s[n]; ++n )
-		;
-
-	return n;
-	}
-#endif
-
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_alloc( yy_size_t size )
-#else
-static void *yy_flex_alloc( size )
-yy_size_t size;
-#endif
-	{
-	return (void *) malloc( size );
-	}
-
-#ifdef YY_USE_PROTOS
-static void *yy_flex_realloc( void *ptr, yy_size_t size )
-#else
-static void *yy_flex_realloc( ptr, size )
-void *ptr;
-yy_size_t size;
-#endif
-	{
-	/* The cast to (char *) in the following accommodates both
-	 * implementations that use char* generic pointers, and those
-	 * that use void* generic pointers.  It works with the latter
-	 * because both ANSI C and C++ allow castless assignment from
-	 * any pointer type to void*, and deal with argument conversions
-	 * as though doing an assignment.
-	 */
-	return (void *) realloc( (char *) ptr, size );
-	}
-
-#ifdef YY_USE_PROTOS
-static void yy_flex_free( void *ptr )
-#else
-static void yy_flex_free( ptr )
-void *ptr;
-#endif
-	{
-	free( ptr );
-	}
-
-#if YY_MAIN
-int main()
-	{
-	yylex();
-	return 0;
-	}
-#endif
-#line 81 "installparse.l"
-
-/*------------------------ Program Section ----------------------------*/
-
-PRFileDesc *Pk11Install_FD=NULL;
-
-/*************************************************************************/
-/* dummy function required by lex */
-int Pk11Install_yywrap(void) { return 1;}
-
-/*************************************************************************/
-/* Return a copy of the given string */
-static char*
-putSimpleString(char *str)
-{
-	char *tmp = (char*) PR_Malloc(strlen(str)+1);
-	strcpy(tmp, str);
-	return tmp;
-}
-
-/*************************************************************************/
-/* Strip out quotes, replace escaped characters with what they stand for.
-   This function assumes that what is passed in is actually a complex
-   string, so error checking is lax. */
-static char*
-putComplexString(char *str)
-{
-	int size, i,j;
-	char *tmp;
-
-	if(!str) {
-		return NULL;
-	}
-	size = strlen(str);
-
-	/* Allocate the new space.  This string will actually be too big, 
-		since quotes and backslashes will be stripped out.  But that's ok. */
-	tmp = (char*) PR_Malloc(size+1);
-
-	/* Copy it over */
-	for(i=0, j=0; i < size; i++) {
-		if(str[i]=='\"') {
-			continue;  /* skip un-escaped quotes */
-		} else if(str[i]=='\\') {
-			++i;       /* escaped character. skip the backslash */
-		}
-		tmp[j++] = str[i];
-	}
-	tmp[j] = '\0';
-
-	return tmp;
-}
diff --git a/security/nss/cmd/modutil/manifest.mn b/security/nss/cmd/modutil/manifest.mn
deleted file mode 100644
index 31ebcf68c..000000000
--- a/security/nss/cmd/modutil/manifest.mn
+++ /dev/null
@@ -1,66 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = sectools
-
-EXPORTS = 
-
-CSRCS = modutil.c		\
-		pk11.c			\
-		instsec.c		\
-		install.c		\
-		installparse.c		\
-		install-ds.c		\
-		lex.Pk11Install_yy.c	\
-		$(NULL)
-
-CPPSRCS = 
-
-PROGRAM =  modutil
-
-REQUIRES = seccmd nss dbm
-
-DEFINES = -DNSPR20
-
-# sigh
-#INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap
-
-# USE_STATIC_LIBS = 1 
-
-EXTRA_LIBS = $(JAR_LIBS)
diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c
deleted file mode 100644
index c91c5eebd..000000000
--- a/security/nss/cmd/modutil/modutil.c
+++ /dev/null
@@ -1,979 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* To edit this file, set TABSTOPS to 4 spaces. 
- * This is not the normal NSS convention. 
- */
-
-#include "modutil.h"
-#include "install.h"
-#include <plstr.h>
-#include "certdb.h" /* for CERT_DB_FILE_VERSION */
-#include "nss.h"
-
-static void install_error(char *message);
-static char* PR_fgets(char *buf, int size, PRFileDesc *file);
-static char *progName;
-
-
-/* This enum must be kept in sync with the commandNames list */
-typedef enum {
-	NO_COMMAND,
-	ADD_COMMAND,
-	CHANGEPW_COMMAND,
-	CREATE_COMMAND,
-	DEFAULT_COMMAND,
-	DELETE_COMMAND,
-	DISABLE_COMMAND,
-	ENABLE_COMMAND,
-	FIPS_COMMAND,
-	JAR_COMMAND,
-	LIST_COMMAND,
-	RAW_LIST_COMMAND,
-	RAW_ADD_COMMAND,
-	CHKFIPS_COMMAND,
-	UNDEFAULT_COMMAND
-} Command;
-
-/* This list must be kept in sync with the Command enum */
-static char *commandNames[] = {
-	"(no command)",
-	"-add",
-	"-changepw",
-	"-create",
-	"-default",
-	"-delete",
-	"-disable",
-	"-enable",
-	"-fips",
-	"-jar",
-	"-list",
-	"-rawlist",
-	"-rawadd",
-	"-chkfips",
-	"-undefault"
-};
-
-
-/* this enum must be kept in sync with the optionStrings list */
-typedef enum {
-	ADD_ARG=0,
-	RAW_ADD_ARG,
-	CHANGEPW_ARG,
-	CIPHERS_ARG,
-	CREATE_ARG,
-	DBDIR_ARG,
-	DBPREFIX_ARG,
-	DEFAULT_ARG,
-	DELETE_ARG,
-	DISABLE_ARG,
-	ENABLE_ARG,
-	FIPS_ARG,
-	FORCE_ARG,
-	JAR_ARG,
-	LIBFILE_ARG,
-	LIST_ARG,
-	RAW_LIST_ARG,
-	MECHANISMS_ARG,
-	NEWPWFILE_ARG,
-	PWFILE_ARG,
-	SLOT_ARG,
-	UNDEFAULT_ARG,
-	INSTALLDIR_ARG,
-	TEMPDIR_ARG,
-	SECMOD_ARG,
-	NOCERTDB_ARG,
-	STRING_ARG,
-	CHKFIPS_ARG,
-
-	NUM_ARGS	/* must be last */
-} Arg;
-
-/* This list must be kept in sync with the Arg enum */
-static char *optionStrings[] = {
-	"-add",
-	"-rawadd",
-	"-changepw",
-	"-ciphers",
-	"-create",
-	"-dbdir",
-	"-dbprefix",
-	"-default",
-	"-delete",
-	"-disable",
-	"-enable",
-	"-fips",
-	"-force",
-	"-jar",
-	"-libfile",
-	"-list",
-	"-rawlist",
-	"-mechanisms",
-	"-newpwfile",
-	"-pwfile",
-	"-slot",
-	"-undefault",
-	"-installdir",
-	"-tempdir",
-	"-secmod",
-	"-nocertdb",
-	"-string",
-	"-chkfips",
-};
-
-/* Increment i if doing so would have i still be less than j.  If you
-   are able to do this, return 0.  Otherwise return 1. */
-#define TRY_INC(i,j)  ( ((i+1)<j) ? (++i, 0) : 1 )
-
-/********************************************************************
- *
- * file-wide variables obtained from the command line
- */
-static Command command = NO_COMMAND;
-static char* pwFile = NULL;
-static char* newpwFile = NULL;
-static char* moduleName = NULL;
-static char* moduleSpec = NULL;
-static char* slotName = NULL;
-static char* secmodName = NULL;
-static char* tokenName = NULL;
-static char* libFile = NULL;
-static char* dbdir = NULL;
-static char* dbprefix = "";
-static char* secmodString = NULL;
-static char* mechanisms = NULL;
-static char* ciphers = NULL;
-static char* fipsArg = NULL;
-static char* jarFile = NULL;
-static char* installDir = NULL;
-static char* tempDir = NULL;
-static short force = 0;
-static PRBool nocertdb = PR_FALSE;
-
-/*******************************************************************
- *
- * p a r s e _ a r g s
- */
-static Error
-parse_args(int argc, char *argv[])
-{
-	int i;
-	char *arg;
-	int optionType;
-
-	/* Loop over all arguments */
-	for(i=1; i < argc; i++) {
-		arg = argv[i];
-
-		/* Make sure this is an option and not some floating argument */
-		if(arg[0] != '-') {
-			PR_fprintf(PR_STDERR, errStrings[UNEXPECTED_ARG_ERR], argv[i]);
-			return UNEXPECTED_ARG_ERR;
-		}
-
-		/* Find which option this is */
-		for(optionType=0; optionType < NUM_ARGS; optionType++) {
-			if(! strcmp(arg, optionStrings[optionType])) {
-				break;
-			}
-		}
-		
-		/* Deal with this specific option */
-		switch(optionType) {
-		case NUM_ARGS:
-		default:
-			PR_fprintf(PR_STDERR, errStrings[UNKNOWN_OPTION_ERR], arg);
-			return UNKNOWN_OPTION_ERR;
-			break;
-		case ADD_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = ADD_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleName = argv[i];
-			break;
-		case CHANGEPW_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = CHANGEPW_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			tokenName = argv[i];
-			break;
-		case CIPHERS_ARG:
-			if(ciphers != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			ciphers = argv[i];
-			break;
-		case CREATE_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = CREATE_COMMAND;
-			break;
-		case DBDIR_ARG:
-			if(dbdir != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			dbdir = argv[i];
-			break;
-		case DBPREFIX_ARG:
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			dbprefix = argv[i];
-			break;
-		case UNDEFAULT_ARG:
-		case DEFAULT_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			if(optionType == DEFAULT_ARG) {
-				command = DEFAULT_COMMAND;
-			} else {
-				command = UNDEFAULT_COMMAND;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleName = argv[i];
-			break;
-		case DELETE_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = DELETE_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleName = argv[i];
-			break;
-		case DISABLE_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = DISABLE_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleName = argv[i];
-			break;
-		case ENABLE_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = ENABLE_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleName = argv[i];
-			break;
-		case FIPS_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = FIPS_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			fipsArg = argv[i];
-			break;
-		case CHKFIPS_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = CHKFIPS_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			fipsArg = argv[i];
-			break;
-		case FORCE_ARG:
-			force = 1;
-			break;
-		case NOCERTDB_ARG:
-			nocertdb = PR_TRUE;
-			break;
-		case INSTALLDIR_ARG:
-			if(installDir != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			installDir = argv[i];
-			break;
-		case TEMPDIR_ARG:
-			if(tempDir != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			tempDir = argv[i];
-			break;
-		case JAR_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = JAR_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			jarFile = argv[i];
-			break;
-		case LIBFILE_ARG:
-			if(libFile != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			libFile = argv[i];
-			break;
-		case LIST_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = LIST_COMMAND;
-			/* This option may or may not have an argument */
-			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {
-				moduleName = argv[++i];
-			}
-			break;
-		case RAW_LIST_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = RAW_LIST_COMMAND;
-			/* This option may or may not have an argument */
-			if( (i+1 < argc) && (argv[i+1][0] != '-') ) {
-				moduleName = argv[++i];
-			}
-			break;
-		case RAW_ADD_ARG:
-			if(command != NO_COMMAND) {
-				PR_fprintf(PR_STDERR, errStrings[MULTIPLE_COMMAND_ERR], arg);
-				return MULTIPLE_COMMAND_ERR;
-			}
-			command = RAW_ADD_COMMAND;
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			moduleSpec = argv[i];
-			break;
-		case MECHANISMS_ARG:
-			if(mechanisms != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			mechanisms = argv[i];
-			break;
-		case NEWPWFILE_ARG:
-			if(newpwFile != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			newpwFile = argv[i];
-			break;
-		case PWFILE_ARG:
-			if(pwFile != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			pwFile = argv[i];
-			break;
-		case SLOT_ARG:
-			if(slotName != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			slotName = argv[i];
-			break;
-		case SECMOD_ARG:
-			if(secmodName != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			secmodName = argv[i];
-			break;
-		case STRING_ARG:
-			if(secmodString != NULL) {
-				PR_fprintf(PR_STDERR, errStrings[DUPLICATE_OPTION_ERR], arg);
-				return DUPLICATE_OPTION_ERR;
-			}
-			if(TRY_INC(i, argc)) {
-				PR_fprintf(PR_STDERR, errStrings[OPTION_NEEDS_ARG_ERR], arg);
-				return OPTION_NEEDS_ARG_ERR;
-			}
-			secmodString = argv[i];
-			break;
-		}
-	}
-	return SUCCESS;
-}
-
-/************************************************************************
- *
- * v e r i f y _ p a r a m s
- */
-static Error
-verify_params()
-{
-	switch(command) {
-	case ADD_COMMAND:
-		if(libFile == NULL) {
-			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
-				commandNames[ADD_COMMAND], optionStrings[LIBFILE_ARG]);
-			return MISSING_PARAM_ERR;
-		}
-		break;
-	case CHANGEPW_COMMAND:
-		break;
-	case CREATE_COMMAND:
-		break;
-	case DELETE_COMMAND:
-		break;
-	case DISABLE_COMMAND:
-		break;
-	case ENABLE_COMMAND:
-		break;
-	case FIPS_COMMAND:
-	case CHKFIPS_COMMAND:
-		if(PL_strcasecmp(fipsArg, "true") &&
-			PL_strcasecmp(fipsArg, "false")) {
-			PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
-			return INVALID_FIPS_ARG;
-		}
-		break;
-	case JAR_COMMAND:
-		if(installDir == NULL) {
-			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
-				commandNames[JAR_COMMAND], optionStrings[INSTALLDIR_ARG]);
-			return MISSING_PARAM_ERR;
-		}
-		break;
-	case LIST_COMMAND:
-	case RAW_LIST_COMMAND:
-		break;
-	case RAW_ADD_COMMAND:
-		break;
-	case UNDEFAULT_COMMAND:
-	case DEFAULT_COMMAND:
-		if(mechanisms == NULL) {
-			PR_fprintf(PR_STDERR, errStrings[MISSING_PARAM_ERR],
-				commandNames[command], optionStrings[MECHANISMS_ARG]);
-			return MISSING_PARAM_ERR;
-		}
-		break;
-	default:
-		/* Ignore this here */
-		break;
-	}
-
-	return SUCCESS;
-}
-
-/********************************************************************
- *
- * i n i t _ c r y p t o
- *
- * Does crypto initialization that all commands will require.
- * If -nocertdb option is specified, don't open key or cert db (we don't
- * need them if we aren't going to be verifying signatures).  This is
- * because serverland doesn't always have cert and key database files
- * available.
- *
- * This function is ill advised. Names and locations of databases are
- * private to NSS proper. Such functions only confuse other users.
- *
- */
-static Error
-check_crypto(PRBool create, PRBool readOnly)
-{
-	char *dir;
-	char *moddbname=NULL;
-	Error retval;
-	static const char multiaccess[] = { "multiaccess:" };
-
-	dir = SECU_ConfigDirectory(dbdir); /* dir is never NULL */
-	if (dir[0] == '\0') {
-		PR_fprintf(PR_STDERR, errStrings[NO_DBDIR_ERR]);
-		retval=NO_DBDIR_ERR;
-		goto loser;
-	}
-	if (strncmp(dir, multiaccess, sizeof multiaccess - 1) == 0) {
-		/* won't attempt to handle the multiaccess case. */
-		return SUCCESS;
-	}
-#ifdef notdef
-	/* Make sure db directory exists and is readable */
-	if(PR_Access(dir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
-		PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dir);
-		retval = DIR_DOESNT_EXIST_ERR;
-		goto loser;
-	} else if(PR_Access(dir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
-		PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dir);
-		retval = DIR_NOT_READABLE_ERR;
-		goto loser;
-	}
-
-	if (secmodName == NULL) {
-		secmodName = "secmod.db";
-	}
-
-	moddbname = PR_smprintf("%s/%s", dir, secmodName);
-	if (!moddbname)
-	    return OUT_OF_MEM_ERR;
-
-	/* Check for the proper permissions on databases */
-	if(create) {
-		/* Make sure dbs don't already exist, and the directory is
-			writeable */
-		if(PR_Access(moddbname, PR_ACCESS_EXISTS)==PR_SUCCESS) {
-			PR_fprintf(PR_STDERR, errStrings[FILE_ALREADY_EXISTS_ERR],
-			           moddbname);
-			retval=FILE_ALREADY_EXISTS_ERR;
-			goto loser;
-		} else 
-		if(PR_Access(dir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
-			PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dir);
-			retval=DIR_NOT_WRITEABLE_ERR;
-			goto loser;
-		}
-	} else {
-		/* Make sure dbs are readable and writeable */
-		if(PR_Access(moddbname, PR_ACCESS_READ_OK) != PR_SUCCESS) {
-			PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], moddbname);
-			retval=FILE_NOT_READABLE_ERR;
-			goto loser;
-		}
-
-		/* Check for write access if we'll be making changes */
-		if( !readOnly ) {
-			if(PR_Access(moddbname, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
-				PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
-							moddbname);
-				retval=FILE_NOT_WRITEABLE_ERR;
-				goto loser;
-			}
-		}
-		PR_fprintf(PR_STDOUT, msgStrings[USING_DBDIR_MSG],
-		  SECU_ConfigDirectory(NULL));
-	}
-#endif
-	retval=SUCCESS;
-loser:
-	if (moddbname) {
-		PR_Free(moddbname);
-	}
-	return retval;
-}
-
-static Error
-init_crypto(PRBool create, PRBool readOnly)
-{
-
-	PRUint32  flags = 0;
-	SECStatus rv;
-	Error     retval;
-	/* Open/create key database */
-
-	if (readOnly) flags |= NSS_INIT_READONLY;
-	if (nocertdb) flags |= NSS_INIT_NOCERTDB;
-	rv = NSS_Initialize(SECU_ConfigDirectory(NULL), dbprefix, dbprefix,
-		       secmodName, flags);
-	if (rv != SECSuccess) {
-		SECU_PrintPRandOSError(progName);
-		retval=NSS_INITIALIZE_FAILED_ERR;
-	} else 
-		retval=SUCCESS;
-
-	return retval;
-}
-
-/*************************************************************************
- *
- * u s a g e
- */
-static void
-usage()
-{
-	PR_fprintf(PR_STDOUT,
-"\nNetscape Cryptographic Module Utility\n"
-"Usage: modutil [command] [options]\n\n"
-"                            COMMANDS\n"
-"---------------------------------------------------------------------------\n"
-"-add MODULE_NAME                 Add the named module to the module database\n"
-"   -libfile LIBRARY_FILE         The name of the file (.so or .dll)\n"
-"                                 containing the implementation of PKCS #11\n"
-"   [-ciphers CIPHER_LIST]        Enable the given ciphers on this module\n"
-"   [-mechanisms MECHANISM_LIST]  Make the module a default provider of the\n"
-"                                 given mechanisms\n"
-"   [-string CONFIG_STRING]       Pass a configuration string to this module\n"
-"-changepw TOKEN                  Change the password on the named token\n"
-"   [-pwfile FILE]                The old password is in this file\n"
-"   [-newpwfile FILE]             The new password is in this file\n"
-"-chkfips [ true | false ]        If true, verify  FIPS mode.  If false,\n"
-"                                 verify not FIPS mode\n"
-"-create                          Create a new set of security databases\n"
-"-default MODULE                  Make the given module a default provider\n"
-"   -mechanisms MECHANISM_LIST    of the given mechanisms\n"
-"   [-slot SLOT]                  limit change to only the given slot\n"
-"-delete MODULE                   Remove the named module from the module\n"
-"                                 database\n"
-"-disable MODULE                  Disable the named module\n"
-"   [-slot SLOT]                  Disable only the named slot on the module\n"
-"-enable MODULE                   Enable the named module\n"
-"   [-slot SLOT]                  Enable only the named slot on the module\n"
-"-fips [ true | false ]           If true, enable FIPS mode.  If false,\n"
-"                                 disable FIPS mode\n"
-"-force                           Do not run interactively\n"
-"-jar JARFILE                     Install a PKCS #11 module from the given\n"
-"                                 JAR file in the PKCS #11 JAR format\n"
-"   -installdir DIR               Use DIR as the root directory of the\n"
-"                                 installation\n"
-"   [-tempdir DIR]                Use DIR as the temporary installation\n"
-"                                 directory. If not specified, the current\n"
-"                                 directory is used\n"
-"-list [MODULE]                   Lists information about the specified module\n"
-"                                 or about all modules if none is specified\n"
-"-rawadd MODULESPEC               Add module spec string to secmod DB\n"
-"-rawlist [MODULE]                Display module spec(s) for one or all\n"
-"                                 loadable modules\n"
-"-undefault MODULE                The given module is NOT a default provider\n"
-"   -mechanisms MECHANISM_LIST    of the listed mechanisms\n"
-"   [-slot SLOT]                  limit change to only the given slot\n"
-"---------------------------------------------------------------------------\n"
-"\n"
-"                             OPTIONS\n"
-"---------------------------------------------------------------------------\n"
-"-dbdir DIR                       Directory DIR contains the security databases\n"
-"-dbprefix prefix                 Prefix for the security databases\n"
-"-nocertdb                        Do not load certificate or key databases. No\n"
-"                                 verification will be performed on JAR files.\n"
-"-secmod secmodName               Name of the security modules file\n"
-"---------------------------------------------------------------------------\n"
-"\n"
-"Mechanism lists are colon-separated.  The following mechanisms are recognized:\n"
-"RSA, DSA, DH, RC2, RC4, RC5, AES, CAMELLIA, DES, MD2, MD5, SHA1, SHA256, SHA512,\n"
-"SSL, TLS, RANDOM, and FRIENDLY\n"
-"\n"
-"Cipher lists are colon-separated.  The following ciphers are recognized:\n"
-"\n"
-"\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n"
-);
-
-}
-
-/*************************************************************************
- *
- * m a i n
- */
-int
-main(int argc, char *argv[])
-{
-	int errcode = SUCCESS;
-	PRBool createdb, readOnly;
-#define STDINBUF_SIZE 80
-	char stdinbuf[STDINBUF_SIZE];
-
-	progName = strrchr(argv[0], '/');
-	progName = progName ? progName+1 : argv[0];
-
-
-	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
-
-	if(parse_args(argc, argv) != SUCCESS) {
-		usage();
-		errcode = INVALID_USAGE_ERR;
-		goto loser;
-	}
-
-	if(verify_params() != SUCCESS) {
-		usage();
-		errcode = INVALID_USAGE_ERR;
-		goto loser;
-	}
-
-	if(command==NO_COMMAND) {
-		PR_fprintf(PR_STDERR, errStrings[NO_COMMAND_ERR]);
-		usage();
-		errcode = INVALID_USAGE_ERR;
-		goto loser;
-	}
-
-	/* Set up crypto stuff */
-	createdb = command==CREATE_COMMAND;
-	readOnly = ((command == LIST_COMMAND) || 
-	            (command == CHKFIPS_COMMAND) ||
-	            (command == RAW_LIST_COMMAND));
-
-	/* Make sure browser is not running if we're writing to a database */
-	/* Do this before initializing crypto */
-	if(!readOnly && !force) {
-		char *response;
-
-		PR_fprintf(PR_STDOUT, msgStrings[BROWSER_RUNNING_MSG]);
-		if( ! PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
-			PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
-			errcode = STDIN_READ_ERR;
-			goto loser;
-		}
-		if( (response=strtok(stdinbuf, " \r\n\t")) ) {
-			if(!PL_strcasecmp(response, "q")) {
-				PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
-				errcode = SUCCESS;
-				goto loser;
-			}
-		}
-		PR_fprintf(PR_STDOUT, "\n");
-	}
-
-	errcode = check_crypto(createdb, readOnly);
-	if( errcode != SUCCESS) {
-		goto loser;
-	}
-
-	if ((command == RAW_LIST_COMMAND) || (command == RAW_ADD_COMMAND)) {
-		if(!moduleName) {
-			char *readOnlyStr, *noCertDBStr, *sep;
-			if (!secmodName) secmodName="secmod.db";
-			if (!dbprefix) dbprefix = "";
-			sep = ((command == RAW_LIST_COMMAND) && nocertdb) ? "," : " ";
-			readOnlyStr = (command == RAW_LIST_COMMAND) ? "readOnly" : "" ;
-			noCertDBStr = nocertdb ? "noCertDB" : "";
-			SECU_ConfigDirectory(dbdir);
-
-			moduleName=PR_smprintf(
-    "name=\"NSS default Module DB\" parameters=\"configdir=%s certPrefix=%s "
-    "keyPrefix=%s secmod=%s flags=%s%s%s\" NSS=\"flags=internal,moduleDB,"
-    "moduleDBOnly,critical\"",
-			                       SECU_ConfigDirectory(NULL),dbprefix,dbprefix,
-			                       secmodName, readOnlyStr,sep, noCertDBStr);
-		}
-		if (command == RAW_LIST_COMMAND) {
-			errcode = RawListModule(moduleName);
-		} else {
-			PORT_Assert(moduleSpec);
-			errcode = RawAddModule(moduleName,moduleSpec);
-		}
-		goto loser;
-	}
-
-	errcode = init_crypto(createdb, readOnly);
-	if( errcode != SUCCESS) {
-		goto loser;
-	}
-
-	/* Execute the command */
-	switch(command) {
-	case ADD_COMMAND:
-		errcode = AddModule(moduleName, libFile, ciphers, mechanisms, secmodString);
-		break;
-	case CHANGEPW_COMMAND:
-		errcode = ChangePW(tokenName, pwFile, newpwFile);
-		break;
-	case CREATE_COMMAND:
-		/* The work was already done in init_crypto() */
-		break;
-	case DEFAULT_COMMAND:
-		errcode = SetDefaultModule(moduleName, slotName, mechanisms);
-		break;
-	case DELETE_COMMAND:
-		errcode = DeleteModule(moduleName);
-		break;
-	case DISABLE_COMMAND:
-		errcode = EnableModule(moduleName, slotName, PR_FALSE);
-		break;
-	case ENABLE_COMMAND:
-		errcode = EnableModule(moduleName, slotName, PR_TRUE);
-		break;
-	case FIPS_COMMAND:
-		errcode = FipsMode(fipsArg);
-		break;
-	case CHKFIPS_COMMAND:
-		errcode = ChkFipsMode(fipsArg);
-		break;
-	case JAR_COMMAND:
-		Pk11Install_SetErrorHandler(install_error);
-		errcode = Pk11Install_DoInstall(jarFile, installDir, tempDir,
-		                                PR_STDOUT, force, nocertdb);
-		break;
-	case LIST_COMMAND:
-		if(moduleName) {
-			errcode = ListModule(moduleName);
-		} else {
-			errcode = ListModules();
-		}
-		break;
-	case UNDEFAULT_COMMAND:
-		errcode = UnsetDefaultModule(moduleName, slotName, mechanisms);
-		break;
-	default:
-		PR_fprintf(PR_STDERR, "This command is not supported yet.\n");
-		errcode = INVALID_USAGE_ERR;
-		break;
-	}
-
-	if (NSS_Shutdown() != SECSuccess) {
-		exit(1);
-	}
-
-loser:
-	PR_Cleanup();
-	return errcode;
-}
-
-/************************************************************************
- *
- * i n s t a l l _ e r r o r
- *
- * Callback function to handle errors in PK11 JAR file installation.
- */
-static void
-install_error(char *message)
-{
-	PR_fprintf(PR_STDERR, "Install error: %s\n", message);
-}
-
-/*************************************************************************
- *
- * o u t _ o f _ m e m o r y
- */
-void
-out_of_memory(void)
-{
-	PR_fprintf(PR_STDERR, errStrings[OUT_OF_MEM_ERR]);
-	exit(OUT_OF_MEM_ERR);
-}
-
-
-/**************************************************************************
- *
- * P R _ f g e t s
- *
- * fgets implemented with NSPR.
- */
-static char*
-PR_fgets(char *buf, int size, PRFileDesc *file)
-{
-	int i;
-	int status;
-	char c;
-
-	i=0;
-	while(i < size-1) {
-		status = PR_Read(file, (void*) &c, 1);
-		if(status==-1) {
-			return NULL;
-		} else if(status==0) {
-			break;
-		}
-		buf[i++] = c;
-		if(c=='\n') {
-			break;
-		}
-	}
-	buf[i]='\0';
-
-	return buf;
-}
diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h
deleted file mode 100644
index d7c164ae4..000000000
--- a/security/nss/cmd/modutil/modutil.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef MODUTIL_H
-#define MODUTIL_H
-
-#include <stdio.h>
-#include <prio.h>
-#include <prprf.h>
-#include <prinit.h>
-#include <prmem.h>
-#include <plarena.h>
-#include <string.h>
-#include <seccomon.h>
-#include <secmod.h>
-#include <secutil.h>
-
-#include <prlock.h>
-
-#include "error.h"
-
-Error FipsMode(char *arg);
-Error ChkFipsMode(char *arg);
-Error AddModule(char *moduleName, char *libFile, char *ciphers,
-      char *mechanisms, char* modparms);
-Error DeleteModule(char *moduleName);
-Error ListModule(char *moduleName);
-Error ListModules();
-Error ChangePW(char *tokenName, char *pwFile, char *newpwFile);
-Error EnableModule(char *moduleName, char *slotName, PRBool enable);
-Error RawAddModule(char *dbmodulespec, char *modulespec);
-Error RawListModule(char *modulespec);
-Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
-Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
-void out_of_memory(void);
-
-#endif /*MODUTIL_H*/
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
deleted file mode 100644
index 0e1f21603..000000000
--- a/security/nss/cmd/modutil/pk11.c
+++ /dev/null
@@ -1,983 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* To edit this file, set TABSTOPS to 4 spaces. 
- * This is not the normal NSS convention. 
- */
-
-#include "modutil.h"
-/* #include "secmodti.h"  */
-#include "pk11func.h"
-
-static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
-static int pk11_DefaultArraySize = 0;
-
-/*************************************************************************
- *
- * F i p s M o d e
- * If arg=="true", enable FIPS mode on the internal module.  If arg=="false",
- * disable FIPS mode on the internal module.
- */
-Error
-FipsMode(char *arg)
-{
-    char *internal_name;
-
-    if(!PORT_Strcasecmp(arg, "true")) {
-	if(!PK11_IsFIPS()) {
-	    internal_name = PR_smprintf("%s",
-		SECMOD_GetInternalModule()->commonName);
-	    if(SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
-		PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
-		PR_smprintf_free(internal_name);
-		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
-		return FIPS_SWITCH_FAILED_ERR;
-	    }
-	    PR_smprintf_free(internal_name);
-	    if (!PK11_IsFIPS()) {
-		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
-		return FIPS_SWITCH_FAILED_ERR;
-	    }
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
-	} else {
-	    PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
-	    return FIPS_ALREADY_ON_ERR;
-	}
-    } else if(!PORT_Strcasecmp(arg, "false")) {
-	if(PK11_IsFIPS()) {
-	    internal_name = PR_smprintf("%s",
-		SECMOD_GetInternalModule()->commonName);
-	    if(SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
-		PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
-		PR_smprintf_free(internal_name);
-		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
-		return FIPS_SWITCH_FAILED_ERR;
-	    }
-	    PR_smprintf_free(internal_name);
-	    if (PK11_IsFIPS()) {
-		PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
-		return FIPS_SWITCH_FAILED_ERR;
-	    }
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
-	} else {
-	    PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_OFF_ERR]);
-	    return FIPS_ALREADY_OFF_ERR;
-	}
-    } else {
-	PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
-	return INVALID_FIPS_ARG;
-    }
-
-    return SUCCESS;
-}
-
-/*************************************************************************
- *
- * C h k F i p s M o d e
- * If arg=="true", verify FIPS mode is enabled on the internal module.  
- * If arg=="false", verify FIPS mode is disabled on the internal module.
- */
-Error
-ChkFipsMode(char *arg)
-{
-    if(!PORT_Strcasecmp(arg, "true")) {
-	if (PK11_IsFIPS()) {
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
-	} else {
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
-	    return FIPS_SWITCH_FAILED_ERR;
-	}
-
-    } else if(!PORT_Strcasecmp(arg, "false")) {
-	if(!PK11_IsFIPS()) {
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_DISABLED_MSG]);
-	} else {
-	    PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
-	    return FIPS_SWITCH_FAILED_ERR;
-	}
-    } else {
-	PR_fprintf(PR_STDERR, errStrings[INVALID_FIPS_ARG]);
-	return INVALID_FIPS_ARG;
-    }
-
-    return SUCCESS;
-}
-
-/************************************************************************
- * Cipher and Mechanism name-bitmask translation tables
- */
-
-typedef struct {
-    const char *name;
-    const unsigned long mask;
-} MaskString;
-
-static const MaskString mechanismStrings[] = {
-    {"RSA", PUBLIC_MECH_RSA_FLAG},
-    {"DSA", PUBLIC_MECH_DSA_FLAG},
-    {"RC2", PUBLIC_MECH_RC2_FLAG},
-    {"RC4", PUBLIC_MECH_RC4_FLAG},
-    {"RC5", PUBLIC_MECH_RC5_FLAG},
-    {"DES", PUBLIC_MECH_DES_FLAG},
-    {"DH", PUBLIC_MECH_DH_FLAG},
-    {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
-    {"SHA1", PUBLIC_MECH_SHA1_FLAG},
-    {"MD5", PUBLIC_MECH_MD5_FLAG},
-    {"MD2", PUBLIC_MECH_MD2_FLAG},
-    {"SSL", PUBLIC_MECH_SSL_FLAG},
-    {"TLS", PUBLIC_MECH_TLS_FLAG},
-    {"AES", PUBLIC_MECH_AES_FLAG},
-    {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
-    {"SHA256", PUBLIC_MECH_SHA256_FLAG},
-    {"SHA512", PUBLIC_MECH_SHA512_FLAG},
-    {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
-    {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
-};
-static const int numMechanismStrings =
-    sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
-
-static const MaskString cipherStrings[] = {
-    {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
-};
-static const int numCipherStrings =
-    sizeof(cipherStrings) / sizeof(cipherStrings[0]);
-
-/* Maximum length of a colon-separated list of all the strings in an 
- * array. */
-#define MAX_STRING_LIST_LEN 240    /* or less */
-
-/************************************************************************
- * 
- * g e t F l a g s F r o m S t r i n g
- *
- * Parses a mechanism list passed on the command line and converts it
- * to an unsigned long bitmask.
- * string is a colon-separated string of constants
- * array is an array of MaskStrings.
- * elements is the number of elements in array.
- */
-static unsigned long
-getFlagsFromString(char *string, const MaskString array[], int elements)
-{
-    unsigned long ret = 0;
-    short i = 0;
-    char *cp;
-    char *buf;
-    char *end;
-
-    if(!string || !string[0]) {
-	return ret;
-    }
-
-    /* Make a temporary copy of the string */
-    buf = PR_Malloc(strlen(string)+1);
-    if(!buf) {
-	out_of_memory();
-    }
-    strcpy(buf, string);
-
-    /* Look at each element of the list passed in */
-    for(cp=buf; cp && *cp; cp = (end ? end+1 : NULL) ) {
-	/* Look at the string up to the next colon */
-	end = strchr(cp, ':');
-	if(end) {
-	    *end = '\0';
-	}
-
-	/* Find which element this is */
-	for(i=0; i < elements; i++) {
-	    if( !PORT_Strcasecmp(cp, array[i].name) ) {
-		break;
-	    }
-	}
-	if(i == elements) {
-	    /* Skip a bogus string, but print a warning message */
-	    PR_fprintf(PR_STDERR, errStrings[INVALID_CONSTANT_ERR], cp);
-	    continue;
-	}
-	ret |= array[i].mask;
-    }
-
-    PR_Free(buf);
-    return ret;
-}
-
-/**********************************************************************
- *
- * g e t S t r i n g F r o m F l a g s
- * 
- * The return string's memory is owned by this function.  Copy it
- * if you need it permanently or you want to change it.
- */
-static char *
-getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
-{
-    static char buf[MAX_STRING_LIST_LEN];
-    int i;
-    int count=0;
-
-    buf[0] = '\0';
-    for(i=0; i<elements; i++) {
-	if( flags & array[i].mask ) {
-	    ++count;
-	    if(count!=1) {
-		strcat(buf, ":");
-	    }
-	    strcat(buf, array[i].name);
-	}
-    }
-    return buf;
-}
-
-/**********************************************************************
- *
- * A d d M o d u l e
- *
- * Add the named module, with the given library file, ciphers, and
- * default mechanism flags
- */
-Error
-AddModule(char *moduleName, char *libFile, char *cipherString,
-    char *mechanismString, char* modparms)
-{
-    unsigned long ciphers;
-    unsigned long mechanisms;
-    SECStatus status;
-
-    mechanisms =
-	getFlagsFromString(mechanismString, mechanismStrings,
-			   numMechanismStrings);
-    ciphers =
-	getFlagsFromString(cipherString, cipherStrings, numCipherStrings);
-
-    status =
-	SECMOD_AddNewModuleEx(moduleName, libFile,
-		  SECMOD_PubMechFlagstoInternal(mechanisms),
-		  SECMOD_PubCipherFlagstoInternal(ciphers),
-		  modparms, NULL );
-
-    if(status != SECSuccess) {
-	char* errtxt=NULL;
-	PRInt32 copied = 0;
-	if (PR_GetErrorTextLength()) {
-	    errtxt = PR_Malloc(PR_GetErrorTextLength());
-	    copied = PR_GetErrorText(errtxt);
-	}
-	if (copied && errtxt) {
-	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
-		       moduleName, errtxt);
-	    PR_Free(errtxt);
-	} else {
-	    PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR], 
-		       moduleName, SECU_Strerror(PORT_GetError()));
-	}
-	return ADD_MODULE_FAILED_ERR;
-    } else {
-	PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
-	return SUCCESS;
-    }
-}
-
-/***********************************************************************
- *
- * D e l e t e M o d u l e
- *
- * Deletes the named module from the database.
- */
-Error
-DeleteModule(char *moduleName)
-{
-    SECStatus status;
-    int type;
-    
-    status = SECMOD_DeleteModule(moduleName, &type);
-
-    if(status != SECSuccess) {
-	if(type == SECMOD_FIPS || type == SECMOD_INTERNAL) {
-	    PR_fprintf(PR_STDERR, errStrings[DELETE_INTERNAL_ERR]);
-	    return DELETE_INTERNAL_ERR;
-	} else {
-	    PR_fprintf(PR_STDERR, errStrings[DELETE_FAILED_ERR], moduleName);
-	    return DELETE_FAILED_ERR;
-	}
-    }
-
-    PR_fprintf(PR_STDOUT, msgStrings[DELETE_SUCCESS_MSG], moduleName);
-    return SUCCESS;
-}
-
-/************************************************************************
- *
- * R a w L i s t M o d u l e s
- *
- * Lists all the modules in the database, along with their slots and tokens.
- */
-Error
-RawListModule(char *modulespec)
-{
-    SECMODModule *module;
-    char **moduleSpecList;
-
-    module = SECMOD_LoadModule(modulespec,NULL,PR_FALSE);
-    if (module == NULL) {
-	/* handle error */
-	return NO_SUCH_MODULE_ERR;
-    }
-
-    moduleSpecList = SECMOD_GetModuleSpecList(module);
-    if (!moduleSpecList || !moduleSpecList[0]) {
-	SECU_PrintError("modutil",
-			    "no specs in secmod DB");
-	return NO_SUCH_MODULE_ERR;
-    }
-
-    for ( ;*moduleSpecList; moduleSpecList++) {
-	printf("%s\n\n",*moduleSpecList);
-    }
-
-    return SUCCESS;
-}
-
-Error
-RawAddModule(char *dbmodulespec, char *modulespec)
-{
-    SECMODModule *module;
-    SECMODModule *dbmodule;
-
-
-    dbmodule = SECMOD_LoadModule(dbmodulespec,NULL,PR_TRUE);
-    if (dbmodule == NULL) {
-	/* handle error */
-	return NO_SUCH_MODULE_ERR;
-    }
-
-    module = SECMOD_LoadModule(modulespec,dbmodule,PR_FALSE);
-    if (module == NULL) {
-	/* handle error */
-	return NO_SUCH_MODULE_ERR;
-    }
-
-    if( SECMOD_UpdateModule(module) != SECSuccess ) {
-	PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], modulespec);
-	return UPDATE_MOD_FAILED_ERR;
-    }
-    return SUCCESS;
-}
-
-static void
-printModule(SECMODModule *module, int *count) 
-{
-    int slotCount = module->loaded ? module->slotCount : 0;
-    int i;
-
-    if ((*count)++) {
-        PR_fprintf(PR_STDOUT,"\n");
-    }
-        PR_fprintf(PR_STDOUT, "%3d. %s\n", *count, module->commonName);
-
-    if (module->dllName) {
-        PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName);
-    }
-
-    if (slotCount == 0) {
-        PR_fprintf(PR_STDOUT,
-	"\t slots: There are no slots attached to this module\n");
-    } else {
-        PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n",
-		slotCount, (slotCount==1 ? "" : "s") );
-    }
-
-    if (module->loaded == 0) {
-        PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n");
-    } else {
-        PR_fprintf(PR_STDOUT, "\tstatus: loaded\n");
-    }
-
-    /* Print slot and token names */
-    for (i = 0; i < slotCount; i++) {
-        PK11SlotInfo *slot = module->slots[i];
-
-        PR_fprintf(PR_STDOUT, "\n");
-        PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
-        PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
-    }
-    return;
-}
-
-/************************************************************************
- *
- * L i s t M o d u l e s
- *
- * Lists all the modules in the database, along with their slots and tokens.
- */
-Error
-ListModules()
-{
-    SECMODListLock *lock;
-    SECMODModuleList *list;
-    SECMODModuleList *deadlist;
-    SECMODModuleList *mlp;
-    Error ret=UNSPECIFIED_ERR;
-    int count = 0;
-
-    lock = SECMOD_GetDefaultModuleListLock();
-    if(!lock) {
-	PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
-	return NO_LIST_LOCK_ERR;
-    }
-
-    SECMOD_GetReadLock(lock);
-
-    list = SECMOD_GetDefaultModuleList();
-    deadlist = SECMOD_GetDeadModuleList();
-    if (!list && !deadlist) {
-	PR_fprintf(PR_STDERR, errStrings[NO_MODULE_LIST_ERR]);
-	ret = NO_MODULE_LIST_ERR;
-	goto loser;
-    }
-
-    PR_fprintf(PR_STDOUT,
-	"\nListing of PKCS #11 Modules\n"
-	"-----------------------------------------------------------\n");
-    
-    for(mlp=list; mlp != NULL; mlp = mlp->next) {
-	printModule(mlp->module, &count);
-    }
-    for (mlp=deadlist; mlp != NULL; mlp = mlp->next) {
-	printModule(mlp->module, &count);
-    }
-
-
-    PR_fprintf(PR_STDOUT,
-	"-----------------------------------------------------------\n");
-
-    ret = SUCCESS;
-
-loser:
-    SECMOD_ReleaseReadLock(lock);
-    return ret;
-}
-
-/* Strings describing PK11DisableReasons */
-static char *disableReasonStr[] = {
-    "no reason",
-    "user disabled",
-    "could not initialize token",
-    "could not verify token",
-    "token not present"
-};
-static int numDisableReasonStr =
-    sizeof(disableReasonStr) / sizeof(disableReasonStr[0]);
-
-/***********************************************************************
- *
- * L i s t M o d u l e
- *
- * Lists detailed information about the named module.
- */
-Error
-ListModule(char *moduleName)
-{
-    SECMODModule *module = NULL;
-    PK11SlotInfo *slot;
-    int slotnum;
-    CK_INFO modinfo;
-    CK_SLOT_INFO slotinfo;
-    CK_TOKEN_INFO tokeninfo;
-    char *ciphers, *mechanisms;
-    PK11DisableReasons reason;
-    Error  rv = SUCCESS;
-
-    if(!moduleName) {
-	return SUCCESS;
-    }
-
-    module = SECMOD_FindModule(moduleName);
-    if(!module) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
-	rv = NO_SUCH_MODULE_ERR;
-        goto loser;
-    }
-
-    if ((module->loaded) && 
-			(PK11_GetModInfo(module, &modinfo) != SECSuccess)) {
-	PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName);
-	rv = MOD_INFO_ERR;
-        goto loser;
-    }
-
-    /* Module info */
-    PR_fprintf(PR_STDOUT, 
-	"\n-----------------------------------------------------------\n");
-    PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName);
-    if(module->internal || !module->dllName) {
-	PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n");
-    } else {
-	PR_fprintf(PR_STDOUT, "Library file: %s\n", module->dllName);
-    }
-
-    if (module->loaded) {
-	PR_fprintf(PR_STDOUT, "Manufacturer: %.32s\n", modinfo.manufacturerID);
-	PR_fprintf(PR_STDOUT, "Description: %.32s\n", modinfo.libraryDescription);
-	PR_fprintf(PR_STDOUT, "PKCS #11 Version %d.%d\n",
-	modinfo.cryptokiVersion.major, modinfo.cryptokiVersion.minor);
-	PR_fprintf(PR_STDOUT, "Library Version: %d.%d\n",
-	modinfo.libraryVersion.major, modinfo.libraryVersion.minor);
-    } else {
-	PR_fprintf(PR_STDOUT, "* Module not loaded\n");
-    }
-    /* Get cipher and mechanism flags */
-    ciphers = getStringFromFlags(module->ssl[0], cipherStrings,
-      numCipherStrings);
-    if(ciphers[0] == '\0') {
-	ciphers = "None";
-    }
-    PR_fprintf(PR_STDOUT, "Cipher Enable Flags: %s\n", ciphers);
-    mechanisms = NULL;
-    if (module->slotCount > 0) {
-	mechanisms = getStringFromFlags(
-	    PK11_GetDefaultFlags(module->slots[0]),
-	    mechanismStrings, numMechanismStrings);
-    }
-    if ((mechanisms==NULL) || (mechanisms[0] =='\0')) {
-	mechanisms = "None";
-    }
-    PR_fprintf(PR_STDOUT, "Default Mechanism Flags: %s\n", mechanisms);
-
-#define PAD "  "
-
-    /* Loop over each slot */
-    for (slotnum=0; slotnum < module->slotCount; slotnum++) {
-	slot = module->slots[slotnum];
-	if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess) {
-	    PR_fprintf(PR_STDERR, errStrings[SLOT_INFO_ERR],
-		PK11_GetSlotName(slot));
-	    rv = SLOT_INFO_ERR;
-	    continue;
-	}
-
-	/* Slot Info */
-	PR_fprintf(PR_STDOUT, "\n"PAD"Slot: %s\n", PK11_GetSlotName(slot));
-	mechanisms = getStringFromFlags(PK11_GetDefaultFlags(slot),
-	    mechanismStrings, numMechanismStrings);
-	if(mechanisms[0] =='\0') {
-	     mechanisms = "None";
-	}
-	PR_fprintf(PR_STDOUT, PAD"Slot Mechanism Flags: %s\n", mechanisms);
-	PR_fprintf(PR_STDOUT, PAD"Manufacturer: %.32s\n",
-	    slotinfo.manufacturerID);
-	if (PK11_IsHW(slot)) {
-	    PR_fprintf(PR_STDOUT, PAD"Type: Hardware\n");
-	} else {
-	    PR_fprintf(PR_STDOUT, PAD"Type: Software\n");
-	}
-	PR_fprintf(PR_STDOUT, PAD"Version Number: %d.%d\n",
-	    slotinfo.hardwareVersion.major, slotinfo.hardwareVersion.minor);
-	PR_fprintf(PR_STDOUT, PAD"Firmware Version: %d.%d\n",
-	    slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
-	if (PK11_IsDisabled(slot)) {
-	    reason  = PK11_GetDisabledReason(slot);
-	    if(reason < numDisableReasonStr) {
-		PR_fprintf(PR_STDOUT, PAD"Status: DISABLED (%s)\n",
-		  disableReasonStr[reason]);
-	    } else {
-		PR_fprintf(PR_STDOUT, PAD"Status: DISABLED\n");
-	    }
-	} else {
-	    PR_fprintf(PR_STDOUT, PAD"Status: Enabled\n");
-	}
-
-	if(PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess) {
-	    PR_fprintf(PR_STDERR, errStrings[TOKEN_INFO_ERR],
-	      PK11_GetTokenName(slot));
-	    rv = TOKEN_INFO_ERR;
-	    continue;
-	}
-
-	/* Token Info */
-	PR_fprintf(PR_STDOUT, PAD"Token Name: %.32s\n",
-	    tokeninfo.label);
-	PR_fprintf(PR_STDOUT, PAD"Token Manufacturer: %.32s\n",
-	    tokeninfo.manufacturerID);
-	PR_fprintf(PR_STDOUT, PAD"Token Model: %.16s\n", tokeninfo.model);
-	PR_fprintf(PR_STDOUT, PAD"Token Serial Number: %.16s\n",
-	    tokeninfo.serialNumber);
-	PR_fprintf(PR_STDOUT, PAD"Token Version: %d.%d\n",
-	    tokeninfo.hardwareVersion.major, tokeninfo.hardwareVersion.minor);
-	PR_fprintf(PR_STDOUT, PAD"Token Firmware Version: %d.%d\n",
-	    tokeninfo.firmwareVersion.major, tokeninfo.firmwareVersion.minor);
-	if(tokeninfo.flags & CKF_WRITE_PROTECTED) {
-	    PR_fprintf(PR_STDOUT, PAD"Access: Write Protected\n");
-	} else {
-	    PR_fprintf(PR_STDOUT, PAD"Access: NOT Write Protected\n");
-	}
-	if(tokeninfo.flags & CKF_LOGIN_REQUIRED) {
-	    PR_fprintf(PR_STDOUT, PAD"Login Type: Login required\n");
-	} else {
-	    PR_fprintf(PR_STDOUT, PAD
-	      "Login Type: Public (no login required)\n");
-	}
-	if(tokeninfo.flags & CKF_USER_PIN_INITIALIZED) {
-	    PR_fprintf(PR_STDOUT, PAD"User Pin: Initialized\n");
-	} else {
-	    PR_fprintf(PR_STDOUT, PAD"User Pin: NOT Initialized\n");
-	}
-    }
-    PR_fprintf(PR_STDOUT, 
-	"\n-----------------------------------------------------------\n");
-loser:
-    if (module) {
-        SECMOD_DestroyModule(module);
-    }
-    return rv;
-}
-
-/************************************************************************
- *
- * C h a n g e P W
- */
-Error
-ChangePW(char *tokenName, char *pwFile, char *newpwFile)
-{
-    char *oldpw=NULL, *newpw=NULL, *newpw2=NULL;
-    PK11SlotInfo *slot;
-    Error ret=UNSPECIFIED_ERR;
-    PRBool matching;
-
-    slot = PK11_FindSlotByName(tokenName);
-    if(!slot) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName);
-	return NO_SUCH_TOKEN_ERR;
-    }
-
-    /* Get old password */
-    if(! PK11_NeedUserInit(slot)) {
-	if(pwFile) {
-	    oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile);
-	    if(PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
-		PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]);
-		ret=BAD_PW_ERR;
-		goto loser;
-	    }
-	} else {
-	    for(matching=PR_FALSE; !matching; ) {
-		oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
-		if(PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
-		    matching = PR_TRUE;
-		} else {
-		    PR_fprintf(PR_STDOUT, msgStrings[BAD_PW_MSG]);
-		}
-	    }
-	}
-    }
-
-    /* Get new password */
-    if(newpwFile) {
-	newpw = SECU_FilePasswd(NULL, PR_FALSE, newpwFile);
-    } else {
-	for(matching=PR_FALSE; !matching; ) {
-	    newpw = SECU_GetPasswordString(NULL, "Enter new password: ");
-	    newpw2 = SECU_GetPasswordString(NULL, "Re-enter new password: ");
-	    if(strcmp(newpw, newpw2)) {
-		PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]);
-	    } else {
-		matching = PR_TRUE;
-	    }
-	}
-    }
-
-    /* Change the password */
-    if(PK11_NeedUserInit(slot)) {
-	if(PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) {
-	    PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
-	    ret = CHANGEPW_FAILED_ERR;
-	    goto loser;
-	}
-    } else {
-	if(PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
-	    PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
-	    ret = CHANGEPW_FAILED_ERR;
-	    goto loser;
-	}
-    }
-
-    PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName);
-    ret = SUCCESS;
-
-loser:
-    if(oldpw) {
-	memset(oldpw, 0, strlen(oldpw));
-	PORT_Free(oldpw);
-    }
-    if(newpw) {
-	memset(newpw, 0, strlen(newpw));
-	PORT_Free(newpw);
-    }
-    if(newpw2) {
-	memset(newpw2, 0, strlen(newpw2));
-	PORT_Free(newpw2);
-    }
-    PK11_FreeSlot(slot);
-
-    return ret;
-}
-
-/***********************************************************************
- *
- * E n a b l e M o d u l e
- *
- * If enable==PR_TRUE, enables the module or slot.
- * If enable==PR_FALSE, disables the module or slot.
- * moduleName is the name of the module.
- * slotName is the name of the slot.  It is optional.
- */
-Error
-EnableModule(char *moduleName, char *slotName, PRBool enable)
-{
-    int i;
-    SECMODModule *module = NULL;
-    PK11SlotInfo *slot = NULL;
-    PRBool found = PR_FALSE;
-    Error rv;
-
-    module = SECMOD_FindModule(moduleName);
-    if(!module) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
-	rv = NO_SUCH_MODULE_ERR;
-        goto loser;
-    }
-
-    for(i=0; i < module->slotCount; i++) {
-	slot = module->slots[i];
-	if(slotName && strcmp(PK11_GetSlotName(slot), slotName)) {
-		/* Not the right slot */
-		continue;
-	}
-	if(enable) {
-	    if(! PK11_UserEnableSlot(slot)) {
-		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
-		    "enable", PK11_GetSlotName(slot));
-		rv = ENABLE_FAILED_ERR;
-                goto loser;
-	    } else {
-		found = PR_TRUE;
-		PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
-		    PK11_GetSlotName(slot), "enabled");
-	    }
-	} else {
-	    if(! PK11_UserDisableSlot(slot)) {
-		PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
-		    "disable", PK11_GetSlotName(slot));
-		rv = ENABLE_FAILED_ERR;
-                goto loser;
-	    } else {
-		found = PR_TRUE;
-		PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
-		    PK11_GetSlotName(slot), "disabled");
-	    }
-	}
-    }
-
-    if(slotName && !found) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
-	rv = NO_SUCH_SLOT_ERR;
-        goto loser;
-    }
-
-    /* Delete and re-add module to save changes */
-    if( SECMOD_UpdateModule(module) != SECSuccess ) {
-	PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], moduleName);
-	rv = UPDATE_MOD_FAILED_ERR;
-        goto loser;
-    }
-
-    rv = SUCCESS;
-loser:
-    if (module) {
-        SECMOD_DestroyModule(module);
-    }
-    return rv;
-}
-
-/*************************************************************************
- *
- * S e t D e f a u l t M o d u l e
- *
- */
-Error
-SetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
-{
-    SECMODModule *module = NULL;
-    PK11SlotInfo *slot;
-    int s, i;
-    unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
-	numMechanismStrings);
-    PRBool found = PR_FALSE;
-    Error errcode = UNSPECIFIED_ERR;
-
-    if (pk11_DefaultArray == NULL) {
-	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
-	if (pk11_DefaultArray == NULL) {
-	    /* should assert. This shouldn't happen */
-	    goto loser;
-	}
-    }
-
-    mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
-
-    module = SECMOD_FindModule(moduleName);
-    if(!module) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
-	errcode = NO_SUCH_MODULE_ERR;
-	goto loser;
-    }
-
-    /* Go through each slot */
-    for(s=0; s < module->slotCount; s++) {
-	slot = module->slots[s];
-
-	if ((slotName != NULL) &&
-	    !((strcmp(PK11_GetSlotName(slot),slotName) == 0) ||
-	    (strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) {
-	    /* we are only interested in changing the one slot */
-	    continue;
-	}
-
-	found = PR_TRUE;
-
-	/* Go through each mechanism */
-	for(i=0; i < pk11_DefaultArraySize; i++) {
-	    if(pk11_DefaultArray[i].flag & mechFlags) {
-		/* Enable this default mechanism */
-		PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
-		    PR_TRUE);
-	    }
-	}
-    }
-    if (slotName && !found) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
-	errcode = NO_SUCH_SLOT_ERR;
-	goto loser;
-    }
-
-    /* Delete and re-add module to save changes */
-    if( SECMOD_UpdateModule(module) != SECSuccess ) {
-	PR_fprintf(PR_STDERR, errStrings[DEFAULT_FAILED_ERR],
-	  moduleName);
-	errcode = DEFAULT_FAILED_ERR;
-	goto loser;
-    }
-
-    PR_fprintf(PR_STDOUT, msgStrings[DEFAULT_SUCCESS_MSG]);
-
-    errcode = SUCCESS;
-loser:
-    if (module) {
-        SECMOD_DestroyModule(module);
-    }
-    return errcode;
-}
-
-/************************************************************************
- *
- * U n s e t D e f a u l t M o d u l e
- */
-Error
-UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
-{
-    SECMODModule * module = NULL;
-    PK11SlotInfo *slot;
-    int s, i;
-    unsigned long mechFlags = getFlagsFromString(mechanisms,
-	mechanismStrings, numMechanismStrings);
-    PRBool found = PR_FALSE;
-    Error rv;
-
-    if (pk11_DefaultArray == NULL) {
-	pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
-	if (pk11_DefaultArray == NULL) {
-	    /* should assert. This shouldn't happen */
-	    rv = UNSPECIFIED_ERR;
-            goto loser;
-	}
-    }
-
-    mechFlags =  SECMOD_PubMechFlagstoInternal(mechFlags);
-
-    module = SECMOD_FindModule(moduleName);
-    if(!module) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
-	rv = NO_SUCH_MODULE_ERR;
-        goto loser;
-    }
-
-    for(s=0; s < module->slotCount; s++) {
-	slot = module->slots[s];
-	if ((slotName != NULL) &&
-	    !((strcmp(PK11_GetSlotName(slot),slotName) == 0) ||
-	    (strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) {
-	    /* we are only interested in changing the one slot */
-	    continue;
-	}
-	for(i=0; i < pk11_DefaultArraySize ; i++) {
-	    if(pk11_DefaultArray[i].flag & mechFlags) {
-		PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
-		    PR_FALSE);
-	    }
-	}
-    }
-    if (slotName && !found) {
-	PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
-	rv = NO_SUCH_SLOT_ERR;
-        goto loser;
-    }
-
-    /* Delete and re-add module to save changes */
-    if( SECMOD_UpdateModule(module) != SECSuccess ) {
-	PR_fprintf(PR_STDERR, errStrings[UNDEFAULT_FAILED_ERR],
-	  moduleName);
-	rv = UNDEFAULT_FAILED_ERR;
-        goto loser;
-    }
-
-    PR_fprintf(PR_STDOUT, msgStrings[UNDEFAULT_SUCCESS_MSG]);
-    rv = SUCCESS;
-loser:
-    if (module) {
-        SECMOD_DestroyModule(module);
-    }
-    return rv;
-}
diff --git a/security/nss/cmd/modutil/pk11jar.html b/security/nss/cmd/modutil/pk11jar.html
deleted file mode 100644
index 4a3a94f97..000000000
--- a/security/nss/cmd/modutil/pk11jar.html
+++ /dev/null
@@ -1,311 +0,0 @@
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<head>
-<title>PKCS #11 JAR Format</title>
-</head>
-<body bgcolor=white text=black link=blue vlink=purple alink=red>
-<center><h1>PKCS #11 JAR Format</h1></center>
-
-<p>PKCS #11 modules can be packaged into JAR files that support automatic
-installation onto the filesystem and into the security module database.
-The JAR file should contain:
-<ul>
-<li>All files that will be installed onto the target machine.  This will
-include at least the PKCS #11 module library file (.DLL or .so), and
-may also include any other file that should be installed (such as
-documentation).
-<li>A script to perform the installation.
-</ul>
-The script can be in one of two forms. If the JAR file is to be
-run by Communicator (or any program that interprets Javascript), the
-instructions will be in the form of a SmartUpdate script.
-<a href="http://devedge/library/documentation/security/jmpkcs/">Documentation
-</a> on creating this script can be found on DevEdge.
-
-<p>If the
-JAR file is to be run by a server, modutil, or any other program that
-doesn't interpret Javascript, a special information file must be included
-in the format described in this document.
-
-<h2>Declaring the Script in the Manifest File</h2>
-The script can have any name, but it must be declared in the manifest file
-of the JAR archive.  The metainfo tag for this is
-<code>Pkcs11_install_script</code>.  Meta-information is put in the manifest
-file by putting it in a file which is passed to
-<a href="http://developer.netscape.com/software/index_frame.html?content=signedobj/jarpack.html#signtool1.3">Signtool</a>.  For example,
-suppose the PKCS #11 installer script is in the file <code>pk11install</code>.
-In Signtool's metainfo file, you would have a line like this:
-<blockquote><pre>
-+ Pkcs11_install_script: pk11install
-</pre></blockquote>
-
-<h2>Sample Script File</h2>
-<blockquote><pre>
-ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
-Platforms {
-	WINNT::x86 {
-		ModuleName { "Fortezza Module" }
-		ModuleFile { win32/fort32.dll }
-		DefaultMechanismFlags{0x0001}
-		DefaultCipherFlags{0x0001}
-		Files {
-			win32/setup.exe {
-				Executable
-				RelativePath { %temp%/setup.exe }
-			}
-			win32/setup.hlp {
-				RelativePath { %temp%/setup.hlp }
-			}
-			win32/setup.cab {
-				RelativePath { %temp%/setup.cab }
-			}
-		}
-	}
-	WIN95::x86 {
-		EquivalentPlatform {WINNT::x86}
-	}
-	Solaris:5.5.1:sparc {
-		ModuleName { "Fortezza UNIX Module" }
-		ModuleFile { unix/fort.so }
-		DefaultMechanismFlags{0x0001}
-		CipherEnableFlags{0x0001}
-		Files {
-			unix/fort.so {
-				RelativePath{%root%/lib/fort.so}
-				AbsolutePath{/usr/local/netscape/lib/fort.so}
-				FilePermissions{555}
-			}
-			xplat/instr.html {
-				RelativePath{%root%/docs/inst.html}
-				AbsolutePath{/usr/local/netscape/docs/inst.html}
-				FilePermissions{555}
-			}
-		}
-	}
-	IRIX:6.2:mips {
-		EquivalentPlatform { Solaris:5.5.1:sparc }
-	}
-}
-</pre></blockquote>
-
-<hr>
-
-<h2>Script File Grammar</h2>
-<blockquote><pre>
---> <i>valuelist</i>
-
-<i>valuelist</i> --> <i>value</i> <i>valuelist</i>
-<i>         </i>     <i>&lt;null&gt;</i>
-
-<i>value</i> --> <i>key_value_pair</i>
-<i>     </i>     <i>string</i>
-
-<i>key_value_pair</i> --> <i>key</i> { <i>valuelist</i> }
-
-<i>key</i> --> <i>string</i>
-
-<i>string</i> --> <i>simple_string</i>
-<i>      </i>     "<i>complex_string</i>"
-
-<i>simple_string</i> --> [^ \t\n\""{""}"]+ <font size=-1><i>(no whitespace, quotes, or braces)</i></font>
-
-<i>complex_string</i> --> ([^\"\\\r\n]|(\\\")|(\\\\))+ <font size=-1><i>(quotes and backslashes must be escaped with a backslash, no newlines or carriage returns are allowed in the string)</i></font>
-</pre></blockquote>
-Outside of complex strings, all whitespace (space, tab, newline) is considered
-equal and is used only to delimit tokens. 
-
-<hr>
-
-<h2>Keys</h2>
-Keys are case-insensitive.
-<h3>Global Keys</h3>
-<dl>
-<dt><code>ForwardCompatible</code>
-<dd>Gives a list of platforms that are forward compatible.  If the current
-platform cannot be found in the list of supported platforms, then the
-ForwardCompatible list will be checked for any platforms that have the same
-OS and architecture and an earlier version. If one is found, its
-attributes will be used for the current platform.
-<dt><code>Platforms</code> (<i>required</i>)
-<dd>Gives a list of platforms.  Each entry in the list is itself a key-value
-pair:
-the key is the name of the platform, and the valuelist contains various
-attributes of the platform. The ModuleName, ModuleFile, and Files attributes
-must be specified, unless an EquivalentPlatform attribute is specified. 
-The platform string is in the following
-format: <u><i>system name</i></u>:<u><i>os release</i></u>:<u><i>architecture</i></u>. The installer
-will obtain these values from NSPR. <u><i>os release</i></u> is an empty
-string on non-UNIX operating systems.  The following system names and platforms
-are currently defined by NSPR:<code>
-<ul>
-<li>AIX (rs6000)
-<li>BSDI (x86)
-<li>FREEBSD (x86)
-<li>HPUX (hppa1.1)
-<li>IRIX (mips)
-<li>LINUX (ppc, alpha, x86)
-<li>MacOS (PowerPC) </code>(<i>Note: NSPR actually defines the OS as
-"</i><code>Mac OS</code><i>".  The
-space makes the name unsuitable for being embedded in identifiers.  Until
-NSPR changes, you will have to add some special code to deal with this case.
-</i>)<code>
-<li>NCR (x86)
-<li>NEC (mips)
-<li>OS2 (x86)
-<li>OSF (alpha)
-<li>ReliantUNIX (mips)
-<li>SCO (x86)
-<li>SOLARIS (sparc)
-<li>SONY (mips)
-<li>SUNOS (sparc)
-<li>UnixWare (x86)
-<li>WIN95 (x86)
-<li>WINNT (x86)
-</ul>
-</code>
-Examples of valid platform strings: <code>IRIX:6.2:mips, Solaris:5.5.1:sparc,
-Linux:2.0.32:x86, WIN95::x86</code>.
-</dl>
-
-<h3>Per-Platform Keys</h3>
-These keys only have meaning within the value list of an entry in 
-the <code>Platforms</code> list.
-<dl>
-<dt><code>ModuleName</code> (<i>required</i>)
-<dd>Gives the common name for the module. This name will be used to 
-reference the module from Communicator, modutil, servers, or any other
-program that uses the Netscape security module database.
-<dt><code>ModuleFile</code> (<i>required</i>)
-<dd>Names the PKCS #11 module file (DLL or .so) for this platform.  The name
-is given as the relative path of the file within the JAR archive.
-<dt><code>Files</code> (<i>required</i>)
-<dd>Lists the files that should be installed for this module.  Each entry
-in the file list is a key-value pair: the key is the path of the file in
-the JAR archive, and 
-the valuelist contains attributes of the file.  At least RelativePath and
-AbsoluteDir must be specified in this valuelist.
-<dt><code>DefaultMechanismFlags</code>
-<dd>This key-value pair specifies
-of which mechanisms this module will be a default provider. It is a bitstring
-specified in hexadecimal (0x) format.  It is constructed as a bitwise OR
-of the following constants. If the <code>DefaultMechanismFlags</code>
-entry is omitted, the value will default to 0x0.
-<blockquote><pre>
-RSA:			0x0000 0001
-DSA:			0x0000 0002
-RC2:			0x0000 0004
-RC4:			0x0000 0008
-DES:			0x0000 0010
-DH:			0x0000 0020
-FORTEZZA:		0x0000 0040
-RC5:			0x0000 0080
-SHA1:			0x0000 0100
-MD5:			0x0000 0200
-MD2:			0x0000 0400
-RANDOM:			0x0800 0000
-FRIENDLY:		0x1000 0000
-OWN_PW_DEFAULTS:	0x2000 0000
-DISABLE:		0x4000 0000
-</pre></blockquote>
-<dt><code>CipherEnableFlags</code>
-<dd>This key-value pair specifies
-which SSL ciphers will be enabled.  It is a bitstring specified in
-hexadecimal (0x) format.  It is constructed as a bitwise OR of the following
-constants.  If the <code>CipherEnableFlags</code> entry is omitted, the
-value will default to 0x0.
-<blockquote><pre>
-FORTEZZA:		0x0000 0001
-</pre></blockquote>
-<dt><code>EquivalentPlatform</code>
-<dd>Specifies that the attributes of the named platform should also be used
-for the current platform. Saves typing when there is more than one platform
-that uses the same settings.
-</dl>
-
-<h3>Per-File Keys</h3>
-These keys only have meaning within the valuelist of an entry in a
-<code>Files</code> list. At least one of <code>RelativePath</code> and
-<code>AbsolutePath</code> must be specified.  If both are specified, the
-relative path will be tried first and the absolute path used only if no
-relative root directory is provided by the installer program.
-<dl>
-<dt><code>RelativePath</code>
-<dd>Specifies the destination directory of the file, relative to some directory
-decided at install-time.  Two variables can be used in the relative
-path, "%root%" and "%temp%".  "%root%" will be replaced at run-time with
-the directory relative to which files should be installed; for
-example, it may be the server's root directory or Communicator's root
-directory. "%temp%" is a directory that will be created at the beginning
-of the installation and destroyed at the end of the installation. Its purpose
-is to hold executable files (such as setup programs), or files that are
-used by these programs.  For example, a Windows installation might consist
-of a <code>setup.exe</code> installation program, a help file, and a .cab file
-containing compressed information. All these files could be installed into the
-temporary directory. Files destined for the temporary directory are guaranteed
-to be in place before any executable file is run, and will not be deleted
-until all executable files have finished.
-<dt><code>AbsoluteDir</code>
-<dd>Specifies the destination directory of the file as an absolute path.
-This will only be used if the installer is unable to determine a
-relative directory.
-<dt><code>Executable</code>
-<dd>This string specifies that the file is to be executed during the
-course of the
-installation.  Typically this would be used for a setup program provided
-by a module vendor, such as a self-extracting <code>setup.exe</code>.
-More than one file can be specified as executable, in which case they will
-be run in the order they are specified in the script file. 
-<dt><code>FilePermissions</code>
-<dd>This string is interpreted as a string of octal digits, according to the
-standard UNIX format. It is a bitwise OR of the following constants:
-<blockquote><pre>
-user read:         400
-user write:        200
-user execute:      100
-group read:        040
-group write:       020
-group execute:     010
-other read:        004
-other write:       002
-other execute:     001
-</pre></blockquote>
-Some platforms may not understand these permissions.  They will only be
-applied insofar as makes sense for the current platform. If this attribute
-is omitted, a default of 777 is assumed.
-
-</body>
-</html>
diff --git a/security/nss/cmd/modutil/rules.mk b/security/nss/cmd/modutil/rules.mk
deleted file mode 100644
index 75eab4c9e..000000000
--- a/security/nss/cmd/modutil/rules.mk
+++ /dev/null
@@ -1,58 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# Some versions of yacc generate files that include platform-specific
-# system headers.  For example, the yacc in Solaris 2.6 inserts
-#     #include <values.h>
-# which does not exist on NT.  For portability, always use Berkeley
-# yacc (such as the yacc in Linux) to generate files.
-#
-
-generate: installparse.c installparse.l
-
-installparse.c:
-	yacc -p Pk11Install_yy -d installparse.y
-	mv y.tab.c installparse.c
-	mv y.tab.h installparse.h
-
-installparse.l:
-	lex -olex.Pk11Install_yy.c -PPk11Install_yy installparse.l
-	@echo
-	@echo "**YOU MUST COMMENT OUT UNISTD.H FROM lex.Pk11Install_yy.cpp**"
-
-install.c: install-ds.h install.h
diff --git a/security/nss/cmd/modutil/specification.html b/security/nss/cmd/modutil/specification.html
deleted file mode 100644
index b64fe80c7..000000000
--- a/security/nss/cmd/modutil/specification.html
+++ /dev/null
@@ -1,354 +0,0 @@
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<head>
-<title>Modutil Specification</title>
-</head>
-<body bgcolor=white fgcolor=black>
-<center><h1>PKCS #11 Module Management Utility
-<br><i>Specification</i></h1></center>
-
-<!---------------------------------------------------------------------->
-<!-------------------------- capabilities ------------------------------>
-<!---------------------------------------------------------------------->
-<h2>Capabilities</h2>
-<ul>
-<li>Add a PKCS #11 module, specifying a name and library file.
-(<a href="#add">-add</a>)
-<li>Add a PKCS #11 module from a server-formatted JAR file.
-(<a href="#jar">-jar</a>)
-<li>Change the password on or initialize a token.
-(<a href="#changepw">-changepw</a>)
-<li>Create databases (secmod[ule].db, key3.db, cert7.db) from scratch.
-(<a href="#create">-create</a>)
-<li>Switch to and from FIPS-140 compliant mode.
-(<a href="#fips">-fips</a>)
-<li>Delete a PKCS #11 module. (<a href="#delete">-delete</a>)
-<li>List installed PKCS #11 modules. (<a href="#list">-list</a>)
-<li>List detailed info on a particular module and its tokens, including 
-whether needs login, is hardware, needs user init
-(<a href="#list">-list</a>)
-<li>Specify which modules should be the default provider of various
-cryptographic operations.(<a href="#default">-default</a>,
-<a href="#undefault">-undefault</a>)
-<li>Disable and enable slots, find out whether and why they are disabled.
-(<a href="#disable">-disable</a>, <a href="#enable">-enable</a>,
-<a href="#list">-list</a>)
-</ul>
-
-<hr>
-
-<!---------------------------------------------------------------------->
-<!-------------------------- Usage ------------------------------------->
-<!---------------------------------------------------------------------->
-<h2>Usage</h2>
-<code>modutil [<i>command</i>] [<i>options</i>]</code>
-<p>At most one command can be specified. With no arguments,
-<code>modutil</code> prints a usage message.
-<h3>Commands:</h3>
-<table border>
-<tr bgcolor="#cccccc">
-<th>Command</th><th>Description</th>
-</tr>
-
-<!---------------------------- -add ------------------------------>
-<tr>
-<td> <a name="add"></a>
-<code>-add <u><i>module name</i></u> -libfile <u><i>library file</i></u>
- [-ciphers <u><i>cipher enable list</i></u>]
- [-mechanisms <u><i>default mechanism list</i></u>]
-</code></td>
-<td>Adds a new module to the database with the given name.
-
-<p><u><i>library file</i></u> is the path of the DLL or other library file
-containing the module's implementation of the PKCS #11 interface.
-
-<p><u><i>cipher enable flags</i></u> is a colon-separated list of ciphers
-that will be enabled on this module. The list should be enclosed within quotes
-if necessary to prevent shell interpretation. The following ciphers are
-currently available:
-<ul>
-<li>FORTEZZA
-</ul>
-
-<p><u><i>default mechanism flags</i></u> is a colon-separated list of
-mechanisms for which this module should be the default provider. The
-list should be enclosed within quotes if necessary to prevent shell
-interpretation. <b>This
-list does not enable the mechanisms; it only specifies that this module
-will be a default provider for the listed mechanisms.</b> If more than
-one module claims to be a default provider for a given mechanism, it is
-undefined which will actually be chosen to provide that mechanism. The 
-following mechanisms are currently available:
-<ul>
-<li>RSA
-<li>DSA
-<li>RC2
-<li>RC4
-<li>RC5
-<li>DES
-<li>DH
-<li>FORTEZZA
-<li>SHA1
-<li>MD5
-<li>MD2
-<li>RANDOM <i>(random number generation)</i>
-<li>FRIENDLY <i>(certificates are publicly-readable)</i>
-</ul>
-</td>
-</tr>
-
-<!-------------------------- -changepw ------------------------------------->
-<tr>
-<td><a name="changepw"></a><code>-changepw <u><i>token name</i></u>
-[-pwfile <u><i>old password file</i></u>]
-[-newpwfile <u><i>new password file</i></u>]</code></td>
-<td>Changes the password on the named token.  If the token has not been
-initialized, this command will initialize the PIN.
-If a password file is given, the password will be read from that file;
-otherwise, the password will be obtained interactively.
-<b>Storing passwords in a file is much less secure than supplying them
-interactively.</b>
-<p>The password on the Netscape internal module cannot be changed if
-the <code>-nocertdb</code> option is specified.
-</td>
-</tr>
-
-<!-------------------------- -create ------------------------------------->
-<tr>
-<td><a name="create"></a><code>-create</code></td>
-<td>Creates a new secmod[ule].db, key3.db, and cert7.db in the directory
-specified with the
-<code>-dbdir</code> option, if one is specified.  If no directory is
-specified, UNIX systems will use the user's .netscape directory, while other
-systems will return with an error message.  If any of these databases already
-exist in the chosen directory, an error message is returned.
-<p>If used with <code>-nocertdb</code>, only secmod[ule].db will be created;
-cert7.db and key3.db will not be created.
-</td>
-</tr>
-
-<!------------------------------ -default -------------------------------->
-<tr>
-<td> <a name="default"></a> <code>-default <u><i>module name</i></u>
--mechanisms <u><i>mechanism list</i></u></code>
-</td>
-<td>Specifies that the given module will be a default provider of the
-listed mechanisms.  The mechanism list is the same as in the <code>-add</code>
-command.
-</td>
-</tr>
-
-<!-------------------------- -delete ------------------------------------->
-<tr>
-<td><a name="delete"></a><code>-delete <u><i>module name</i></u></code></td>
-<td>Deletes the named module from the database</td>
-</tr>
-
-<!-------------------------- -disable ------------------------------------->
-<tr>
-<td> <a name="disable"></a> <code>-disable <u><i>module name</i></u>
-[-slot <u><i>slot name</i></u>]</code></td>
-<td>Disables the named slot. If no slot is specified, all slots on
-the module are disabled.</td>
-</tr>
-
-<!-------------------------- -enable ------------------------------------->
-<tr>
-<td> <a name="enable"></a> <code>-enable <u><i>module name</i></u>
-[-slot <u><i>slot name</i></u>]</code></td>
-<td>Enables the named slot. If no slot is specified, all slots on
-the module are enabled.</td>
-</tr>
-
-<!-------------------------- -fips ------------------------------------->
-<tr>
-<td><a name="fips"></a><code>-fips [true | false]</code></td>
-<td>Enables or disables FIPS mode on the internal module.  Passing
-<code>true</code> enables FIPS mode, passing <code>false</code> disables
-FIPS mode.</td>
-</tr>
-
-<!-------------------------- -force ------------------------------------->
-<tr>
-<td><a name="force"></a><code>-force</code></td>
-<td>Disables interactive prompts, so modutil can be run in a script. 
-Should only be used by experts, since the prompts may relate to security
-or database integrity. Before using this option, test the command
-interactively once to see the warnings that are produced.</td>
-</tr>
-
-<!-------------------------- -jar ------------------------------------->
-<tr>
-<td><a name="jar"></a><code>-jar <u><i>JAR file</i></u>
--installdir <u><i>root installation directory</i></u>
-[-tempdir <u><i>temporary directory</i></u>]</code></td>
-<td>Adds a new module from the given JAR file. The JAR file uses the 
-server <a href="pk11jar.html">PKCS #11 JAR format</a> to describe the names of
-any files that need to be installed, the name of the module, mechanism flags,
-and cipher flags.  The <u><i>root installation directory</i></u>
-is the directory relative to which files will be installed. This should be a
- directory 
-under which it would be natural to store dynamic library files, such as
-a server's root directory, or Communicator's root directory.
-The <u><i>temporary directory</i></u> is where temporary modutil files
-will be created in the course of the installation.  If no temporary directory
-is specified, the current directory will be used.
-<p>If used with the <code>-nocertdb</code> option, the signatures on the JAR
-file will not be checked.</td>
-</tr>
-
-<!----------------------------- -list ------------------------------>
-<tr>
-<td><a name="list"></a><code>-list [<u><i>module name</i></u>]</code></td>
-<td>Without an argument, lists the PKCS #11 modules present in the module
-database.
-<blockquote>
-<pre>
-% <b>modutil -list</b>
-Using database directory /u/nicolson/.netscape...
-
-Listing of PKCS #11 Modules
------------------------------------------------------------
-  1. Netscape Internal PKCS #11 Module
-         slots: 2 slots attached
-        status: loaded
-
-         slot: Communicator Internal Cryptographic Services Version 4.0
-        token: Communicator Generic Crypto Svcs
-
-         slot: Communicator User Private Key and Certificate Services
-        token: Communicator Certificate DB
------------------------------------------------------------
-</pre>
-</blockquote>
-<p>With an argument, provides a detailed description of the named module
-and its slots and tokens.
-<blockquote>
-<pre>
-% <b>modutil -list "Netscape Internal PKCS #11 Module"</b>
-Using database directory /u/nicolson/.netscape...
-
------------------------------------------------------------
-Name: Netscape Internal PKCS #11 Module
-Library file: **Internal ONLY module**
-Manufacturer: Netscape Communications Corp    
-Description: Communicator Internal Crypto Svc
-PKCS #11 Version 2.0
-Library Version: 4.0
-Cipher Enable Flags: None
-Default Mechanism Flags: RSA:DSA:RC2:RC4:DES:SHA1:MD5:MD2
-
-  Slot: Communicator Internal Cryptographic Services Version 4.0
-  Manufacturer: Netscape Communications Corp    
-  Type: Software
-  Version Number: 4.1
-  Firmware Version: 0.0
-  Status: Enabled
-  Token Name: Communicator Generic Crypto Svcs
-  Token Manufacturer: Netscape Communications Corp    
-  Token Model: Libsec 4.0      
-  Token Serial Number: 0000000000000000
-  Token Version: 4.0
-  Token Firmware Version: 0.0
-  Access: Write Protected
-  Login Type: Public (no login required)
-  User Pin: NOT Initialized
-
-  Slot: Communicator User Private Key and Certificate Services
-  Manufacturer: Netscape Communications Corp    
-  Type: Software
-  Version Number: 3.0
-  Firmware Version: 0.0
-  Status: Enabled
-  Token Name: Communicator Certificate DB     
-  Token Manufacturer: Netscape Communications Corp    
-  Token Model: Libsec 4.0      
-  Token Serial Number: 0000000000000000
-  Token Version: 7.0
-  Token Firmware Version: 0.0
-  Access: NOT Write Protected
-  Login Type: Login required
-  User Pin: Initialized
-
------------------------------------------------------------
-</pre>
-</blockquote>
-</td>
-</tr>
-
-<!------------------------------ Undefault ------------------------------->
-<tr>
-<td><a name="undefault"></a><code>-undefault <u><i>module name</i></u>
--mechanisms <u><i>mechanism list</i></u></code></td>
-<td>Specifies that the given module will NOT be a default provider of 
-the listed mechanisms. This command clears the default mechanism flags
-for the given module.</td>
-</tr>
-
-</table>
-
-<!------------------------------------------------------------------------>
-<!------------------------------ Options --------------------------------->
-<!------------------------------------------------------------------------>
-<h3>Options:</h3>
-<table border>
-<tr bgcolor="#cccccc"><th>Option</th><th>Description</th> </tr>
-
-<!------------------------------ -dbdir ---------------------------------->
-<tr>
-<td><code>-dbdir <u><i>directory</i></u></code></td>
-<td>Specifies which directory holds the module database. On UNIX systems,
-the user's netscape directory is the default. On other systems, there is
-no default, and this option must be used.</td>
-</tr>
-
-<!------------------------------ -dbdir ---------------------------------->
-<tr>
-<td><code>-nocertdb</code></td>
-<td>Do not open the certificate or key databases.  This has several effects.
-With the <code>-create</code> command, this means that only a secmod.db file
-will be created; cert7.db and key3.db will not be created.  With the
-<code>-jar</code> command, signatures on the JAR file will not be checked.
-With the <code>-changepw</code> command, the password on the Netscape internal 
-module cannot be set or changed, since this password is stored in key3.db.
-</td>
-</tr>
-
-</table>
-
-</body>
-</html>
diff --git a/security/nss/cmd/ocspclnt/Makefile b/security/nss/cmd/ocspclnt/Makefile
deleted file mode 100644
index 4d209348e..000000000
--- a/security/nss/cmd/ocspclnt/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
diff --git a/security/nss/cmd/ocspclnt/manifest.mn b/security/nss/cmd/ocspclnt/manifest.mn
deleted file mode 100644
index 158d0a5e8..000000000
--- a/security/nss/cmd/ocspclnt/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = \
-	ocspclnt.c \
-	$(NULL)
-
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
-# WINNT uses EXTRA_LIBS as the list of libs to link in.
-# Unix uses     OS_LIBS for that purpose.
-# We can solve this via conditional makefile code, but 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-# So, look in the local Makefile for the defines for the list of libs.
-
-PROGRAM = ocspclnt
-
-USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/ocspclnt/ocspclnt.c b/security/nss/cmd/ocspclnt/ocspclnt.c
deleted file mode 100644
index f86c5a2c5..000000000
--- a/security/nss/cmd/ocspclnt/ocspclnt.c
+++ /dev/null
@@ -1,1293 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Test program for client-side OCSP.
- *
- * $Id$
- */
-
-#include "secutil.h"
-#include "nspr.h"
-#include "plgetopt.h"
-#include "nss.h"
-#include "cert.h"
-#include "ocsp.h"
-#include "xconst.h"	/*
-			 * XXX internal header file; needed to get at
-			 * cert_DecodeAuthInfoAccessExtension -- would be
-			 * nice to not need this, but that would require
-			 * better/different APIs.
-			 */
-
-#ifndef NO_PP		/*
-			 * Compile with this every once in a while to be
-			 * sure that no dependencies on it get added
-			 * outside of the pretty-printing routines.
-			 */
-#include "ocspti.h"	/* internals for pretty-printing routines *only* */
-#endif	/* NO_PP */
-
-#if defined(_WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-#define DEFAULT_DB_DIR	"~/.netscape"
-
-/* global */
-char	*program_name;
-
-
-static void
-synopsis (char *program_name)
-{
-    PRFileDesc *pr_stderr;
-
-    pr_stderr = PR_STDERR;
-    PR_fprintf (pr_stderr, "Usage:");
-    PR_fprintf (pr_stderr,
-		"\t%s -p [-d <dir>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t%s -P [-d <dir>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t%s -r <name> [-a] [-L] [-s <name>] [-d <dir>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t%s -R <name> [-a] [-l <location>] [-s <name>] [-d <dir>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t%s -S <name> [-a] [-l <location> -t <name>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
-    PR_fprintf (pr_stderr,
-		"\t%s -V <name> [-a] -u <usage> [-l <location> -t <name>]\n",
-		program_name);
-    PR_fprintf (pr_stderr,
-		"\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
-}
-
-
-static void
-short_usage (char *program_name)
-{
-    PR_fprintf (PR_STDERR,
-		"Type %s -H for more detailed descriptions\n",
-		program_name);
-    synopsis (program_name);
-}
-
-
-static void
-long_usage (char *program_name)
-{
-    PRFileDesc *pr_stderr;
-
-    pr_stderr = PR_STDERR;
-    synopsis (program_name);
-    PR_fprintf (pr_stderr, "\nCommands (must specify exactly one):\n");
-    PR_fprintf (pr_stderr,
-		"  %-13s Pretty-print a binary request read from stdin\n",
-		"-p");
-    PR_fprintf (pr_stderr,
-		"  %-13s Pretty-print a binary response read from stdin\n",
-		"-P");
-    PR_fprintf (pr_stderr,
-		"  %-13s Create a request for cert \"nickname\" on stdout\n",
-		"-r nickname");
-    PR_fprintf (pr_stderr,
-		"  %-13s Get response for cert \"nickname\", dump to stdout\n",
-		"-R nickname");
-    PR_fprintf (pr_stderr,
-		"  %-13s Get status for cert \"nickname\"\n",
-		"-S nickname");
-    PR_fprintf (pr_stderr,
-		"  %-13s Fully verify cert \"nickname\", w/ status check\n",
-		"-V nickname");
-    PR_fprintf (pr_stderr,
-		"\n     %-10s also can be the name of the file with DER or\n"
-                "  %-13s PEM(use -a option) cert encoding\n", "nickname", "");
-    PR_fprintf (pr_stderr, "Options:\n");
-    PR_fprintf (pr_stderr,
-		"  %-13s Decode input cert from PEM format. DER is default\n",
-		"-a");
-    PR_fprintf (pr_stderr,
-		"  %-13s Add the service locator extension to the request\n",
-		"-L");
-    PR_fprintf (pr_stderr,
-		"  %-13s Find security databases in \"dbdir\" (default %s)\n",
-		"-d dbdir", DEFAULT_DB_DIR);
-    PR_fprintf (pr_stderr,
-		"  %-13s Use \"location\" as URL of responder\n",
-		"-l location");
-    PR_fprintf (pr_stderr,
-		"  %-13s Trust cert \"nickname\" as response signer\n",
-		"-t nickname");
-    PR_fprintf (pr_stderr,
-		"  %-13s Sign requests with cert \"nickname\"\n",
-		"-s nickname");
-    PR_fprintf (pr_stderr,
-		"  %-13s Type of certificate usage for verification:\n",
-		"-u usage");
-    PR_fprintf (pr_stderr,
-		"%-17s c   SSL Client\n", "");
-    PR_fprintf (pr_stderr,
-		"%-17s s   SSL Server\n", "");
-    PR_fprintf (pr_stderr,
-		"%-17s e   Email Recipient\n", "");
-    PR_fprintf (pr_stderr,
-		"%-17s E   Email Signer\n", "");
-    PR_fprintf (pr_stderr,
-		"%-17s S   Object Signer\n", "");
-    PR_fprintf (pr_stderr,
-		"%-17s C   CA\n", "");
-    PR_fprintf (pr_stderr,
-		"  %-13s Validity time (default current time), one of:\n",
-		"-w time");
-    PR_fprintf (pr_stderr,
-		"%-17s %-25s (GMT)\n", "", "YYMMDDhhmm[ss]Z");
-    PR_fprintf (pr_stderr,
-		"%-17s %-25s (later than GMT)\n", "", "YYMMDDhhmm[ss]+hhmm");
-    PR_fprintf (pr_stderr,
-		"%-17s %-25s (earlier than GMT)\n", "", "YYMMDDhhmm[ss]-hhmm");
-}
-
-#if defined(WIN32)
-/* We're going to write binary data to stdout, or read binary from stdin. 
- * We must put stdout or stdin into O_BINARY mode or else 
-   outgoing \n's will become \r\n's, and incoming \r\n's will become \n's.
-*/
-static SECStatus
-make_file_binary(FILE * binfile)
-{
-    int smrv = _setmode(_fileno(binfile), _O_BINARY);
-    if (smrv == -1) {
-        fprintf(stderr, "%s: Cannot change stdout to binary mode.\n",
-                  program_name);
-    }
-    return smrv;
-}
-#define MAKE_FILE_BINARY make_file_binary
-#else
-#define MAKE_FILE_BINARY(file) 
-#endif
-
-/*
- * XXX This is a generic function that would probably make a good
- * replacement for SECU_DER_Read (which is not at all specific to DER,
- * despite its name), but that requires fixing all of the tools...
- * Still, it should be done, whenenver I/somebody has the time.
- * (Also, consider whether this actually belongs in the security
- * library itself, not just in the command library.)
- *
- * This function takes an open file (a PRFileDesc *) and reads the
- * entire file into a SECItem.  (Obviously, the file is intended to
- * be small enough that such a thing is advisable.)  Both the SECItem
- * and the buffer it points to are allocated from the heap; the caller
- * is expected to free them.  ("SECITEM_FreeItem(item, PR_TRUE)")
- */
-static SECItem *
-read_file_into_item (PRFileDesc *in_file, SECItemType si_type)
-{
-    PRStatus	 prv;
-    SECItem 	*item;
-    PRFileInfo	 file_info;
-    PRInt32	 bytes_read;
-
-    prv = PR_GetOpenFileInfo (in_file, &file_info);
-    if (prv != PR_SUCCESS)
-	return NULL;
-
-    if (file_info.size ==  0) {
-	/* XXX Need a better error; just grabbed this one for expediency. */
-	PORT_SetError (SEC_ERROR_INPUT_LEN);
-	return NULL;
-    }
-
-    if (file_info.size > 0xffff) {	/* I think this is too big. */
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    item = PORT_Alloc (sizeof (SECItem));
-    if (item == NULL)
-	return NULL;
-
-    item->type = si_type;
-    item->len = (unsigned int) file_info.size;
-    item->data = PORT_Alloc ((size_t)item->len);
-    if (item->data == NULL)
-	goto loser;
-
-    bytes_read = PR_Read (in_file, item->data, (PRInt32) item->len);
-    if (bytes_read < 0) {
-	/* Something went wrong; error is already set for us. */
-	goto loser;
-    } else if (bytes_read == 0) {
-	/* Something went wrong; we read nothing.  But no system/nspr error. */
-	/* XXX Need to set an error here. */
-	goto loser;
-    } else if (item->len != (unsigned int)bytes_read) {
-	/* Something went wrong; we read less (or more!?) than we expected. */
-	/* XXX Need to set an error here. */
-	goto loser;
-    }
-
-    return item;
-
-loser:
-    SECITEM_FreeItem (item, PR_TRUE);
-    return NULL;
-}
-
-
-/*
- * Create a DER-encoded OCSP request (for the certificate whose nickname
- * is "name") and dump it out.
- */
-static SECStatus
-create_request (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool add_service_locator, PRBool add_acceptable_responses)
-{
-    CERTCertList *certs = NULL;
-    CERTCertificate *myCert = NULL;
-    CERTOCSPRequest *request = NULL;
-    int64 now = PR_Now();
-    SECItem *encoding = NULL;
-    SECStatus rv = SECFailure;
-
-    if (handle == NULL || cert == NULL)
-	return rv;
-
-    myCert = CERT_DupCertificate(cert);
-    if (myCert == NULL)
-        goto loser;
-
-    /*
-     * We need to create a list of one.
-     */
-    certs = CERT_NewCertList();
-    if (certs == NULL)
-	goto loser;
-
-    if (CERT_AddCertToListTail (certs, myCert) != SECSuccess)
-	goto loser;
-
-    /*
-     * Now that cert is included in the list, we need to be careful
-     * that we do not try to destroy it twice.  This will prevent that.
-     */
-    myCert = NULL;
-
-    request = CERT_CreateOCSPRequest (certs, now, add_service_locator, NULL);
-    if (request == NULL)
-	goto loser;
-
-    if (add_acceptable_responses) {
-	rv = CERT_AddOCSPAcceptableResponses(request,
-					     SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    encoding = CERT_EncodeOCSPRequest (NULL, request, NULL);
-    if (encoding == NULL)
-	goto loser;
-
-    MAKE_FILE_BINARY(out_file);
-    if (fwrite (encoding->data, encoding->len, 1, out_file) != 1)
-	goto loser;
-
-    rv = SECSuccess;
-
-loser:
-    if (encoding != NULL)
-	SECITEM_FreeItem(encoding, PR_TRUE);
-    if (request != NULL)
-	CERT_DestroyOCSPRequest(request);
-    if (certs != NULL)
-	CERT_DestroyCertList (certs);
-    if (myCert != NULL)
-	CERT_DestroyCertificate(myCert);
-
-    return rv;
-}
-
-
-/*
- * Create a DER-encoded OCSP request (for the certificate whose nickname is
- * "cert_name"), then get and dump a corresponding response.  The responder
- * location is either specified explicitly (as "responder_url") or found
- * via the AuthorityInfoAccess URL in the cert.
- */
-static SECStatus
-dump_response (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
-	       const char *responder_url)
-{
-    CERTCertList *certs = NULL;
-    CERTCertificate *myCert = NULL;
-    char *loc = NULL;
-    int64 now = PR_Now();
-    SECItem *response = NULL;
-    SECStatus rv = SECFailure;
-    PRBool includeServiceLocator;
-
-    if (handle == NULL || cert == NULL)
-	return rv;
-
-    myCert = CERT_DupCertificate(cert);
-    if (myCert == NULL)
-        goto loser;
-
-    if (responder_url != NULL) {
-	loc = (char *) responder_url;
-	includeServiceLocator = PR_TRUE;
-    } else {
-	loc = CERT_GetOCSPAuthorityInfoAccessLocation (cert);
-	if (loc == NULL)
-	    goto loser;
-	includeServiceLocator = PR_FALSE;
-    }
-
-    /*
-     * We need to create a list of one.
-     */
-    certs = CERT_NewCertList();
-    if (certs == NULL)
-	goto loser;
-
-    if (CERT_AddCertToListTail (certs, myCert) != SECSuccess)
-	goto loser;
-
-    /*
-     * Now that cert is included in the list, we need to be careful
-     * that we do not try to destroy it twice.  This will prevent that.
-     */
-    myCert = NULL;
-
-    response = CERT_GetEncodedOCSPResponse (NULL, certs, loc, now,
-					    includeServiceLocator,
-					    NULL, NULL, NULL);
-    if (response == NULL)
-	goto loser;
-
-    MAKE_FILE_BINARY(out_file);
-    if (fwrite (response->data, response->len, 1, out_file) != 1)
-	goto loser;
-
-    rv = SECSuccess;
-
-loser:
-    if (response != NULL)
-	SECITEM_FreeItem (response, PR_TRUE);
-    if (certs != NULL)
-	CERT_DestroyCertList (certs);
-    if (myCert != NULL)
-	CERT_DestroyCertificate(myCert);
-    if (loc != NULL && loc != responder_url)
-	PORT_Free (loc);
-
-    return rv;
-}
-
-
-/*
- * Get the status for the specified certificate (whose nickname is "cert_name").
- * Directly use the OCSP function rather than doing a full verification.
- */
-static SECStatus
-get_cert_status (FILE *out_file, CERTCertDBHandle *handle,
-		 CERTCertificate *cert, const char *cert_name,
-                 int64 verify_time)
-{
-    SECStatus rv = SECFailure;
-
-    if (handle == NULL || cert == NULL)
-	goto loser;
-
-    rv = CERT_CheckOCSPStatus (handle, cert, verify_time, NULL);
-
-    fprintf (out_file, "Check of certificate \"%s\" ", cert_name); 
-    if (rv == SECSuccess) {
-	fprintf (out_file, "succeeded.\n"); 
-    } else {
-	const char *error_string = SECU_Strerror(PORT_GetError());
-	fprintf (out_file, "failed.  Reason:\n");
-	if (error_string != NULL && PORT_Strlen(error_string) > 0)
-	    fprintf (out_file, "%s\n", error_string);
-	else
-	    fprintf (out_file, "Unknown\n");
-    }
-
-    rv = SECSuccess;
-
-loser:
-
-    return rv;
-}
-
-
-/*
- * Verify the specified certificate (whose nickname is "cert_name").
- * OCSP is already turned on, so we just need to call the standard
- * certificate verification API and let it do all the work.
- */
-static SECStatus
-verify_cert (FILE *out_file, CERTCertDBHandle *handle, CERTCertificate *cert,
-	     const char *cert_name, SECCertUsage cert_usage, int64 verify_time)
-{
-    SECStatus rv = SECFailure;
-
-    if (handle == NULL || cert == NULL)
-	return rv;
-
-    rv = CERT_VerifyCert (handle, cert, PR_TRUE, cert_usage, verify_time,
-			  NULL, NULL);
-
-    fprintf (out_file, "Verification of certificate \"%s\" ", cert_name); 
-    if (rv == SECSuccess) {
-	fprintf (out_file, "succeeded.\n"); 
-    } else {
-	const char *error_string = SECU_Strerror(PORT_GetError());
-	fprintf (out_file, "failed.  Reason:\n");
-	if (error_string != NULL && PORT_Strlen(error_string) > 0)
-	    fprintf (out_file, "%s\n", error_string);
-	else
-	    fprintf (out_file, "Unknown\n");
-    }
-
-    rv = SECSuccess;
-
-    return rv;
-}
-
-CERTCertificate*
-find_certificate(CERTCertDBHandle *handle, const char *name, PRBool ascii)
-{
-    CERTCertificate *cert = NULL;
-    SECItem der;
-    PRFileDesc *certFile;
-
-    if (handle == NULL || name == NULL)
-        return NULL;
-
-    if (ascii == PR_FALSE) { 
-        /* by default need to check if there is cert nick is given */
-        cert = CERT_FindCertByNicknameOrEmailAddr (handle, (char *) name);
-        if (cert != NULL)
-            return cert;
-    }
-
-    certFile = PR_Open(name, PR_RDONLY, 0);
-    if (certFile == NULL) {
-        return NULL;
-    }
-
-    if (SECU_ReadDERFromFile(&der, certFile, ascii) == SECSuccess) {
-        cert = CERT_DecodeCertFromPackage((char*)der.data, der.len);
-        SECITEM_FreeItem(&der, PR_FALSE);
-    }
-    PR_Close(certFile);
-
-    return cert;
-}
-
-
-#ifdef	NO_PP
-
-static SECStatus
-print_request (FILE *out_file, SECItem *data)
-{
-    fprintf (out_file, "Cannot pretty-print request compiled with NO_PP.\n");
-    return SECSuccess;
-}
-
-static SECStatus
-print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
-{
-    fprintf (out_file, "Cannot pretty-print response compiled with NO_PP.\n");
-    return SECSuccess;
-}
-
-#else /* NO_PP */
-
-static void
-print_ocsp_version (FILE *out_file, SECItem *version, int level)
-{
-    if (version->len > 0) {
-	SECU_PrintInteger (out_file, version, "Version", level);
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "Version: DEFAULT\n");
-    }
-}
-
-
-static void
-print_ocsp_cert_id (FILE *out_file, CERTOCSPCertID *cert_id, int level)
-{
-    SECU_Indent (out_file, level);
-    fprintf (out_file, "Cert ID:\n");
-    level++;
-
-    SECU_PrintAlgorithmID (out_file, &(cert_id->hashAlgorithm),
-			   "Hash Algorithm", level);
-    SECU_PrintAsHex (out_file, &(cert_id->issuerNameHash),
-		     "Issuer Name Hash", level);
-    SECU_PrintAsHex (out_file, &(cert_id->issuerKeyHash),
-		     "Issuer Key Hash", level);
-    SECU_PrintInteger (out_file, &(cert_id->serialNumber),
-		       "Serial Number", level);
-    /* XXX lookup the cert; if found, print something nice (nickname?) */
-}
-
-
-static void
-print_raw_certificates (FILE *out_file, SECItem **raw_certs, int level)
-{
-    SECItem *raw_cert;
-    int i = 0;
-    char cert_label[50];
-
-    SECU_Indent (out_file, level);
-
-    if (raw_certs == NULL) {
-	fprintf (out_file, "No Certificates.\n");
-	return;
-    }
-
-    fprintf (out_file, "Certificate List:\n");
-    while ((raw_cert = raw_certs[i++]) != NULL) {
-	sprintf (cert_label, "Certificate (%d)", i);
-	(void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1,
-				     SECU_PrintCertificate);
-    }
-}
-
-
-static void
-print_ocsp_extensions (FILE *out_file, CERTCertExtension **extensions,
-		       char *msg, int level)
-{
-    if (extensions) {
-	SECU_PrintExtensions (out_file, extensions, msg, level);
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "No %s\n", msg);
-    }
-}
-
-
-static void
-print_single_request (FILE *out_file, ocspSingleRequest *single, int level)
-{
-    print_ocsp_cert_id (out_file, single->reqCert, level);
-    print_ocsp_extensions (out_file, single->singleRequestExtensions,
-			   "Single Request Extensions", level);
-}
-
-
-/*
- * Decode the DER/BER-encoded item "data" as an OCSP request
- * and pretty-print the subfields.
- */
-static SECStatus
-print_request (FILE *out_file, SECItem *data)
-{
-    CERTOCSPRequest *request;
-    ocspTBSRequest *tbsRequest;
-    int level = 0;
-
-    PORT_Assert (out_file != NULL);
-    PORT_Assert (data != NULL);
-    if (out_file == NULL || data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    request = CERT_DecodeOCSPRequest (data);
-    if (request == NULL || request->tbsRequest == NULL)
-	return SECFailure;
-
-    tbsRequest = request->tbsRequest;
-
-    fprintf (out_file, "TBS Request:\n");
-    level++;
-
-    print_ocsp_version (out_file, &(tbsRequest->version), level);
-
-    /*
-     * XXX Probably should be an interface to get the signer name
-     * without looking inside the tbsRequest at all.
-     */
-    if (tbsRequest->requestorName != NULL) {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "XXX print the requestorName\n");
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "No Requestor Name.\n");
-    }
-
-    if (tbsRequest->requestList != NULL) {
-	int i;
-
-	for (i = 0; tbsRequest->requestList[i] != NULL; i++) {
-	    SECU_Indent (out_file, level);
-	    fprintf (out_file, "Request %d:\n", i);
-	    print_single_request (out_file, tbsRequest->requestList[i],
-				  level + 1);
-	}
-    } else {
-	fprintf (out_file, "Request list is empty.\n");
-    }
-
-    print_ocsp_extensions (out_file, tbsRequest->requestExtensions,
-			   "Request Extensions", level);
-
-    if (request->optionalSignature != NULL) {
-	ocspSignature *whole_sig;
-	SECItem rawsig;
-
-	fprintf (out_file, "Signature:\n");
-
-	whole_sig = request->optionalSignature;
-	SECU_PrintAlgorithmID (out_file, &(whole_sig->signatureAlgorithm),
-			       "Signature Algorithm", level);
-
-	rawsig = whole_sig->signature;
-	DER_ConvertBitString (&rawsig);
-	SECU_PrintAsHex (out_file, &rawsig, "Signature", level);
-
-	print_raw_certificates (out_file, whole_sig->derCerts, level);
-
-	fprintf (out_file, "XXX verify the sig and print result\n");
-    } else {
-	fprintf (out_file, "No Signature\n");
-    }
-
-    CERT_DestroyOCSPRequest (request);
-    return SECSuccess;
-}
-
-
-static void
-print_revoked_info (FILE *out_file, ocspRevokedInfo *revoked_info, int level)
-{
-    SECU_PrintGeneralizedTime (out_file, &(revoked_info->revocationTime),
-			       "Revocation Time", level);
-
-    if (revoked_info->revocationReason != NULL) {
-	SECU_PrintAsHex (out_file, revoked_info->revocationReason,
-			 "Revocation Reason", level);
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "No Revocation Reason.\n");
-    }
-}
-
-
-static void
-print_cert_status (FILE *out_file, ocspCertStatus *status, int level)
-{
-    SECU_Indent (out_file, level);
-    fprintf (out_file, "Status: ");
-
-    switch (status->certStatusType) {
-      case ocspCertStatus_good:
-	fprintf (out_file, "Cert is good.\n");
-	break;
-      case ocspCertStatus_revoked:
-	fprintf (out_file, "Cert has been revoked.\n");
-	print_revoked_info (out_file, status->certStatusInfo.revokedInfo,
-			    level + 1);
-	break;
-      case ocspCertStatus_unknown:
-	fprintf (out_file, "Cert is unknown to responder.\n");
-	break;
-      default:
-	fprintf (out_file, "Unrecognized status.\n");
-	break;
-    }
-}
-
-
-static void
-print_single_response (FILE *out_file, CERTOCSPSingleResponse *single,
-		       int level)
-{
-    print_ocsp_cert_id (out_file, single->certID, level);
-
-    print_cert_status (out_file, single->certStatus, level);
-
-    SECU_PrintGeneralizedTime (out_file, &(single->thisUpdate),
-			       "This Update", level);
-
-    if (single->nextUpdate != NULL) {
-	SECU_PrintGeneralizedTime (out_file, single->nextUpdate,
-				   "Next Update", level);
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "No Next Update\n");
-    }
-
-    print_ocsp_extensions (out_file, single->singleExtensions,
-			   "Single Response Extensions", level);
-}
-
-
-static void
-print_responder_id (FILE *out_file, ocspResponderID *responderID, int level)
-{
-    SECU_Indent (out_file, level);
-    fprintf (out_file, "Responder ID ");
-
-    switch (responderID->responderIDType) {
-      case ocspResponderID_byName:
-	fprintf (out_file, "(byName):\n");
-	SECU_PrintName (out_file, &(responderID->responderIDValue.name),
-			"Name", level + 1);
-	break;
-      case ocspResponderID_byKey:
-	fprintf (out_file, "(byKey):\n");
-	SECU_PrintAsHex (out_file, &(responderID->responderIDValue.keyHash),
-			 "Key Hash", level + 1);
-	break;
-      default:
-	fprintf (out_file, "Unrecognized Responder ID Type\n");
-	break;
-    }
-}
-
-
-static void
-print_response_data (FILE *out_file, ocspResponseData *responseData, int level)
-{
-    SECU_Indent (out_file, level);
-    fprintf (out_file, "Response Data:\n");
-    level++;
-
-    print_ocsp_version (out_file, &(responseData->version), level);
-
-    print_responder_id (out_file, responseData->responderID, level);
-
-    SECU_PrintGeneralizedTime (out_file, &(responseData->producedAt),
-			       "Produced At", level);
-
-    if (responseData->responses != NULL) {
-	int i;
-
-	for (i = 0; responseData->responses[i] != NULL; i++) {
-	    SECU_Indent (out_file, level);
-	    fprintf (out_file, "Response %d:\n", i);
-	    print_single_response (out_file, responseData->responses[i],
-				   level + 1);
-	}
-    } else {
-	fprintf (out_file, "Response list is empty.\n");
-    }
-
-    print_ocsp_extensions (out_file, responseData->responseExtensions,
-			   "Response Extensions", level);
-}
-
-
-static void
-print_basic_response (FILE *out_file, ocspBasicOCSPResponse *basic, int level)
-{
-    SECItem rawsig;
-
-    SECU_Indent (out_file, level);
-    fprintf (out_file, "Basic OCSP Response:\n");
-    level++;
-
-    print_response_data (out_file, basic->tbsResponseData, level);
-
-    SECU_PrintAlgorithmID (out_file,
-			   &(basic->responseSignature.signatureAlgorithm),
-			   "Signature Algorithm", level);
-
-    rawsig = basic->responseSignature.signature;
-    DER_ConvertBitString (&rawsig);
-    SECU_PrintAsHex (out_file, &rawsig, "Signature", level);
-
-    print_raw_certificates (out_file, basic->responseSignature.derCerts, level);
-}
-
-
-/*
- * Note this must match (exactly) the enumeration ocspResponseStatus.
- */
-static char *responseStatusNames[] = {
-    "successful (Response has valid confirmations)",
-    "malformedRequest (Illegal confirmation request)",
-    "internalError (Internal error in issuer)",
-    "tryLater (Try again later)",
-    "unused ((4) is not used)",
-    "sigRequired (Must sign the request)",
-    "unauthorized (Request unauthorized)",
-    "other (Status value out of defined range)"
-};
-
-/*
- * Decode the DER/BER-encoded item "data" as an OCSP response
- * and pretty-print the subfields.
- */
-static SECStatus
-print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
-{
-    CERTOCSPResponse *response;
-    int level = 0;
-
-    PORT_Assert (out_file != NULL);
-    PORT_Assert (data != NULL);
-    if (out_file == NULL || data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    response = CERT_DecodeOCSPResponse (data);
-    if (response == NULL)
-	return SECFailure;
-
-    PORT_Assert (response->statusValue <= ocspResponse_other);
-    fprintf (out_file, "Response Status: %s\n",
-	     responseStatusNames[response->statusValue]);
-
-    if (response->statusValue == ocspResponse_successful) {
-	ocspResponseBytes *responseBytes = response->responseBytes;
-	SECStatus sigStatus;
-	CERTCertificate *signerCert = NULL;
-
-	PORT_Assert (responseBytes != NULL);
-
-	level++;
-	fprintf (out_file, "Response Bytes:\n");
-	SECU_PrintObjectID (out_file, &(responseBytes->responseType),
-			    "Response Type", level);
-	switch (response->responseBytes->responseTypeTag) {
-	  case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
-	    print_basic_response (out_file,
-				  responseBytes->decodedResponse.basic,
-				  level);
-	    break;
-	  default:
-	    SECU_Indent (out_file, level);
-	    fprintf (out_file, "Unknown response syntax\n");
-	    break;
-	}
-
-	sigStatus = CERT_VerifyOCSPResponseSignature (response, handle,
-						      NULL, &signerCert, NULL);
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "Signature verification ");
-	if (sigStatus != SECSuccess) {
-	    fprintf (out_file, "failed: %s\n", SECU_Strerror (PORT_GetError()));
-	} else {
-	    fprintf (out_file, "succeeded.\n");
-	    if (signerCert != NULL) {
-		SECU_PrintName (out_file, &signerCert->subject, "Signer",
-				level);
-		CERT_DestroyCertificate (signerCert);
-	    } else {
-		SECU_Indent (out_file, level);
-		fprintf (out_file, "No signer cert returned?\n");
-	    }
-	}
-    } else {
-	SECU_Indent (out_file, level);
-	fprintf (out_file, "Unsuccessful response, no more information.\n");
-    }
-
-    CERT_DestroyOCSPResponse (response);
-    return SECSuccess;
-}
-
-#endif	/* NO_PP */
-
-
-static SECStatus
-cert_usage_from_char (const char *cert_usage_str, SECCertUsage *cert_usage)
-{
-    PORT_Assert (cert_usage_str != NULL);
-    PORT_Assert (cert_usage != NULL);
-
-    if (PORT_Strlen (cert_usage_str) != 1)
-	return SECFailure;
-
-    switch (*cert_usage_str) {
-      case 'c':
-	*cert_usage = certUsageSSLClient;
-	break;
-      case 's':
-	*cert_usage = certUsageSSLServer;
-	break;
-      case 'e':
-	*cert_usage = certUsageEmailRecipient;
-	break;
-      case 'E':
-	*cert_usage = certUsageEmailSigner;
-	break;
-      case 'S':
-	*cert_usage = certUsageObjectSigner;
-	break;
-      case 'C':
-	*cert_usage = certUsageVerifyCA;
-	break;
-      default:
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-int
-main (int argc, char **argv)
-{
-    int		 retval;
-    PRFileDesc	*in_file;
-    FILE	*out_file;	/* not PRFileDesc until SECU accepts it */
-    int		 crequest, dresponse;
-    int		 prequest, presponse;
-    int		 ccert, vcert;
-    const char	*db_dir, *date_str, *cert_usage_str, *name;
-    const char	*responder_name, *responder_url, *signer_name;
-    PRBool	 add_acceptable_responses, add_service_locator;
-    SECItem	*data = NULL;
-    PLOptState	*optstate;
-    SECStatus	 rv;
-    CERTCertDBHandle *handle = NULL;
-    SECCertUsage cert_usage;
-    int64	 verify_time;
-    CERTCertificate *cert = NULL;
-    PRBool ascii = PR_FALSE;
-
-    retval = -1;		/* what we return/exit with on error */
-
-    program_name = PL_strrchr(argv[0], '/');
-    program_name = program_name ? (program_name + 1) : argv[0];
-
-    in_file = PR_STDIN;
-    out_file = stdout;
-
-    crequest = 0;
-    dresponse = 0;
-    prequest = 0;
-    presponse = 0;
-    ccert = 0;
-    vcert = 0;
-
-    db_dir = NULL;
-    date_str = NULL;
-    cert_usage_str = NULL;
-    name = NULL;
-    responder_name = NULL;
-    responder_url = NULL;
-    signer_name = NULL;
-
-    add_acceptable_responses = PR_FALSE;
-    add_service_locator = PR_FALSE;
-
-    optstate = PL_CreateOptState (argc, argv, "AHLPR:S:V:d:l:pr:s:t:u:w:");
-    if (optstate == NULL) {
-	SECU_PrintError (program_name, "PL_CreateOptState failed");
-	return retval;
-    }
-
-    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    short_usage (program_name);
-	    return retval;
-
-	  case 'A':
-	    add_acceptable_responses = PR_TRUE;
-	    break;
-
-	  case 'H':
-	    long_usage (program_name);
-	    return retval;
-
-	  case 'L':
-	    add_service_locator = PR_TRUE;
-	    break;
-
-	  case 'P':
-	    presponse = 1;
-	    break;
-
-	  case 'R':
-	    dresponse = 1;
-	    name = optstate->value;
-	    break;
-
-	  case 'S':
-	    ccert = 1;
-	    name = optstate->value;
-	    break;
-
-	  case 'V':
-	    vcert = 1;
-	    name = optstate->value;
-	    break;
-
-	  case 'a':
-	    ascii = PR_TRUE;
-	    break;
-
-	  case 'd':
-	    db_dir = optstate->value;
-	    break;
-
-	  case 'l':
-	    responder_url = optstate->value;
-	    break;
-
-	  case 'p':
-	    prequest = 1;
-	    break;
-
-	  case 'r':
-	    crequest = 1;
-	    name = optstate->value;
-	    break;
-
-	  case 's':
-	    signer_name = optstate->value;
-	    break;
-
-	  case 't':
-	    responder_name = optstate->value;
-	    break;
-
-	  case 'u':
-	    cert_usage_str = optstate->value;
-	    break;
-
-	  case 'w':
-	    date_str = optstate->value;
-	    break;
-	}
-    }
-
-    PL_DestroyOptState(optstate);
-
-    if ((crequest + dresponse + prequest + presponse + ccert + vcert) != 1) {
-	PR_fprintf (PR_STDERR, "%s: must specify exactly one command\n\n",
-		    program_name);
-	short_usage (program_name);
-	return retval;
-    }
-
-    if (vcert) {
-	if (cert_usage_str == NULL) {
-	    PR_fprintf (PR_STDERR, "%s: verification requires cert usage\n\n",
-			program_name);
-	    short_usage (program_name);
-	    return retval;
-	}
-
-	rv = cert_usage_from_char (cert_usage_str, &cert_usage);
-	if (rv != SECSuccess) {
-	    PR_fprintf (PR_STDERR, "%s: invalid cert usage (\"%s\")\n\n",
-			program_name, cert_usage_str);
-	    long_usage (program_name);
-	    return retval;
-	}
-    }
-
-    if (ccert + vcert) {
-	if (responder_url != NULL || responder_name != NULL) {
-	    /*
-	     * To do a full status check, both the URL and the cert name
-	     * of the responder must be specified if either one is.
-	     */
-	    if (responder_url == NULL || responder_name == NULL) {
-		if (responder_url == NULL)
-		    PR_fprintf (PR_STDERR,
-				"%s: must also specify responder location\n\n",
-				program_name);
-		else
-		    PR_fprintf (PR_STDERR,
-				"%s: must also specify responder name\n\n",
-				program_name);
-		short_usage (program_name);
-		return retval;
-	    }
-	}
-
-	if (date_str != NULL) {
-	    rv = DER_AsciiToTime (&verify_time, (char *) date_str);
-	    if (rv != SECSuccess) {
-		SECU_PrintError (program_name, "error converting time string");
-		PR_fprintf (PR_STDERR, "\n");
-		long_usage (program_name);
-		return retval;
-	    }
-	} else {
-	    verify_time = PR_Now();
-	}
-    }
-
-    retval = -2;		/* errors change from usage to runtime */
-
-    /*
-     * Initialize the NSPR and Security libraries.
-     */
-    PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    db_dir = SECU_ConfigDirectory (db_dir);
-    rv = NSS_Init (db_dir);
-    if (rv != SECSuccess) {
-	SECU_PrintError (program_name, "NSS_Init failed");
-	goto prdone;
-    }
-    SECU_RegisterDynamicOids();
-
-    if (prequest + presponse) {
-	MAKE_FILE_BINARY(stdin);
-	data = read_file_into_item (in_file, siBuffer);
-	if (data == NULL) {
-	    SECU_PrintError (program_name, "problem reading input");
-	    goto nssdone;
-	}
-    }
-
-    if (crequest + dresponse + presponse + ccert + vcert) {
-	handle = CERT_GetDefaultCertDB();
-	if (handle == NULL) {
-	    SECU_PrintError (program_name, "problem getting certdb handle");
-	    goto nssdone;
-	}
-
-	/*
-	 * It would be fine to do the enable for all of these commands,
-	 * but this way we check that everything but an overall verify
-	 * can be done without it.  That is, that the individual pieces
-	 * work on their own.
-	 */
-	if (vcert) {
-	    rv = CERT_EnableOCSPChecking (handle);
-	    if (rv != SECSuccess) {
-		SECU_PrintError (program_name, "error enabling OCSP checking");
-		goto nssdone;
-	    }
-	}
-
-	if ((ccert + vcert) && (responder_name != NULL)) {
-	    rv = CERT_SetOCSPDefaultResponder (handle, responder_url,
-					       responder_name);
-	    if (rv != SECSuccess) {
-		SECU_PrintError (program_name,
-				 "error setting default responder");
-		goto nssdone;
-	    }
-
-	    rv = CERT_EnableOCSPDefaultResponder (handle);
-	    if (rv != SECSuccess) {
-		SECU_PrintError (program_name,
-				 "error enabling default responder");
-		goto nssdone;
-	    }
-	}
-    }
-
-#define NOTYET(opt)							\
-	{								\
-	    PR_fprintf (PR_STDERR, "%s not yet working\n", opt);	\
-	    exit (-1);							\
-	}
-
-    if (name) {
-        cert = find_certificate(handle, name, ascii);
-    }
-
-    if (crequest) {
-	if (signer_name != NULL) {
-	    NOTYET("-s");
-	}
-	rv = create_request (out_file, handle, cert, add_service_locator,
-			     add_acceptable_responses);
-    } else if (dresponse) {
-	if (signer_name != NULL) {
-	    NOTYET("-s");
-	}
-	rv = dump_response (out_file, handle, cert, responder_url);
-    } else if (prequest) {
-	rv = print_request (out_file, data);
-    } else if (presponse) {
-	rv = print_response (out_file, data, handle);
-    } else if (ccert) {
-	if (signer_name != NULL) {
-	    NOTYET("-s");
-	}
-	rv = get_cert_status (out_file, handle, cert, name, verify_time);
-    } else if (vcert) {
-	if (signer_name != NULL) {
-	    NOTYET("-s");
-	}
-	rv = verify_cert (out_file, handle, cert, name, cert_usage, verify_time);
-    }
-
-    if (rv != SECSuccess)
-	SECU_PrintError (program_name, "error performing requested operation");
-    else
-	retval = 0;
-
-nssdone:
-    if (cert) {
-        CERT_DestroyCertificate(cert);
-    }
-
-    if (data != NULL) {
-	SECITEM_FreeItem (data, PR_TRUE);
-    }
-
-    if (handle != NULL) {
- 	CERT_DisableOCSPDefaultResponder(handle);        
- 	CERT_DisableOCSPChecking (handle);
-    }
-
-    if (NSS_Shutdown () != SECSuccess) {
-	retval = 1;
-    }
-
-prdone:
-    PR_Cleanup ();
-    return retval;
-}
diff --git a/security/nss/cmd/oidcalc/Makefile b/security/nss/cmd/oidcalc/Makefile
deleted file mode 100644
index 27ca0c50e..000000000
--- a/security/nss/cmd/oidcalc/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/oidcalc/manifest.mn b/security/nss/cmd/oidcalc/manifest.mn
deleted file mode 100644
index 59fe6c51c..000000000
--- a/security/nss/cmd/oidcalc/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = oidcalc.c
-
-PROGRAM	= oidcalc
diff --git a/security/nss/cmd/oidcalc/oidcalc.c b/security/nss/cmd/oidcalc/oidcalc.c
deleted file mode 100644
index 27b0e2b3b..000000000
--- a/security/nss/cmd/oidcalc/oidcalc.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int
-main(int argc, char **argv)
-{
-    char *curstr;
-    char *nextstr;
-    unsigned int firstval;
-    unsigned int secondval;
-    unsigned int val;
-    unsigned char buf[5];
-    int count;
-    
-    if ( argc != 2 ) {
-	fprintf(stderr, "wrong number of args\n");
-	exit(-1);
-    }
-    
-    curstr = argv[1];
-    
-    nextstr = strchr(curstr, '.');
-    
-    if ( nextstr == NULL ) {
-	fprintf(stderr, "only one component\n");
-	exit(-1);
-    }
-    
-    *nextstr = '\0';
-    firstval = atoi(curstr);
-
-    curstr = nextstr + 1;
-    
-    nextstr = strchr(curstr, '.');
-
-    if ( nextstr ) {
-	*nextstr = '\0';
-    }
-
-    secondval = atoi(curstr);
-    
-    if ( ( firstval < 0 ) || ( firstval > 2 ) ) {
-	fprintf(stderr, "first component out of range\n");
-	exit(-1);
-	
-    }
-    
-    if ( ( secondval < 0 ) || ( secondval > 39 ) ) {
-	fprintf(stderr, "second component out of range\n");
-	exit(-1);
-    }
-    
-    printf("0x%x, ", ( firstval * 40 ) + secondval );
-    while ( nextstr ) {
-	curstr = nextstr + 1;
-
-	nextstr = strchr(curstr, '.');
-
-	if ( nextstr ) {
-	    *nextstr = '\0';
-	}
-
-	memset(buf, 0, sizeof(buf));
-	val = atoi(curstr);
-	count = 0;
-	while ( val ) {
-	    buf[count] = ( val & 0x7f );
-	    val = val >> 7;
-	    count++;
-	}
-
-	while ( count-- ) {
-	    if ( count ) {
-		printf("0x%x, ", buf[count] | 0x80 );
-	    } else {
-		printf("0x%x, ", buf[count] );
-	    }
-	}
-    }
-    printf("\n");
-    return 0;
-}
-
diff --git a/security/nss/cmd/p7content/Makefile b/security/nss/cmd/p7content/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/p7content/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/p7content/manifest.mn b/security/nss/cmd/p7content/manifest.mn
deleted file mode 100644
index 3a9f7f9a7..000000000
--- a/security/nss/cmd/p7content/manifest.mn
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-MODULE = nss
-
-CSRCS = p7content.c
-
-REQUIRES = seccmd 
-
-PROGRAM = p7content
-
diff --git a/security/nss/cmd/p7content/p7content.c b/security/nss/cmd/p7content/p7content.c
deleted file mode 100644
index 95c0eccf2..000000000
--- a/security/nss/cmd/p7content/p7content.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * p7content -- A command to display pkcs7 content.
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "nss.h"
-#include "pk11pub.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-
-
-static void
-Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s [-d dbdir] [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr,
-	    "%-20s Key/Cert database directory (default is ~/.netscape)\n",
-	    "-d dbdir");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-static PRBool saw_content;
-static secuPWData  pwdata          = { PW_NONE, 0 };
-
-static void
-PrintBytes(void *arg, const char *buf, unsigned long len)
-{
-    FILE *out;
-
-    out = arg; 
-    fwrite (buf, len, 1, out);
-
-    saw_content = PR_TRUE;
-}
-
-/*
- * XXX Someday we may want to do real policy stuff here.  This allows
- * anything to be decrypted, which is okay for a test program but does
- * not set an example of how a real client with a real policy would
- * need to do it.
- */
-static PRBool
-decryption_allowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
-    return PR_TRUE;
-}
-
-int
-DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName)
-{
-    SECItem derdata;
-    SEC_PKCS7ContentInfo *cinfo = NULL;
-    SEC_PKCS7DecoderContext *dcx;
-
-    if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE)) {
-        SECU_PrintError(progName, "error converting der");
-	return -1;
-    }
-
-    fprintf(out,
-	    "Content printed between bars (newline added before second bar):");
-    fprintf(out, "\n---------------------------------------------\n");
-
-    saw_content = PR_FALSE;
-    dcx = SEC_PKCS7DecoderStart(PrintBytes, out, NULL, &pwdata,
-				NULL, NULL, decryption_allowed);
-    if (dcx != NULL) {
-#if 0	/* Test that decoder works when data is really streaming in. */
-	{
-	    unsigned long i;
-	    for (i = 0; i < derdata.len; i++)
-		SEC_PKCS7DecoderUpdate(dcx, derdata.data + i, 1);
-	}
-#else
-	SEC_PKCS7DecoderUpdate(dcx, (char *)derdata.data, derdata.len);
-#endif
-	cinfo = SEC_PKCS7DecoderFinish(dcx);
-    }
-
-    fprintf(out, "\n---------------------------------------------\n");
-
-    if (cinfo == NULL)
-	return -1;
-
-    fprintf(out, "Content was%s encrypted.\n",
-	    SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
-
-    if (SEC_PKCS7ContentIsSigned(cinfo)) {
-	char *signer_cname, *signer_ename;
-	SECItem *signing_time;
-
-	if (saw_content) {
-	    fprintf(out, "Signature is ");
-	    PORT_SetError(0);
-	    if (SEC_PKCS7VerifySignature(cinfo, certUsageEmailSigner, PR_FALSE))
-		fprintf(out, "valid.\n");
-	    else
-		fprintf(out, "invalid (Reason: %s).\n",
-			SECU_Strerror(PORT_GetError()));
-	} else {
-	    fprintf(out,
-		    "Content is detached; signature cannot be verified.\n");
-	}
-
-	signer_cname = SEC_PKCS7GetSignerCommonName(cinfo);
-	if (signer_cname != NULL) {
-	    fprintf(out, "The signer's common name is %s\n", signer_cname);
-	    PORT_Free(signer_cname);
-	} else {
-	    fprintf(out, "No signer common name.\n");
-	}
-
-	signer_ename = SEC_PKCS7GetSignerEmailAddress(cinfo);
-	if (signer_ename != NULL) {
-	    fprintf(out, "The signer's email address is %s\n", signer_ename);
-	    PORT_Free(signer_ename);
-	} else {
-	    fprintf(out, "No signer email address.\n");
-	}
-
-	signing_time = SEC_PKCS7GetSigningTime(cinfo);
-	if (signing_time != NULL) {
-	    SECU_PrintTimeChoice(out, signing_time, "Signing time", 0);
-	} else {
-	    fprintf(out, "No signing time included.\n");
-	}
-    } else {
-	fprintf(out, "Content was not signed.\n");
-    }
-
-    fprintf(out, "There were%s certs or crls included.\n",
-	    SEC_PKCS7ContainsCertsOrCrls(cinfo) ? "" : " no");
-
-    SEC_PKCS7DestroyContentInfo(cinfo);
-    return 0;
-}
-
-/*
- * Print the contents of a PKCS7 message, indicating signatures, etc.
- */
-
-int
-main(int argc, char **argv)
-{
-    char *progName;
-    FILE *outFile;
-    PRFileDesc *inFile;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    inFile = NULL;
-    outFile = NULL;
-
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, "d:i:o:p:f:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-	  case 'i':
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "w");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'p':
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = PORT_Strdup (optstate->value);
-            break;
-
-          case 'f':
-            pwdata.source = PW_FROMFILE;
-            pwdata.data = PORT_Strdup (optstate->value);
-            break;
-
-	  default:
-	    Usage(progName);
-	    break;
-	}
-    }
-    if (status == PL_OPT_BAD)
-	Usage(progName);
-
-    if (!inFile) inFile = PR_STDIN;
-    if (!outFile) outFile = stdout;
-
-    /* Call the initialization routines */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    if (rv != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    if (DecodeAndPrintFile(outFile, inFile, progName)) {
-	SECU_PrintError(progName, "problem decoding data");
-	return -1;
-    }
-    
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    return 0;
-}
diff --git a/security/nss/cmd/p7env/Makefile b/security/nss/cmd/p7env/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/p7env/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/p7env/manifest.mn b/security/nss/cmd/p7env/manifest.mn
deleted file mode 100644
index 8378fe2e6..000000000
--- a/security/nss/cmd/p7env/manifest.mn
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-CSRCS = p7env.c  
-
-REQUIRES = seccmd 
-
-PROGRAM = p7env
-
diff --git a/security/nss/cmd/p7env/p7env.c b/security/nss/cmd/p7env/p7env.c
deleted file mode 100644
index 0e7e96bb6..000000000
--- a/security/nss/cmd/p7env/p7env.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * p7env -- A command to create a pkcs7 enveloped data.
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "nss.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-extern void SEC_Init(void);		/* XXX */
-
-
-static void
-Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s -r recipient [-d dbdir] [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Nickname of cert to use for encryption\n",
-	    "-r recipient");
-    fprintf(stderr, "%-20s Cert database directory (default is ~/.netscape)\n",
-	    "-d dbdir");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-struct recipient {
-    struct recipient *next;
-    char *nickname;
-    CERTCertificate *cert;
-};
-
-static void
-EncryptOut(void *arg, const char *buf, unsigned long len)
-{
-   FILE *out;
-
-   out = arg; 
-   fwrite (buf, len, 1, out);
-}
-
-static int
-EncryptFile(FILE *outFile, FILE *inFile, struct recipient *recipients,
-	    char *progName)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7EncoderContext *ecx;
-    struct recipient *rcpt;
-    SECStatus rv;
-
-    if (outFile == NULL || inFile == NULL || recipients == NULL)
-	return -1;
-
-    /* XXX Need a better way to handle that certUsage stuff! */
-    /* XXX keysize? */
-    cinfo = SEC_PKCS7CreateEnvelopedData (recipients->cert,
-					  certUsageEmailRecipient,
-					  NULL, SEC_OID_DES_EDE3_CBC, 0, 
-					  NULL, NULL);
-    if (cinfo == NULL)
-	return -1;
-
-    for (rcpt = recipients->next; rcpt != NULL; rcpt = rcpt->next) {
-	rv = SEC_PKCS7AddRecipient (cinfo, rcpt->cert, certUsageEmailRecipient,
-				    NULL);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "error adding recipient \"%s\"",
-			    rcpt->nickname);
-	    return -1;
-	}
-    }
-
-    ecx = SEC_PKCS7EncoderStart (cinfo, EncryptOut, outFile, NULL);
-    if (ecx == NULL)
-	return -1;
-
-    for (;;) {
-	char ibuf[1024];
-	int nb;
- 
-	if (feof(inFile))
-	    break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb == 0) {
-	    if (ferror(inFile)) {
-		PORT_SetError(SEC_ERROR_IO);
-		rv = SECFailure;
-	    }
-	    break;
-	}
-	rv = SEC_PKCS7EncoderUpdate(ecx, ibuf, nb);
-	if (rv != SECSuccess)
-	    break;
-    }
-
-    if (SEC_PKCS7EncoderFinish(ecx, NULL, NULL) != SECSuccess)
-	rv = SECFailure;
-
-    SEC_PKCS7DestroyContentInfo (cinfo);
-
-    if (rv != SECSuccess)
-	return -1;
-
-    return 0;
-}
-
-int
-main(int argc, char **argv)
-{
-    char *progName;
-    FILE *inFile, *outFile;
-    char *certName;
-    CERTCertDBHandle *certHandle;
-    struct recipient *recipients, *rcpt;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    inFile = NULL;
-    outFile = NULL;
-    certName = NULL;
-    recipients = NULL;
-    rcpt = NULL;
-
-    /*
-     * Parse command line arguments
-     * XXX This needs to be enhanced to allow selection of algorithms
-     * and key sizes (or to look up algorithms and key sizes for each
-     * recipient in the magic database).
-     */
-    optstate = PL_CreateOptState(argc, argv, "d:i:o:r:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-	  case 'i':
-	    inFile = fopen(optstate->value, "r");
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "wb");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'r':
-	    if (rcpt == NULL) {
-		recipients = rcpt = PORT_Alloc (sizeof(struct recipient));
-	    } else {
-		rcpt->next = PORT_Alloc (sizeof(struct recipient));
-		rcpt = rcpt->next;
-	    }
-	    if (rcpt == NULL) {
-		fprintf(stderr, "%s: unable to allocate recipient struct\n",
-			progName);
-		return -1;
-	    }
-	    rcpt->nickname = strdup(optstate->value);
-	    rcpt->cert = NULL;
-	    rcpt->next = NULL;
-	    break;
-	}
-    }
-
-    if (!recipients) Usage(progName);
-
-    if (!inFile) inFile = stdin;
-    if (!outFile) outFile = stdout;
-
-    /* Call the NSS initialization routines */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-
-    /* open cert database */
-    certHandle = CERT_GetDefaultCertDB();
-    if (certHandle == NULL) {
-	return -1;
-    }
-
-    /* find certs */
-    for (rcpt = recipients; rcpt != NULL; rcpt = rcpt->next) {
-	rcpt->cert = CERT_FindCertByNickname(certHandle, rcpt->nickname);
-	if (rcpt->cert == NULL) {
-	    SECU_PrintError(progName,
-			    "the cert for name \"%s\" not found in database",
-			    rcpt->nickname);
-	    return -1;
-	}
-    }
-
-    if (EncryptFile(outFile, inFile, recipients, progName)) {
-	SECU_PrintError(progName, "problem encrypting data");
-	return -1;
-    }
-
-    return 0;
-}
diff --git a/security/nss/cmd/p7sign/Makefile b/security/nss/cmd/p7sign/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/p7sign/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/p7sign/manifest.mn b/security/nss/cmd/p7sign/manifest.mn
deleted file mode 100644
index 4facb6246..000000000
--- a/security/nss/cmd/p7sign/manifest.mn
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-CSRCS = p7sign.c  
-
-REQUIRES = seccmd 
-
-PROGRAM = p7sign
-
diff --git a/security/nss/cmd/p7sign/p7sign.c b/security/nss/cmd/p7sign/p7sign.c
deleted file mode 100644
index d489c4556..000000000
--- a/security/nss/cmd/p7sign/p7sign.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * p7sign -- A command to create a *detached* pkcs7 signature (over a given
- * input file).
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "secutil.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-#include "nss.h"
-#include "pk11func.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-static secuPWData  pwdata          = { PW_NONE, 0 };
-
-static void
-Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Nickname of key to use for signature\n",
-	    "-k keyname");
-    fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
-	    "-d keydir");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    fprintf(stderr, "%-20s Encapsulate content in signature message\n",
-	    "-e");
-    fprintf(stderr, "%-20s Password to the key databse\n", "-p");
-    fprintf(stderr, "%-20s password file\n", "-f");
-    exit(-1);
-}
-
-static void
-SignOut(void *arg, const char *buf, unsigned long len)
-{
-   FILE *out;
-
-   out = (FILE*) arg; 
-   fwrite (buf, len, 1, out);
-}
-
-static int
-CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen)
-{
-    const SECHashObject *hashObj;
-    void *hashcx;
-
-    /* XXX probably want to extend interface to allow other hash algorithms */
-    hashObj = HASH_GetHashObject(HASH_AlgSHA1);
-
-    hashcx = (* hashObj->create)();
-    if (hashcx == NULL)
-	return -1;
-
-    (* hashObj->begin)(hashcx);
-    (* hashObj->update)(hashcx, data->data, data->len);
-    (* hashObj->end)(hashcx, (unsigned char *)digestdata, len, maxlen);
-    (* hashObj->destroy)(hashcx, PR_TRUE);
-    return 0;
-}
-
-static int
-SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert, 
-         PRBool encapsulated)
-{
-    char digestdata[32];
-    unsigned int len;
-    SECItem digest, data2sign;
-    SEC_PKCS7ContentInfo *cinfo;
-    SECStatus rv;
-
-    if (outFile == NULL || inFile == NULL || cert == NULL)
-	return -1;
-
-    /* suck the file in */
-	if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
-	return -1;
-
-    if (!encapsulated) {
-	/* unfortunately, we must create the digest ourselves */
-	/* SEC_PKCS7CreateSignedData should have a flag to not include */
-	/* the content for non-encapsulated content at encode time, but */
-	/* should always compute the hash itself */
-	if (CreateDigest(&data2sign, digestdata, &len, 32) < 0)
-	    return -1;
-	digest.data = (unsigned char *)digestdata;
-	digest.len = len;
-    }
-
-    /* XXX Need a better way to handle that usage stuff! */
-    cinfo = SEC_PKCS7CreateSignedData (cert, certUsageEmailSigner, NULL,
-				       SEC_OID_SHA1,
-				       encapsulated ? NULL : &digest,
-				       NULL, NULL);
-    if (cinfo == NULL)
-	return -1;
-
-    if (encapsulated) {
-	SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len);
-    }
-
-    rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return -1;
-    }
-
-    rv = SEC_PKCS7Encode (cinfo, SignOut, outFile, NULL,
-			  NULL, &pwdata);
-
-    SEC_PKCS7DestroyContentInfo (cinfo);
-
-    if (rv != SECSuccess)
-	return -1;
-
-    return 0;
-}
-
-int
-main(int argc, char **argv)
-{
-    char *progName;
-    FILE *outFile;
-    PRFileDesc *inFile;
-    char *keyName = NULL;
-    CERTCertDBHandle *certHandle;
-    CERTCertificate *cert;
-    PRBool encapsulated = PR_FALSE;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    inFile = NULL;
-    outFile = NULL;
-    keyName = NULL;
-
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'e':
-	    /* create a message with the signed content encapsulated */
-	    encapsulated = PR_TRUE;
-	    break;
-
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-	  case 'i':
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'k':
-	    keyName = strdup(optstate->value);
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "wb");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-	  case 'p':
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = strdup (optstate->value);
-            break;
-
-	  case 'f':
-              pwdata.source = PW_FROMFILE;
-              pwdata.data = PORT_Strdup (optstate->value);
-              break;
-	}
-    }
-
-    if (!keyName) Usage(progName);
-
-    if (!inFile) inFile = PR_STDIN;
-    if (!outFile) outFile = stdout;
-
-    /* Call the initialization routines */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    if (rv != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	goto loser;
-    }
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /* open cert database */
-    certHandle = CERT_GetDefaultCertDB();
-    if (certHandle == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    /* find cert */
-    cert = CERT_FindCertByNickname(certHandle, keyName);
-    if (cert == NULL) {
-	SECU_PrintError(progName,
-		        "the corresponding cert for key \"%s\" does not exist",
-			keyName);
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if (SignFile(outFile, inFile, cert, encapsulated)) {
-	SECU_PrintError(progName, "problem signing data");
-	rv = SECFailure;
-	goto loser;
-    }
-
-loser:
-    if (pwdata.data) {
-        PORT_Free(pwdata.data);
-    }
-    if (keyName) {
-        PORT_Free(keyName);
-    }
-    if (cert) {
-        CERT_DestroyCertificate(cert);
-    }
-    if (inFile && inFile != PR_STDIN) {
-        PR_Close(inFile);
-    }
-    if (outFile && outFile != stdout) {
-        fclose(outFile);
-    }
-    if (NSS_Shutdown() != SECSuccess) {
-        SECU_PrintError(progName, "NSS shutdown:");
-        exit(1);
-    }
-
-    return (rv != SECSuccess);
-}
diff --git a/security/nss/cmd/p7verify/Makefile b/security/nss/cmd/p7verify/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/p7verify/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/p7verify/manifest.mn b/security/nss/cmd/p7verify/manifest.mn
deleted file mode 100644
index f25311772..000000000
--- a/security/nss/cmd/p7verify/manifest.mn
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-CSRCS = p7verify.c  
-
-REQUIRES = seccmd 
-
-PROGRAM = p7verify
-
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
deleted file mode 100644
index c247fe039..000000000
--- a/security/nss/cmd/p7verify/p7verify.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * p7verify -- A command to do a verification of a *detached* pkcs7 signature.
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "secoid.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-#include "nss.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
-extern int fread(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-
-static HASH_HashType
-AlgorithmToHashType(SECAlgorithmID *digestAlgorithms)
-{
-
-    SECOidTag tag;
-
-    tag = SECOID_GetAlgorithmTag(digestAlgorithms);
-    
-    switch (tag) {
-      case SEC_OID_MD2:
-	return HASH_AlgMD2;
-      case SEC_OID_MD5:
-	return HASH_AlgMD5;
-      case SEC_OID_SHA1:
-	return HASH_AlgSHA1;
-      default:
-	fprintf(stderr, "should never get here\n");
-	return HASH_AlgNULL;
-    }
-}
-
-static int
-DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
-	   FILE *inFile, HASH_HashType hashType)
-{
-    int nb;
-    unsigned char ibuf[4096];
-    const SECHashObject *hashObj;
-    void *hashcx;
-
-    hashObj = HASH_GetHashObject(hashType);
-
-    hashcx = (* hashObj->create)();
-    if (hashcx == NULL)
-	return -1;
-
-    (* hashObj->begin)(hashcx);
-
-    for (;;) {
-	if (feof(inFile)) break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb != sizeof(ibuf)) {
-	    if (nb == 0) {
-		if (ferror(inFile)) {
-		    PORT_SetError(SEC_ERROR_IO);
-		    (* hashObj->destroy)(hashcx, PR_TRUE);
-		    return -1;
-		}
-		/* eof */
-		break;
-	    }
-	}
-	(* hashObj->update)(hashcx, ibuf, nb);
-    }
-
-    (* hashObj->end)(hashcx, digest, len, maxLen);
-    (* hashObj->destroy)(hashcx, PR_TRUE);
-
-    return 0;
-}
-
-
-static void
-Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s -c content -s signature [-d dbdir] [-u certusage]\n",
-	    progName);
-    fprintf(stderr, "%-20s content file that was signed\n",
-	    "-c content");
-    fprintf(stderr, "%-20s file containing signature for that content\n",
-	    "-s signature");
-    fprintf(stderr,
-	    "%-20s Key/Cert database directory (default is ~/.netscape)\n",
-	    "-d dbdir");
-    fprintf(stderr, "%-20s Define the type of certificate usage (default is certUsageEmailSigner)\n",
-	    "-u certusage");
-    fprintf(stderr, "%-25s  0 - certUsageSSLClient\n", " ");
-    fprintf(stderr, "%-25s  1 - certUsageSSLServer\n", " ");
-    fprintf(stderr, "%-25s  2 - certUsageSSLServerWithStepUp\n", " ");
-    fprintf(stderr, "%-25s  3 - certUsageSSLCA\n", " ");
-    fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");
-    fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");
-    fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");
-    fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");
-    fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");
-    fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
-    fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
-    fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
-
-    exit(-1);
-}
-
-static int
-HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
-		    SECCertUsage usage, char *progName)
-{
-    SECItem derdata;
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7SignedData *signedData;
-    HASH_HashType digestType;
-    SECItem digest;
-    unsigned char buffer[32];
-
-    if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) {
-	SECU_PrintError(progName, "error reading signature file");
-	return -1;
-    }
-
-    cinfo = SEC_PKCS7DecodeItem(&derdata, NULL, NULL, NULL, NULL,
-				NULL, NULL, NULL);
-    if (cinfo == NULL)
-	return -1;
-
-    if (! SEC_PKCS7ContentIsSigned(cinfo)) {
-	fprintf (out, "Signature file is pkcs7 data, but not signed.\n");
-	return -1;
-    }
-
-    signedData = cinfo->content.signedData;
-
-    /* assume that there is only one digest algorithm for now */
-    digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
-    if (digestType == HASH_AlgNULL) {
-	fprintf (out, "Invalid hash algorithmID\n");
-	return -1;
-    }
-
-    digest.data = buffer;
-    if (DigestFile (digest.data, &digest.len, 32, content, digestType)) {
-	SECU_PrintError (progName, "problem computing message digest");
-	return -1;
-    }
-
-    fprintf(out, "Signature is ");
-    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage, &digest, digestType,
-					  PR_FALSE))
-	fprintf(out, "valid.\n");
-    else
-	fprintf(out, "invalid (Reason: %s).\n",
-		SECU_Strerror(PORT_GetError()));
-
-    SEC_PKCS7DestroyContentInfo(cinfo);
-    return 0;
-}
-
-
-int
-main(int argc, char **argv)
-{
-    char *progName;
-    FILE *contentFile, *outFile;
-    PRFileDesc *signatureFile;
-    SECCertUsage certUsage = certUsageEmailSigner;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    contentFile = NULL;
-    signatureFile = NULL;
-    outFile = NULL;
-
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, "c:d:o:s:u:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'c':
-	    contentFile = fopen(optstate->value, "r");
-	    if (!contentFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "w");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 's':
-	    signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!signatureFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'u': {
-	    int usageType;
-
-	    usageType = atoi (strdup(optstate->value));
-	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
-		return -1;
-	    certUsage = (SECCertUsage)usageType;
-	    break;
-	  }
-	      
-	}
-    }
-
-    if (!contentFile) Usage (progName);
-    if (!signatureFile) Usage (progName);
-    if (!outFile) outFile = stdout;
-
-    /* Call the NSS initialization routines */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
-	return -1;
-    }
-
-    if (HashDecodeAndVerify(outFile, contentFile, signatureFile,
-			    certUsage, progName)) {
-	SECU_PrintError(progName, "problem decoding/verifying signature");
-	return -1;
-    }
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    return 0;
-}
diff --git a/security/nss/cmd/pk11mode/Makefile b/security/nss/cmd/pk11mode/Makefile
deleted file mode 100755
index c342b4f8e..000000000
--- a/security/nss/cmd/pk11mode/Makefile
+++ /dev/null
@@ -1,97 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
-	$(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-endif
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/pk11mode/manifest.mn b/security/nss/cmd/pk11mode/manifest.mn
deleted file mode 100644
index 6059bbd54..000000000
--- a/security/nss/cmd/pk11mode/manifest.mn
+++ /dev/null
@@ -1,48 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS =
-
-CSRCS = pk11mode.c
-
-PROGRAM = pk11mode
-
-REQUIRES = seccmd
diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c
deleted file mode 100644
index 623c66723..000000000
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ /dev/null
@@ -1,5335 +0,0 @@
-/*
- * pk11mode.c - Test FIPS or NONFIPS Modes for the NSS PKCS11 api.
- *              The goal of this program is to test every function
- *              entry point of the PKCS11 api at least once.
- *              To test in FIPS mode: pk11mode
- *              To test in NONFIPS mode: pk11mode -n
- *              usage: pk11mode -h
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-
-#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
-#include <unistd.h>
-#include <sys/wait.h>
-#else
-#ifndef NO_FORK_CHECK
-#define NO_FORK_CHECK
-#endif
-#endif
-
-#ifdef _WIN32
-#include <windows.h>
-#define LIB_NAME "softokn3.dll"
-#endif
-#include "prlink.h"
-#include "prprf.h"
-#include "plgetopt.h"
-#include "prenv.h"
-
-#include "pk11table.h"
-
-#define NUM_ELEM(array) (sizeof(array)/sizeof(array[0]))
-
-#ifndef NULL_PTR
-#define NULL_PTR 0
-#endif
-
-/* Returns constant error string for "CRV".
- * Returns "unknown error" if errNum is unknown.
- */
-const char *
-PKM_CK_RVtoStr(CK_RV errNum) {
-    const char * err; 
-
-    err = getName(errNum, ConstResult);
-    
-    if (err) return err;
-    
-    return "unknown error";
-}
-
-#include "pkcs11p.h"
-
-typedef struct CK_C_INITIALIZE_ARGS_NSS {
-    CK_CREATEMUTEX CreateMutex;
-    CK_DESTROYMUTEX DestroyMutex;
-    CK_LOCKMUTEX LockMutex;
-    CK_UNLOCKMUTEX UnlockMutex;
-    CK_FLAGS flags;
-    /* The official PKCS #11 spec does not have a 'LibraryParameters' field, but
-     * a reserved field. NSS needs a way to pass instance-specific information
-     * to the library (like where to find its config files, etc). This
-     * information is usually provided by the installer and passed uninterpreted
-     * by NSS to the library, though NSS does know the specifics of the softoken
-     * version of this parameter. Most compliant PKCS#11 modules expect this
-     * parameter to be NULL, and will return CKR_ARGUMENTS_BAD from
-     * C_Initialize if Library parameters is supplied. */
-    CK_CHAR_PTR *LibraryParameters;
-    /* This field is only present if the LibraryParameters is not NULL. It must
-     * be NULL in all cases */
-    CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS_NSS;
-
-#include "pkcs11u.h"
-
-#define MAX_SIG_SZ 128
-#define MAX_CIPHER_SZ 128
-#define MAX_DATA_SZ 64
-#define MAX_DIGEST_SZ 64
-#define HMAC_MAX_LENGTH 64
-#define FIPSMODE 0
-#define NONFIPSMODE 1
-#define HYBRIDMODE 2
-#define NOMODE 3
-int MODE = FIPSMODE;
-
-CK_BBOOL true = CK_TRUE;
-CK_BBOOL false = CK_FALSE;
-static const CK_BYTE PLAINTEXT[] = {"Firefox  Rules!"};
-static const CK_BYTE PLAINTEXT_PAD[] = 
-                                  {"Firefox and thunderbird rule the world!"};
-CK_ULONG NUMTESTS = 0;
-
-static const char * slotFlagName[] = {
-    "CKF_TOKEN_PRESENT",
-    "CKF_REMOVABLE_DEVICE",
-    "CKF_HW_SLOT",
-    "unknown token flag 0x00000008",
-    "unknown token flag 0x00000010",
-    "unknown token flag 0x00000020",
-    "unknown token flag 0x00000040",
-    "unknown token flag 0x00000080",
-    "unknown token flag 0x00000100",
-    "unknown token flag 0x00000200",
-    "unknown token flag 0x00000400",
-    "unknown token flag 0x00000800",
-    "unknown token flag 0x00001000",
-    "unknown token flag 0x00002000",
-    "unknown token flag 0x00004000",
-    "unknown token flag 0x00008000"
-    "unknown token flag 0x00010000",
-    "unknown token flag 0x00020000",
-    "unknown token flag 0x00040000",
-    "unknown token flag 0x00080000",
-    "unknown token flag 0x00100000",
-    "unknown token flag 0x00200000",
-    "unknown token flag 0x00400000",
-    "unknown token flag 0x00800000"
-    "unknown token flag 0x01000000",
-    "unknown token flag 0x02000000",
-    "unknown token flag 0x04000000",
-    "unknown token flag 0x08000000",
-    "unknown token flag 0x10000000",
-    "unknown token flag 0x20000000",
-    "unknown token flag 0x40000000",
-    "unknown token flag 0x80000000"
-};
-
-static const char * tokenFlagName[] = {
-    "CKF_PKM_RNG",
-    "CKF_WRITE_PROTECTED",
-    "CKF_LOGIN_REQUIRED",
-    "CKF_USER_PIN_INITIALIZED",
-    "unknown token flag 0x00000010",
-    "CKF_RESTORE_KEY_NOT_NEEDED",
-    "CKF_CLOCK_ON_TOKEN",
-    "unknown token flag 0x00000080",
-    "CKF_PROTECTED_AUTHENTICATION_PATH",
-    "CKF_DUAL_CRYPTO_OPERATIONS",
-    "CKF_TOKEN_INITIALIZED",
-    "CKF_SECONDARY_AUTHENTICATION",
-    "unknown token flag 0x00001000",
-    "unknown token flag 0x00002000",
-    "unknown token flag 0x00004000",
-    "unknown token flag 0x00008000",
-    "CKF_USER_PIN_COUNT_LOW",
-    "CKF_USER_PIN_FINAL_TRY",
-    "CKF_USER_PIN_LOCKED",
-    "CKF_USER_PIN_TO_BE_CHANGED",
-    "CKF_SO_PIN_COUNT_LOW",
-    "CKF_SO_PIN_FINAL_TRY",
-    "CKF_SO_PIN_LOCKED",
-    "CKF_SO_PIN_TO_BE_CHANGED",
-    "unknown token flag 0x01000000",
-    "unknown token flag 0x02000000",
-    "unknown token flag 0x04000000",
-    "unknown token flag 0x08000000",
-    "unknown token flag 0x10000000",
-    "unknown token flag 0x20000000",
-    "unknown token flag 0x40000000",
-    "unknown token flag 0x80000000"
-};
-
-static const unsigned char TLSClientRandom[] = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x0d, 0x90, 0xbb, 0x5e, 0xc6, 0xe1, 0x3f, 0x71,
-    0x0a, 0xa2, 0x70, 0x5a, 0x4f, 0xbc, 0x3f, 0x0d
-};
-static const unsigned char TLSServerRandom[] = {
-    0x00, 0x00, 0x1d, 0x4a, 0x7a, 0x0a, 0xa5, 0x01,
-    0x8e, 0x79, 0x72, 0xde, 0x9e, 0x2f, 0x8a, 0x0d,
-    0xed, 0xb2, 0x5d, 0xf1, 0x14, 0xc2, 0xc6, 0x66,
-    0x95, 0x86, 0xb0, 0x0d, 0x87, 0x2a, 0x2a, 0xc9
-};
-
-typedef enum {
-    CORRECT,
-    BOGUS_CLIENT_RANDOM,
-    BOGUS_CLIENT_RANDOM_LEN,
-    BOGUS_SERVER_RANDOM,
-    BOGUS_SERVER_RANDOM_LEN
-} enum_random_t;
-
-void
-dumpToHash64(const unsigned char *buf, unsigned int bufLen)
-{
-    unsigned int i;
-    for (i = 0; i < bufLen; i += 8) {
-        if (i % 32 == 0)
-            printf("\n");
-        printf(" 0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,",
-               buf[i  ], buf[i+1], buf[i+2], buf[i+3],
-               buf[i+4], buf[i+5], buf[i+6], buf[i+7]);
-    }
-    printf("\n");
-}
-
-
-#ifdef _WIN32
-HMODULE hModule;
-#else
-PRLibrary *lib;
-#endif
-
-/*
-* All api that belongs to pk11mode.c layer start with the prefix PKM_
-*/
-void PKM_LogIt(const char *fmt, ...);
-void PKM_Error(const char *fmt, ...);
-CK_SLOT_ID *PKM_GetSlotList(CK_FUNCTION_LIST_PTR pFunctionList,
-                            CK_ULONG slotID);
-CK_RV PKM_ShowInfo(CK_FUNCTION_LIST_PTR pFunctionList, CK_ULONG slotID);
-CK_RV PKM_InitPWforDB(CK_FUNCTION_LIST_PTR pFunctionList,
-                      CK_SLOT_ID *pSlotList, CK_ULONG slotID,
-                      CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
-                    CK_SLOT_ID * pSlotList, CK_ULONG slotID);
-CK_RV PKM_RNG(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID * pSlotList,
-              CK_ULONG slotID);
-CK_RV PKM_SessionLogin(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
-                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_SecretKey(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID *pSlotList,
-                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID *pSlotList,
-                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_HybridMode(CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen, 
-                     CK_C_INITIALIZE_ARGS_NSS *initArgs);
-CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
-                          CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_MultiObjectManagement(CK_FUNCTION_LIST_PTR pFunctionList,
-                                 CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                                 CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_OperationalState(CK_FUNCTION_LIST_PTR pFunctionList,
-                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_LegacyFunctions(CK_FUNCTION_LIST_PTR pFunctionList,
-                          CK_SLOT_ID *pSlotList, CK_ULONG slotID,
-                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_AttributeCheck(CK_FUNCTION_LIST_PTR pFunctionList,
-                         CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE obj,
-                         CK_ATTRIBUTE_PTR expected_attrs,
-                         CK_ULONG expected_attrs_count);
-CK_RV PKM_MechCheck(CK_FUNCTION_LIST_PTR pFunctionList,
-                    CK_SESSION_HANDLE hSession, CK_MECHANISM_TYPE mechType,
-                    CK_FLAGS flags, CK_BBOOL check_sizes,
-                    CK_ULONG minkeysize, CK_ULONG maxkeysize);
-CK_RV PKM_TLSKeyAndMacDerive(CK_FUNCTION_LIST_PTR pFunctionList,
-                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
-                            CK_MECHANISM_TYPE mechType, enum_random_t rnd);
-CK_RV PKM_TLSMasterKeyDerive(CK_FUNCTION_LIST_PTR pFunctionList,
-                            CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                            CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
-                            CK_MECHANISM_TYPE mechType,
-                            enum_random_t rnd);
-CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
-                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen);
-CK_RV PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pFunctionList,
-                      CK_SESSION_HANDLE hRwSession,
-                      CK_OBJECT_HANDLE publicKey, CK_OBJECT_HANDLE privateKey,
-                      CK_MECHANISM *sigMech, CK_OBJECT_HANDLE secretKey,
-                      CK_MECHANISM *cryptMech, 
-                      const CK_BYTE *  pData, CK_ULONG pDataLen);
-CK_RV PKM_DualFuncDigest(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SESSION_HANDLE hSession,
-                       CK_OBJECT_HANDLE hSecKey, CK_MECHANISM *cryptMech,
-                       CK_OBJECT_HANDLE hSecKeyDigest, 
-                       CK_MECHANISM *digestMech, 
-                       const CK_BYTE *  pData, CK_ULONG pDataLen); 
-CK_RV PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFunctionList, 
-                     CK_SESSION_HANDLE hRwSession,
-                     CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
-                     CK_MECHANISM *signMech, const CK_BYTE *  pData, 
-                     CK_ULONG dataLen);
-CK_RV PKM_SecKeyCrypt(CK_FUNCTION_LIST_PTR pFunctionList, 
-                      CK_SESSION_HANDLE hSession,
-                      CK_OBJECT_HANDLE hSymKey, CK_MECHANISM *cryptMech,
-                      const CK_BYTE *  pData, CK_ULONG dataLen);
-CK_RV PKM_Hmac(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
-                CK_OBJECT_HANDLE sKey, CK_MECHANISM *hmacMech, 
-                const CK_BYTE *  pData, CK_ULONG pDataLen);
-CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList, 
-                 CK_SESSION_HANDLE hRwSession,
-                 CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
-                 const CK_BYTE *  pData, CK_ULONG pDataLen);
-CK_RV PKM_wrapUnwrap(CK_FUNCTION_LIST_PTR pFunctionList,
-                     CK_SESSION_HANDLE hSession, 
-                     CK_OBJECT_HANDLE hPublicKey, 
-                     CK_OBJECT_HANDLE hPrivateKey,
-                     CK_MECHANISM *wrapMechanism,
-                     CK_OBJECT_HANDLE hSecretKey,
-                     CK_ATTRIBUTE *sKeyTemplate,
-                     CK_ULONG skeyTempSize);
-CK_RV PKM_RecoverFunctions(CK_FUNCTION_LIST_PTR pFunctionList, 
-                    CK_SESSION_HANDLE hSession,
-                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
-                    CK_MECHANISM *signMech, const CK_BYTE * pData, 
-                    CK_ULONG pDataLen);
-CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
-		    PRBool forkAssert, CK_C_INITIALIZE_ARGS_NSS *initArgs);
-
-void  PKM_Help(); 
-void  PKM_CheckPath(char *string);
-char  *PKM_FilePasswd(char *pwFile);
-static PRBool verbose = PR_FALSE;
-
-int main(int argc, char **argv)
-{
-    CK_C_GetFunctionList pC_GetFunctionList;
-    CK_FUNCTION_LIST_PTR pFunctionList;
-    CK_RV crv = CKR_OK;
-    CK_C_INITIALIZE_ARGS_NSS initArgs;
-    CK_SLOT_ID *pSlotList = NULL;
-    CK_TOKEN_INFO tokenInfo;
-    CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
-
-    CK_UTF8CHAR *pwd = NULL;
-    CK_ULONG pwdLen = 0;
-    char *moduleSpec = NULL;
-    char *configDir = NULL;
-    char *dbPrefix = NULL;
-    char *disableUnload = NULL;
-    PRBool doForkTests = PR_TRUE;
-
-    PLOptStatus os;
-    PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:");
-    while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
-    {
-       if (PL_OPT_BAD == os) continue;
-       switch (opt->option)
-        {
-        case 'F':  /* disable fork tests */
-            doForkTests = PR_FALSE;
-            break;
-        case 'n':  /* non fips mode */
-            MODE = NONFIPSMODE;
-            slotID = 1;
-            break;
-        case 'f':  /* password file */
-            pwd = (CK_UTF8CHAR *) PKM_FilePasswd((char *)opt->value);
-            if (!pwd) PKM_Help();
-            break;
-        case 'd':  /* opt_CertDir */
-            if (!opt->value) PKM_Help();
-            configDir = strdup(opt->value);
-            PKM_CheckPath(configDir);
-            break;
-        case 'p':  /* opt_DBPrefix */
-            if (!opt->value) PKM_Help();
-            dbPrefix = strdup(opt->value);
-            break;
-        case 'v':
-            verbose = PR_TRUE;
-            break;
-        case 'h':  /* help message */
-        default:
-            PKM_Help();
-            break;
-        }
-    }
-    PL_DestroyOptState(opt);
-
-    if (!pwd) {
-        pwd = (CK_UTF8CHAR *)strdup("1Mozilla");
-    }
-    pwdLen = strlen((const char*)pwd); 
-    if (!configDir) {
-        configDir = strdup(".");
-    }
-    if (!dbPrefix) {
-        dbPrefix = strdup("");
-    }
-
-    if (doForkTests)
-    {
-        /* first, try to fork without softoken loaded to make sure
-         * everything is OK */
-        crv = PKM_ForkCheck(123, NULL, PR_FALSE, NULL);
-        if (crv != CKR_OK)
-            goto cleanup;
-    }
-
-
-#ifdef _WIN32
-    hModule = LoadLibrary(LIB_NAME);
-    if (hModule == NULL) {
-        PKM_Error( "cannot load %s\n", LIB_NAME);
-        goto cleanup;
-    }
-    if (MODE == FIPSMODE) {
-        /* FIPS mode == FC_GetFunctionList */
-        pC_GetFunctionList = (CK_C_GetFunctionList)
-                             GetProcAddress(hModule, "FC_GetFunctionList");
-    } else {
-        /* NON FIPS mode  == C_GetFunctionList */
-        pC_GetFunctionList = (CK_C_GetFunctionList)
-                             GetProcAddress(hModule, "C_GetFunctionList");
-     }
-    if (pC_GetFunctionList == NULL) {
-        PKM_Error( "cannot load %s\n", LIB_NAME);
-        goto cleanup;
-    }
-#else
-    {
-    char *libname = NULL;
-    /* Get the platform-dependent library name of the NSS cryptographic module */
-    libname = PR_GetLibraryName(NULL, "softokn3");
-    assert(libname != NULL);
-    lib = PR_LoadLibrary(libname);
-    assert(lib != NULL);
-    PR_FreeLibraryName(libname);
-    } 
-    if (MODE == FIPSMODE) {
-        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
-        "FC_GetFunctionList");
-        assert(pC_GetFunctionList != NULL);
-        slotID = 0;
-    } else {
-        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
-        "C_GetFunctionList");
-        assert(pC_GetFunctionList != NULL);
-        slotID = 1;
-    }
-#endif
-
-    if (MODE == FIPSMODE) {
-        printf("Loaded FC_GetFunctionList for FIPS MODE; slotID %d \n",
-               (int) slotID);
-    } else {
-        printf("loaded C_GetFunctionList for NON FIPS MODE; slotID %d \n",
-                (int) slotID);
-    }
-
-    crv = (*pC_GetFunctionList)(&pFunctionList);
-    assert(crv == CKR_OK);
-
-
-    if (doForkTests)
-    {
-        /* now, try to fork with softoken loaded, but not initialized */
-        crv = PKM_ForkCheck(CKR_CRYPTOKI_NOT_INITIALIZED, pFunctionList,
-			    PR_TRUE, NULL);
-        if (crv != CKR_OK)
-            goto cleanup;
-    }
-    
-    initArgs.CreateMutex = NULL;
-    initArgs.DestroyMutex = NULL;
-    initArgs.LockMutex = NULL;
-    initArgs.UnlockMutex = NULL;
-    initArgs.flags = CKF_OS_LOCKING_OK;
-    moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
-                             "keyPrefix='%s' secmod='secmod.db' flags= ",
-                             configDir, dbPrefix, dbPrefix);
-    initArgs.LibraryParameters = (CK_CHAR_PTR *) moduleSpec;
-    initArgs.pReserved = NULL;
-
-    /*DebugBreak();*/
-    /* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
-    /* NSS cryptographic module library initialization for the FIPS  */
-    /* Approved mode when FC_Initialize is envoked will perfom       */
-    /* software integrity test, and power-up self-tests before       */
-    /* FC_Initialize returns                                         */
-    crv = pFunctionList->C_Initialize(&initArgs);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Initialize succeeded\n");
-    } else {
-        PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    if (doForkTests)
-    {
-        /* Disable core on fork for this test, since we are testing the
-         * pathological case, and if enabled, the child process would dump
-         * core in C_GetTokenInfo .
-         * We can still differentiate the correct from incorrect behavior
-         * by the PKCS#11 return code.
-         */
-        /* try to fork with softoken both loaded and initialized */
-        crv = PKM_ForkCheck(CKR_DEVICE_ERROR, pFunctionList, PR_FALSE, NULL);
-        if (crv != CKR_OK)
-            goto cleanup;
-    }
-
-    if (doForkTests)
-    {
-        /* In this next test, we fork and try to re-initialize softoken in
-         * the child. This should now work because softoken has the ability
-         * to hard reset.
-         */
-        /* try to fork with softoken both loaded and initialized */
-        crv = PKM_ForkCheck(CKR_OK, pFunctionList, PR_TRUE, &initArgs);
-        if (crv != CKR_OK)
-            goto cleanup;
-    }
-
-    crv = PKM_ShowInfo(pFunctionList, slotID);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_ShowInfo succeeded\n");
-    } else {
-        PKM_Error( "PKM_ShowInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    pSlotList = PKM_GetSlotList(pFunctionList, slotID);
-    if (pSlotList == NULL) {
-        PKM_Error( "PKM_GetSlotList failed with \n");
-        goto cleanup;
-    }
-    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tokenInfo);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetTokenInfo succeeded\n\n");
-    } else {
-        PKM_Error( "C_GetTokenInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    if (!(tokenInfo.flags & CKF_USER_PIN_INITIALIZED)) {
-        PKM_LogIt("Initing PW for DB\n");
-        crv = PKM_InitPWforDB(pFunctionList, pSlotList, slotID,
-                        pwd, pwdLen);
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_InitPWforDB succeeded\n\n");
-        } else {
-            PKM_Error( "PKM_InitPWforDB failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-            goto cleanup;
-        }
-    } else {
-        PKM_LogIt("using existing DB\n");
-    }
-
-    /* general mechanism by token */ 
-    crv = PKM_Mechanism(pFunctionList, pSlotList, slotID);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_Mechanism succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_Mechanism failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    } 
-    /* RNG example without Login */
-    crv = PKM_RNG(pFunctionList, pSlotList, slotID);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_RNG succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_RNG failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    crv = PKM_SessionLogin(pFunctionList, pSlotList, slotID,
-                           pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SessionLogin succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_SessionLogin failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    /*
-     * PKM_KeyTest creates RSA,DSA public keys 
-     * and AES, DES3 secret keys.
-     * then does digest, hmac, encrypt/decrypt, signing operations. 
-     */
-    crv = PKM_KeyTests(pFunctionList, pSlotList, slotID,
-                            pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_KeyTests succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_KeyTest failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    crv = PKM_SecretKey(pFunctionList, pSlotList, slotID, pwd, 
-                        pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SecretKey succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_SecretKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    crv = PKM_PublicKey(pFunctionList, pSlotList, slotID,
-                        pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_PublicKey succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_PublicKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_OperationalState(pFunctionList, pSlotList, slotID,
-                               pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_OperationalState succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_OperationalState failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_MultiObjectManagement(pFunctionList, pSlotList, slotID,
-                                    pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_MultiObjectManagement succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_MultiObjectManagement failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_LegacyFunctions(pFunctionList, pSlotList, slotID,
-                              pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_LegacyFunctions succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_LegacyFunctions failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_TLSKeyAndMacDerive(pFunctionList, pSlotList, slotID,
-                                 pwd, pwdLen,
-                                 CKM_TLS_KEY_AND_MAC_DERIVE, CORRECT);
-
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_TLSKeyAndMacDerive succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_TLSKeyAndMacDerive failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_TLSMasterKeyDerive(pFunctionList, pSlotList, slotID,
-                                 pwd, pwdLen,
-                                 CKM_TLS_MASTER_KEY_DERIVE,
-                                 CORRECT);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_TLSMasterKeyDerive succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_TLSMasterKeyDerive failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_TLSMasterKeyDerive(pFunctionList, pSlotList, slotID,
-                                 pwd, pwdLen,
-                                 CKM_TLS_MASTER_KEY_DERIVE_DH,
-                                 CORRECT);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_TLSMasterKeyDerive succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_TLSMasterKeyDerive failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = PKM_FindAllObjects(pFunctionList, pSlotList, slotID,
-                             pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_FindAllObjects succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_FindAllObjects failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-    crv = pFunctionList->C_Finalize(NULL);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Finalize succeeded\n");
-    } else {
-        PKM_Error( "C_Finalize failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    if (doForkTests)
-    {
-        /* try to fork with softoken still loaded, but de-initialized */
-        crv = PKM_ForkCheck(CKR_CRYPTOKI_NOT_INITIALIZED, pFunctionList,
-	                    PR_TRUE, NULL);
-        if (crv != CKR_OK)
-            goto cleanup;
-    }
-
-    if (pSlotList) free(pSlotList);
-
-    /* demonstrate how an application can be in Hybrid mode */
-    /* PKM_HybridMode shows how to switch between NONFIPS */
-    /* mode to FIPS mode */
-
-    PKM_LogIt("Testing Hybrid mode \n");
-    crv = PKM_HybridMode(pwd, pwdLen, &initArgs);
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_HybridMode succeeded\n");
-    } else {
-        PKM_Error( "PKM_HybridMode failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        goto cleanup;
-    }
-
-    if (doForkTests) {
-        /* testing one more C_Initialize / C_Finalize to exercise getpid()
-         * fork check code */
-        crv = pFunctionList->C_Initialize(&initArgs);
-        if (crv == CKR_OK) {
-            PKM_LogIt("C_Initialize succeeded\n");
-        } else {
-            PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            goto cleanup;
-        }
-        crv = pFunctionList->C_Finalize(NULL);
-        if (crv == CKR_OK) {
-            PKM_LogIt("C_Finalize succeeded\n");
-        } else {
-            PKM_Error( "C_Finalize failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            goto cleanup;
-        }
-        /* try to C_Initialize / C_Finalize in child. This should succeed */
-        crv = PKM_ForkCheck(CKR_OK, pFunctionList, PR_TRUE, &initArgs);
-    }
-
-    PKM_LogIt("unloading NSS PKCS # 11 softoken and exiting\n");
-
-cleanup:
-
-    if (pwd) {
-        free(pwd);
-    }
-    if (configDir) {
-        free(configDir);
-    }
-    if (dbPrefix) {
-        free(dbPrefix);
-    }
-    if (moduleSpec) {
-        free(moduleSpec);
-    }
-
-#ifdef _WIN32
-    FreeLibrary(hModule);
-#else
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
-    if (!disableUnload) {
-        PR_UnloadLibrary(lib);
-    }
-#endif
-    if (CKR_OK == crv && doForkTests && !disableUnload) {
-        /* try to fork with softoken both de-initialized and unloaded */
-        crv = PKM_ForkCheck(123, NULL, PR_TRUE, NULL);
-    }
-
-    printf("**** Total number of TESTS ran in %s is %d. ****\n", 
-          ((MODE == FIPSMODE) ? "FIPS MODE" : "NON FIPS MODE"), (int) NUMTESTS);    
-    if (CKR_OK == crv) {
-        printf("**** ALL TESTS PASSED ****\n");
-    }
-
-    return crv;
-}
-
-/*
-*  PKM_KeyTests
-*
-*
-*/
-
-CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
-                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_SESSION_HANDLE hRwSession;
-
-    CK_RV crv = CKR_OK;
-
-/*** DSA Key ***/
-    CK_MECHANISM dsaParamGenMech;
-    CK_ULONG primeBits = 1024;
-    CK_ATTRIBUTE dsaParamGenTemplate[1]; 
-    CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
-    CK_BYTE DSA_P[128];
-    CK_BYTE DSA_Q[20];
-    CK_BYTE DSA_G[128];
-    CK_MECHANISM dsaKeyPairGenMech;
-    CK_ATTRIBUTE dsaPubKeyTemplate[5]; 
-    CK_ATTRIBUTE dsaPrivKeyTemplate[5]; 
-    CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
-    CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
-
-/**** RSA Key ***/
-    CK_KEY_TYPE rsatype = CKK_RSA;
-    CK_MECHANISM rsaKeyPairGenMech;
-    CK_BYTE subject[] = {"RSA Private Key"};
-    CK_ULONG modulusBits = 1024;
-    CK_BYTE publicExponent[] = {0x01, 0x00, 0x01};
-    CK_BYTE id[] = {"RSA123"};
-    CK_ATTRIBUTE rsaPubKeyTemplate[9]; 
-    CK_ATTRIBUTE rsaPrivKeyTemplate[11]; 
-    CK_OBJECT_HANDLE hRSApubKey = CK_INVALID_HANDLE;
-    CK_OBJECT_HANDLE hRSAprivKey = CK_INVALID_HANDLE;
-
- /*** AES Key ***/
-    CK_MECHANISM sAESKeyMech = {
-        CKM_AES_KEY_GEN, NULL, 0
-    };
-    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
-    CK_KEY_TYPE keyAESType = CKK_AES;
-    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
-    CK_ULONG AESvalueLen = 32;
-    CK_ATTRIBUTE sAESKeyTemplate[9];    
-    CK_OBJECT_HANDLE hAESSecKey;
-
-/*** DES3 Key ***/
-    CK_KEY_TYPE keyDES3Type = CKK_DES3;
-    CK_UTF8CHAR DES3label[] = "An Triple DES secret key object";
-    CK_ULONG DES3valueLen = 56;
-    CK_MECHANISM sDES3KeyGenMechanism = {
-        CKM_DES3_KEY_GEN, NULL, 0
-    };
-    CK_ATTRIBUTE sDES3KeyTemplate[9];
-    CK_OBJECT_HANDLE hDES3SecKey;
-    
-    CK_MECHANISM dsaWithSha1Mech = {
-        CKM_DSA_SHA1, NULL, 0
-    };
-
-    CK_BYTE IV[16];
-    CK_MECHANISM mech_DES3_CBC; 
-    CK_MECHANISM mech_DES3_CBC_PAD; 
-    CK_MECHANISM mech_AES_CBC_PAD;
-    CK_MECHANISM mech_AES_CBC;
-    struct mech_str {
-        CK_ULONG    mechanism;
-        const char *mechanismStr;
-    };
-
-    typedef struct mech_str mech_str;
-
-    mech_str digestMechs[] = {
-        {CKM_SHA_1, "CKM_SHA_1 "},
-        {CKM_SHA256, "CKM_SHA256"},
-        {CKM_SHA384, "CKM_SHA384"},
-        {CKM_SHA512, "CKM_SHA512"}
-    };
-    mech_str hmacMechs[] = {
-        {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
-        {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
-        {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
-        {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
-    };
-    mech_str sigRSAMechs[] = {
-        {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
-        {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
-        {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
-        {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
-    };
-
-    CK_ULONG digestMechsSZ = NUM_ELEM(digestMechs);
-    CK_ULONG sigRSAMechsSZ = NUM_ELEM(sigRSAMechs);
-    CK_ULONG hmacMechsSZ = NUM_ELEM(hmacMechs);
-    CK_MECHANISM mech;
-
-    unsigned int i;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* DSA key init */
-    dsaParamGenMech.mechanism      = CKM_DSA_PARAMETER_GEN; 
-    dsaParamGenMech.pParameter = NULL_PTR; 
-    dsaParamGenMech.ulParameterLen = 0;
-    dsaParamGenTemplate[0].type = CKA_PRIME_BITS; 
-    dsaParamGenTemplate[0].pValue     = &primeBits; 
-    dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
-    dsaPubKeyTemplate[0].type       = CKA_PRIME; 
-    dsaPubKeyTemplate[0].pValue     = DSA_P;
-    dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
-    dsaPubKeyTemplate[1].type = CKA_SUBPRIME; 
-    dsaPubKeyTemplate[1].pValue = DSA_Q;
-    dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
-    dsaPubKeyTemplate[2].type = CKA_BASE; 
-    dsaPubKeyTemplate[2].pValue = DSA_G; 
-    dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
-    dsaPubKeyTemplate[3].type = CKA_TOKEN; 
-    dsaPubKeyTemplate[3].pValue = &true; 
-    dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
-    dsaPubKeyTemplate[4].type = CKA_VERIFY; 
-    dsaPubKeyTemplate[4].pValue = &true; 
-    dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
-    dsaKeyPairGenMech.mechanism      = CKM_DSA_KEY_PAIR_GEN;
-    dsaKeyPairGenMech.pParameter = NULL_PTR;
-    dsaKeyPairGenMech.ulParameterLen = 0;
-    dsaPrivKeyTemplate[0].type       = CKA_TOKEN;
-    dsaPrivKeyTemplate[0].pValue     = &true; 
-    dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[1].type       = CKA_PRIVATE; 
-    dsaPrivKeyTemplate[1].pValue     = &true; 
-    dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[2].type       = CKA_SENSITIVE; 
-    dsaPrivKeyTemplate[2].pValue     = &true; 
-    dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[3].type       = CKA_SIGN, 
-    dsaPrivKeyTemplate[3].pValue     = &true;
-    dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[4].type       = CKA_EXTRACTABLE; 
-    dsaPrivKeyTemplate[4].pValue     = &true; 
-    dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
-
-    /* RSA key init */
-    rsaKeyPairGenMech.mechanism      = CKM_RSA_PKCS_KEY_PAIR_GEN;
-    rsaKeyPairGenMech.pParameter = NULL_PTR;
-    rsaKeyPairGenMech.ulParameterLen = 0;
-
-    rsaPubKeyTemplate[0].type       = CKA_KEY_TYPE; 
-    rsaPubKeyTemplate[0].pValue     = &rsatype; 
-    rsaPubKeyTemplate[0].ulValueLen = sizeof(rsatype);
-    rsaPubKeyTemplate[1].type       = CKA_PRIVATE; 
-    rsaPubKeyTemplate[1].pValue     = &true; 
-    rsaPubKeyTemplate[1].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[2].type       = CKA_ENCRYPT;
-    rsaPubKeyTemplate[2].pValue     = &true; 
-    rsaPubKeyTemplate[2].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[3].type       = CKA_DECRYPT;
-    rsaPubKeyTemplate[3].pValue     = &true;
-    rsaPubKeyTemplate[3].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[4].type       = CKA_VERIFY;
-    rsaPubKeyTemplate[4].pValue     = &true; 
-    rsaPubKeyTemplate[4].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[5].type       = CKA_SIGN;
-    rsaPubKeyTemplate[5].pValue     = &true; 
-    rsaPubKeyTemplate[5].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[6].type       = CKA_WRAP; 
-    rsaPubKeyTemplate[6].pValue     = &true; 
-    rsaPubKeyTemplate[6].ulValueLen = sizeof(true);
-    rsaPubKeyTemplate[7].type       = CKA_MODULUS_BITS; 
-    rsaPubKeyTemplate[7].pValue     = &modulusBits; 
-    rsaPubKeyTemplate[7].ulValueLen = sizeof(modulusBits);
-    rsaPubKeyTemplate[8].type       = CKA_PUBLIC_EXPONENT; 
-    rsaPubKeyTemplate[8].pValue     = publicExponent; 
-    rsaPubKeyTemplate[8].ulValueLen = sizeof (publicExponent);
-
-    rsaPrivKeyTemplate[0].type       = CKA_KEY_TYPE;
-    rsaPrivKeyTemplate[0].pValue     = &rsatype; 
-    rsaPrivKeyTemplate[0].ulValueLen = sizeof(rsatype);
-    rsaPrivKeyTemplate[1].type       = CKA_TOKEN;
-    rsaPrivKeyTemplate[1].pValue     = &true; 
-    rsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[2].type       = CKA_PRIVATE;
-    rsaPrivKeyTemplate[2].pValue     = &true; 
-    rsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[3].type       = CKA_SUBJECT; 
-    rsaPrivKeyTemplate[3].pValue     = subject; 
-    rsaPrivKeyTemplate[3].ulValueLen = sizeof(subject);
-    rsaPrivKeyTemplate[4].type       = CKA_ID; 
-    rsaPrivKeyTemplate[4].pValue     = id; 
-    rsaPrivKeyTemplate[4].ulValueLen = sizeof(id);
-    rsaPrivKeyTemplate[5].type       = CKA_SENSITIVE; 
-    rsaPrivKeyTemplate[5].pValue     = &true; 
-    rsaPrivKeyTemplate[5].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[6].type       = CKA_ENCRYPT; 
-    rsaPrivKeyTemplate[6].pValue     = &true; 
-    rsaPrivKeyTemplate[6].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[7].type       = CKA_DECRYPT; 
-    rsaPrivKeyTemplate[7].pValue     = &true; 
-    rsaPrivKeyTemplate[7].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[8].type       = CKA_VERIFY; 
-    rsaPrivKeyTemplate[8].pValue     = &true; 
-    rsaPrivKeyTemplate[8].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[9].type       = CKA_SIGN; 
-    rsaPrivKeyTemplate[9].pValue     = &true; 
-    rsaPrivKeyTemplate[9].ulValueLen = sizeof(true);
-    rsaPrivKeyTemplate[10].type       = CKA_UNWRAP; 
-    rsaPrivKeyTemplate[10].pValue     = &true; 
-    rsaPrivKeyTemplate[10].ulValueLen = sizeof(true);
-    
-    /* AES key template */
-    sAESKeyTemplate[0].type       = CKA_CLASS; 
-    sAESKeyTemplate[0].pValue     = &class;
-    sAESKeyTemplate[0].ulValueLen = sizeof(class);
-    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
-    sAESKeyTemplate[1].pValue     = &keyAESType; 
-    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
-    sAESKeyTemplate[2].type       = CKA_LABEL;
-    sAESKeyTemplate[2].pValue     = AESlabel; 
-    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
-    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
-    sAESKeyTemplate[3].pValue     = &true; 
-    sAESKeyTemplate[3].ulValueLen = sizeof(true);
-    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
-    sAESKeyTemplate[4].pValue     = &true; 
-    sAESKeyTemplate[4].ulValueLen = sizeof(true);
-    sAESKeyTemplate[5].type       = CKA_SIGN; 
-    sAESKeyTemplate[5].pValue     = &true; 
-    sAESKeyTemplate[5].ulValueLen = sizeof (true);
-    sAESKeyTemplate[6].type       = CKA_VERIFY; 
-    sAESKeyTemplate[6].pValue     = &true; 
-    sAESKeyTemplate[6].ulValueLen = sizeof(true);
-    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
-    sAESKeyTemplate[7].pValue     = &true; 
-    sAESKeyTemplate[7].ulValueLen = sizeof(true);
-    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
-    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
-    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
-
-    /* DES3 key template */
-    sDES3KeyTemplate[0].type       = CKA_CLASS;
-    sDES3KeyTemplate[0].pValue     = &class; 
-    sDES3KeyTemplate[0].ulValueLen = sizeof(class);
-    sDES3KeyTemplate[1].type       = CKA_KEY_TYPE; 
-    sDES3KeyTemplate[1].pValue     = &keyDES3Type; 
-    sDES3KeyTemplate[1].ulValueLen = sizeof(keyDES3Type);
-    sDES3KeyTemplate[2].type       = CKA_LABEL; 
-    sDES3KeyTemplate[2].pValue     = DES3label; 
-    sDES3KeyTemplate[2].ulValueLen = sizeof(DES3label)-1;
-    sDES3KeyTemplate[3].type       = CKA_ENCRYPT; 
-    sDES3KeyTemplate[3].pValue     = &true; 
-    sDES3KeyTemplate[3].ulValueLen = sizeof(true);
-    sDES3KeyTemplate[4].type       = CKA_DECRYPT; 
-    sDES3KeyTemplate[4].pValue     = &true; 
-    sDES3KeyTemplate[4].ulValueLen = sizeof(true);
-    sDES3KeyTemplate[5].type       = CKA_UNWRAP; 
-    sDES3KeyTemplate[5].pValue     = &true; 
-    sDES3KeyTemplate[5].ulValueLen = sizeof(true);
-    sDES3KeyTemplate[6].type       = CKA_SIGN, 
-    sDES3KeyTemplate[6].pValue     = &true; 
-    sDES3KeyTemplate[6].ulValueLen = sizeof (true);
-    sDES3KeyTemplate[7].type       = CKA_VERIFY; 
-    sDES3KeyTemplate[7].pValue     = &true; 
-    sDES3KeyTemplate[7].ulValueLen = sizeof(true);
-    sDES3KeyTemplate[8].type       = CKA_VALUE_LEN; 
-    sDES3KeyTemplate[8].pValue     = &DES3valueLen; 
-    sDES3KeyTemplate[8].ulValueLen = sizeof(DES3valueLen);
-    
-    /* mech init */
-    memset(IV, 0x01, sizeof(IV));
-    mech_DES3_CBC.mechanism      = CKM_DES3_CBC; 
-    mech_DES3_CBC.pParameter = IV; 
-    mech_DES3_CBC.ulParameterLen = sizeof(IV);
-    mech_DES3_CBC_PAD.mechanism      = CKM_DES3_CBC_PAD; 
-    mech_DES3_CBC_PAD.pParameter = IV; 
-    mech_DES3_CBC_PAD.ulParameterLen = sizeof(IV);
-    mech_AES_CBC.mechanism      = CKM_AES_CBC; 
-    mech_AES_CBC.pParameter = IV; 
-    mech_AES_CBC.ulParameterLen = sizeof(IV);
-    mech_AES_CBC_PAD.mechanism      = CKM_AES_CBC_PAD; 
-    mech_AES_CBC_PAD.pParameter = IV; 
-    mech_AES_CBC_PAD.ulParameterLen = sizeof(IV);
-
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
-                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hRwSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Opening a read/write session succeeded\n");
-    } else {
-        PKM_Error( "Opening a read/write session failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if (MODE == FIPSMODE) {
-        crv = pFunctionList->C_GenerateKey(hRwSession, &sAESKeyMech,
-                                           sAESKeyTemplate,
-                                           NUM_ELEM(sAESKeyTemplate),
-                                           &hAESSecKey);
-        if (crv == CKR_OK) {
-            PKM_Error("C_GenerateKey succeeded when not logged in.\n");
-            return CKR_GENERAL_ERROR;
-        } else {
-            PKM_LogIt("C_GenerateKey returned as EXPECTED with 0x%08X, %-26s\n"
-                      "since not logged in\n", crv, PKM_CK_RVtoStr(crv));
-        }
-        crv = pFunctionList->C_GenerateKeyPair(hRwSession, &rsaKeyPairGenMech,
-                                               rsaPubKeyTemplate,
-                                               NUM_ELEM(rsaPubKeyTemplate),
-                                               rsaPrivKeyTemplate,
-                                               NUM_ELEM(rsaPrivKeyTemplate),
-                                               &hRSApubKey, &hRSAprivKey);
-        if (crv == CKR_OK) {
-            PKM_Error("C_GenerateKeyPair succeeded when not logged in.\n");
-            return CKR_GENERAL_ERROR;
-        } else {
-            PKM_LogIt("C_GenerateKeyPair returned as EXPECTED with 0x%08X, "
-                      "%-26s\n since not logged in\n", crv, 
-                      PKM_CK_RVtoStr(crv));
-        }
-    }
-
-    crv = pFunctionList->C_Login(hRwSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error("C_Login with correct password failed "
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("Generate an AES key ... \n");
-    /* generate an AES Secret Key */
-    crv = pFunctionList->C_GenerateKey(hRwSession, &sAESKeyMech,
-                                       sAESKeyTemplate,
-                                       NUM_ELEM(sAESKeyTemplate),
-                                       &hAESSecKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey AES succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
-                   crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    PKM_LogIt("Generate an 3DES key ...\n");
-    /* generate an 3DES Secret Key */   
-    crv = pFunctionList->C_GenerateKey(hRwSession, &sDES3KeyGenMechanism,
-                                       sDES3KeyTemplate,
-                                       NUM_ELEM(sDES3KeyTemplate),
-                                       &hDES3SecKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey DES3 succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("Generate DSA PQG domain parameters ... \n");
-    /* Generate DSA domain parameters PQG */
-    crv = pFunctionList->C_GenerateKey(hRwSession, &dsaParamGenMech,
-                                       dsaParamGenTemplate,
-                                       1,
-                                       &hDsaParams);
-    if (crv == CKR_OK) {
-        PKM_LogIt("DSA domain parameter generation succeeded\n");
-    } else {
-        PKM_Error( "DSA domain parameter generation failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_GetAttributeValue(hRwSession, hDsaParams,
-                                             dsaPubKeyTemplate, 3);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Getting DSA domain parameters succeeded\n");
-    } else {
-        PKM_Error( "Getting DSA domain parameters failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DestroyObject(hRwSession, hDsaParams);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Destroying DSA domain parameters succeeded\n");
-    } else {
-        PKM_Error( "Destroying DSA domain parameters failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    PKM_LogIt("Generate a DSA key pair ... \n");
-    /* Generate a persistent DSA key pair */
-    crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech,
-                                           dsaPubKeyTemplate,
-                                           NUM_ELEM(dsaPubKeyTemplate),
-                                           dsaPrivKeyTemplate,
-                                           NUM_ELEM(dsaPrivKeyTemplate),
-                                           &hDSApubKey, &hDSAprivKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("DSA key pair generation succeeded\n");
-    } else {
-        PKM_Error( "DSA key pair generation failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    PKM_LogIt("Generate a RSA key pair ... \n");
-    /*** GEN RSA Key ***/
-    crv = pFunctionList->C_GenerateKeyPair(hRwSession, &rsaKeyPairGenMech,
-                                           rsaPubKeyTemplate,
-                                           NUM_ELEM(rsaPubKeyTemplate),
-                                           rsaPrivKeyTemplate,
-                                           NUM_ELEM(rsaPrivKeyTemplate),
-                                           &hRSApubKey, &hRSAprivKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKeyPair created an RSA key pair. \n");
-    } else {
-        PKM_Error("C_GenerateKeyPair failed to create an RSA key pair.\n"
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("**** Generation of keys completed ***** \n");
-    
-    mech.mechanism = CKM_RSA_PKCS;
-    mech.pParameter = NULL;
-    mech.ulParameterLen = 0;
-
-    crv = PKM_wrapUnwrap(pFunctionList,
-                     hRwSession, 
-                     hRSApubKey, hRSAprivKey,
-                     &mech,
-                     hAESSecKey,
-                     sAESKeyTemplate,
-                     NUM_ELEM(sAESKeyTemplate));
-    
-   if (crv == CKR_OK) {
-        PKM_LogIt("PKM_wrapUnwrap using RSA keypair to wrap AES key "
-                  "succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_wrapUnwrap using RSA keypair to wrap AES key failed "
-                   "with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = PKM_wrapUnwrap(pFunctionList,
-                     hRwSession, 
-                     hRSApubKey, hRSAprivKey,
-                     &mech,
-                     hDES3SecKey,
-                     sDES3KeyTemplate,
-                     NUM_ELEM(sDES3KeyTemplate));
-    
-   if (crv == CKR_OK) {
-        PKM_LogIt("PKM_wrapUnwrap using RSA keypair to wrap DES3 key "
-                  "succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_wrapUnwrap using RSA keypair to wrap DES3 key "
-                   "failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
-                    hAESSecKey, &mech_AES_CBC_PAD,
-                    PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SecKeyCrypt succeeded \n\n");
-    } else {
-        PKM_Error( "PKM_SecKeyCrypt failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
-                    hAESSecKey, &mech_AES_CBC,
-                    PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SecKeyCrypt AES succeeded \n\n");
-    } else {
-        PKM_Error( "PKM_SecKeyCrypt failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
-                    hDES3SecKey, &mech_DES3_CBC,
-                    PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SecKeyCrypt DES3 succeeded \n");
-    } else {
-        PKM_Error( "PKM_SecKeyCrypt DES3 failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = PKM_SecKeyCrypt(pFunctionList, hRwSession,
-                    hDES3SecKey, &mech_DES3_CBC_PAD,
-                    PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_SecKeyCrypt DES3 succeeded \n\n");
-    } else {
-        PKM_Error( "PKM_SecKeyCrypt DES3 failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    mech.mechanism = CKM_RSA_PKCS;
-    crv = PKM_RecoverFunctions(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_RecoverFunctions for CKM_RSA_PKCS succeeded\n\n");
-    } else {
-        PKM_Error( "PKM_RecoverFunctions failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    mech.pParameter = NULL;
-    mech.ulParameterLen = 0;
-
-    for (i=0; i < sigRSAMechsSZ; i++) {
-
-        mech.mechanism = sigRSAMechs[i].mechanism;
-
-        crv = PKM_PubKeySign(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_PubKeySign succeeded for %-10s\n\n", 
-                sigRSAMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_PubKeySign failed for %-10s  "
-                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       hAESSecKey, &mech_AES_CBC,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncSign with AES secret key succeeded "
-                      "for %-10s\n\n", 
-                sigRSAMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_DualFuncSign with AES secret key failed "
-                       "for %-10s  "
-                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       hDES3SecKey, &mech_DES3_CBC,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
-                      "for %-10s\n\n", 
-                sigRSAMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_DualFuncSign with DES3 secret key failed "
-                       "for %-10s  "
-                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       hAESSecKey, &mech_AES_CBC_PAD,
-                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD "
-                      "succeeded for %-10s\n\n", 
-                sigRSAMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_DualFuncSign with AES secret key CBC_PAD "
-                       "failed for %-10s  "
-                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hRSApubKey, hRSAprivKey,
-                       &mech,
-                       hDES3SecKey, &mech_DES3_CBC_PAD,
-                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD "
-                      "succeeded for %-10s\n\n", 
-                sigRSAMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_DualFuncSign with DES3 secret key CBC_PAD "
-                       "failed for %-10s  "
-                "with 0x%08X, %-26s\n", sigRSAMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-    } /* end of RSA for loop */
-
-    crv = PKM_PubKeySign(pFunctionList, hRwSession,
-                    hDSApubKey, hDSAprivKey,
-                    &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_PubKeySign for DSAwithSHA1 succeeded \n\n");
-    } else {
-        PKM_Error( "PKM_PubKeySign failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hDSApubKey, hDSAprivKey,
-                       &dsaWithSha1Mech,
-                       hAESSecKey, &mech_AES_CBC,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_DualFuncSign with AES secret key succeeded "
-                "for DSAWithSHA1\n\n");
-    } else {
-        PKM_Error( "PKM_DualFuncSign with AES secret key failed "
-                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
-                crv, PKM_CK_RVtoStr(crv));
-           return crv;
-    }
-    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hDSApubKey, hDSAprivKey,
-                       &dsaWithSha1Mech,
-                       hDES3SecKey, &mech_DES3_CBC,
-                       PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
-                "for DSAWithSHA1\n\n");
-    } else {
-        PKM_Error( "PKM_DualFuncSign with DES3 secret key failed "
-                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
-                crv, PKM_CK_RVtoStr(crv));
-           return crv;
-    }
-    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hDSApubKey, hDSAprivKey,
-                       &dsaWithSha1Mech,
-                       hAESSecKey, &mech_AES_CBC_PAD,
-                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD succeeded "
-                "for DSAWithSHA1\n\n");
-    } else {
-        PKM_Error( "PKM_DualFuncSign with AES secret key CBC_PAD failed "
-                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
-                crv, PKM_CK_RVtoStr(crv));
-           return crv;
-    }
-    crv = PKM_DualFuncSign(pFunctionList, hRwSession,
-                       hDSApubKey, hDSAprivKey,
-                       &dsaWithSha1Mech,
-                       hDES3SecKey, &mech_DES3_CBC_PAD,
-                       PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD succeeded "
-                "for DSAWithSHA1\n\n");
-    } else {
-        PKM_Error( "PKM_DualFuncSign with DES3 secret key CBC_PAD failed "
-                "for DSAWithSHA1 with 0x%08X, %-26s\n", 
-                crv, PKM_CK_RVtoStr(crv));
-           return crv;
-    }
-
-
-    for (i=0; i < digestMechsSZ; i++) {
-        mech.mechanism = digestMechs[i].mechanism;
-        crv = PKM_Digest(pFunctionList, hRwSession,
-                     &mech, hAESSecKey,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_Digest with AES secret key succeeded for %-10s\n\n", 
-                digestMechs[i].mechanismStr);
-        } else {
-            PKM_Error( "PKM_Digest with AES secret key failed for "
-                       "%-10s with 0x%08X,  %-26s\n", 
-                       digestMechs[i].mechanismStr, crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncDigest(pFunctionList, hRwSession,
-                     hAESSecKey, &mech_AES_CBC,
-                     0,&mech,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncDigest with AES secret key succeeded\n\n");
-        } else {
-            PKM_Error( "PKM_DualFuncDigest with AES secret key "
-                       "failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-        }
-
-        crv = PKM_Digest(pFunctionList, hRwSession,
-                     &mech, hDES3SecKey,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_Digest with DES3 secret key succeeded for %-10s\n\n", 
-                digestMechs[i].mechanismStr);
-        } else {
-            PKM_Error( "PKM_Digest with DES3 secret key failed for "
-                       "%-10s with 0x%08X,  %-26s\n", 
-                       digestMechs[i].mechanismStr, crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        crv = PKM_DualFuncDigest(pFunctionList, hRwSession,
-                     hDES3SecKey, &mech_DES3_CBC,
-                     0,&mech,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_DualFuncDigest DES3 secret key succeeded\n\n");
-        } else {
-            PKM_Error( "PKM_DualFuncDigest DES3 secret key "
-                       "failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-        }
-
-        crv = PKM_Digest(pFunctionList, hRwSession,
-                     &mech, 0,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_Digest with no secret key succeeded for %-10s\n\n", 
-                digestMechs[i].mechanismStr );
-        } else {
-            PKM_Error( "PKM_Digest with no secret key failed for %-10s  "
-                "with 0x%08X, %-26s\n", digestMechs[i].mechanismStr, crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-    } /* end of digest loop */
-
-    for (i=0; i < hmacMechsSZ; i++) {
-        mech.mechanism = hmacMechs[i].mechanism;
-        crv = PKM_Hmac(pFunctionList, hRwSession,
-                      hAESSecKey, &mech,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_Hmac with AES secret key succeeded for %-10s\n\n", 
-                hmacMechs[i].mechanismStr);
-        } else {
-            PKM_Error( "PKM_Hmac with AES secret key failed for %-10s "
-                       "with 0x%08X, %-26s\n", 
-                       hmacMechs[i].mechanismStr, crv, PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-        if ((MODE == FIPSMODE) && (mech.mechanism == CKM_SHA512_HMAC)) break;
-        crv = PKM_Hmac(pFunctionList, hRwSession,
-                      hDES3SecKey, &mech,
-                     PLAINTEXT, sizeof(PLAINTEXT));
-        if (crv == CKR_OK) {
-            PKM_LogIt("PKM_Hmac with DES3 secret key succeeded for %-10s\n\n", 
-                hmacMechs[i].mechanismStr);
-        } else {
-            PKM_Error( "PKM_Hmac with DES3 secret key failed for %-10s "
-                       "with 0x%08X,  %-26s\n", 
-                       hmacMechs[i].mechanismStr, crv, PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-    } /* end of hmac loop */
-
-    crv = pFunctionList->C_Logout(hRwSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CloseSession(hRwSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-
-}
-
-void PKM_LogIt(const char *fmt, ...) {
-    va_list args;
-    
-    if (verbose) {
-        va_start (args, fmt);
-        if (MODE == FIPSMODE) {
-            printf("FIPS MODE: ");
-        } else if (MODE == NONFIPSMODE) {
-            printf("NON FIPS MODE: ");
-        } else if (MODE == HYBRIDMODE) {
-            printf("Hybrid MODE: ");
-        } 
-        vprintf(fmt, args);
-        va_end(args);
-    }
-}
-
-void PKM_Error(const char *fmt, ...) {
-    va_list args;
-    va_start (args, fmt);
-
-    if (MODE == FIPSMODE) {
-        fprintf(stderr, "\nFIPS MODE PKM_Error: ");
-    } else if (MODE == NONFIPSMODE) {
-        fprintf(stderr, "NON FIPS MODE PKM_Error: ");
-    } else if (MODE == HYBRIDMODE) {
-        fprintf(stderr, "Hybrid MODE PKM_Error: ");
-    } else fprintf(stderr, "NOMODE PKM_Error: ");
-    vfprintf(stderr, fmt, args);
-    va_end(args);
-}
-CK_SLOT_ID *PKM_GetSlotList(CK_FUNCTION_LIST_PTR pFunctionList,
-                            CK_ULONG slotID) {
-    CK_RV crv = CKR_OK;
-    CK_SLOT_ID *pSlotList = NULL;
-    CK_ULONG slotCount;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* Get slot list */
-    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
-                                       NULL, &slotCount);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetSlotList failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return NULL;
-    }
-    PKM_LogIt("C_GetSlotList reported there are %lu slots\n", slotCount);
-    pSlotList = (CK_SLOT_ID *)malloc(slotCount * sizeof(CK_SLOT_ID));
-    if (!pSlotList) {
-        PKM_Error( "failed to allocate slot list\n");
-        return NULL;
-    }
-    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
-                                       pSlotList, &slotCount);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetSlotList failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        if (pSlotList) free(pSlotList);
-        return NULL;
-    }
-    return pSlotList;
-}
-
-CK_RV PKM_InitPWforDB(CK_FUNCTION_LIST_PTR pFunctionList,
-                      CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                      CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen)  {
-    CK_RV crv = CKR_OK;
-    CK_SESSION_HANDLE hSession;
-    static const CK_UTF8CHAR testPin[] = {"0Mozilla"};
-    static const CK_UTF8CHAR weakPin[] = {"mozilla"};
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
-                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("CKU_USER 0x%08X \n", CKU_USER); 
-
-    crv = pFunctionList->C_Login(hSession, CKU_SO, NULL, 0);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Login failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if (MODE == FIPSMODE) {
-        crv = pFunctionList->C_InitPIN(hSession, (CK_UTF8CHAR *) weakPin, 
-                                       strlen((char *)weakPin));
-        if (crv == CKR_OK) {
-            PKM_Error( "C_InitPIN with a weak password succeeded\n");
-            return crv;
-        } else {
-            PKM_LogIt("C_InitPIN with a weak password failed with "
-                      "0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        }
-    }
-    crv = pFunctionList->C_InitPIN(hSession, (CK_UTF8CHAR *) testPin, 
-                                   strlen((char *)testPin));
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_InitPIN succeeded\n");
-    } else {
-        PKM_Error( "C_InitPIN failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
-                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("CKU_USER 0x%08X \n", CKU_USER); 
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, (CK_UTF8CHAR *) testPin,
-                                 strlen((const char *)testPin));
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Login failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if (MODE == FIPSMODE) {
-        crv = pFunctionList->C_SetPIN(
-                                     hSession, (CK_UTF8CHAR *) testPin, 
-                                     strlen((const char *)testPin),
-                                     (CK_UTF8CHAR *) weakPin, 
-                                     strlen((const char *)weakPin));
-        if (crv == CKR_OK) {
-            PKM_Error( "C_SetPIN with a weak password succeeded\n");
-            return crv;
-        } else {
-            PKM_LogIt("C_SetPIN with a weak password returned with "
-                      "0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        }
-    }
-    crv = pFunctionList->C_SetPIN(
-                                 hSession, (CK_UTF8CHAR *) testPin, 
-                                 strlen((const char *)testPin),
-                                 pwd, pwdLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CSetPin failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    return crv;
-}
-
-CK_RV PKM_ShowInfo(CK_FUNCTION_LIST_PTR pFunctionList, CK_ULONG slotID) {
-    CK_RV crv = CKR_OK;
-    CK_INFO info;
-    CK_SLOT_ID *pSlotList = NULL;
-    unsigned i;
-
-    CK_SLOT_INFO slotInfo;
-    CK_TOKEN_INFO tokenInfo;
-    CK_FLAGS bitflag;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-
-    crv = pFunctionList->C_GetInfo(&info);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetInfo succeeded\n");
-    } else {
-        PKM_Error( "C_GetInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("General information about the PKCS #11 library:\n");
-    PKM_LogIt("    PKCS #11 version: %d.%d\n",
-              (int)info.cryptokiVersion.major,
-              (int)info.cryptokiVersion.minor);
-    PKM_LogIt("    manufacturer ID: %.32s\n", info.manufacturerID);
-    PKM_LogIt("    flags: 0x%08lX\n", info.flags);
-    PKM_LogIt("    library description: %.32s\n", info.libraryDescription);
-    PKM_LogIt("    library version: %d.%d\n",
-              (int)info.libraryVersion.major, (int)info.libraryVersion.minor);
-    PKM_LogIt("\n");
-
-    /* Get slot list */
-    pSlotList = PKM_GetSlotList(pFunctionList, slotID);
-    if (pSlotList == NULL) {
-        PKM_Error( "PKM_GetSlotList failed with \n");
-        return crv;
-    }
-    crv = pFunctionList->C_GetSlotInfo(pSlotList[slotID], &slotInfo);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetSlotInfo succeeded\n");
-    } else {
-        PKM_Error( "C_GetSlotInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("Information about slot %lu:\n", pSlotList[slotID]);
-    PKM_LogIt("    slot description: %.64s\n", slotInfo.slotDescription);
-    PKM_LogIt("    slot manufacturer ID: %.32s\n", slotInfo.manufacturerID);
-    PKM_LogIt("    flags: 0x%08lX\n", slotInfo.flags);
-    bitflag = 1;
-    for (i = 0; i < sizeof(slotFlagName)/sizeof(slotFlagName[0]); i++) {
-        if (slotInfo.flags & bitflag) {
-            PKM_LogIt("           %s\n", slotFlagName[i]);
-        }
-        bitflag <<= 1;
-    }
-    PKM_LogIt("    slot's hardware version number: %d.%d\n",
-              (int)slotInfo.hardwareVersion.major,
-              (int)slotInfo.hardwareVersion.minor);
-    PKM_LogIt("    slot's firmware version number: %d.%d\n",
-              (int)slotInfo.firmwareVersion.major,
-              (int)slotInfo.firmwareVersion.minor);
-    PKM_LogIt("\n");
-
-    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tokenInfo);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetTokenInfo succeeded\n");
-    } else {
-        PKM_Error( "C_GetTokenInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("Information about the token in slot %lu:\n",
-              pSlotList[slotID]);
-    PKM_LogIt("    label: %.32s\n", tokenInfo.label);
-    PKM_LogIt("    device manufacturer ID: %.32s\n",
-              tokenInfo.manufacturerID);
-    PKM_LogIt("    device model: %.16s\n", tokenInfo.model);
-    PKM_LogIt("    device serial number: %.16s\n", tokenInfo.serialNumber);
-    PKM_LogIt("    flags: 0x%08lX\n", tokenInfo.flags);
-    bitflag = 1;
-    for (i = 0; i < sizeof(tokenFlagName)/sizeof(tokenFlagName[0]); i++) {
-        if (tokenInfo.flags & bitflag) {
-            PKM_LogIt("           %s\n", tokenFlagName[i]);
-        }
-        bitflag <<= 1;
-    }
-    PKM_LogIt("    maximum session count: %lu\n",
-              tokenInfo.ulMaxSessionCount);
-    PKM_LogIt("    session count: %lu\n", tokenInfo.ulSessionCount);
-    PKM_LogIt("    maximum read/write session count: %lu\n",
-              tokenInfo.ulMaxRwSessionCount);
-    PKM_LogIt("    read/write session count: %lu\n",
-              tokenInfo.ulRwSessionCount);
-    PKM_LogIt("    maximum PIN length: %lu\n", tokenInfo.ulMaxPinLen);
-    PKM_LogIt("    minimum PIN length: %lu\n", tokenInfo.ulMinPinLen);
-    PKM_LogIt("    total public memory: %lu\n",
-              tokenInfo.ulTotalPublicMemory);
-    PKM_LogIt("    free public memory: %lu\n",
-              tokenInfo.ulFreePublicMemory);
-    PKM_LogIt("    total private memory: %lu\n",
-              tokenInfo.ulTotalPrivateMemory);
-    PKM_LogIt("    free private memory: %lu\n",
-              tokenInfo.ulFreePrivateMemory);
-    PKM_LogIt("    hardware version number: %d.%d\n",
-              (int)tokenInfo.hardwareVersion.major,
-              (int)tokenInfo.hardwareVersion.minor);
-    PKM_LogIt("    firmware version number: %d.%d\n",
-              (int)tokenInfo.firmwareVersion.major,
-              (int)tokenInfo.firmwareVersion.minor);
-    if (tokenInfo.flags & CKF_CLOCK_ON_TOKEN) {
-        PKM_LogIt("    current time: %.16s\n", tokenInfo.utcTime);
-    }
-    PKM_LogIt("PKM_ShowInfo done \n\n");
-    if (pSlotList) free(pSlotList);
-    return crv;
-}
-
-/* PKM_HybridMode                                                         */
-/* The NSS cryptographic module has two modes of operation: FIPS Approved */
-/* mode and NONFIPS Approved mode. The two modes of operation are         */
-/* independent of each other -- they have their own copies of data        */
-/* structures and they are even allowed to be active at the same time.    */
-/* The module is FIPS 140-2 compliant only when the NONFIPS mode          */
-/* is inactive.                                                           */
-/* PKM_HybridMode demostrates how an application can switch between the   */
-/* two modes: FIPS Approved mode and NONFIPS mode.                        */
-CK_RV PKM_HybridMode(CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen, 
-                     CK_C_INITIALIZE_ARGS_NSS *initArgs) {
-
-    CK_C_GetFunctionList pC_GetFunctionList;  /* NONFIPSMode */
-    CK_FUNCTION_LIST_PTR pC_FunctionList;
-    CK_SLOT_ID *pC_SlotList = NULL;
-    CK_ULONG slotID_C = 1;
-    CK_C_GetFunctionList pFC_GetFunctionList; /* FIPSMode */
-    CK_FUNCTION_LIST_PTR pFC_FunctionList;
-    CK_SLOT_ID *pFC_SlotList = NULL;
-    CK_ULONG slotID_FC = 0;
-    CK_RV crv = CKR_OK;
-    CK_SESSION_HANDLE hSession;
-    int origMode = MODE; /* remember the orginal MODE value */ 
-
-    NUMTESTS++; /* increment NUMTESTS */
-    MODE = NONFIPSMODE;
-#ifdef _WIN32
-    /* NON FIPS mode  == C_GetFunctionList */
-    pC_GetFunctionList = (CK_C_GetFunctionList)
-                         GetProcAddress(hModule, "C_GetFunctionList");
-    if (pC_GetFunctionList == NULL) {
-        PKM_Error( "cannot load %s\n", LIB_NAME);
-        return crv;
-    }
-#else
-        pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
-        "C_GetFunctionList");
-        assert(pC_GetFunctionList != NULL);
-#endif
-    PKM_LogIt("loading C_GetFunctionList for Non FIPS Mode; slotID %d \n",
-              slotID_C);
-    crv = (*pC_GetFunctionList)(&pC_FunctionList);
-    assert(crv == CKR_OK);
-
-    /* invoke C_Initialize as pC_FunctionList->C_Initialize */
-    crv = pC_FunctionList->C_Initialize(initArgs);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Initialize succeeded\n");
-    } else {
-        PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    pC_SlotList = PKM_GetSlotList(pC_FunctionList, slotID_C);
-    if (pC_SlotList == NULL) {
-        PKM_Error( "PKM_GetSlotList failed with \n");
-        return crv;
-    }
-    crv = pC_FunctionList->C_OpenSession(pC_SlotList[slotID_C],
-                                         CKF_SERIAL_SESSION,
-                                         NULL, NULL, &hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("NONFIPS C_OpenSession succeeded\n");
-    } else {
-        PKM_Error( "C_OpenSession failed for NONFIPS token "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pC_FunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("able to login in NONFIPS token\n");
-    } else {
-        PKM_Error( "Unable to login in to NONFIPS token "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pC_FunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_ShowInfo(pC_FunctionList, slotID_C);
-    MODE = HYBRIDMODE;
-
-    /* Now load the FIPS token */
-    /* FIPS mode == FC_GetFunctionList */
-    pFC_GetFunctionList = NULL; 
-#ifdef _WIN32
-    pFC_GetFunctionList = (CK_C_GetFunctionList)
-                          GetProcAddress(hModule, "FC_GetFunctionList");
-#else
-     pFC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib,
-        "FC_GetFunctionList");
-        assert(pFC_GetFunctionList != NULL);
-#endif
-
-    PKM_LogIt("loading FC_GetFunctionList for FIPS Mode; slotID %d \n",
-              slotID_FC);
-    PKM_LogIt("pFC_FunctionList->C_Foo == pFC_FunctionList->FC_Foo\n");
-    if (pFC_GetFunctionList == NULL) {
-        PKM_Error( "unable to load pFC_GetFunctionList\n");
-        return crv;
-    }
-
-    crv = (*pFC_GetFunctionList)(&pFC_FunctionList);
-    assert(crv == CKR_OK);
-
-    /* invoke FC_Initialize as pFunctionList->C_Initialize */
-    crv = pFC_FunctionList->C_Initialize(initArgs);
-    if (crv == CKR_OK) {
-        PKM_LogIt("FC_Initialize succeeded\n");
-    } else {
-        PKM_Error( "FC_Initialize failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_ShowInfo(pFC_FunctionList, slotID_FC);
-
-    pFC_SlotList = PKM_GetSlotList(pFC_FunctionList, slotID_FC);
-    if (pFC_SlotList == NULL) {
-        PKM_Error( "PKM_GetSlotList failed with \n");
-        return crv;
-    }
-
-    crv = pC_FunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv != CKR_OK) {
-        PKM_LogIt("NONFIPS token cannot log in when FIPS token is loaded\n");
-    } else {
-        PKM_Error("Able to login in to NONFIPS token\n");
-        return crv;
-    }
-    crv = pC_FunctionList->C_CloseSession(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("NONFIPS pC_CloseSession succeeded\n");
-    } else {
-        PKM_Error( "pC_CloseSession failed for NONFIPS token "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("The module is FIPS 140-2 compliant\n"
-              "only when the NONFIPS Approved mode is inactive by \n"
-              "calling C_Finalize on the NONFIPS token.\n");
-
-
-    /* to go in FIPSMODE you must Finalize the NONFIPS mode pointer */
-    crv = pC_FunctionList->C_Finalize(NULL);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Finalize of NONFIPS Token succeeded\n");
-        MODE = FIPSMODE;
-    } else {
-        PKM_Error( "C_Finalize of NONFIPS Token failed with "
-                   "0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("*** In FIPS mode!  ***\n");
-
-    /* could do some operations in FIPS MODE */
-
-    crv = pFC_FunctionList->C_Finalize(NULL);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Exiting FIPSMODE by caling FC_Finalize.\n");
-        MODE = NOMODE;
-    } else {
-        PKM_Error( "FC_Finalize failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if (pC_SlotList) free(pC_SlotList);
-    if (pFC_SlotList) free(pFC_SlotList);
-
-    MODE = origMode; /* set the mode back to the orginal Mode value */
-    PKM_LogIt("PKM_HybridMode test Completed\n\n");
-    return crv;
-}
-
-CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
-                    CK_SLOT_ID * pSlotList, CK_ULONG slotID) {
-
-    CK_RV crv = CKR_OK;
-    CK_MECHANISM_TYPE *pMechanismList;
-    CK_ULONG mechanismCount;
-    CK_ULONG i;
-    const char * mechName = NULL;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* Get the mechanism list */
-    crv = pFunctionList->C_GetMechanismList(pSlotList[slotID],
-                                            NULL, &mechanismCount);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetMechanismList failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("C_GetMechanismList reported there are %lu mechanisms\n",
-              mechanismCount);
-    pMechanismList = (CK_MECHANISM_TYPE *)
-                     malloc(mechanismCount * sizeof(CK_MECHANISM_TYPE));
-    if (!pMechanismList) {
-        PKM_Error( "failed to allocate mechanism list\n");
-        return crv;
-    }
-    crv = pFunctionList->C_GetMechanismList(pSlotList[slotID],
-                                            pMechanismList, &mechanismCount);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetMechanismList failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt("C_GetMechanismList returned the mechanism types:\n");
-    if (verbose) {
-        for (i = 1; i <= mechanismCount; i++) {
-            mechName = getName(pMechanismList[(i-1)], ConstMechanism);
-
-            /* output two mechanism name on each line */
-            /* currently the longest known mechansim name length is 37 */
-            if (mechName) {
-                printf("%-40s",mechName);
-            } else {
-                printf("Unknown mechanism: 0x%08lX ", pMechanismList[i]);
-            }    
-            if ((i != 0) && ((i % 2) == 0 )) printf("\n");
-        }
-        printf("\n\n");
-    }
-
-    for ( i = 0; i < mechanismCount; i++ ) {
-        CK_MECHANISM_INFO minfo;
-
-        memset(&minfo, 0, sizeof(CK_MECHANISM_INFO));
-        crv = pFunctionList->C_GetMechanismInfo(pSlotList[slotID],
-                                                pMechanismList[i], &minfo);
-        if ( CKR_OK != crv ) {
-            PKM_Error( "C_GetMechanismInfo(%lu, %lu) returned 0x%08X, %-26s\n",
-                       pSlotList[slotID], pMechanismList[i], crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-        mechName = getName(pMechanismList[i], ConstMechanism);
-        if (!mechName) mechName = "Unknown mechanism";
-        PKM_LogIt( "    [%lu]: CK_MECHANISM_TYPE = %s 0x%08lX\n", (i+1),
-                   mechName,
-                   pMechanismList[i]);
-        PKM_LogIt( "    ulMinKeySize = %lu\n", minfo.ulMinKeySize);
-        PKM_LogIt( "    ulMaxKeySize = %lu\n", minfo.ulMaxKeySize);
-        PKM_LogIt( "    flags = 0x%08x\n", minfo.flags);
-        PKM_LogIt( "        -> HW = %s\n", minfo.flags & CKF_HW ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> SIGN = %s\n", minfo.flags & CKF_SIGN ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> SIGN_RECOVER = %s\n", minfo.flags &
-                   CKF_SIGN_RECOVER ? "TRUE" : "FALSE");
-        PKM_LogIt( "        -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> VERIFY_RECOVER = %s\n",
-                   minfo.flags & CKF_VERIFY_RECOVER ? "TRUE" : "FALSE");
-        PKM_LogIt( "        -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> GENERATE_KEY_PAIR = %s\n",
-                   minfo.flags & CKF_GENERATE_KEY_PAIR ? "TRUE" : "FALSE");
-        PKM_LogIt( "        -> WRAP = %s\n", minfo.flags & CKF_WRAP ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ?
-                   "TRUE" : "FALSE");
-        PKM_LogIt( "        -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ?
-                   "TRUE" : "FALSE");
-
-        PKM_LogIt( "\n");
-    }
-
-
-    return crv;
-
-}
-
-CK_RV PKM_RNG(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID * pSlotList,
-              CK_ULONG slotID) {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-    CK_BYTE randomData[16];
-    CK_BYTE seed[] = {0x01, 0x03, 0x35, 0x55, 0xFF};
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_GenerateRandom(hSession,
-                                          randomData, sizeof randomData);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateRandom without login succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateRandom without login failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_SeedRandom(hSession, seed, sizeof(seed));
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SeedRandom without login succeeded\n");
-    } else {
-        PKM_Error( "C_SeedRandom without login failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_GenerateRandom(hSession,
-                                          randomData, sizeof randomData);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateRandom without login succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateRandom without login failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-
-}
-
-CK_RV PKM_SessionLogin(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SLOT_ID *pSlotList, CK_ULONG slotID,
-                       CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error("C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, (unsigned char *) 
-                                 "netscape", 8);
-    if (crv == CKR_OK) {
-        PKM_Error("C_Login with wrong password succeeded\n");
-        return CKR_FUNCTION_FAILED;
-    } else {
-        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
-                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
-    }
-    crv = pFunctionList->C_Login(hSession, CKU_USER, (unsigned char *) 
-                                 "red hat", 7);
-    if (crv == CKR_OK) {
-        PKM_Error("C_Login with wrong password succeeded\n");
-        return CKR_FUNCTION_FAILED;
-    } else {
-        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
-                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
-    }
-    crv = pFunctionList->C_Login(hSession, CKU_USER, 
-                                 (unsigned char *) "sun", 3);
-    if (crv == CKR_OK) {
-        PKM_Error("C_Login with wrong password succeeded\n");
-        return CKR_FUNCTION_FAILED;
-    } else {
-        PKM_LogIt("As expected C_Login with wrong password returned 0x%08X, "
-                  "%-26s.\n ", crv, PKM_CK_RVtoStr(crv));
-    }
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error("C_Login with correct password failed "
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-
-}
-
-/*
-* PKM_LegacyFunctions
-*
-* Legacyfunctions exist only for backwards compatibility.
-* C_GetFunctionStatus and C_CancelFunction functions were
-* meant for managing parallel execution of cryptographic functions.
-*
-* C_GetFunctionStatus is a legacy function which should simply return
-* the value CKR_FUNCTION_NOT_PARALLEL.
-*
-* C_CancelFunction is a legacy function which should simply return the
-* value CKR_FUNCTION_NOT_PARALLEL.
-*
-*/
-CK_RV PKM_LegacyFunctions(CK_FUNCTION_LIST_PTR pFunctionList,
-                          CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_GetFunctionStatus(hSession);
-    if (crv == CKR_FUNCTION_NOT_PARALLEL) {
-        PKM_LogIt("C_GetFunctionStatus correctly"
-                  "returned CKR_FUNCTION_NOT_PARALLEL \n");
-    } else {
-        PKM_Error( "C_GetFunctionStatus failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CancelFunction(hSession);
-    if (crv == CKR_FUNCTION_NOT_PARALLEL) {
-        PKM_LogIt("C_CancelFunction correctly "
-                  "returned CKR_FUNCTION_NOT_PARALLEL \n");
-    } else {
-        PKM_Error( "C_CancelFunction failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-
-}
-
-/*
-*  PKM_DualFuncDigest - demostrates the Dual-function
-*  cryptograpic functions:
-*
-*   C_DigestEncryptUpdate - multi-part Digest and Encrypt
-*   C_DecryptDigestUpdate - multi-part Decrypt and Digest
-*
-*
-*/
-
-CK_RV PKM_DualFuncDigest(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SESSION_HANDLE hSession,
-                       CK_OBJECT_HANDLE hSecKey, CK_MECHANISM *cryptMech,
-                       CK_OBJECT_HANDLE hSecKeyDigest, 
-                       CK_MECHANISM *digestMech, 
-                       const CK_BYTE *  pData, CK_ULONG pDataLen) {
-    CK_RV crv = CKR_OK;
-    CK_BYTE eDigest[MAX_DIGEST_SZ];
-    CK_BYTE dDigest[MAX_DIGEST_SZ];
-    CK_ULONG ulDigestLen;
-    CK_BYTE ciphertext[MAX_CIPHER_SZ];
-    CK_ULONG ciphertextLen, lastLen;
-    CK_BYTE plaintext[MAX_DATA_SZ];
-    CK_ULONG plaintextLen;
-    unsigned int i;
-
-    memset(eDigest, 0, sizeof(eDigest));
-    memset(dDigest, 0, sizeof(dDigest));
-    memset(ciphertext, 0, sizeof(ciphertext));
-    memset(plaintext, 0, sizeof(plaintext));
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /*
-     * First init the Digest and Ecrypt operations
-     */
-    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSecKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DigestInit(hSession, digestMech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    ciphertextLen = sizeof(ciphertext);
-    crv = pFunctionList->C_DigestEncryptUpdate(hSession, (CK_BYTE * ) pData,
-                                               pDataLen,
-                                               ciphertext, &ciphertextLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestEncryptUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    ulDigestLen = sizeof(eDigest);
-    crv = pFunctionList->C_DigestFinal(hSession, eDigest, &ulDigestLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    /* get the last piece of ciphertext (length should be 0 */
-    lastLen = sizeof(ciphertext) - ciphertextLen;
-    crv = pFunctionList->C_EncryptFinal(hSession,
-                                      (CK_BYTE * )&ciphertext[ciphertextLen],
-                                      &lastLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    ciphertextLen = ciphertextLen + lastLen;
-    if (verbose) {
-        printf("ciphertext = ");
-        for (i = 0; i < ciphertextLen; i++) {
-            printf("%02x", (unsigned)ciphertext[i]);
-        }
-        printf("\n");
-        printf("eDigest = ");
-        for (i = 0; i < ulDigestLen; i++) {
-            printf("%02x", (unsigned)eDigest[i]);
-        }
-        printf("\n");
-    }
-
-    /* Decrypt the text */
-    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSecKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DigestInit(hSession, digestMech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    plaintextLen = sizeof(plaintext);
-    crv = pFunctionList->C_DecryptDigestUpdate(hSession, ciphertext,
-                                               ciphertextLen,
-                                               plaintext,
-                                               &plaintextLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptDigestUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    lastLen = sizeof(plaintext) - plaintextLen;
-
-    crv = pFunctionList->C_DecryptFinal(hSession,
-                                        (CK_BYTE * )&plaintext[plaintextLen],
-                                        &lastLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    plaintextLen = plaintextLen + lastLen;
-
-    ulDigestLen = sizeof(dDigest);
-    crv = pFunctionList->C_DigestFinal(hSession, dDigest, &ulDigestLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if (plaintextLen != pDataLen) {
-        PKM_Error( "plaintextLen is %lu\n", plaintextLen);
-        return crv;
-    }
-    
-    if (verbose) {
-        printf("plaintext = ");
-        for (i = 0; i < plaintextLen; i++) {
-            printf("%02x", (unsigned)plaintext[i]);
-        }
-        printf("\n");
-        printf("dDigest = ");
-        for (i = 0; i < ulDigestLen; i++) {
-            printf("%02x", (unsigned)dDigest[i]);
-        }
-        printf("\n");
-    }
-    
-    if (memcmp(eDigest, dDigest, ulDigestLen) == 0) {
-        PKM_LogIt("Encrypted Digest equals Decrypted Digest\n");
-    } else {
-        PKM_Error( "Digests don't match\n");
-    }
-
-    if ((plaintextLen == pDataLen) &&
-        (memcmp(plaintext, pData, pDataLen))  == 0) {
-        PKM_LogIt("DualFuncDigest decrypt test case passed\n");
-    } else {
-        PKM_Error( "DualFuncDigest derypt test case failed\n");
-    }
-
-    return crv;
-
-}
-
-/*
-* PKM_SecKeyCrypt - Symmetric key encrypt/decyprt
-*
-*/
-
-CK_RV PKM_SecKeyCrypt(CK_FUNCTION_LIST_PTR pFunctionList, 
-                      CK_SESSION_HANDLE hSession,
-                       CK_OBJECT_HANDLE hSymKey, CK_MECHANISM *cryptMech,
-                       const CK_BYTE *  pData, CK_ULONG dataLen) {
-    CK_RV crv = CKR_OK;
-
-    CK_BYTE cipher1[MAX_CIPHER_SZ];
-    CK_BYTE cipher2[MAX_CIPHER_SZ];
-    CK_BYTE data1[MAX_DATA_SZ];
-    CK_BYTE data2[MAX_DATA_SZ];
-    CK_ULONG cipher1Len =0, cipher2Len =0, lastLen =0;
-    CK_ULONG data1Len =0, data2Len =0;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    memset(cipher1, 0, sizeof(cipher1));
-    memset(cipher2, 0, sizeof(cipher2));
-    memset(data1, 0, sizeof(data1));
-    memset(data2, 0, sizeof(data2));
-
-    /* C_Encrypt */
-    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSymKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    cipher1Len = sizeof(cipher1);
-    crv = pFunctionList->C_Encrypt(hSession, (CK_BYTE * ) pData, dataLen,
-                                   cipher1, &cipher1Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* C_EncryptUpdate */
-    crv = pFunctionList->C_EncryptInit(hSession, cryptMech, hSymKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    cipher2Len = sizeof(cipher2);
-    crv = pFunctionList->C_EncryptUpdate (hSession, (CK_BYTE * ) pData,
-                                          dataLen,
-                                          cipher2, &cipher2Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    lastLen = sizeof(cipher2) - cipher2Len;
-
-    crv = pFunctionList->C_EncryptFinal(hSession,
-                                    (CK_BYTE * )&cipher2[cipher2Len],
-                                    &lastLen);
-    cipher2Len = cipher2Len + lastLen;
-
-    if ( (cipher1Len == cipher2Len) &&
-         (memcmp(cipher1, cipher2, sizeof(cipher1Len)) == 0) ) {
-        PKM_LogIt("encrypt test case passed\n");
-    } else {
-        PKM_Error( "encrypt test case failed\n");
-        return CKR_GENERAL_ERROR;
-    }
-
-    /* C_Decrypt */
-    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSymKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    data1Len = sizeof(data1);
-    crv = pFunctionList->C_Decrypt(hSession, cipher1, cipher1Len,
-                                   data1, &data1Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    /* now use C_DecryptUpdate the text */
-    crv = pFunctionList->C_DecryptInit(hSession, cryptMech, hSymKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    data2Len = sizeof(data2);
-    crv = pFunctionList->C_DecryptUpdate(hSession, cipher2,
-                                         cipher2Len,
-                                         data2, &data2Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    lastLen = sizeof(data2) - data2Len;
-    crv = pFunctionList->C_DecryptFinal(hSession,
-                                        (CK_BYTE * )&data2[data2Len],
-                                        &lastLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    data2Len = data2Len + lastLen;
-
-
-    /* Comparison of Decrypt data */
-
-    if ( (data1Len == data2Len) && (dataLen == data1Len) &&
-         (memcmp(data1, pData, dataLen) == 0) &&
-         (memcmp(data2, pData, dataLen) == 0) ) {
-        PKM_LogIt("decrypt test case passed\n");
-    } else {
-        PKM_Error( "derypt test case failed\n");
-    }
-
-    return crv;
-
-}
-    
-
-CK_RV PKM_SecretKey(CK_FUNCTION_LIST_PTR pFunctionList,
-                    CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                    CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-    CK_MECHANISM sAESKeyMech = {
-        CKM_AES_KEY_GEN, NULL, 0
-    };
-    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
-    CK_KEY_TYPE keyAESType = CKK_AES;
-    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
-    CK_ULONG AESvalueLen = 16;
-    CK_ATTRIBUTE sAESKeyTemplate[9];    
-    CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
-
-    CK_BYTE KEY[16];
-    CK_BYTE IV[16];
-    static const CK_BYTE CIPHERTEXT[] = {
-        0x7e,0x6a,0x3f,0x3b,0x39,0x3c,0xf2,0x4b, 
-        0xce,0xcc,0x23,0x6d,0x80,0xfd,0xe0,0xff
-    };
-    CK_BYTE ciphertext[64];
-    CK_BYTE ciphertext2[64];
-    CK_ULONG ciphertextLen, ciphertext2Len, lastLen;
-    CK_BYTE plaintext[32];
-    CK_BYTE plaintext2[32];
-    CK_ULONG plaintextLen, plaintext2Len;
-    CK_BYTE wrappedKey[16];
-    CK_ULONG wrappedKeyLen;
-    CK_MECHANISM aesEcbMech = {
-        CKM_AES_ECB, NULL, 0
-    };
-    CK_OBJECT_HANDLE hTestKey;
-    CK_MECHANISM mech_AES_CBC;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    memset(ciphertext, 0, sizeof(ciphertext));
-    memset(ciphertext2, 0, sizeof(ciphertext2));
-    memset(IV, 0x00, sizeof(IV));
-    memset(KEY, 0x00, sizeof(KEY));
-    
-    mech_AES_CBC.mechanism      = CKM_AES_CBC; 
-    mech_AES_CBC.pParameter = IV; 
-    mech_AES_CBC.ulParameterLen = sizeof(IV);
-
-    /* AES key template */
-    sAESKeyTemplate[0].type       = CKA_CLASS; 
-    sAESKeyTemplate[0].pValue     = &class;
-    sAESKeyTemplate[0].ulValueLen = sizeof(class);
-    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
-    sAESKeyTemplate[1].pValue     = &keyAESType; 
-    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
-    sAESKeyTemplate[2].type       = CKA_LABEL;
-    sAESKeyTemplate[2].pValue     = AESlabel; 
-    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
-    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
-    sAESKeyTemplate[3].pValue     = &true; 
-    sAESKeyTemplate[3].ulValueLen = sizeof(true);
-    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
-    sAESKeyTemplate[4].pValue     = &true; 
-    sAESKeyTemplate[4].ulValueLen = sizeof(true);
-    sAESKeyTemplate[5].type       = CKA_SIGN; 
-    sAESKeyTemplate[5].pValue     = &true; 
-    sAESKeyTemplate[5].ulValueLen = sizeof (true);
-    sAESKeyTemplate[6].type       = CKA_VERIFY; 
-    sAESKeyTemplate[6].pValue     = &true; 
-    sAESKeyTemplate[6].ulValueLen = sizeof(true);
-    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
-    sAESKeyTemplate[7].pValue     = &true; 
-    sAESKeyTemplate[7].ulValueLen = sizeof(true);
-    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
-    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
-    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("Generate an AES key ... \n");
-    /* generate an AES Secret Key */
-    crv = pFunctionList->C_GenerateKey(hSession, &sAESKeyMech,
-                                       sAESKeyTemplate,
-                                       NUM_ELEM(sAESKeyTemplate),
-                                       &hKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey AES succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
-                   crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_EncryptInit(hSession, &aesEcbMech, hKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    wrappedKeyLen = sizeof(wrappedKey);
-    crv = pFunctionList->C_Encrypt(hSession, KEY, sizeof(KEY),
-                                   wrappedKey, &wrappedKeyLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if (wrappedKeyLen != sizeof(wrappedKey)) {
-        PKM_Error( "wrappedKeyLen is %lu\n", wrappedKeyLen);
-        return crv;
-    }
-    /* Import an encrypted key */
-    crv = pFunctionList->C_UnwrapKey(hSession, &aesEcbMech, hKey,
-                                     wrappedKey, wrappedKeyLen,
-                                     sAESKeyTemplate,
-                                     NUM_ELEM(sAESKeyTemplate),
-                                     &hTestKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_UnwraPKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    /* AES Encrypt the text */
-    crv = pFunctionList->C_EncryptInit(hSession, &mech_AES_CBC, hTestKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    ciphertextLen = sizeof(ciphertext);
-    crv = pFunctionList->C_Encrypt(hSession, (CK_BYTE *) PLAINTEXT, 
-                                   sizeof(PLAINTEXT),
-                                   ciphertext, &ciphertextLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Encrypt failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if ( (ciphertextLen == sizeof(CIPHERTEXT)) &&
-       (memcmp(ciphertext, CIPHERTEXT, ciphertextLen) == 0)) {
-        PKM_LogIt("AES CBCVarKey128 encrypt test case 1 passed\n");
-    } else {
-        PKM_Error( "AES CBCVarKey128 encrypt test case 1 failed\n");
-        return crv;
-    }
-
-    /* now use EncryptUpdate the text */
-    crv = pFunctionList->C_EncryptInit(hSession, &mech_AES_CBC, hTestKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    ciphertext2Len = sizeof(ciphertext2);
-    crv = pFunctionList->C_EncryptUpdate (hSession, (CK_BYTE *) PLAINTEXT,
-                                          sizeof(PLAINTEXT),
-                                          ciphertext2, &ciphertext2Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    lastLen = sizeof(ciphertext2) - ciphertext2Len;
-
-    crv = pFunctionList->C_EncryptFinal(hSession,
-                                    (CK_BYTE * )&ciphertext2[ciphertext2Len],
-                                    &lastLen);
-    ciphertext2Len = ciphertext2Len + lastLen;
-
-    if ( (ciphertextLen == ciphertext2Len) &&
-         (memcmp(ciphertext, ciphertext2, sizeof(CIPHERTEXT)) == 0) &&
-         (memcmp(ciphertext2, CIPHERTEXT, sizeof(CIPHERTEXT)) == 0)) {
-        PKM_LogIt("AES CBCVarKey128 encrypt test case 2 passed\n");
-    } else {
-        PKM_Error( "AES CBCVarKey128 encrypt test case 2 failed\n");
-        return CKR_GENERAL_ERROR;
-    }
-
-    /* AES CBC Decrypt the text */
-    crv = pFunctionList->C_DecryptInit(hSession, &mech_AES_CBC, hTestKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    plaintextLen = sizeof(plaintext);
-    crv = pFunctionList->C_Decrypt(hSession, ciphertext, ciphertextLen,
-                                   plaintext, &plaintextLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if ((plaintextLen == sizeof(PLAINTEXT))
-        && (memcmp(plaintext, PLAINTEXT, plaintextLen) == 0)) {
-        PKM_LogIt("AES CBCVarKey128 decrypt test case 1 passed\n");
-    } else {
-        PKM_Error( "AES CBCVarKey128 derypt test case 1 failed\n");
-    }
-    /* now use DecryptUpdate the text */
-    crv = pFunctionList->C_DecryptInit(hSession, &mech_AES_CBC, hTestKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    plaintext2Len = sizeof(plaintext2);
-    crv = pFunctionList->C_DecryptUpdate(hSession, ciphertext2,
-                                         ciphertext2Len,
-                                         plaintext2, &plaintext2Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    lastLen = sizeof(plaintext2) - plaintext2Len;
-    crv = pFunctionList->C_DecryptFinal(hSession,
-                                     (CK_BYTE * )&plaintext2[plaintext2Len],
-                                     &lastLen);
-    plaintext2Len = plaintext2Len + lastLen;
-
-    if ( (plaintextLen == plaintext2Len) &&
-         (memcmp(plaintext, plaintext2, plaintext2Len) == 0) &&
-         (memcmp(plaintext2, PLAINTEXT, sizeof(PLAINTEXT)) == 0)) {
-        PKM_LogIt("AES CBCVarKey128 decrypt test case 2 passed\n");
-    } else {
-        PKM_Error( "AES CBCVarKey128 decrypt test case 2 failed\n");
-        return CKR_GENERAL_ERROR;
-    }
-
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    return crv;
-
-}
-
-CK_RV PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFunctionList, 
-                    CK_SESSION_HANDLE hRwSession,
-                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
-                    CK_MECHANISM *signMech, const CK_BYTE *  pData, 
-                    CK_ULONG pDataLen) {
-    CK_RV crv = CKR_OK;
-    CK_BYTE sig[MAX_SIG_SZ];
-    CK_ULONG sigLen = 0 ;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-    memset(sig, 0, sizeof(sig));
-
-    /* C_Sign  */
-    crv = pFunctionList->C_SignInit(hRwSession, signMech, hPrivKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    sigLen = sizeof(sig);
-    crv = pFunctionList->C_Sign(hRwSession, (CK_BYTE * ) pData, pDataLen,
-                                sig, &sigLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* C_Verify the signature */
-    crv = pFunctionList->C_VerifyInit(hRwSession, signMech, hPubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Verify(hRwSession, (CK_BYTE * ) pData, pDataLen,
-                                  sig, sigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Verify succeeded\n");
-    } else {
-        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-   /* Check that the mechanism is Multi-part */
-    if (signMech->mechanism == CKM_DSA || 
-        signMech->mechanism == CKM_RSA_PKCS) {
-        return crv;
-    }
-
-    memset(sig, 0, sizeof(sig));
-    /* SignUpdate  */
-    crv = pFunctionList->C_SignInit(hRwSession, signMech, hPrivKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_SignInit failed with 0x%08lX %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_SignUpdate(hRwSession, (CK_BYTE * ) pData, pDataLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08lX %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    sigLen = sizeof(sig);
-    crv = pFunctionList->C_SignFinal(hRwSession, sig, &sigLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* C_VerifyUpdate the signature  */
-    crv = pFunctionList->C_VerifyInit(hRwSession, signMech,
-                                      hPubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hRwSession, (CK_BYTE * ) pData, 
-                                        pDataLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyFinal(hRwSession, sig, sigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyFinal succeeded\n");
-    } else {
-        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    return crv;
-
-}
-
-CK_RV PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList, 
-                    CK_SLOT_ID * pSlotList,
-                    CK_ULONG slotID, CK_UTF8CHAR_PTR pwd, 
-                    CK_ULONG pwdLen){
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-
-/*** DSA Key ***/
-    CK_MECHANISM dsaParamGenMech;
-    CK_ULONG primeBits = 1024;
-    CK_ATTRIBUTE dsaParamGenTemplate[1]; 
-    CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
-    CK_BYTE DSA_P[128];
-    CK_BYTE DSA_Q[20];
-    CK_BYTE DSA_G[128];
-    CK_MECHANISM dsaKeyPairGenMech;
-    CK_ATTRIBUTE dsaPubKeyTemplate[5]; 
-    CK_ATTRIBUTE dsaPrivKeyTemplate[5]; 
-    CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
-    CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
-    
-    /* From SHA1ShortMsg.req, Len = 136 */
-    CK_BYTE MSG[] = {
-        0xba, 0x33, 0x95, 0xfb,
-        0x5a, 0xfa, 0x8e, 0x6a,
-        0x43, 0xdf, 0x41, 0x6b,
-        0x32, 0x7b, 0x74, 0xfa,
-        0x44
-    };
-    CK_BYTE MD[] = {
-        0xf7, 0x5d, 0x92, 0xa4,
-        0xbb, 0x4d, 0xec, 0xc3,
-        0x7c, 0x5c, 0x72, 0xfa,
-        0x04, 0x75, 0x71, 0x0a,
-        0x06, 0x75, 0x8c, 0x1d
-    };
-
-    CK_BYTE sha1Digest[20];
-    CK_ULONG sha1DigestLen;
-    CK_BYTE dsaSig[40];
-    CK_ULONG dsaSigLen;
-    CK_MECHANISM sha1Mech = {
-        CKM_SHA_1, NULL, 0
-    };
-    CK_MECHANISM dsaMech = {
-        CKM_DSA, NULL, 0
-    };
-    CK_MECHANISM dsaWithSha1Mech = {
-        CKM_DSA_SHA1, NULL, 0
-    };
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* DSA key init */
-    dsaParamGenMech.mechanism      = CKM_DSA_PARAMETER_GEN; 
-    dsaParamGenMech.pParameter = NULL_PTR; 
-    dsaParamGenMech.ulParameterLen = 0;
-    dsaParamGenTemplate[0].type = CKA_PRIME_BITS; 
-    dsaParamGenTemplate[0].pValue     = &primeBits; 
-    dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
-    dsaPubKeyTemplate[0].type       = CKA_PRIME; 
-    dsaPubKeyTemplate[0].pValue     = DSA_P;
-    dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
-    dsaPubKeyTemplate[1].type = CKA_SUBPRIME; 
-    dsaPubKeyTemplate[1].pValue = DSA_Q;
-    dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
-    dsaPubKeyTemplate[2].type = CKA_BASE; 
-    dsaPubKeyTemplate[2].pValue = DSA_G; 
-    dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
-    dsaPubKeyTemplate[3].type = CKA_TOKEN; 
-    dsaPubKeyTemplate[3].pValue = &true; 
-    dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
-    dsaPubKeyTemplate[4].type = CKA_VERIFY; 
-    dsaPubKeyTemplate[4].pValue = &true; 
-    dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
-    dsaKeyPairGenMech.mechanism      = CKM_DSA_KEY_PAIR_GEN;
-    dsaKeyPairGenMech.pParameter = NULL_PTR;
-    dsaKeyPairGenMech.ulParameterLen = 0;
-    dsaPrivKeyTemplate[0].type       = CKA_TOKEN;
-    dsaPrivKeyTemplate[0].pValue     = &true; 
-    dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[1].type       = CKA_PRIVATE; 
-    dsaPrivKeyTemplate[1].pValue     = &true; 
-    dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[2].type       = CKA_SENSITIVE; 
-    dsaPrivKeyTemplate[2].pValue     = &true; 
-    dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[3].type       = CKA_SIGN, 
-    dsaPrivKeyTemplate[3].pValue     = &true;
-    dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[4].type       = CKA_EXTRACTABLE; 
-    dsaPrivKeyTemplate[4].pValue     = &true; 
-    dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
-                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("Generate DSA PQG domain parameters ... \n");
-    /* Generate DSA domain parameters PQG */
-    crv = pFunctionList->C_GenerateKey(hSession, &dsaParamGenMech,
-                                       dsaParamGenTemplate,
-                                       1,
-                                       &hDsaParams);
-    if (crv == CKR_OK) {
-        PKM_LogIt("DSA domain parameter generation succeeded\n");
-    } else {
-        PKM_Error( "DSA domain parameter generation failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_GetAttributeValue(hSession, hDsaParams,
-                                             dsaPubKeyTemplate, 3);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Getting DSA domain parameters succeeded\n");
-    } else {
-        PKM_Error( "Getting DSA domain parameters failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DestroyObject(hSession, hDsaParams);
-    if (crv == CKR_OK) {
-        PKM_LogIt("Destroying DSA domain parameters succeeded\n");
-    } else {
-        PKM_Error( "Destroying DSA domain parameters failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    PKM_LogIt("Generate a DSA key pair ... \n");
-    /* Generate a persistent DSA key pair */
-    crv = pFunctionList->C_GenerateKeyPair(hSession, &dsaKeyPairGenMech,
-                                           dsaPubKeyTemplate,
-                                           NUM_ELEM(dsaPubKeyTemplate),
-                                           dsaPrivKeyTemplate,
-                                           NUM_ELEM(dsaPrivKeyTemplate),
-                                           &hDSApubKey, &hDSAprivKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("DSA key pair generation succeeded\n");
-    } else {
-        PKM_Error( "DSA key pair generation failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Compute SHA-1 digest */
-    crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    sha1DigestLen = sizeof(sha1Digest);
-    crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
-                                  sha1Digest, &sha1DigestLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Digest failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if (sha1DigestLen != sizeof(sha1Digest)) {
-        PKM_Error( "sha1DigestLen is %lu\n", sha1DigestLen);
-        return crv;
-    }
-
-    if (memcmp(sha1Digest, MD, sizeof(MD)) == 0) {
-        PKM_LogIt("SHA-1 SHA1ShortMsg test case Len = 136 passed\n");
-    } else {
-        PKM_Error( "SHA-1 SHA1ShortMsg test case Len = 136 failed\n");
-    }
-
-    crv = PKM_PubKeySign(pFunctionList, hSession,
-                    hDSApubKey, hDSAprivKey,
-                    &dsaMech, sha1Digest, sizeof(sha1Digest));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_PubKeySign CKM_DSA succeeded \n");
-    } else {
-        PKM_Error( "PKM_PubKeySign failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = PKM_PubKeySign(pFunctionList, hSession,
-                    hDSApubKey, hDSAprivKey,
-                    &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
-    if (crv == CKR_OK) {
-        PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA1 succeeded \n");
-    } else {
-        PKM_Error( "PKM_PubKeySign failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Sign with DSA */
-    crv = pFunctionList->C_SignInit(hSession, &dsaMech, hDSAprivKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    dsaSigLen = sizeof(dsaSig);
-    crv = pFunctionList->C_Sign(hSession, sha1Digest, sha1DigestLen,
-                                dsaSig, &dsaSigLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Verify the DSA signature */
-    crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
-                                  dsaSig, dsaSigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Verify succeeded\n");
-    } else {
-        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Verify the signature in a different way */
-    crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
-                                      hDSApubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hSession, MSG, 1);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hSession, MSG+1, sizeof(MSG)-1);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyFinal succeeded\n");
-    } else {
-        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Verify the signature in a different way */
-    crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
-                                      hDSApubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", 
-            crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hSession, MSG, 1);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", 
-            crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hSession, MSG+1, sizeof(MSG)-1);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", 
-            crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyFinal of multi update succeeded.\n");
-    } else {
-        PKM_Error("C_VerifyFinal of multi update failed with 0x%08X, %-26s\n", 
-            crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    /* Now modify the data */
-    MSG[0] += 1;
-    /* Compute SHA-1 digest */
-    crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    sha1DigestLen = sizeof(sha1Digest);
-    crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
-                                  sha1Digest, &sha1DigestLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Digest failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
-                                  dsaSig, dsaSigLen);
-    if (crv != CKR_SIGNATURE_INVALID) {
-        PKM_Error( "C_Verify of modified data succeeded\n");
-        return crv;
-    } else {
-        PKM_LogIt("C_Verify of modified data returned as EXPECTED "
-            " with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-    }
-
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-
-}
-
-CK_RV PKM_Hmac(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
-                CK_OBJECT_HANDLE sKey, CK_MECHANISM *hmacMech, 
-                const CK_BYTE *  pData, CK_ULONG pDataLen) {
-
-    CK_RV crv = CKR_OK;
-
-    CK_BYTE hmac1[HMAC_MAX_LENGTH];
-    CK_ULONG hmac1Len = 0;
-    CK_BYTE hmac2[HMAC_MAX_LENGTH];
-    CK_ULONG hmac2Len = 0;
-
-    memset(hmac1, 0, sizeof(hmac1));
-    memset(hmac2, 0, sizeof(hmac2));
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_SignInit(hSession, hmacMech, sKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignInit succeeded\n");
-    } else {
-        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    hmac1Len = sizeof(hmac1);
-    crv = pFunctionList->C_Sign(hSession, (CK_BYTE * )pData,
-                                pDataLen,
-                                (CK_BYTE * )hmac1, &hmac1Len);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Sign succeeded\n");
-    } else {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_SignInit(hSession, hmacMech, sKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignInit succeeded\n");
-    } else {
-        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_SignUpdate(hSession, (CK_BYTE * )pData,
-                                      pDataLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignUpdate succeeded\n");
-    } else {
-        PKM_Error( "C_SignUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    hmac2Len = sizeof(hmac2);
-    crv = pFunctionList->C_SignFinal(hSession, (CK_BYTE * )hmac2, &hmac2Len);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignFinal succeeded\n");
-    } else {
-        PKM_Error( "C_SignFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if ((hmac1Len == hmac2Len) && (memcmp(hmac1, hmac2, hmac1Len) == 0) ) {
-        PKM_LogIt("hmacs are equal!\n");
-    } else {
-        PKM_Error("hmacs are not equal!\n");
-    }
-    crv = pFunctionList->C_VerifyInit(hSession, hmacMech, sKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Verify(hSession, (CK_BYTE * )pData,
-                                  pDataLen,
-                                  (CK_BYTE * ) hmac2, hmac2Len);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Verify of hmac succeeded\n");
-    } else {
-        PKM_Error( "C_Verify failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyInit(hSession, hmacMech, sKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyUpdate(hSession, (CK_BYTE * )pData,
-                                  pDataLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyUpdate of hmac succeeded\n");
-    } else {
-        PKM_Error( "C_VerifyUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyFinal(hSession, (CK_BYTE * ) hmac1, 
-                                       hmac1Len);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyFinal of hmac succeeded\n");
-    } else {
-        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    return crv;
-}
-
-CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
-                         CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                         CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_RV crv = CKR_OK;
-
-    CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
-    CK_SESSION_INFO sinfo;
-    CK_ATTRIBUTE_PTR pTemplate;
-    CK_ULONG tnObjects = 0;
-    int curMode;
-    int i;
-    int  number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &h);
-    if ( CKR_OK != crv ) {
-        PKM_Error("C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
-                  "returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Opened a session: handle = 0x%08x\n", h);
-
-    (void)memset(&sinfo, 0, sizeof(CK_SESSION_INFO));
-    crv = pFunctionList->C_GetSessionInfo(h, &sinfo);
-    if ( CKR_OK != crv ) {
-        PKM_LogIt( "C_GetSessionInfo(%lu, ) returned 0x%08X, %-26s\n", h, crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    SESSION INFO:\n");
-    PKM_LogIt( "        slotID = %lu\n", sinfo.slotID);
-    PKM_LogIt( "        state = %lu\n", sinfo.state);
-    PKM_LogIt( "        flags = 0x%08x\n", sinfo.flags);
-#ifdef CKF_EXCLUSIVE_SESSION
-    PKM_LogIt( "            -> EXCLUSIVE SESSION = %s\n", sinfo.flags &
-               CKF_EXCLUSIVE_SESSION ? "TRUE" : "FALSE");
-#endif /* CKF_EXCLUSIVE_SESSION */
-    PKM_LogIt( "            -> RW SESSION = %s\n", sinfo.flags &
-               CKF_RW_SESSION ? "TRUE" : "FALSE");
-    PKM_LogIt( "            -> SERIAL SESSION = %s\n", sinfo.flags &
-               CKF_SERIAL_SESSION ? "TRUE" : "FALSE");
-#ifdef CKF_INSERTION_CALLBACK
-    PKM_LogIt( "            -> INSERTION CALLBACK = %s\n", sinfo.flags &
-               CKF_INSERTION_CALLBACK ? "TRUE" : "FALSE");
-#endif /* CKF_INSERTION_CALLBACK */
-    PKM_LogIt( "        ulDeviceError = %lu\n", sinfo.ulDeviceError);
-    PKM_LogIt( "\n");
-
-    crv = pFunctionList->C_FindObjectsInit(h, NULL, 0);
-    if ( CKR_OK != crv ) {
-        PKM_LogIt( "C_FindObjectsInit(%lu, NULL, 0) returned "
-                   "0x%08X, %-26s\n",
-                   h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    pTemplate = (CK_ATTRIBUTE_PTR)calloc(number_of_all_known_attribute_types,
-                                         sizeof(CK_ATTRIBUTE));
-    if ( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
-        PKM_Error(  "[pTemplate memory allocation of %lu bytes failed]\n",
-                    number_of_all_known_attribute_types *
-                    sizeof(CK_ATTRIBUTE));
-        return crv;
-    }
-
-    PKM_LogIt( "    All objects:\n");
-    /* Printing table set to NOMODE */
-    curMode = MODE;
-    MODE = NOMODE; 
-
-    while (1) {
-        CK_OBJECT_HANDLE o = (CK_OBJECT_HANDLE)0;
-        CK_ULONG nObjects = 0;
-        CK_ULONG k;
-        CK_ULONG nAttributes = 0;
-        CK_ATTRIBUTE_PTR pT2;
-        CK_ULONG l;
-        const char * attName = NULL;
-
-        crv = pFunctionList->C_FindObjects(h, &o, 1, &nObjects);
-        if ( CKR_OK != crv ) {
-            PKM_Error(  "C_FindObjects(%lu, , 1, ) returned 0x%08X, %-26s\n", 
-                        h, crv, PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-        if ( 0 == nObjects ) {
-            PKM_LogIt( "\n");
-            break;
-        }
-
-        tnObjects++;
-
-        PKM_LogIt( "        OBJECT HANDLE %lu:\n", o);
-
-        k = 0;
-        for (i=0; i < constCount; i++) {
-            if (consts[i].type == ConstAttribute) {
-                pTemplate[k].type = consts[i].value;
-                pTemplate[k].pValue = (CK_VOID_PTR) NULL;
-                pTemplate[k].ulValueLen = 0;
-                k++;
-            }
-            assert(k <= number_of_all_known_attribute_types);
-        }
-
-        crv = pFunctionList->C_GetAttributeValue(h, o, pTemplate,
-                                       number_of_all_known_attribute_types);
-        switch ( crv ) {
-        case CKR_OK:
-        case CKR_ATTRIBUTE_SENSITIVE:
-        case CKR_ATTRIBUTE_TYPE_INVALID:
-        case CKR_BUFFER_TOO_SMALL:
-            break;
-        default:
-            PKM_Error(  "C_GetAtributeValue(%lu, %lu, {all attribute types},"
-                        "%lu) returned 0x%08X, %-26s\n",
-                        h, o, number_of_all_known_attribute_types, crv, 
-                        PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-        for ( k = 0; k < (CK_ULONG) number_of_all_known_attribute_types; k++) {
-            if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
-                nAttributes++;
-            }
-        }
-        
-        PKM_LogIt( "            %lu attributes:\n", nAttributes);
-        for ( k = 0; k < (CK_ULONG) number_of_all_known_attribute_types;
-             k++ ) {
-            if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
-                attName = getNameFromAttribute(pTemplate[k].type);
-                if (!attName) {
-                    PKM_Error("Unable to find attribute name update pk11table.c\n");
-                }
-                PKM_LogIt( "                %s 0x%08x (len = %lu)\n",
-                          attName,
-                          pTemplate[k].type,
-                          pTemplate[k].ulValueLen);
-            }
-        }
-        PKM_LogIt( "\n");
-        
-        pT2 = (CK_ATTRIBUTE_PTR)calloc(nAttributes, sizeof(CK_ATTRIBUTE));
-        if ( (CK_ATTRIBUTE_PTR)NULL == pT2 ) {
-            PKM_Error(  "[pT2 memory allocation of %lu bytes failed]\n",
-                        nAttributes * sizeof(CK_ATTRIBUTE));
-            return crv;
-        }
-
-        /* allocate memory for the attribute values */
-        for ( l = 0, k = 0; k < (CK_ULONG) number_of_all_known_attribute_types;
-            k++ ) {
-            if ( -1 != (CK_LONG)pTemplate[k].ulValueLen ) {
-                pT2[l].type = pTemplate[k].type;
-                pT2[l].ulValueLen = pTemplate[k].ulValueLen;
-                if (pT2[l].ulValueLen > 0) {
-                    pT2[l].pValue = (CK_VOID_PTR)malloc(pT2[l].ulValueLen);
-                    if ( (CK_VOID_PTR)NULL == pT2[l].pValue ) {
-                        PKM_Error(  "pValue memory allocation of %lu bytes failed]\n",
-                                  pT2[l].ulValueLen);
-                        return crv;
-                    }
-                } else pT2[l].pValue = (CK_VOID_PTR) NULL;
-                l++;
-            }
-        }
-
-        assert( l == nAttributes );
-
-        crv = pFunctionList->C_GetAttributeValue(h, o, pT2, nAttributes);
-        switch ( crv ) {
-        case CKR_OK:
-        case CKR_ATTRIBUTE_SENSITIVE:
-        case CKR_ATTRIBUTE_TYPE_INVALID:
-        case CKR_BUFFER_TOO_SMALL:
-            break;
-        default:
-            PKM_Error(  "C_GetAtributeValue(%lu, %lu, {existant attribute"
-                        " types}, %lu) returned 0x%08X, %-26s\n",
-                        h, o, nAttributes, crv, PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-
-        for ( l = 0; l < nAttributes; l++ ) {
-            attName = getNameFromAttribute(pT2[l].type);
-            if (!attName) attName = "unknown attribute";
-            PKM_LogIt( "            type = %s len = %ld",
-                       attName, (CK_LONG)pT2[l].ulValueLen);
-
-            if ( -1 == (CK_LONG)pT2[l].ulValueLen ) {
-                ;
-            } else {
-                CK_ULONG m;
-
-                if ( pT2[l].ulValueLen <= 8 ) {
-                    PKM_LogIt( ", value = ");
-                } else {
-                    PKM_LogIt( ", value = \n                ");
-                }
-
-                for ( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
-                    PKM_LogIt( "%02x", (CK_ULONG)(0xff &
-                              ((CK_CHAR_PTR)pT2[l].pValue)[m]));
-                }
-
-                PKM_LogIt( " ");
-
-                for ( m = 0; (m < pT2[l].ulValueLen) && (m < 20); m++ ) {
-                    CK_CHAR c = ((CK_CHAR_PTR)pT2[l].pValue)[m];
-                    if ( (c < 0x20) || (c >= 0x7f) ) {
-                        c = '.';
-                    }
-                    PKM_LogIt( "%c", c);
-                }
-            }
-
-            PKM_LogIt( "\n");
-        }
-
-        PKM_LogIt( "\n");
-
-        for ( l = 0; l < nAttributes; l++ ) {
-            if (pT2[l].pValue) {
-                free(pT2[l].pValue);
-            }
-        }
-        free(pT2);
-    } /* while(1) */
-
-    MODE = curMode; /* reset the logging MODE */
-    
-    crv = pFunctionList->C_FindObjectsFinal(h);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", h, crv, 
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    (%lu objects total)\n", tnObjects);
-
-    crv = pFunctionList->C_CloseSession(h);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CloseSession(%lu) returned 0x%08X, %-26s\n", h, crv, 
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-}
-/* session to create, find, and delete a couple session objects */
-CK_RV PKM_MultiObjectManagement (CK_FUNCTION_LIST_PTR pFunctionList,
-                                 CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                                 CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-
-    CK_RV crv = CKR_OK;
-
-    CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
-    CK_SESSION_HANDLE h2 = (CK_SESSION_HANDLE)0;
-    CK_ATTRIBUTE one[7], two[7], three[7], delta[1], mask[1];
-    CK_OBJECT_CLASS cko_data = CKO_DATA;
-    char *key = "TEST PROGRAM";
-    CK_ULONG key_len = 0; 
-    CK_OBJECT_HANDLE hOneIn = (CK_OBJECT_HANDLE)0;
-    CK_OBJECT_HANDLE hTwoIn = (CK_OBJECT_HANDLE)0;
-    CK_OBJECT_HANDLE hThreeIn = (CK_OBJECT_HANDLE)0;
-    CK_OBJECT_HANDLE hDeltaIn = (CK_OBJECT_HANDLE)0;
-    CK_OBJECT_HANDLE found[10];
-    CK_ULONG nFound;
-    CK_ULONG   hDeltaLen, hThreeLen = 0;
-
-    CK_TOKEN_INFO tinfo;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-    key_len = sizeof(key);
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID],
-                                       CKF_SERIAL_SESSION, NULL, NULL, &h);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
-                    "returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Login(h, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    (void)memset(&tinfo, 0, sizeof(CK_TOKEN_INFO));
-    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotID], &tinfo);
-    if ( CKR_OK != crv ) {
-        PKM_Error("C_GetTokenInfo(%lu, ) returned 0x%08X, %-26s\n",
-                  pSlotList[slotID], crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    PKM_LogIt( "    Opened a session: handle = 0x%08x\n", h);
-
-    one[0].type = CKA_CLASS;
-    one[0].pValue = &cko_data;
-    one[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
-    one[1].type = CKA_TOKEN;
-    one[1].pValue = &false;
-    one[1].ulValueLen = sizeof(CK_BBOOL);
-    one[2].type = CKA_PRIVATE;
-    one[2].pValue = &false;
-    one[2].ulValueLen = sizeof(CK_BBOOL);
-    one[3].type = CKA_MODIFIABLE;
-    one[3].pValue = &true;
-    one[3].ulValueLen = sizeof(CK_BBOOL);
-    one[4].type = CKA_LABEL;
-    one[4].pValue = "Test data object one";
-    one[4].ulValueLen = strlen(one[4].pValue);
-    one[5].type = CKA_APPLICATION;
-    one[5].pValue = key;
-    one[5].ulValueLen = key_len;
-    one[6].type = CKA_VALUE;
-    one[6].pValue = "Object one";
-    one[6].ulValueLen = strlen(one[6].pValue);
-
-    two[0].type = CKA_CLASS;
-    two[0].pValue = &cko_data;
-    two[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
-    two[1].type = CKA_TOKEN;
-    two[1].pValue = &false;
-    two[1].ulValueLen = sizeof(CK_BBOOL);
-    two[2].type = CKA_PRIVATE;
-    two[2].pValue = &false;
-    two[2].ulValueLen = sizeof(CK_BBOOL);
-    two[3].type = CKA_MODIFIABLE;
-    two[3].pValue = &true;
-    two[3].ulValueLen = sizeof(CK_BBOOL);
-    two[4].type = CKA_LABEL;
-    two[4].pValue = "Test data object two";
-    two[4].ulValueLen = strlen(two[4].pValue);
-    two[5].type = CKA_APPLICATION;
-    two[5].pValue = key;
-    two[5].ulValueLen = key_len;
-    two[6].type = CKA_VALUE;
-    two[6].pValue = "Object two";
-    two[6].ulValueLen = strlen(two[6].pValue);
-
-    three[0].type = CKA_CLASS;
-    three[0].pValue = &cko_data;
-    three[0].ulValueLen = sizeof(CK_OBJECT_CLASS);
-    three[1].type = CKA_TOKEN;
-    three[1].pValue = &false;
-    three[1].ulValueLen = sizeof(CK_BBOOL);
-    three[2].type = CKA_PRIVATE;
-    three[2].pValue = &false;
-    three[2].ulValueLen = sizeof(CK_BBOOL);
-    three[3].type = CKA_MODIFIABLE;
-    three[3].pValue = &true;
-    three[3].ulValueLen = sizeof(CK_BBOOL);
-    three[4].type = CKA_LABEL;
-    three[4].pValue = "Test data object three";
-    three[4].ulValueLen = strlen(three[4].pValue);
-    three[5].type = CKA_APPLICATION;
-    three[5].pValue = key;
-    three[5].ulValueLen = key_len;
-    three[6].type = CKA_VALUE;
-    three[6].pValue = "Object three";
-    three[6].ulValueLen = strlen(three[6].pValue);
-
-    crv = pFunctionList->C_CreateObject(h, one, 7, &hOneIn);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CreateObject(%lu, one, 7, ) returned 0x%08X, %-26s\n",
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Created object one: handle = %lu\n", hOneIn);
-
-    crv = pFunctionList->C_CreateObject(h, two, 7, &hTwoIn);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CreateObject(%lu, two, 7, ) returned 0x%08X, %-26s\n",
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Created object two: handle = %lu\n", hTwoIn);
-
-    crv = pFunctionList->C_CreateObject(h, three, 7, &hThreeIn);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CreateObject(%lu, three, 7, ) returned 0x%08x\n",
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_GetObjectSize(h, hThreeIn, &hThreeLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetObjectSize succeeded\n");
-    } else {
-        PKM_Error("C_GetObjectSize failed "
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Created object three: handle = %lu\n", hThreeIn);
-
-    delta[0].type = CKA_VALUE;
-    delta[0].pValue = "Copied object";
-    delta[0].ulValueLen = strlen(delta[0].pValue);
-
-    crv = pFunctionList->C_CopyObject(h, hThreeIn, delta, 1, &hDeltaIn);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CopyObject(%lu, %lu, delta, 1, ) returned "
-                    "0x%08X, %-26s\n",
-                    h, hThreeIn, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_GetObjectSize(h, hDeltaIn, &hDeltaLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GetObjectSize succeeded\n");
-    } else {
-        PKM_Error("C_GetObjectSize failed "
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if (hThreeLen == hDeltaLen) {
-        PKM_LogIt("Copied object size same as orginal\n");
-    } else {
-        PKM_Error("Copied object different from original\n");
-        return CKR_DEVICE_ERROR;
-    }
-
-    PKM_LogIt( "    Copied object three: new handle = %lu\n", hDeltaIn);
-
-    mask[0].type = CKA_APPLICATION;
-    mask[0].pValue = key;
-    mask[0].ulValueLen = key_len;
-
-    crv = pFunctionList->C_FindObjectsInit(h, mask, 1);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjectsInit(%lu, mask, 1) returned 0x%08X, %-26s\n",
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    (void)memset(&found, 0, sizeof(found));
-    nFound = 0;
-    crv = pFunctionList->C_FindObjects(h, found, 10, &nFound);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjects(%lu,, 10, ) returned 0x%08X, %-26s\n",
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if ( 4 != nFound ) {
-        PKM_Error(  "Found %lu objects, not 4.\n", nFound);
-        return crv;
-    }
-
-    PKM_LogIt( "    Found 4 objects: %lu, %lu, %lu, %lu\n",
-               found[0], found[1], found[2], found[3]);
-
-    crv = pFunctionList->C_FindObjectsFinal(h);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", 
-                    h, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_DestroyObject(h, hThreeIn);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_DestroyObject(%lu, %lu) returned 0x%08X, %-26s\n", h,
-                    hThreeIn, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Destroyed object three (handle = %lu)\n", hThreeIn);
-
-    delta[0].type = CKA_APPLICATION;
-    delta[0].pValue = "Changed application";
-    delta[0].ulValueLen = strlen(delta[0].pValue);
-
-    crv = pFunctionList->C_SetAttributeValue(h, hTwoIn, delta, 1);
-    if ( CKR_OK != crv ) {
-        PKM_Error("C_SetAttributeValue(%lu, %lu, delta, 1) returned "
-                  "0x%08X, %-26s\n",
-                  h, hTwoIn, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "    Changed object two (handle = %lu).\n", hTwoIn);
-
-    /* Can another session find these session objects? */
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &h2);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
-                    " returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    PKM_LogIt( "    Opened a second session: handle = 0x%08x\n", h2);
-
-    /* mask is still the same */
-
-    crv = pFunctionList->C_FindObjectsInit(h2, mask, 1);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjectsInit(%lu, mask, 1) returned 0x%08X, %-26s\n",
-                    h2, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    (void)memset(&found, 0, sizeof(found));
-    nFound = 0;
-    crv = pFunctionList->C_FindObjects(h2, found, 10, &nFound);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjects(%lu,, 10, ) returned 0x%08X, %-26s\n",
-                    h2, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if ( 2 != nFound ) {
-        PKM_Error(  "Found %lu objects, not 2.\n", nFound);
-        return crv;
-    }
-
-    PKM_LogIt( "    Found 2 objects: %lu, %lu\n",
-               found[0], found[1]);
-
-    crv = pFunctionList->C_FindObjectsFinal(h2);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_FindObjectsFinal(%lu) returned 0x%08X, %-26s\n", h2, crv, 
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Logout(h);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseAllSessions(pSlotList[slotID]);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CloseAllSessions(%lu) returned 0x%08X, %-26s\n",
-                    pSlotList[slotID], crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt( "\n");
-    return crv;
-}
-
-CK_RV PKM_OperationalState(CK_FUNCTION_LIST_PTR pFunctionList,
-                           CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                           CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv = CKR_OK;
-    CK_MECHANISM sAESKeyMech = {
-        CKM_AES_KEY_GEN, NULL, 0
-    };
-    CK_OBJECT_CLASS class = CKO_SECRET_KEY;
-    CK_KEY_TYPE keyAESType = CKK_AES;
-    CK_UTF8CHAR AESlabel[] = "An AES secret key object";
-    CK_ULONG AESvalueLen = 16;
-    CK_ATTRIBUTE sAESKeyTemplate[9];    
-    CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
-    CK_BYTE_PTR     pstate = NULL;
-    CK_ULONG statelen, digestlen, plainlen, plainlen_1, plainlen_2, slen;
-
-    static const CK_UTF8CHAR *plaintext = (CK_UTF8CHAR *)"Firefox rules.";
-    static const CK_UTF8CHAR *plaintext_1 = (CK_UTF8CHAR *)"Thunderbird rules.";
-    static const CK_UTF8CHAR *plaintext_2 = (CK_UTF8CHAR *)
-                                            "Firefox and Thunderbird.";
-
-    char    digest[MAX_DIGEST_SZ], digest_1[MAX_DIGEST_SZ];
-    char    sign[MAX_SIG_SZ];
-    CK_MECHANISM signmech;
-    CK_MECHANISM digestmech;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-
-    /* AES key template */
-    sAESKeyTemplate[0].type       = CKA_CLASS; 
-    sAESKeyTemplate[0].pValue     = &class;
-    sAESKeyTemplate[0].ulValueLen = sizeof(class);
-    sAESKeyTemplate[1].type       = CKA_KEY_TYPE; 
-    sAESKeyTemplate[1].pValue     = &keyAESType; 
-    sAESKeyTemplate[1].ulValueLen = sizeof(keyAESType);
-    sAESKeyTemplate[2].type       = CKA_LABEL;
-    sAESKeyTemplate[2].pValue     = AESlabel; 
-    sAESKeyTemplate[2].ulValueLen = sizeof(AESlabel)-1;
-    sAESKeyTemplate[3].type       = CKA_ENCRYPT; 
-    sAESKeyTemplate[3].pValue     = &true; 
-    sAESKeyTemplate[3].ulValueLen = sizeof(true);
-    sAESKeyTemplate[4].type       = CKA_DECRYPT; 
-    sAESKeyTemplate[4].pValue     = &true; 
-    sAESKeyTemplate[4].ulValueLen = sizeof(true);
-    sAESKeyTemplate[5].type       = CKA_SIGN; 
-    sAESKeyTemplate[5].pValue     = &true; 
-    sAESKeyTemplate[5].ulValueLen = sizeof (true);
-    sAESKeyTemplate[6].type       = CKA_VERIFY; 
-    sAESKeyTemplate[6].pValue     = &true; 
-    sAESKeyTemplate[6].ulValueLen = sizeof(true);
-    sAESKeyTemplate[7].type       = CKA_UNWRAP; 
-    sAESKeyTemplate[7].pValue     = &true; 
-    sAESKeyTemplate[7].ulValueLen = sizeof(true);
-    sAESKeyTemplate[8].type       = CKA_VALUE_LEN; 
-    sAESKeyTemplate[8].pValue     = &AESvalueLen; 
-    sAESKeyTemplate[8].ulValueLen = sizeof(AESvalueLen);
-
-    signmech.mechanism = CKM_SHA_1_HMAC;
-    signmech.pParameter = NULL;
-    signmech.ulParameterLen = 0;
-    digestmech.mechanism = CKM_SHA256;
-    digestmech.pParameter = NULL;
-    digestmech.ulParameterLen = 0;
-
-
-    plainlen = strlen((char *)plaintext);
-    plainlen_1 = strlen((char *)plaintext_1);
-    plainlen_2 = strlen((char *)plaintext_2);
-    digestlen = MAX_DIGEST_SZ;
-
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    PKM_LogIt("Generate an AES key ...\n");
-    /* generate an AES Secret Key */
-    crv = pFunctionList->C_GenerateKey(hSession, &sAESKeyMech,
-                                       sAESKeyTemplate,
-                                       NUM_ELEM(sAESKeyTemplate),
-                                       &sKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey AES succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey AES failed with 0x%08X, %-26s\n", 
-                   crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_SignInit(hSession, &signmech, sKey);
-    if (crv != CKR_OK) {
-        PKM_Error("C_SignInit failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    slen = sizeof(sign);
-    crv = pFunctionList->C_Sign(hSession, (CK_BYTE_PTR)plaintext, plainlen,
-                                (CK_BYTE_PTR)sign, &slen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_Sign failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_DestroyObject(hSession, sKey);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DestroyObject failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    digestlen = MAX_DIGEST_SZ;
-    crv = pFunctionList->C_DigestInit(hSession, &digestmech);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestInit failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext,
-                                        plainlen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_GetOperationState(hSession, NULL, &statelen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_GetOperationState failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    pstate = (CK_BYTE_PTR) malloc(statelen * sizeof (CK_BYTE_PTR));
-    crv = pFunctionList->C_GetOperationState(hSession, pstate, &statelen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_GetOperationState failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext_1,
-                                        plainlen_1);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE_PTR)plaintext_2,
-                                        plainlen_2);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestUpdate failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /*
-     *      This will override/negate the above 2 digest_update
-     *      operations
-     */
-    crv = pFunctionList->C_SetOperationState(hSession, pstate, statelen,
-                                             0, 0);
-    if (crv != CKR_OK) {
-        PKM_Error("C_SetOperationState failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_DigestFinal(hSession, (CK_BYTE_PTR)digest,
-                                       &digestlen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestFinal failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    digestlen = MAX_DIGEST_SZ;
-    crv = pFunctionList->C_DigestInit(hSession, &digestmech);
-    if (crv != CKR_OK) {
-        PKM_Error("C_DigestInit failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Digest(hSession, (CK_BYTE_PTR)plaintext, plainlen,
-                                  (CK_BYTE_PTR)digest_1, &digestlen);
-    if (crv != CKR_OK) {
-        PKM_Error("C_Digest failed returned 0x%08X, %-26s\n", crv, 
-                  PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    if (memcmp(digest, digest_1, digestlen) == 0) {
-        PKM_LogIt("Digest and digest_1 are equal!\n");
-    } else {
-        PKM_Error("Digest and digest_1 are not equal!\n");
-    }
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if ( CKR_OK != crv ) {
-        PKM_Error(  "C_CloseSession(%lu) returned 0x%08X, %-26s\n", 
-                    hSession, crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-}
-
-
-/*
-* Recover Functions
-*/
-CK_RV PKM_RecoverFunctions(CK_FUNCTION_LIST_PTR pFunctionList, 
-                    CK_SESSION_HANDLE hSession,
-                    CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey,
-                    CK_MECHANISM *signMech, const CK_BYTE * pData, 
-                    CK_ULONG pDataLen) {
-    CK_RV crv = CKR_OK;
-    CK_BYTE sig[MAX_SIG_SZ];
-    CK_ULONG sigLen = MAX_SIG_SZ;
-    CK_BYTE recover[MAX_SIG_SZ];
-    CK_ULONG recoverLen = MAX_SIG_SZ;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-    
-    /* initializes a signature operation,
-     *  where the data can be recovered from the signature
-     */
-    crv = pFunctionList->C_SignRecoverInit(hSession, signMech,
-                                           hPrivKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignRecoverInit succeeded. \n");
-    } else {
-        PKM_Error("C_SignRecoverInit failed.\n"
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* signs single-part data,
-     * where the data can be recovered from the signature
-     */
-    crv = pFunctionList->C_SignRecover(hSession, (CK_BYTE * )pData,
-                                       pDataLen,
-                                       (CK_BYTE * )sig, &sigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_SignRecover succeeded. \n");
-    } else {
-        PKM_Error("C_SignRecoverInit failed to create an RSA key pair.\n"
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /*
-     * initializes a verification operation
-     *where the data is recovered from the signature
-     */
-    crv = pFunctionList->C_VerifyRecoverInit(hSession, signMech,
-                                             hPubKey);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyRecoverInit succeeded. \n");
-    } else {
-        PKM_Error("C_VerifyRecoverInit failed.\n"
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /*
-    * verifies a signature on single-part data,
-    * where the data is recovered from the signature
-    */
-    crv = pFunctionList->C_VerifyRecover(hSession, (CK_BYTE * )sig,
-                                         sigLen,
-                                         (CK_BYTE * )recover, &recoverLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyRecover succeeded. \n");
-    } else {
-        PKM_Error("C_VerifyRecover failed.\n"
-                  "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if ((recoverLen == pDataLen)
-        && (memcmp(recover, pData, pDataLen) == 0)) {
-        PKM_LogIt("VerifyRecover test case passed\n");
-    } else {
-        PKM_Error( "VerifyRecover test case failed\n");
-    }
-
-    return crv;
-}
-/*
-* wrapUnwrap
-* wrap the secretkey with the public key.
-* unwrap the secretkey with the private key.
-*/
-CK_RV PKM_wrapUnwrap(CK_FUNCTION_LIST_PTR pFunctionList,
-                     CK_SESSION_HANDLE hSession, 
-                     CK_OBJECT_HANDLE hPublicKey, 
-                     CK_OBJECT_HANDLE hPrivateKey,
-                     CK_MECHANISM *wrapMechanism,
-                     CK_OBJECT_HANDLE hSecretKey,
-                     CK_ATTRIBUTE *sKeyTemplate,
-                     CK_ULONG skeyTempSize) {
-    CK_RV crv = CKR_OK;
-    CK_OBJECT_HANDLE hSecretKeyUnwrapped = CK_INVALID_HANDLE;
-    CK_BYTE wrappedKey[128];
-    CK_ULONG ulWrappedKeyLen = 0;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    ulWrappedKeyLen = sizeof(wrappedKey);
-    crv = pFunctionList->C_WrapKey(
-                                  hSession, wrapMechanism,
-                                  hPublicKey, hSecretKey,
-                                  wrappedKey, &ulWrappedKeyLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_WrapKey succeeded\n");
-    } else {
-        PKM_Error( "C_WrapKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_UnwrapKey(
-                                    hSession, wrapMechanism, hPrivateKey,
-                                    wrappedKey, ulWrappedKeyLen, sKeyTemplate,
-                                    skeyTempSize,
-                                    &hSecretKeyUnwrapped);
-    if ((crv == CKR_OK) && (hSecretKeyUnwrapped != CK_INVALID_HANDLE)) {
-        PKM_LogIt("C_UnwrapKey succeeded\n");
-    } else {
-        PKM_Error( "C_UnwrapKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return crv;
-}
-
-/*
- * Tests if the object's attributes match the expected_attrs
- */
-CK_RV
-PKM_AttributeCheck(CK_FUNCTION_LIST_PTR pFunctionList,
-                   CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE obj,
-                   CK_ATTRIBUTE_PTR expected_attrs,
-                   CK_ULONG expected_attrs_count)
-{
-    CK_RV crv;
-    CK_ATTRIBUTE_PTR tmp_attrs;
-    unsigned int i;
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* First duplicate the themplate */
-    tmp_attrs = malloc(expected_attrs_count * sizeof (CK_ATTRIBUTE));
-
-    if (tmp_attrs == NULL) {
-        PKM_Error("Internal test memory failure\n");
-        return (CKR_HOST_MEMORY);
-    }
-
-    for (i = 0; i < expected_attrs_count; i++) {
-        tmp_attrs[i].type = expected_attrs[i].type;
-        tmp_attrs[i].ulValueLen = expected_attrs[i].ulValueLen;
-
-        /* Don't give away the expected one. just zeros */
-        tmp_attrs[i].pValue = calloc(expected_attrs[i].ulValueLen, 1);
-
-        if (tmp_attrs[i].pValue == NULL) {
-            unsigned int j;
-            for (j = 0; j < i; j++)
-                free(tmp_attrs[j].pValue);
-
-            free(tmp_attrs);
-            printf("Internal test memory failure\n");
-            return (CKR_HOST_MEMORY);
-        }
-    }
-
-    /* then get the attributes from the object */
-    crv = pFunctionList->C_GetAttributeValue(hSession, obj, tmp_attrs,
-                                             expected_attrs_count);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetAttributeValue failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        crv = CKR_FUNCTION_FAILED;
-        goto out;
-    }
-
-    /* Finally compare with the expected ones */
-    for (i = 0; i < expected_attrs_count; i++) {
-
-        if (memcmp(tmp_attrs[i].pValue, expected_attrs[i].pValue,
-                   expected_attrs[i].ulValueLen) != 0) {
-        PKM_LogIt("comparing attribute type 0x%x with expected  0x%x\n",
-                      tmp_attrs[i].type, expected_attrs[i].type);
-        PKM_LogIt("comparing attribute type value 0x%x with expected 0x%x\n",
-                      tmp_attrs[i].pValue, expected_attrs[i].pValue);
-        /* don't report error at this time */
-        }
-    }
-
-    out:
-    for (i = 0; i < expected_attrs_count; i++)
-        free(tmp_attrs[i].pValue);
-    free(tmp_attrs);
-    return (crv);
-}
-
-/*
- * Check the validity of a mech
- */
-CK_RV
-PKM_MechCheck(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession,
-              CK_MECHANISM_TYPE mechType, CK_FLAGS flags,
-              CK_BBOOL check_sizes, CK_ULONG minkeysize, CK_ULONG maxkeysize)
-{
-    CK_SESSION_INFO         sess_info;
-    CK_MECHANISM_INFO       mech_info;
-    CK_RV                   crv;
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    if ((crv = pFunctionList->C_GetSessionInfo(hSession, &sess_info))
-        != CKR_OK) {
-        PKM_Error( "C_GetSessionInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return (CKR_FUNCTION_FAILED);
-    }
-
-    crv = pFunctionList->C_GetMechanismInfo(0, mechType,
-                                            &mech_info);
-
-
-    crv = pFunctionList->C_GetMechanismInfo(sess_info.slotID, mechType,
-                                            &mech_info);
-
-    if (crv != CKR_OK) {
-        PKM_Error( "C_GetMechanismInfo failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return (CKR_FUNCTION_FAILED);
-    }
-
-    if ((mech_info.flags & flags) == 0) {
-        PKM_Error("0x%x flag missing from mech\n", flags);
-        return (CKR_MECHANISM_INVALID);
-    }
-    if (!check_sizes)
-        return (CKR_OK);
-
-    if (mech_info.ulMinKeySize != minkeysize) {
-        PKM_Error("Bad MinKeySize %d expected %d\n", mech_info.ulMinKeySize,
-                  minkeysize);
-        return (CKR_MECHANISM_INVALID);
-    }
-    if (mech_info.ulMaxKeySize != maxkeysize) {
-        PKM_Error("Bad MaxKeySize %d expected %d\n", mech_info.ulMaxKeySize,
-                  maxkeysize);
-        return (CKR_MECHANISM_INVALID);
-    }
-    return (CKR_OK);
-}
-
-
-
-
-
-/*
- * Can be called with a non-null premaster_key_len for the
- * *_DH mechanisms. In that case, no checking for the matching of
- * the expected results is done.
- * The rnd argument tells which correct/bogus randomInfo to use.
- */
-CK_RV
-PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
-                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
-                        CK_MECHANISM_TYPE mechType,
-                        enum_random_t rnd)  {
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv;
-    CK_MECHANISM            mk_mech;
-    CK_VERSION              expected_version, version;
-    CK_OBJECT_CLASS         class = CKO_SECRET_KEY;
-    CK_KEY_TYPE             type = CKK_GENERIC_SECRET;
-    CK_BBOOL                derive_bool = true;
-    CK_ATTRIBUTE            attrs[4];
-    CK_ULONG                attrs_count = 4;
-    CK_OBJECT_HANDLE        pmk_obj = CK_INVALID_HANDLE;
-    CK_OBJECT_HANDLE        mk_obj = CK_INVALID_HANDLE;
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS mkd_params;
-    CK_MECHANISM            skmd_mech;
-
-    CK_BBOOL isDH = false;
- 
-    NUMTESTS++; /* increment NUMTESTS */
-
-    attrs[0].type       = CKA_CLASS; 
-    attrs[0].pValue     = &class; 
-    attrs[0].ulValueLen = sizeof (class);
-    attrs[1].type       = CKA_KEY_TYPE; 
-    attrs[1].pValue     = &type; 
-    attrs[1].ulValueLen = sizeof (type);
-    attrs[2].type       = CKA_DERIVE; 
-    attrs[2].pValue     = &derive_bool;
-    attrs[2].ulValueLen = sizeof (derive_bool);
-    attrs[3].type       = CKA_VALUE; 
-    attrs[3].pValue     = NULL; 
-    attrs[3].ulValueLen = 0;
-    
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Before all, check if the mechanism is supported correctly */
-    if (MODE == FIPSMODE) {
-    crv = PKM_MechCheck(pFunctionList, hSession, mechType, CKF_DERIVE, false,
-                        0, 0);
-    if (crv != CKR_OK) {
-        PKM_Error( "PKM_MechCheck failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return (crv);
-    }
-    }
-
-    mk_mech.mechanism = mechType;
-    mk_mech.pParameter = &mkd_params;
-    mk_mech.ulParameterLen = sizeof (mkd_params);
-
-    switch (mechType) {
-    case CKM_TLS_MASTER_KEY_DERIVE_DH:
-        isDH = true;
-        /* FALLTHRU */
-    case CKM_TLS_MASTER_KEY_DERIVE:
-        attrs[3].pValue = NULL;
-        attrs[3].ulValueLen = 0;
-        expected_version.major = 3;
-        expected_version.minor = 1;
-
-        mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom;
-        mkd_params.RandomInfo.ulClientRandomLen =
-        sizeof (TLSClientRandom);
-        mkd_params.RandomInfo.pServerRandom = (unsigned char * ) TLSServerRandom;
-        mkd_params.RandomInfo.ulServerRandomLen =
-        sizeof (TLSServerRandom);
-        break;
-    }
-    mkd_params.pVersion = (!isDH) ? &version : NULL;
-
-    /* First create the pre-master secret key */
-
-    skmd_mech.mechanism = CKM_SSL3_PRE_MASTER_KEY_GEN;
-    skmd_mech.pParameter = &mkd_params;
-    skmd_mech.ulParameterLen = sizeof (mkd_params);
-
-
-    crv = pFunctionList->C_GenerateKey(hSession, &skmd_mech,
-                                       attrs,
-                                       attrs_count,
-                                       &pmk_obj);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-
-    }
-    /* Test the bad cases */
-    switch (rnd) {
-    case CORRECT:
-        goto correct;
-
-    case BOGUS_CLIENT_RANDOM:
-        mkd_params.RandomInfo.pClientRandom = NULL;
-        break;
-
-    case BOGUS_CLIENT_RANDOM_LEN:
-        mkd_params.RandomInfo.ulClientRandomLen = 0;
-        break;
-
-    case BOGUS_SERVER_RANDOM:
-        mkd_params.RandomInfo.pServerRandom = NULL;
-        break;
-
-    case BOGUS_SERVER_RANDOM_LEN:
-        mkd_params.RandomInfo.ulServerRandomLen = 0;
-        break;
-    }
-    crv = pFunctionList->C_DeriveKey(hSession, &mk_mech, pmk_obj, NULL, 0,
-                                     &mk_obj);
-    if (crv != CKR_MECHANISM_PARAM_INVALID) {
-        PKM_LogIt( "C_DeriveKey returned as EXPECTED with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-    } else {
-        PKM_Error( "C_DeriveKey did not fail  with  bad data \n" );
-    }
-    goto out;
-
-
-    correct:
-    /* Now derive the master secret key */
-    crv = pFunctionList->C_DeriveKey(hSession, &mk_mech, pmk_obj, NULL, 0,
-                                     &mk_obj);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_DeriveKey succeeded\n");
-    } else {
-        PKM_Error( "C_DeriveKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-
-    }
-
-    out:
-    if (pmk_obj != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, pmk_obj);
-    if (mk_obj != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
-    crv = pFunctionList->C_Logout(hSession);
-
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    return (crv);
-}
-
-
-CK_RV
-PKM_TLSKeyAndMacDerive( CK_FUNCTION_LIST_PTR pFunctionList,
-                        CK_SLOT_ID * pSlotList, CK_ULONG slotID,
-                        CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
-                        CK_MECHANISM_TYPE mechType, enum_random_t rnd)
-{
-    CK_SESSION_HANDLE hSession;
-    CK_RV crv;
-    CK_MECHANISM            kmd_mech;
-    CK_MECHANISM            skmd_mech;
-    CK_OBJECT_CLASS         class = CKO_SECRET_KEY;
-    CK_KEY_TYPE             type = CKK_GENERIC_SECRET;
-    CK_BBOOL                derive_bool = true;
-    CK_BBOOL                sign_bool = true, verify_bool = true;
-    CK_BBOOL                encrypt_bool = true, decrypt_bool = true;
-    CK_ULONG                value_len;
-
-    /*
-     * We arrange this template so that:
-     * . Attributes 0-6 are good for a MAC key comparison template.
-     * . Attributes 2-5 are good for the master key creation template.
-     * . Attributes 3-8 are good for a cipher key comparison template.
-     */
-    CK_ATTRIBUTE            attrs[9]; 
-
-    CK_OBJECT_HANDLE        mk_obj = CK_INVALID_HANDLE;
-    CK_SSL3_KEY_MAT_PARAMS km_params;
-    CK_SSL3_KEY_MAT_OUT kmo;
-    CK_BYTE         IVClient[8];
-    CK_BYTE         IVServer[8];
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    attrs[0].type       = CKA_SIGN;
-    attrs[0].pValue     = &sign_bool; 
-    attrs[0].ulValueLen = sizeof (sign_bool);
-    attrs[1].type       = CKA_VERIFY; 
-    attrs[1].pValue     = &verify_bool; 
-    attrs[1].ulValueLen = sizeof (verify_bool);
-    attrs[2].type       = CKA_KEY_TYPE; 
-    attrs[2].pValue     = &type; 
-    attrs[2].ulValueLen = sizeof (type);
-    attrs[3].type       = CKA_CLASS; 
-    attrs[3].pValue     = &class; 
-    attrs[3].ulValueLen = sizeof (class);
-    attrs[4].type       = CKA_DERIVE; 
-    attrs[4].pValue     = &derive_bool; 
-    attrs[4].ulValueLen = sizeof (derive_bool);
-    attrs[5].type       = CKA_VALUE; 
-    attrs[5].pValue     = NULL; 
-    attrs[5].ulValueLen = 0;
-    attrs[6].type       = CKA_VALUE_LEN; 
-    attrs[6].pValue     = &value_len; 
-    attrs[6].ulValueLen = sizeof (value_len);
-    attrs[7].type       = CKA_ENCRYPT; 
-    attrs[7].pValue     = &encrypt_bool; 
-    attrs[7].ulValueLen = sizeof (encrypt_bool);
-    attrs[8].type       = CKA_DECRYPT; 
-    attrs[8].pValue     = &decrypt_bool; 
-    attrs[8].ulValueLen = sizeof (decrypt_bool);
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_OpenSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_Login(hSession, CKU_USER, pwd, pwdLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Login with correct password succeeded\n");
-    } else {
-        PKM_Error( "C_Login with correct password failed "
-                   "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    /* Before all, check if the mechanism is supported correctly */
-    if (MODE == FIPSMODE) {
-        crv = PKM_MechCheck(pFunctionList, hSession, mechType, CKF_DERIVE,
-                            CK_TRUE, 48, 48);
-
-        if (crv != CKR_OK) {
-            PKM_Error( "PKM_MechCheck failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            return (crv);
-        }
-    }
-    kmd_mech.mechanism = mechType;
-    kmd_mech.pParameter = &km_params;
-    kmd_mech.ulParameterLen = sizeof (km_params);
-
-    km_params.ulMacSizeInBits = 128;        /* an MD5 based MAC */
-    km_params.ulKeySizeInBits = 192;        /* 3DES key size */
-    km_params.ulIVSizeInBits = 64;          /* 3DES block size */
-    km_params.pReturnedKeyMaterial = &kmo;
-    km_params.bIsExport = false;
-    kmo.hClientMacSecret = CK_INVALID_HANDLE;
-    kmo.hServerMacSecret = CK_INVALID_HANDLE;
-    kmo.hClientKey = CK_INVALID_HANDLE;
-    kmo.hServerKey = CK_INVALID_HANDLE;
-    kmo.pIVClient = IVClient;
-    kmo.pIVServer = IVServer;
-
-    skmd_mech.mechanism = CKM_SSL3_PRE_MASTER_KEY_GEN;
-    skmd_mech.pParameter = &km_params;
-    skmd_mech.ulParameterLen = sizeof (km_params);
-
-
-    crv = pFunctionList->C_GenerateKey(hSession, &skmd_mech,
-                                       &attrs[2],
-                                       4,
-                                       &mk_obj);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_GenerateKey succeeded\n");
-    } else {
-        PKM_Error( "C_GenerateKey failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-        attrs[5].pValue = NULL;
-        attrs[5].ulValueLen = 0;
-
-    km_params.RandomInfo.pClientRandom = (unsigned char *) TLSClientRandom;
-    km_params.RandomInfo.ulClientRandomLen =
-    sizeof (TLSClientRandom);
-    km_params.RandomInfo.pServerRandom = (unsigned char *) TLSServerRandom;
-    km_params.RandomInfo.ulServerRandomLen =
-    sizeof (TLSServerRandom);
-
-    /* Test the bad cases */
-    switch (rnd) {
-    case CORRECT:
-        goto correct;
-
-    case BOGUS_CLIENT_RANDOM:
-        km_params.RandomInfo.pClientRandom = NULL;
-        break;
-
-    case BOGUS_CLIENT_RANDOM_LEN:
-        km_params.RandomInfo.ulClientRandomLen = 0;
-        break;
-
-    case BOGUS_SERVER_RANDOM:
-        km_params.RandomInfo.pServerRandom = NULL;
-        break;
-
-    case BOGUS_SERVER_RANDOM_LEN:
-        km_params.RandomInfo.ulServerRandomLen = 0;
-        break;
-    }
-    crv = pFunctionList->C_DeriveKey(hSession, &kmd_mech, mk_obj, NULL, 0,
-                                     NULL);
-    if (crv != CKR_MECHANISM_PARAM_INVALID) {
-        PKM_Error( "key materials derivation returned unexpected "
-                   "error 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv));
-        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
-        return (CKR_FUNCTION_FAILED);
-
-    }
-    return (CKR_OK);
-
-    correct:
-    /*
-     * Then use the master key and the client 'n server random data to
-     * derive the key materials
-     */
-    crv = pFunctionList->C_DeriveKey(hSession, &kmd_mech, mk_obj, NULL, 0,
-                                     NULL);
-    if (crv != CKR_OK) {
-        PKM_Error( "Cannot derive the key materials, crv 0x%08X, %-26s\n", 
-                   crv, PKM_CK_RVtoStr(crv));
-        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
-        return (crv);
-    }
-
-    if (mk_obj != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, mk_obj);
-    if (kmo.hClientMacSecret != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, kmo.hClientMacSecret);
-    if (kmo.hServerMacSecret != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, kmo.hServerMacSecret);
-    if (kmo.hClientKey != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, kmo.hClientKey);
-    if (kmo.hServerKey != CK_INVALID_HANDLE)
-        (void) pFunctionList->C_DestroyObject(hSession, kmo.hServerKey);
-
-    crv = pFunctionList->C_Logout(hSession);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_Logout succeeded\n");
-    } else {
-        PKM_Error( "C_Logout failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_CloseSession(hSession);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_CloseSession failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    return (crv);
-}
-
-CK_RV PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pFunctionList,
-                       CK_SESSION_HANDLE hRwSession,
-                       CK_OBJECT_HANDLE publicKey, CK_OBJECT_HANDLE privateKey,
-                       CK_MECHANISM *sigMech,
-                       CK_OBJECT_HANDLE secretKey, CK_MECHANISM *cryptMech,
-                       const CK_BYTE *  pData, CK_ULONG pDataLen) {
-
-    CK_RV crv = CKR_OK;
-    CK_BYTE encryptedData[MAX_CIPHER_SZ];
-    CK_ULONG ulEncryptedDataLen = 0;
-    CK_ULONG ulLastUpdateSize = 0 ;
-    CK_BYTE sig[MAX_SIG_SZ];
-    CK_ULONG ulSigLen = 0;
-    CK_BYTE data[MAX_DATA_SZ];
-    CK_ULONG ulDataLen = 0;
-
-    memset(encryptedData, 0, sizeof(encryptedData));
-    memset(sig, 0, sizeof(sig));
-    memset(data, 0, sizeof(data));
-
-    NUMTESTS++; /* increment NUMTESTS */
-
-    /* Check that the mechanism is Multi-part */
-    if (sigMech->mechanism == CKM_DSA || sigMech->mechanism == CKM_RSA_PKCS) {
-        PKM_Error( "PKM_DualFuncSign must be called with a Multi-part "
-                   "operation mechanism\n");        
-        return CKR_DEVICE_ERROR;
-    }
-
-    /* Sign and Encrypt */
-    if (privateKey == 0 && publicKey == 0) {
-        crv = pFunctionList->C_SignInit(hRwSession, sigMech, secretKey);
-        if (crv != CKR_OK) {
-            PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-    } else {
-        crv = pFunctionList->C_SignInit(hRwSession, sigMech, privateKey);
-        if (crv != CKR_OK) {
-            PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-     }
-    crv = pFunctionList->C_EncryptInit(hRwSession, cryptMech, secretKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    ulEncryptedDataLen = sizeof(encryptedData);
-    crv = pFunctionList->C_SignEncryptUpdate(hRwSession, (CK_BYTE * ) pData,
-                                             pDataLen,
-                                             encryptedData,
-                                             &ulEncryptedDataLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    ulLastUpdateSize = sizeof(encryptedData) - ulEncryptedDataLen;
-    crv = pFunctionList->C_EncryptFinal(hRwSession,
-         (CK_BYTE * )&encryptedData[ulEncryptedDataLen], &ulLastUpdateSize);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_EncryptFinal failed with 0x%08X, %-26s\n", crv,
-                    PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    ulEncryptedDataLen = ulEncryptedDataLen + ulLastUpdateSize; 
-    ulSigLen = sizeof(sig);
-    crv = pFunctionList->C_SignFinal(hRwSession, sig, &ulSigLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_SignFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Decrypt and Verify */
-
-    crv = pFunctionList->C_DecryptInit(hRwSession, cryptMech, secretKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    crv = pFunctionList->C_VerifyInit(hRwSession, sigMech,
-                                      publicKey);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_VerifyInit failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    ulDataLen = sizeof(data);
-    crv = pFunctionList->C_DecryptVerifyUpdate(hRwSession,
-                                               encryptedData,
-                                               ulEncryptedDataLen,
-                                               data, &ulDataLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptVerifyUpdate failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    ulLastUpdateSize = sizeof(data) - ulDataLen;
-    /* Get last little piece of plaintext.  Should have length 0 */
-    crv = pFunctionList->C_DecryptFinal(hRwSession, &data[ulDataLen],
-                                        &ulLastUpdateSize);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    
-    if (ulLastUpdateSize != 0) {
-        crv = pFunctionList->C_VerifyUpdate(hRwSession, &data[ulDataLen],
-                                        ulLastUpdateSize);
-        if (crv != CKR_OK) {
-            PKM_Error( "C_DecryptFinal failed with 0x%08X, %-26s\n", crv, 
-                       PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-    }
-    ulDataLen = ulDataLen + ulLastUpdateSize; 
-
-    /* input for the verify operation is the decrypted data */
-    crv = pFunctionList->C_VerifyFinal(hRwSession, sig, ulSigLen);
-    if (crv == CKR_OK) {
-        PKM_LogIt("C_VerifyFinal succeeded\n");
-    } else {
-        PKM_Error( "C_VerifyFinal failed with 0x%08X, %-26s\n", crv, 
-                   PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    /* Comparison of Decrypted data with inputed data */
-    if ( (ulDataLen == pDataLen) && 
-         (memcmp(data, pData, pDataLen) == 0) ) {
-        PKM_LogIt("PKM_DualFuncSign decrypt test case passed\n");
-    } else {
-        PKM_Error( "PKM_DualFuncSign derypt test case failed\n");
-    }
-
-    return crv;
-
-}
-
-CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList, 
-                 CK_SESSION_HANDLE hSession,
-                 CK_MECHANISM *digestMech, CK_OBJECT_HANDLE hSecretKey,
-                 const CK_BYTE *  pData, CK_ULONG pDataLen) {
-    CK_RV crv = CKR_OK;
-    CK_BYTE digest1[MAX_DIGEST_SZ];
-    CK_ULONG digest1Len = 0 ;
-    CK_BYTE digest2[MAX_DIGEST_SZ];
-    CK_ULONG digest2Len = 0;
-
-    /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
-
-    memset(digest1, 0, sizeof(digest1));
-    memset(digest2, 0, sizeof(digest2));
-    
-    NUMTESTS++; /* increment NUMTESTS */
-
-    crv = pFunctionList->C_DigestInit(hSession, digestMech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_SignInit failed with 0x%08X, %-26s\n", crv, 
-            PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-    digest1Len = sizeof(digest1);
-    crv = pFunctionList->C_Digest(hSession, (CK_BYTE * ) pData, pDataLen, 
-        digest1, &digest1Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_Sign failed with 0x%08X, %-26s\n", crv, 
-            PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-
-    crv = pFunctionList->C_DigestInit(hSession, digestMech);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestInit failed with 0x%08X, %-26s\n", crv, 
-            PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    crv = pFunctionList->C_DigestUpdate(hSession, (CK_BYTE * ) pData, pDataLen);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestUpdate failed with 0x%08X, %-26s\n", crv, 
-            PKM_CK_RVtoStr(crv));
-        return crv;
-    }
- 	
-    /* C_DigestKey continues a multiple-part message-digesting operation by*/
-    /* digesting the value of a secret key. (only used with C_DigestUpdate)*/
-    if (hSecretKey != 0) {
-        crv = pFunctionList->C_DigestKey(hSession, hSecretKey);
-        if (crv != CKR_OK) {
-            PKM_Error( "C_DigestKey failed with 0x%08X, %-26s\n", crv, 
-                PKM_CK_RVtoStr(crv));
-            return crv;
-        }
-    }
-
-    digest2Len = sizeof(digest2);
-    crv = pFunctionList->C_DigestFinal(hSession, digest2, &digest2Len);
-    if (crv != CKR_OK) {
-        PKM_Error( "C_DigestFinal failed with 0x%08X, %-26s\n", crv, 
-            PKM_CK_RVtoStr(crv));
-        return crv;
-    }
-
-    if (hSecretKey == 0){
-        /* did not digest a secret key so digests should equal */ 
-        if  ( (digest1Len == digest2Len) 
-            && (memcmp(digest1, digest2, digest1Len) == 0) ) {
-                PKM_LogIt("Single and Multiple-part message digest "
-                    "operations successful\n");
-            } else {
-                PKM_Error("Single and Multiple-part message digest "
-                    "operations failed\n");
-            }
-    } else {
-        if  (digest1Len == digest2Len) { 
-            PKM_LogIt("PKM_Digest Single and Multiple-part message digest "
-                "operations successful\n");
-        } else {
-            PKM_Error("PKM_Digest Single and Multiple-part message digest "
-                "operations failed\n");
-        }
-
-    }
-
-    return crv;
-
-}
-
-char * PKM_FilePasswd(char *pwFile)
-{
-    unsigned char phrase[200];
-    PRFileDesc *fd;
-    PRInt32 nb;
-    int i;
-
-    if (!pwFile)
-        return 0;
-
-    fd = PR_Open(pwFile, PR_RDONLY, 0);
-    if (!fd) {
-        fprintf(stderr, "No password file \"%s\" exists.\n", pwFile);
-        return NULL;
-    }
-
-    nb = PR_Read(fd, phrase, sizeof(phrase));
- 
-    PR_Close(fd);
-    /* handle the Windows EOL case */
-    i = 0;
-    while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++;
-    phrase[i] = '\0';
-    if (nb == 0) {
-        fprintf(stderr,"password file contains no data\n");
-        return NULL;
-    }
-    return (char*) strdup((char*)phrase);
-}
-
-void PKM_Help() 
-{
-    PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError);
-    PR_fprintf(debug_out, "pk11mode test program usage:\n");
-    PR_fprintf(debug_out, "\t-f <file>   Password File : echo pw > file \n");
-    PR_fprintf(debug_out, "\t-F          Disable Unix fork tests\n");
-    PR_fprintf(debug_out, "\t-n          Non Fips Mode \n");
-    PR_fprintf(debug_out, "\t-d <path>   Database path location\n");
-    PR_fprintf(debug_out, "\t-p <prefix> DataBase prefix\n");
-    PR_fprintf(debug_out, "\t-v          verbose\n");
-    PR_fprintf(debug_out, "\t-h          this help message\n");
-    exit(1);
-}
-
-void PKM_CheckPath(char *string)
-{
-   char *src;
-   char *dest;
-
-   /*
-   * windows support convert any back slashes to
-   * forward slashes.
-   */
-   for (src=string, dest=string; *src; src++,dest++) {
-       if (*src == '\\') {
-           *dest = '/';
-       }
-   }
-   dest--;
-   /* if the last char is a / set it to 0 */
-   if (*dest == '/')
-       *dest = 0;
-
-}
-
-CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
-		    PRBool forkAssert, CK_C_INITIALIZE_ARGS_NSS *initArgs)
-{
-    CK_RV crv = CKR_OK;
-#ifndef NO_FORK_CHECK
-    int rc = -1;
-    NUMTESTS++; /* increment NUMTESTS */
-    if (forkAssert) {
-	putenv("NSS_STRICT_NOFORK=1");
-    } else {
-	putenv("NSS_STRICT_NOFORK=0");
-    }
-    pid_t child = fork();
-    switch (child) {
-    case -1:
-        PKM_Error("Fork failed.\n");
-        crv = CKR_DEVICE_ERROR;
-        break;
-    case 0:
-        if (fList) {
-            if (!initArgs) {
-                /* If softoken is loaded, make a PKCS#11 call to C_GetTokenInfo
-                 * in the child. This call should always fail.
-                 * If softoken is uninitialized,
-                 * it fails with CKR_CRYPTOKI_NOT_INITIALIZED.
-                 * If it was initialized in the parent, the fork check should
-                 * kick in, and make it return CKR_DEVICE_ERROR.
-                 */
-                CK_RV child_crv = fList->C_GetTokenInfo(0, NULL);
-                exit(child_crv & 255);
-            } else {
-                /* If softoken is loaded, make a PKCS#11 call to C_Initialize
-                 * in the child. This call should always fail.
-                 * If softoken is uninitialized, this should succeed.
-                 * If it was initialized in the parent, the fork check should
-                 * kick in, and make it return CKR_DEVICE_ERROR.
-                 */
-                CK_RV child_crv = fList->C_Initialize(initArgs);
-                if (CKR_OK == child_crv) {
-                    child_crv = fList->C_Finalize(NULL);
-                }
-                exit(child_crv & 255);
-            }
-        }
-        exit(expected & 255);
-    default:
-        PKM_LogIt("Fork succeeded.\n");
-        pid_t ret = wait(&rc);
-        if (ret != child || (!WIFEXITED(rc)) ||
-            ( (expected & 255) != (WEXITSTATUS(rc) & 255)) ) {
-            int retStatus = -1;
-            if (WIFEXITED(rc)) {
-                retStatus = WEXITSTATUS(rc);
-            }
-            PKM_Error("Child misbehaved.\n");
-            printf("Child return status : %d.\n", retStatus & 255);
-            crv = CKR_DEVICE_ERROR;
-        }
-        break;
-    }
-#endif
-    return crv;
-}
-
diff --git a/security/nss/cmd/pk11util/Makefile b/security/nss/cmd/pk11util/Makefile
deleted file mode 100644
index fe7991878..000000000
--- a/security/nss/cmd/pk11util/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/pk11util/manifest.mn b/security/nss/cmd/pk11util/manifest.mn
deleted file mode 100644
index ff4504fcc..000000000
--- a/security/nss/cmd/pk11util/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = pk11util.c
-#CSRCS = symkeytest.c 
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd
-
-PROGRAM = pk11util
-#PROGRAM = symkeytest
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pk11util/pk11util.c b/security/nss/cmd/pk11util/pk11util.c
deleted file mode 100644
index fc84a2ab9..000000000
--- a/security/nss/cmd/pk11util/pk11util.c
+++ /dev/null
@@ -1,2192 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(WIN32)
-#undef __STDC__
-#include "fcntl.h"
-#include "io.h"
-#include <fcntl.h>
-#else
-#include <unistd.h>
-#include <sys/fcntl.h>
-#endif
-
-#include "secutil.h"
-
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-#include "prinrval.h"
-#include "prenv.h"
-
-#include "pkcs11.h"
-
-#include "pk11table.h"
-
-#ifndef O_BINARY
-#define O_BINARY 0
-#endif
-
-CK_ULONG systemFlags;
-#define FLAG_NEGATE 0x80000000
-#define FLAG_Verify 0x00000001
-#define FLAG_VerifyFile 0x00000002
-#define CKR_QUIT 0x80000000
-
-int ArgSize(ArgType type);
-const char *constLookup(const char *bp, CK_ULONG *value, ConstType *type);
-
-int
-isNum(char c)
-{
-    return (c >= '0' && c <= '9');
-}
-
-int
-isConst(const char *c)
-{
-    CK_ULONG value;
-    ConstType type;
-
-    constLookup(c, &value, &type);
-    return type != ConstNone;
-}
-
-/*
- * see if the variable is really a 'size' function. This
- * function may modify var if it is a size function.
- */
-char *
-isSize(char *var, int *isArray)
-{
-    char *ptr = NULL;
-    char *end;
-    int array = 0;
-
-    if (PL_strncasecmp(var,"sizeof(",/*)*/ 7) == 0) {
-	ptr = var + 7;
-    } else if (PL_strncasecmp(var,"size(",/*)*/ 5) == 0) {
-	ptr = var + 5;
-    } else if (PL_strncasecmp(var,"sizeofarray(",/*)*/ 12) == 0) {
-	ptr = var + 12;
-	array = 1;
-    } else if (PL_strncasecmp(var,"sizea(",/*)*/ 6) == 0) {
-	ptr = var + 6;
-	array = 1;
-    } else {
-	return NULL;
-    }
-    end = strchr(ptr,/*(*/ ')') ;
-    if (end == NULL) {
-	return NULL;
-    }
-    if (isArray) *isArray = array;
-    *end = 0;
-    return ptr;
-}
- 
-void
-printConst(CK_ULONG value, ConstType type, int newLine)
-{
-    int i;
-
-    for (i=0; i < constCount; i++) {
-	if (consts[i].type == type && consts[i].value == value) {
-	    printf("%s",consts[i].name);
-	    break;
-	}
-	if (type == ConstNone && consts[i].value == value) {
-	    printf("%s",consts[i].name);
-	    break;
-	}
-    }
-    if (i == constCount) {
-	if ((type == ConstAvailableSizes) || (type == ConstCurrentSize)) {
-	    printf("%lu",value);
-	} else {
-	    printf("Unknown %s (%lu:0x%lx)",constTypeString[type],value,value);
-	}
-    }
-    if (newLine) {
-	printf("\n");
-    }
-}
-
-ConstType
-getConstFromAttribute(CK_ATTRIBUTE_TYPE type)
-{
-    int i;
-
-    for (i=0; i < constCount; i++) {
-	if (consts[i].type == ConstAttribute && consts[i].value == type) {
-	    return consts[i].attrType;
-	}
-    }
-    return ConstNone;
-}
-
-void
-printChars(const char *name, CK_ULONG size)
-{
-    CK_ULONG i;
-    for (i=0; i < size; i++) {
-	if (name[i] == 0) {
-		break;
-	}
-	printf("%c",name[i]);
-    }
-    printf("\n");
-}
-
-#define DUMP_LEN 16
-void printDump(const unsigned char *buf, int size)
-{
-    int i,j;
-
-    for(i=0; i < size; i+= DUMP_LEN) {
-	printf(" ");
-	for (j=0; j< DUMP_LEN; j++) {
-	    if (i+j < size) {
-		printf("%02x ",buf[i+j]);
-	    } else {
-		printf("   ");
-	    }
-	} 
-	for (j=0; j< DUMP_LEN; j++) {
-	    if (i+j < size) {
-		if (buf[i+j] < ' ' || buf[i+j] >= 0x7f) {
-		    printf(".");
-		} else {
-		    printf("%c",buf[i+j]);
-		}
-	    } else {
-		printf(" ");
-	    }
-	} 
-	printf("\n");
-    }
-}
-
-/*
- * free an argument structure
- */
-void
-argFreeData(Value *arg)
-{
-    if (arg->data && ((arg->type & ArgStatic) == 0)) {
-	if ((arg->type & ArgMask) == ArgAttribute) {
-	    int i;
-	    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)arg->data;
-
-	    for (i=0; i < arg->arraySize; i++) {
-		free(template[i].pValue);
-	    }
-	}
-	if ((arg->type & ArgMask) == ArgInitializeArgs) {
-	    CK_C_INITIALIZE_ARGS *init = (CK_C_INITIALIZE_ARGS *)arg->data;
-            if (init->LibraryParameters) {
-		free(init->LibraryParameters);
-	    }
-	}
-	free(arg->data);
-    }
-    arg->type &= ~ArgStatic;
-    arg->data = NULL;
-}
-
-void
-argFree(Value *arg)
-{
-    if (arg == NULL) return;
-
-    arg->reference--;
-    if (arg->reference == 0) {
-	if (arg->type & ArgFile) {
-	    free(arg->filename);
-	}
-	argFreeData(arg);
-	free (arg);
-    }
-}
-
-/*
- * free and argument list
- */
-void
-parseFree(Value **ap)
-{
-    int i;
-    for (i=0 ; i < MAX_ARGS; i++) {
-	argFree(ap[i]);
-    }
-}
-
-/*
- * getEnd: how for to the end of this argmument list?
- */
-int
-getEnd(const char *bp)
-{
-    int count = 0;
-
-    while (*bp) {
-        if (*bp == ' ' || *bp == '\t' || *bp == '\n') return count;
-	count++;
-	bp++;
-    }
-    return (count);
-}
-
-
-/*
- * strip: return the first none white space character
- */
-const char *
-strip(const char *bp)
-{
-    while (*bp && (*bp == ' ' || *bp == '\t' || *bp == '\n')) bp++;
-    return bp;
-}
-
-/*
- * read in the next argument into dp ... don't overflow
- */
-const char *
-readChars(const char *bp, char *dp, int max )
-{
-    int count = 1;
-    while (*bp) {
-        if (*bp == ' ' || *bp == '\t' || *bp == '\n' ) {
-	    *dp = 0;
-	    return bp;
-	}
-	*dp++ = *bp++;
-	if (++count == max) break;
-    }
-    while (*bp && (*bp != ' ' && *bp != '\t' && *bp != '\n')) bp++;
-    *dp = 0;
-    return (bp);
-}
-
-Value * varLookup(const char *bp, char *vname, int max, int *error);
-
-CK_ULONG
-getValue(const char *v, int *error)
-{
-    Value * varVal = NULL;
-    CK_ULONG retVal = 0;
-    ConstType type;
-    char tvar[512];
-
-    *error = 0;
-
-    varVal = varLookup( v, tvar, sizeof(tvar), error);
-
-    if (varVal) {
-	if ((varVal->type & ArgMask) == ArgULong) {
-	    retVal = *(CK_ULONG *)varVal->data;
-	} else {
-	    fprintf(stderr,"%s: is not a ulong\n", v);
-	    *error = 1;
-	}
-	argFree(varVal);
-	return retVal;
-    }
-    constLookup(v, &retVal, &type);
-    return retVal;
-}
-
-Value *
-NewValue(ArgType type, CK_ULONG arraySize)
-{
-    Value *value;
-
-    value = (Value *)malloc(sizeof(Value));
-    if (!value) return NULL;
-    value->size = ArgSize(type)*arraySize;
-    value->type = type;
-    value->filename = NULL;
-    value->constType = ConstNone;
-    value->data = (void *)malloc(value->size);
-    if (!value->data) {
-	free(value);
-	return NULL;
-    }
-    value->reference = 1;
-    value->arraySize = (type == ArgChar) ? 1: arraySize;
-
-    memset(value->data, 0, value->size);
-    return value;
-}
-
-#define INVALID_INDEX 0xffffffff
-
-CK_ULONG
-handleArray(char *vname, int *error)
-{
-    char *bracket;
-    CK_ULONG index = INVALID_INDEX;
-
-    if ((bracket = strchr(vname,'[')) != 0) {
-	char *tmpv = bracket+1;
-	*bracket = 0;
-	bracket = strchr(tmpv,']');
-
-	if (bracket == 0) {
-	    fprintf(stderr,"%s: missing closing brace\n", vname);
-	    return INVALID_INDEX;
-	}
-	*bracket = 0;
-
-	index = getValue(tmpv, error);
-	if (*error == 1) {
-	    return INVALID_INDEX;
-	} else if (index == INVALID_INDEX) {
-	    fprintf(stderr, "%s: 0x%lx is an invalid index\n",vname,index);
-	    *error = 1;
-	}
-    }
-    return index;
-}
-
-void *
-makeArrayTarget(const char *vname, const Value *value, CK_ULONG index)
-{
-    char * target;
-    CK_ULONG elementSize;
-
-    if (index >= (CK_ULONG)value->arraySize) {
-	fprintf(stderr, "%s[%lu]: index larger than array size (%d)\n",
-		vname, index, value->arraySize);
-	return NULL;
-    }
-
-    target = (char *)value->data;
-    elementSize = value->size/value->arraySize;
-    target += index * elementSize;
-    return target;
-}
-
-/*
- * look up a variable from the variable chain
- */
-static Variable *varHead = NULL;
-Value *
-varLookup(const char *bp, char *vname, int max, int *error)
-{
-    Variable *current;
-    CK_ULONG index = INVALID_INDEX;
-    int isArray = 0;
-    char *ptr;
-    *error = 0;
-
-    if (bp != NULL) {
-	readChars(bp, vname, max);
-    } 
-
-    /* don't make numbers into variables */
-    if (isNum(vname[0])) {
-	return NULL;
-    }
-    /* nor consts */
-    if (isConst(vname)) {
-	return NULL;
-    }
-    /* handle sizeof() */
-    if ((ptr = isSize(vname, &isArray)) != NULL) {
-	CK_ULONG size;
-	Value  *targetValue = NULL;
-	Value  *sourceValue = varLookup(NULL, ptr, 0, error);
-	if (!sourceValue) {
-	   if (*error == 0) {
-		/* just didn't find it */
-		*error = 1;
-		fprintf(stderr,"Couldn't find variable %s to take size of\n",
-			ptr);
-		return NULL;
-	   }
-	}
-	size = isArray ? sourceValue->arraySize : sourceValue->size;
-	targetValue = NewValue(ArgULong,1);
-	memcpy(targetValue->data, &size, sizeof(size));
-
-	return targetValue;
-    }
-
-    /* modifies vname */
-    index = handleArray(vname, error);
-    if (*error == 1) {
-	return NULL;
-    }
-
-    for (current = varHead; current; current = current->next) {
-	if (PL_strcasecmp(current->vname, vname) == 0) {
-	    char *target;
-	    if (index == INVALID_INDEX) {
-		(current->value->reference)++;
-		return current->value;
-	    }
-	    target = makeArrayTarget(vname, current->value, index);
-	    if (target) {
-		Value *element = NewValue(current->value->type, 1);
-		if (!element) {
-		    fprintf(stderr, "MEMORY ERROR!\n");
-		    *error = 1;
-		}
-		argFreeData(element);
-		element->data = target;
-		element->type |= ArgStatic;
-		return element;
-	    }
-	    *error = 1;
-	    return NULL;
-	}
-    }
-    return NULL;
-}
-
-static CK_RV 
-list(void)
-{
-    Variable *current;
-
-    if (varHead) {
-    	printf(" %10s\t%16s\t%8s\tSize\tElements\n","Name","Type","Const");
-    } else {
-    	printf(" no variables set\n");
-    }
-
-    for (current = varHead; current; current = current->next) {
-    	printf(" %10s\t%16s\t%8s\t%d\t%d\n", current->vname,
-	    valueString[current->value->type&ArgMask],
-	    constTypeString[current->value->constType],
-	    current->value->size, current->value->arraySize);
-    }
-    return CKR_OK;
-}
-
-CK_RV
-printFlags(const char *s, CK_ULONG flags, ConstType type)
-{
-    CK_ULONG i;
-    int needComma = 0;
-
-    printf("%s",s);
-    for (i=1; i ; i=i << 1) {
-	if (flags & i) {
-	   printf("%s",needComma?",":"");
-	   printConst(i, type, 0);
-	   needComma=1;
-	}
-    }
-    if (!needComma) {
-	printf("Empty");
-    }
-    printf("\n");
-    return CKR_OK;
-}
-
-/*
- * add a new variable to the chain
- */
-const char *
-AddVariable(const char *bp, Value **ptr)
-{
-    char vname[512];
-    Variable *current;
-    int index = INVALID_INDEX;
-    int size;
-    int error = 0;
-
-    bp = readChars(bp,vname,sizeof(vname));
-
-    /* don't make numbers into variables */
-    if (isNum(vname[0])) {
-	return bp;
-    }
-    /* or consts */
-    if (isConst(vname)) {
-	return bp;
-    }
-    /* or NULLs */
-    if (vname[0] == 0) {
-	return bp;
-    }
-    /* or sizeof */
-    if (isSize(vname, NULL)) {
-	return bp;
-    }
-    /* arrays values should be written back to the original */
-    index = handleArray(vname, &error);
-    if (error == 1) {
-	return bp;
-    }
-
-
-    for (current = varHead; current; current = current->next) {
-	if (PL_strcasecmp(current->vname,vname) == 0) {
-	    char *target;
-	    /* found a complete object, return the found one */
-	    if (index == INVALID_INDEX) {
-		argFree(*ptr);
-		*ptr = current->value;
-		return bp;
-	    }
-	    /* found an array, update the array element */
-	    target = makeArrayTarget(vname, current->value, index);
-	    if (target) {
-		memcpy(target, (*ptr)->data, (*ptr)->size);
-		argFreeData(*ptr);
-		(*ptr)->data = target;
-		(*ptr)->type |= ArgStatic;
-	    }
-	    return bp;
-	}
-    }
-
-    /* we are looking for an array and didn't find one */
-    if (index != INVALID_INDEX) {
-	return bp;
-    }
-
-
-    current = (Variable *)malloc(sizeof(Variable));
-    size = strlen(vname);
-    current->vname = (char *)malloc(size+1);
-    strcpy(current->vname,vname);
-    current->value = *ptr;
-    (*ptr)->reference++;
-
-    current->next = varHead;
-    varHead = current;
-    return bp;
-}
-
-ArgType
-FindTypeByName(const char *typeName)
-{
-    int i;
-
-    for (i=0; i < valueCount; i++) {
-	if (PL_strcasecmp(typeName,valueString[i]) == 0) {
-	    return (ArgType) i;
-	}
-	if (valueString[i][0] == 'C' && valueString[i][1] == 'K' &&
-	   valueString[i][2] == '_' && 
-			(PL_strcasecmp(typeName,&valueString[i][3]) == 0)) {
-	    return (ArgType) i;
-	}
-    }
-    return ArgNone;
-}
-
-CK_RV 
-ArrayVariable(const char *bp, const char *typeName, CK_ULONG count)
-{
-    ArgType type;
-    Value *value; /* new Value */
-
-    type = FindTypeByName(typeName);
-    if (type == ArgNone) {
-	fprintf(stderr,"Invalid type (%s)\n", typeName);
-	return CKR_FUNCTION_FAILED;
-    }
-    value = NewValue(type, count);
-    (void) AddVariable(bp, &value);
-    return CKR_OK;
-}
-
-#define MAX_TEMPLATE 25
-
-CK_RV 
-ArrayTemplate(const char *bp, char *attributes)
-{
-    char aname[512];
-    CK_ULONG attributeTypes[MAX_TEMPLATE];
-    CK_ATTRIBUTE *template;
-    Value *value; /* new Value */
-    char *ap;
-    int i, count = 0;
-
-    memcpy(aname,attributes,strlen(attributes)+1);
-
-    for (ap = aname, count = 0; ap && *ap && count < MAX_TEMPLATE; count++) {
-	char *cur = ap;
-	ConstType type;
-
-	ap = strchr(ap,',');
-	if (ap) {
-	    *ap++ = 0;
-	}
-
-	(void)constLookup(cur, &attributeTypes[count], &type);
-	if ((type != ConstAttribute) && (type != ConstNone)) {
-	   fprintf(stderr, "Unknown Attribute %s\n", cur);
-	   return CKR_FUNCTION_FAILED;
-	}
-    }
-
-    value = NewValue(ArgAttribute, count);
-
-    template = (CK_ATTRIBUTE *)value->data;
-    for (i=0; i < count ; i++) {
-	template[i].type = attributeTypes[i];
-    }
-    (void) AddVariable(bp, &value);
-    return CKR_OK;
-}
-
-CK_RV
-BuildTemplate(Value *vp)
-{
-    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)vp->data;
-    int i;
-
-    for (i=0; i < vp->arraySize; i++) {
-	if (((signed long)template[i].ulValueLen) > 0) {
-	    if (template[i].pValue) free(template[i].pValue);
-	    template[i].pValue = malloc(template[i].ulValueLen);
-	}
-    }
-    return CKR_OK;
-}
-
-CK_RV
-SetTemplate(Value *vp, CK_ULONG index, CK_ULONG value)
-{
-    CK_ATTRIBUTE *template = (CK_ATTRIBUTE *)vp->data;
-    int isbool = 0;
-    CK_ULONG len;
-    ConstType attrType;
-
-    if (index >= (CK_ULONG) vp->arraySize) {
-	fprintf(stderr,"index (%lu) greater than array (%d)\n", 
-						index, vp->arraySize);
-	return CKR_ARGUMENTS_BAD;
-    }
-    attrType =  getConstFromAttribute(template[index].type);
-
-    if (attrType == ConstNone) {
-	fprintf(stderr,"can't set index (%lu) because ", index);
-	printConst(template[index].type,ConstAttribute, 0);
-	fprintf(stderr, " is not a CK_BBOOL or CK_ULONG\n");
-	return CKR_ARGUMENTS_BAD;
-    }
-    isbool = (attrType == ConstBool);
-    len = isbool ? sizeof (CK_BBOOL) : sizeof(CK_ULONG);
-    if ((template[index].ulValueLen != len) || (template[index].pValue)) {
-	free(template[index].pValue);
-	template[index].pValue = malloc(len);
-	template[index].ulValueLen = len;
-    }
-    if (isbool) {
-	*(CK_BBOOL *)template[index].pValue = (CK_BBOOL) value;
-    } else {
-	*(CK_ULONG *)template[index].pValue = (CK_ULONG) value;
-    }
-    return CKR_OK;
-
-}
-
-CK_RV
-NewMechanism(const char *bp, CK_ULONG mechType)
-{
-    Value *value; /* new Value */
-    CK_MECHANISM *mechanism;
-
-    value = NewValue(ArgMechanism, 1);
-    mechanism = (CK_MECHANISM *)value->data;
-    mechanism->mechanism = mechType;
-    mechanism->pParameter = NULL;
-    mechanism->ulParameterLen = 0;
-    (void) AddVariable(bp, &value);
-    return CKR_OK;
-}
-
-CK_RV
-NewInitializeArgs(const char *bp, CK_ULONG flags, const char *param)
-{
-    Value *value; /* new Value */
-    CK_C_INITIALIZE_ARGS *init;
-
-    value = NewValue(ArgInitializeArgs, 1);
-    init = (CK_C_INITIALIZE_ARGS *)value->data;
-    init->flags = flags;
-    if (strcmp(param, "null") != 0) {
-        init->LibraryParameters = (CK_CHAR_PTR *)strdup(param);
-    }
-    (void) AddVariable(bp, &value);
-    return CKR_OK;
-}
-
-/*
- * add a new variable to the chain
- */
-CK_RV
-DeleteVariable(const char *bp)
-{
-    char vname[512];
-    Variable **current;
-
-    bp = readChars(bp,vname,sizeof(vname));
-
-    for (current = &varHead; *current; current = &(*current)->next) {
-	if (PL_strcasecmp((*current)->vname,vname) == 0) {
-	        argFree((*current)->value);
-		*current = (*current)->next;
-		break;
-	}
-    }
-    return CKR_OK;
-}
-
-/*
- * convert an octal value to integer
- */   
-CK_ULONG
-otoi(const char *o)
-{
-    CK_ULONG value = 0;
-
-    while (*o) {
-	if ((*o >= '0') && (*o <= '7')) {
-	    value = (value << 3) | (unsigned)(*o - '0');
-	} else {
-	    break;
-	}
-    }
-    return value;
-}
-
-/*
- * convert a hex value to integer
- */   
-CK_ULONG
-htoi(const char *x)
-{
-    CK_ULONG value = 0;
-
-    while (*x) {
-	if ((*x >= '0') && (*x <= '9')) {
-	    value = (value << 4) | (unsigned)(*x - '0');
-	} else if ((*x >= 'a') && (*x <= 'f')) {
-	    value = (value << 4) | (unsigned)(*x - 'a');
-	} else if ((*x >= 'A') && (*x <= 'F')) {
-	    value = (value << 4) | (unsigned)(*x - 'A');
-	} else {
-	    break;
-	}
-    }
-    return value;
-}
-
-
-/*
- * look up or decode a constant value
- */
-const char *
-constLookup(const char *bp, CK_ULONG *value, ConstType *type)
-{
-    char vname[512];
-    int i;
-
-    bp = readChars(bp,vname,sizeof(vname));
-
-    for (i=0; i < constCount; i++) {
-	if ((PL_strcasecmp(consts[i].name,vname) == 0) ||
-		PL_strcasecmp(consts[i].name+5,vname) == 0) {
-	    *value = consts[i].value;
-	    *type = consts[i].type;
-	    return bp;
-	}
-    }
-
-    *type = ConstNone;
-    if (vname[0] == '0' && vname[1] == 'X') {
-	*value = htoi(&vname[2]);
-    } else if (vname[0] == '0') {
-	*value = otoi(&vname[1]);
-    } else {
-    	*value = atoi(vname);
-    }
-    return bp;
-}
-
-int
-ArgSize(ArgType type)
-{
-	int size=0;
-	type &= ArgMask;
-
-	switch (type) {
-    	case ArgNone:
-	    size = 0;
-	    break;
-    	case ArgULong:
-	    size = sizeof(CK_ULONG);
-	    break;
-    	case ArgVar:
-	    size = 1; /* get's changed later */
-	    break;
-    	case ArgChar:
-    	case ArgUTF8:
-	    size = 1;
-	    break;
-    	case ArgInfo:
-	    size = sizeof(CK_INFO);
-	    break;
-    	case ArgSlotInfo:
-	    size = sizeof(CK_SLOT_INFO);
-	    break;
-    	case ArgTokenInfo:
-	    size = sizeof(CK_TOKEN_INFO);
-	    break;
-    	case ArgSessionInfo:
-	    size = sizeof(CK_SESSION_INFO);
-	    break;
-    	case ArgAttribute:
-	    size = sizeof(CK_ATTRIBUTE);
-	    break;
-    	case ArgMechanism:
-	    size = sizeof(CK_MECHANISM);
-	    break;
-    	case ArgMechanismInfo:
-	    size = sizeof(CK_MECHANISM_INFO);
-	    break;
-	case ArgInitializeArgs:
-	    size = sizeof(CK_C_INITIALIZE_ARGS);
-	    break;
-	case ArgFunctionList:
-	    size = sizeof(CK_FUNCTION_LIST);
-	    break;
-	default:
-	    break;
-	}
-
-	return (size);
-}
-
-CK_RV
-restore(const char *filename,Value *ptr)
-{
-    int fd,size;
-
-    fd = open(filename,O_RDONLY|O_BINARY);
-    if (fd < 0) {
-	perror(filename);
-	return CKR_FUNCTION_FAILED;
-    }
-
-    size = read(fd,ptr->data,ptr->size);
-    if (systemFlags & FLAG_VerifyFile) {
-	printDump(ptr->data,ptr->size);
-    }
-    if (size < 0) {
-	perror(filename);
-	return CKR_FUNCTION_FAILED;
-    } else if (size != ptr->size) {
-	fprintf(stderr,"%s: only read %d bytes, needed to read %d bytes\n",
-			filename,size,ptr->size);
-	return CKR_FUNCTION_FAILED;
-    }
-    close(fd);
-    return CKR_OK;
-}
-
-CK_RV
-save(const char *filename,Value *ptr)
-{
-    int fd,size;
-
-    fd = open(filename,O_WRONLY|O_BINARY|O_CREAT,0666);
-    if (fd < 0) {
-	perror(filename);
-	return CKR_FUNCTION_FAILED;
-    }
-
-    size = write(fd,ptr->data,ptr->size);
-    if (size < 0) {
-	perror(filename);
-	return CKR_FUNCTION_FAILED;
-    } else if (size != ptr->size) {
-	fprintf(stderr,"%s: only wrote %d bytes, need to write %d bytes\n",
-			filename,size,ptr->size);
-	return CKR_FUNCTION_FAILED;
-    }
-    close(fd);
-    return CKR_OK;
-}
-
-static CK_RV
-increment(Value *ptr, CK_ULONG value)
-{
-    if ((ptr->type & ArgMask) != ArgULong) {
-	return CKR_ARGUMENTS_BAD;
-    }
-    *(CK_ULONG *)ptr->data += value;
-    return CKR_OK;
-}
-
-static CK_RV
-decrement(Value *ptr, CK_ULONG value)
-{
-    if ((ptr->type & ArgMask) != ArgULong) {
-	return CKR_ARGUMENTS_BAD;
-    }
-    *(CK_ULONG *)ptr->data -= value;
-    return CKR_OK;
-}
-
-CK_RV
-printArg(Value *ptr,int arg_number)
-{
-    ArgType type = ptr->type & ArgMask;
-    CK_INFO *info;
-    CK_SLOT_INFO    *slotInfo;
-    CK_TOKEN_INFO   *tokenInfo;
-    CK_SESSION_INFO *sessionInfo;
-    CK_ATTRIBUTE    *attribute;
-    CK_MECHANISM    *mechanism;
-    CK_MECHANISM_INFO    *mechanismInfo;
-    CK_C_INITIALIZE_ARGS *initArgs;
-    CK_FUNCTION_LIST *functionList;
-    CK_RV ckrv = CKR_OK;
-    ConstType constType;
-
-    if (arg_number) {
-	printf("Arg %d: \n",arg_number);
-    }
-    if (ptr->arraySize > 1) {
-	Value element;
-	int i;
-	int elementSize = ptr->size/ptr->arraySize;
-	char *dp = (char *)ptr->data;
-
-	/* build a temporary Value to hold a single element */
-	element.type = type;
-	element.constType = ptr->constType;
-	element.size = elementSize;
-	element.filename = ptr->filename;
-	element.reference = 1;
-	element.arraySize = 1;
-	for (i=0; i < ptr->arraySize; i++) {
-	    printf(" -----[ %d ] -----\n", i);
-	    element.data = (void *) &dp[i*elementSize];
-	    (void) printArg(&element, 0);
-	}
-	return ckrv;
-    }
-    if (ptr->data == NULL) {
-	printf(" NULL ptr to a %s\n", valueString[type]);
-	return ckrv;
-    }
-    switch (type) {
-    case ArgNone:
-	printf(" None\n");
-	break;
-    case ArgULong:
-	printf(" %lu (0x%lx)\n", *((CK_ULONG *)ptr->data),
-			*((CK_ULONG *)ptr->data));
-	if (ptr->constType != ConstNone) {
-	    printf(" ");
-	    printConst(*(CK_ULONG *)ptr->data,ptr->constType,1);
-	}
-	break;
-    case ArgVar:
-	printf(" %s\n",(char *)ptr->data);
-	break;
-    case ArgUTF8:
-	printf(" %s\n",(char *)ptr->data);
-	break;
-    case ArgChar:
-	printDump(ptr->data,ptr->size);
-	break;
-    case ArgInfo:
-#define VERSION(x) (x).major, (x).minor
-	info = (CK_INFO *)ptr->data;
-	printf(" Cryptoki Version: %d.%02d\n",
-		VERSION(info->cryptokiVersion));
-	printf(" Manufacturer ID: ");
-	printChars((char *)info->manufacturerID,
-        sizeof(info->manufacturerID));
-	printFlags(" Flags: ", info->flags, ConstInfoFlags);
-	printf(" Library Description: ");
-	printChars((char *)info->libraryDescription,
-        sizeof(info->libraryDescription));
-	printf(" Library Version: %d.%02d\n",
-		VERSION(info->libraryVersion));
-	break;
-    case ArgSlotInfo:
-	slotInfo = (CK_SLOT_INFO *)ptr->data;
-	printf(" Slot Description: ");
-	printChars((char *)slotInfo->slotDescription,
-        sizeof(slotInfo->slotDescription));
-	printf(" Manufacturer ID: ");
-	printChars((char *)slotInfo->manufacturerID,
-        sizeof(slotInfo->manufacturerID));
-	printFlags(" Flags: ", slotInfo->flags, ConstSlotFlags);
-	printf(" Hardware Version: %d.%02d\n",
-		VERSION(slotInfo->hardwareVersion));
-	printf(" Firmware Version: %d.%02d\n",
-		VERSION(slotInfo->firmwareVersion));
-	break;
-    case ArgTokenInfo:
-	tokenInfo = (CK_TOKEN_INFO *)ptr->data;
-	printf(" Label: ");
-	printChars((char *) tokenInfo->label,sizeof(tokenInfo->label));
-	printf(" Manufacturer ID: ");
-	printChars((char *)tokenInfo->manufacturerID,
-        sizeof(tokenInfo->manufacturerID));
-	printf(" Model: ");
-	printChars((char *)tokenInfo->model,sizeof(tokenInfo->model));
-	printf(" Serial Number: ");
-	printChars((char *)tokenInfo->serialNumber,
-        sizeof(tokenInfo->serialNumber));
-	printFlags(" Flags: ", tokenInfo->flags, ConstTokenFlags);
-	printf(" Max Session Count: ");
-	printConst(tokenInfo->ulMaxSessionCount, ConstAvailableSizes, 1);
-	printf(" Session Count: ");
-	printConst(tokenInfo->ulSessionCount, ConstCurrentSize, 1);
-	printf(" RW Session Count: ");
-	printConst(tokenInfo->ulMaxRwSessionCount, ConstAvailableSizes, 1);
-	printf(" Max Pin Length : ");
-	printConst(tokenInfo->ulMaxPinLen, ConstCurrentSize, 1);
-	printf(" Min Pin Length : ");
-	printConst(tokenInfo->ulMinPinLen, ConstCurrentSize, 1);
-	printf(" Total Public Memory: ");
-	printConst(tokenInfo->ulTotalPublicMemory, ConstAvailableSizes, 1);
-	printf(" Free Public Memory: ");
-	printConst(tokenInfo->ulFreePublicMemory, ConstCurrentSize, 1);
-	printf(" Total Private Memory: ");
-	printConst(tokenInfo->ulTotalPrivateMemory, ConstAvailableSizes, 1);
-	printf(" Free Private Memory: ");
-	printConst(tokenInfo->ulFreePrivateMemory, ConstCurrentSize, 1);
-	printf(" Hardware Version: %d.%02d\n",
-		VERSION(tokenInfo->hardwareVersion));
-	printf(" Firmware Version: %d.%02d\n",
-		VERSION(tokenInfo->firmwareVersion));
-	printf(" UTC Time: ");
-	printChars((char *)tokenInfo->utcTime,sizeof(tokenInfo->utcTime));
-	break;
-    case ArgSessionInfo:
-	sessionInfo = (CK_SESSION_INFO *)ptr->data;
-	printf(" SlotID: 0x%08lx\n", sessionInfo->slotID);
-	printf(" State: ");
-	printConst(sessionInfo->state, ConstSessionState, 1);
-	printFlags(" Flags: ", sessionInfo->flags, ConstSessionFlags);
-	printf(" Device error: %lu 0x%08lx\n",sessionInfo->ulDeviceError,
-			sessionInfo->ulDeviceError);
-	break;
-    case ArgAttribute:
-	attribute = (CK_ATTRIBUTE *)ptr->data;
-	printf(" Attribute Type: ");
-	printConst(attribute->type, ConstAttribute, 1);
-	printf(" Attribute Data: ");
-	if (attribute->pValue == NULL) {
-	    printf("NULL\n");
-	    printf("Attribute Len: %lu\n",attribute->ulValueLen);
-	} else {
-	    constType = getConstFromAttribute(attribute->type);
-	    if (constType != ConstNone) {
-		CK_ULONG value = (constType == ConstBool) ?
-		    *(CK_BBOOL *)attribute->pValue :
-		    *(CK_ULONG *)attribute->pValue;
-		printConst(value, constType, 1);
-	    } else {
-		printf("\n");
-		printDump(attribute->pValue, attribute->ulValueLen);
-	    }
-	}
-	break;
-    case ArgMechanism:
-	mechanism = (CK_MECHANISM *)ptr->data;
-	printf(" Mechanism Type: ");
-	printConst(mechanism->mechanism, ConstMechanism, 1);
-	printf(" Mechanism Data:\n");
-	printDump(mechanism->pParameter, mechanism->ulParameterLen);
-	break;
-    case ArgMechanismInfo:
-	mechanismInfo = (CK_MECHANISM_INFO *)ptr->data;
-	printf(" Minimum Key Size: %ld\n",mechanismInfo->ulMinKeySize);
-	printf(" Maximum Key Size: %ld\n",mechanismInfo->ulMaxKeySize);
-	printFlags(" Flags: ", mechanismInfo->flags, ConstMechanismFlags);
-	break;
-    case ArgInitializeArgs:
-	initArgs = (CK_C_INITIALIZE_ARGS *)ptr->data;
-	printFlags(" Flags: ", initArgs->flags, ConstInitializeFlags);
-        if (initArgs->LibraryParameters) {
-	    printf("Params: %s\n",(char *)initArgs->LibraryParameters);
-	}
-    case ArgFunctionList:
-	functionList = (CK_FUNCTION_LIST *)ptr->data;
-	printf(" Version: %d.%02d\n", VERSION(functionList->version));
-#ifdef notdef
-#undef CK_NEED_ARG_LIST
-#define CK_PKCS11_FUNCTION_INFO(func) \
-	printf(" %s: 0x%08lx\n", #func, (unsigned long) functionList->func );
-#include "pkcs11f.h"
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-#endif
-    default:
-	ckrv = CKR_ARGUMENTS_BAD;
-	break;
-    }
-
-    return ckrv;
-}
-
-
-/*
- * Feeling ambitious? turn this whole thing into lexx yacc parser
- * with full expressions.
- */
-Value **
-parseArgs(int index, const char * bp)
-{
-    const Commands *cp = &commands[index];
-    int size = strlen(cp->fname);
-    int i;
-    CK_ULONG value;
-    char vname[512];
-    Value **argList,*possible;
-    ConstType constType;
-
-    /*
-     * skip pass the command
-     */
-    if ((cp->fname[0] == 'C') && (cp->fname[1] == '_') && (bp[1] != '_')) {
-	size -= 2;
-    }
-    bp += size;
-
-    /*
-     * Initialize our argument list
-     */
-    argList = (Value **)malloc(sizeof(Value*)*MAX_ARGS);
-    for (i=0; i < MAX_ARGS; i++) { argList[i] = NULL; }
-
-    /*
-     * Walk the argument list parsing it...
-     */
-    for (i=0 ;i < MAX_ARGS; i++) {
-	ArgType type = cp->args[i] & ArgMask;
-	int error;
-
-        /* strip blanks */
-        bp = strip(bp);
-
-	/* if we hit ArgNone, we've nabbed all the arguments we need */
-	if (type == ArgNone) {
-	    break;
-	}
-
-	/* if we run out of space in the line, we weren't given enough
-	 * arguments... */
-	if (*bp == '\0') {
-	    /* we're into optional arguments, ok to quit now */
-	    if (cp->args[i] & ArgOpt) {
-		break;
-	    }
-	    fprintf(stderr,"%s: only %d args found,\n",cp->fname,i);
-	    parseFree(argList);
-	    return NULL;
-	}
-
-	/* collect all the rest of the command line and send
-	 * it as a single argument */
-	if (cp->args[i] & ArgFull) {
-	    int size = strlen(bp)+1;
-	    argList[i] = NewValue(type, size);
-	    memcpy(argList[i]->data, bp, size);
-	    break;
-	}
-
-	/*
-	 * look up the argument in our variable list first... only 
-	 * exception is the new argument type for set...
-	 */
-	error = 0;
-	if ((cp->args[i] != (ArgVar|ArgNew)) && 
-			(possible = varLookup(bp,vname,sizeof(vname),&error))) {
-	   /* ints are only compatible with other ints... all other types
-	    * are interchangeable... */
-	   if (type != ArgVar) { /* ArgVar's match anyone */
-		if ((type == ArgULong) ^ 
-				((possible->type & ArgMask) == ArgULong)) {
-		    fprintf(stderr,"%s: Arg %d incompatible type with <%s>\n",
-				cp->fname,i+1,vname);
-		    argFree(possible);
-		    parseFree(argList);
-		    return NULL;
-		}
-		/*
-		 * ... that is as long as they are big enough...
-		 */
-		if (ArgSize(type) > possible->size) {
-		    fprintf(stderr,
-	        "%s: Arg %d %s is too small (%d bytes needs to be %d bytes)\n",
-	    		cp->fname,i+1,vname,possible->size,ArgSize(type));
-		    argFree(possible);
-		    parseFree(argList);
-		    return NULL;
-		}
-	   }
-	
-	   /* everything looks kosher here, use it */	
-	   argList[i] = possible;
-
-	   bp = readChars(bp,vname,sizeof(vname));
-	   if (cp->args[i] & ArgOut) {
-		possible->type |= ArgOut;
-	   }
-	   continue;
-	}
-
-	if (error == 1) {
-	    parseFree(argList);
-	    return NULL;
-	}
-
-	/* create space for our argument */
-	argList[i] = NewValue(type, 1);
-
-        if ((PL_strncasecmp(bp, "null", 4) == 0)  && ((bp[4] == 0) 
-		|| (bp[4] == ' ') || (bp[4] =='\t') || (bp[4] =='\n'))) {
-	    if (cp->args[i] == ArgULong) {
-		fprintf(stderr, "%s: Arg %d CK_ULONG can't be NULL\n",
-	    							cp->fname,i+1);
-		parseFree(argList);
-		return NULL;
-	    }
-	    argFreeData(argList[i]);
-	    argList[i]->data = NULL;
-	    argList[i]->size = 0;
-	    bp += 4;
-	    if (*bp) bp++;
-	    continue;
-        }
-
-	/* if we're an output variable, we need to add it */
-	if (cp->args[i] & ArgOut) {
-            if (PL_strncasecmp(bp,"file(",5) == 0 /* ) */ ) {
-	        char filename[512];
-		bp = readChars(bp+5,filename,sizeof(filename));
-		size = PL_strlen(filename);
-	    	if ((size > 0) && (/* ( */filename[size-1] == ')')) {
-		    filename[size-1] = 0; 
-		}
-		filename[size] = 0; 
-		argList[i]->filename = (char *)malloc(size+1);
-
-		PL_strcpy(argList[i]->filename,filename);
-
-	    	argList[i]->type |= ArgOut|ArgFile;
-		break;
-	    }
-	    bp = AddVariable(bp,&argList[i]);
-	    argList[i]->type |= ArgOut;
-	    continue;
-	} 
-
-        if (PL_strncasecmp(bp, "file(", 5) == 0 /* ) */ ) {
-	    char filename[512];
-
-	    bp = readChars(bp+5,filename,sizeof(filename));
-	    size = PL_strlen(filename);
-	    if ((size > 0) && ( /* ( */ filename[size-1] == ')')) {
-		filename[size-1] = 0; 
-	    }
-
-	    if (restore(filename,argList[i]) != CKR_OK) {
-		parseFree(argList);
-		return NULL;
-	    }
-	    continue;
-	}
-
-	switch (type) {
-    	case ArgULong:
-	     bp = constLookup(bp, &value, &constType);
-	     *(int *)argList[i]->data = value;
-	     argList[i]->constType = constType;
-	     break;
-    	case ArgVar:
-	     argFreeData(argList[i]);
-	     size = getEnd(bp)+1;
-	     argList[i]->data = (void *)malloc(size);
-	     argList[i]->size = size;
-	     /* fall through */
-    	case ArgInfo:
-    	case ArgSlotInfo:
-    	case ArgTokenInfo:
-    	case ArgSessionInfo:
-    	case ArgAttribute:
-    	case ArgMechanism:
-    	case ArgMechanismInfo:
-    	case ArgInitializeArgs:
-	case ArgUTF8:
-	case ArgChar:
-	     bp = readChars(bp,(char *)argList[i]->data,argList[i]->size);
-    	case ArgNone:
-	default:
-	     break;
-	}
-    }
-
-    return argList;
-}
-
-/* lookup the command in the array */
-int
-lookup(const char *buf)
-{
-    int size,i;
-    int buflen;
-
-    buflen = PL_strlen(buf);
-
-    for ( i = 0; i < commandCount; i++) {
-	size = PL_strlen(commands[i].fname);
-
-	if (size <= buflen) {
-	    if (PL_strncasecmp(buf,commands[i].fname,size) == 0) {
-		return i;
-	    }
-	}
-	if (size-2 <= buflen) {
-	    if (commands[i].fname[0] == 'C' && commands[i].fname[1] == '_' &&
-		(PL_strncasecmp(buf,&commands[i].fname[2],size-2) == 0)) {
-		return i;
-	    }
-	}
-    }
-    fprintf(stderr,"Can't find command %s\n",buf);
-    return -1;
-}
-
-void
-putOutput(Value **ptr)
-{
-    int i;
-
-    for (i=0; i < MAX_ARGS; i++) {
-	ArgType type;
-
-	if (ptr[i] == NULL) break;
-
-	type  = ptr[i]->type;
-
-	ptr[i]->type &= ~ArgOut;
-	if (type == ArgNone) {
-	    break;
-	}
-	if (type & ArgOut) {
-	    (void) printArg(ptr[i],i+1);
-	}
-	if (type & ArgFile) {
-	    save(ptr[i]->filename,ptr[i]);
-	    free(ptr[i]->filename);
-	    ptr[i]->filename= NULL; /* paranoia */
-	}
-    }
-}
-	   
-CK_RV
-unloadModule(Module *module)
-{
-    char *disableUnload = NULL;
-
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
-
-    if (module->library && !disableUnload) {
-	PR_UnloadLibrary(module->library);
-    }
-
-    module->library = NULL;
-    module->functionList = NULL;
-
-    return CKR_OK;
-}
-
-CK_RV
-loadModule(Module *module, char *library)
-{
-   PRLibrary *newLibrary;
-   CK_C_GetFunctionList getFunctionList;
-   CK_FUNCTION_LIST *functionList;
-   CK_RV ckrv;
-
-   newLibrary = PR_LoadLibrary(library);
-   if (!newLibrary) {
-	fprintf(stderr,"Couldn't load library %s\n",library);
-	return CKR_FUNCTION_FAILED;
-   }
-   getFunctionList = (CK_C_GetFunctionList) 
-			PR_FindSymbol(newLibrary,"C_GetFunctionList");
-   if (!getFunctionList) {
-	fprintf(stderr,"Couldn't find \"C_GetFunctionList\" in %s\n",library);
-	return CKR_FUNCTION_FAILED;
-   }
-
-   ckrv = (*getFunctionList)(&functionList);
-   if (ckrv != CKR_OK) {
-	return ckrv;
-   }
-   
-   if (module->library) {
-	PR_UnloadLibrary(module->library);
-   }
-
-   module->library = newLibrary;
-   module->functionList = functionList;
-
-   return CKR_OK;
-}
-
-static void
-printHelp(int index, int full)
-{
-    int j;
-    printf(" %s", commands[index].fname);
-    for (j=0; j < MAX_ARGS; j++) {
-	ArgType type = commands[index].args[j] & ArgMask;
-	if (type == ArgNone) {
-	    break;
-	}
-	printf(" %s", valueString[type]);
-    }
-    printf("\n");
-    printf(" %s\n",commands[index].helpString);
-}
-
-/* add Topical help here ! */
-static CK_RV
-printTopicHelp(char *topic)
-{
-    int size,i;
-    int topicLen;
-
-    topicLen = PL_strlen(topic);
-
-    for ( i = 0; i < topicCount; i++) {
-	size = PL_strlen(topics[i].name);
-
-	if (size <= topicLen) {
-	    if (PL_strncasecmp(topic,topics[i].name,size) == 0) {
-		break;
-	    }
-	}
-    }
-
-    if (i == topicCount) {
-	fprintf(stderr,"Can't find topic '%s'\n", topic);
-	return CKR_DATA_INVALID;
-    }
-
-    printf(" %s", topic);
-    printf("\n");
-    printf(" %s\n",topics[i].helpString);
-    return CKR_OK;
-}
-
-static CK_RV
-printGeneralHelp(void)
-{
-    int i;
-    printf(" To get help on commands, select from the list below:");
-    for ( i = 0; i < commandCount; i++) {
-       if (i % 5 == 0) printf("\n");
-       printf("%s,", commands[i].fname);
-    }
-    printf("\n");
-    /* print help topics */
-    printf(" To get help on a topic, select from the list below:");
-    for ( i = 0; i < topicCount; i++) {
-       if (i % 5 == 0) printf("\n");
-       printf("%s,", topics[i].name);
-    }
-    printf("\n");
-   return CKR_OK;
-}
-
-static CK_RV
-quitIf(CK_ULONG a, const char *cmp, CK_ULONG b)
-{
-    if (strcmp(cmp, "<") == 0) {
- 	return (a < b) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, ">") == 0) {
- 	return (a > b) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, "<=") == 0) {
- 	return (a <= b) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, ">=") == 0) {
- 	return (a >= b) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, "=") == 0) {
- 	return (a == b) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, "!=") == 0) {
- 	return (a != b) ? CKR_QUIT : CKR_OK;
-    }
-    printf("Unkown integer comparator: '%s'\n", cmp);
-    return CKR_ARGUMENTS_BAD;
-}
-
-static CK_RV
-quitIfString(const char *a, const char *cmp, const char *b)
-{
-
-    if (strcmp(cmp, "=") == 0) {
- 	return (strcmp(a,b) == 0) ? CKR_QUIT : CKR_OK;
-    } else if (strcmp(cmp, "!=") == 0) {
- 	return (strcmp(a,b) != 0) ? CKR_QUIT : CKR_OK;
-    }
-    printf("Unkown string comparator: '%s'\n", cmp);
-    return CKR_ARGUMENTS_BAD;
-}
-
-CK_RV run(const char *); 
-CK_RV timeCommand(const char *); 
-CK_RV loop(const char *filename, const char *var, 
-            CK_ULONG start, CK_ULONG end, CK_ULONG step) ;
-
-/*
- * Actually dispatch the function... Bad things happen
- * if these don't match the commands array.
- */
-CK_RV
-do_func(int index, Value **a)
-{
-    int value, helpIndex;
-    static Module module = { NULL, NULL} ;
-    CK_FUNCTION_LIST *func = module.functionList;
-
-    switch (commands[index].fType) {
-    case F_C_Initialize:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Initialize((void *)a[0]->data);
-    case F_C_Finalize:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Finalize((void *)a[0]->data);
-    case F_C_GetInfo:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetInfo((CK_INFO *)a[0]->data);
-    case F_C_GetFunctionList:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetFunctionList((CK_FUNCTION_LIST **)a[0]->data);
-    case F_C_GetSlotList:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetSlotList((CK_BBOOL)*(CK_ULONG *)a[0]->data,
-					(CK_SLOT_ID *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_GetSlotInfo:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetSlotInfo(*(CK_ULONG *)a[0]->data,
-					(CK_SLOT_INFO *)a[1]->data);
-    case F_C_GetTokenInfo:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetTokenInfo(*(CK_ULONG *)a[0]->data,
-					(CK_TOKEN_INFO *)a[1]->data);
-    case F_C_GetMechanismList:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	if (a[1]->data) {
-	    a[1]->constType = ConstMechanism;
-	}
-	return func->C_GetMechanismList(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM_TYPE*)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_GetMechanismInfo:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetMechanismInfo(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(CK_MECHANISM_INFO *)a[2]->data);
-    case F_C_InitToken:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_InitToken(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data);
-    case F_C_InitPIN:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_InitPIN(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_SetPIN:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SetPIN(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					*(CK_ULONG *)a[4]->data);
-    case F_C_OpenSession:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_OpenSession(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(void *)NULL,
-					(CK_NOTIFY) NULL,
-					(CK_ULONG *)a[2]->data);
-    case F_C_CloseSession:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_CloseSession(*(CK_ULONG *)a[0]->data);
-    case F_C_CloseAllSessions:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_CloseAllSessions(*(CK_ULONG *)a[0]->data);
-    case F_C_GetSessionInfo:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetSessionInfo(*(CK_ULONG *)a[0]->data,
-					(CK_SESSION_INFO *)a[1]->data);
-    case F_C_GetOperationState:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetOperationState(*(CK_ULONG *)a[0]->data,
-					(CK_BYTE *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_SetOperationState:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SetOperationState(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					*(CK_ULONG *)a[3]->data,
-					*(CK_ULONG *)a[4]->data);
-    case F_C_Login:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Login(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(CK_CHAR *)a[2]->data,
-					*(CK_ULONG *)a[3]->data);
-    case F_C_Logout:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Logout(*(CK_ULONG *)a[0]->data);
-    case F_C_CreateObject:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_CreateObject(*(CK_ULONG *)a[0]->data,
-					(CK_ATTRIBUTE *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_ULONG *)a[3]->data);
-    case F_C_CopyObject:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_CopyObject(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[0]->data,
-					(CK_ATTRIBUTE *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_ULONG *)a[3]->data);
-    case F_C_DestroyObject:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DestroyObject(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data);
-    case F_C_GetObjectSize:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetObjectSize(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_GetAttributeValue:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetAttributeValue(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(CK_ATTRIBUTE *)a[2]->data,
-					*(CK_ULONG *)a[3]->data);
-    case F_C_SetAttributeValue:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SetAttributeValue(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data,
-					(CK_ATTRIBUTE *)a[2]->data,
-					*(CK_ULONG *)a[3]->data);
-    case F_C_FindObjectsInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_FindObjectsInit(*(CK_ULONG *)a[0]->data,
-					(CK_ATTRIBUTE *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_FindObjects:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_FindObjects(*(CK_ULONG *)a[0]->data,
-					(CK_ULONG *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_ULONG *)a[3]->data);
-    case F_C_FindObjectsFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_FindObjectsFinal(*(CK_ULONG *)a[0]->data);
-    case F_C_EncryptInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_EncryptInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_Encrypt:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Encrypt(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_EncryptUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_EncryptUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_EncryptFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_EncryptFinal(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_DecryptInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DecryptInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_Decrypt:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Decrypt(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DecryptUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DecryptUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DecryptFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DecryptFinal(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_DigestInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DigestInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data);
-    case F_C_Digest:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Digest(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DigestUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DigestUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_DigestKey:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DigestKey(*(CK_ULONG *)a[0]->data,
-					*(CK_ULONG *)a[1]->data);
-    case F_C_DigestFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DigestFinal(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-    case F_C_SignInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_Sign:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Sign(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_SignUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_SignFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignFinal(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					(CK_ULONG *)a[2]->data);
-
-    case F_C_SignRecoverInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignRecoverInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_SignRecover:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignRecover(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_VerifyInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_VerifyInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_Verify:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_Verify(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					*(CK_ULONG *)a[4]->data);
-    case F_C_VerifyUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_VerifyUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_VerifyFinal:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_VerifyFinal(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-
-    case F_C_VerifyRecoverInit:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_VerifyRecoverInit(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_VerifyRecover:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_VerifyRecover(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DigestEncryptUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DigestEncryptUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DecryptDigestUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DecryptDigestUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_SignEncryptUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SignEncryptUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_DecryptVerifyUpdate:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DecryptVerifyUpdate(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_GenerateKey:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GenerateKey(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					(CK_ATTRIBUTE *)a[2]->data,
-					*(CK_ULONG *)a[3]->data,
-					(CK_ULONG *)a[4]->data);
-    case F_C_GenerateKeyPair:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GenerateKeyPair(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					(CK_ATTRIBUTE *)a[2]->data,
-					*(CK_ULONG *)a[3]->data,
-					(CK_ATTRIBUTE *)a[4]->data,
-					*(CK_ULONG *)a[5]->data,
-					(CK_ULONG *)a[6]->data,
-					(CK_ULONG *)a[7]->data);
-    case F_C_WrapKey:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_WrapKey(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					*(CK_ULONG *)a[3]->data,
-					(CK_CHAR *)a[5]->data,
-					(CK_ULONG *)a[6]->data);
-    case F_C_UnwrapKey:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_UnwrapKey(*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_CHAR *)a[3]->data,
-					*(CK_ULONG *)a[4]->data,
-					(CK_ATTRIBUTE *)a[5]->data,
-					*(CK_ULONG *)a[6]->data,
-					(CK_ULONG *)a[7]->data);
-    case F_C_DeriveKey:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_DeriveKey (*(CK_ULONG *)a[0]->data,
-					(CK_MECHANISM *)a[1]->data,
-					*(CK_ULONG *)a[2]->data,
-					(CK_ATTRIBUTE *)a[3]->data,
-					*(CK_ULONG *)a[4]->data,
-					(CK_ULONG *)a[5]->data);
-    case F_C_SeedRandom:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_SeedRandom(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_GenerateRandom:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GenerateRandom(*(CK_ULONG *)a[0]->data,
-					(CK_CHAR *)a[1]->data,
-					*(CK_ULONG *)a[2]->data);
-    case F_C_GetFunctionStatus:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_GetFunctionStatus(*(CK_ULONG *)a[0]->data);
-    case F_C_CancelFunction:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_CancelFunction(*(CK_ULONG *)a[0]->data);
-    case F_C_WaitForSlotEvent:
-	if (!func) return CKR_CRYPTOKI_NOT_INITIALIZED;
-	return func->C_WaitForSlotEvent(*(CK_ULONG *)a[0]->data,
-					(CK_ULONG *)a[1]->data,
-					(void *)a[2]->data);
-    /* set a variable */
-    case F_SetVar:	
-    case F_SetStringVar:	
-	(void) DeleteVariable(a[0]->data);
-	(void) AddVariable(a[0]->data,&a[1]);
-	return CKR_OK;
-    /* print a value */
-    case F_Print:
-	return printArg(a[0],0);
-    case F_SaveVar:
-	return save(a[0]->data,a[1]);
-    case F_RestoreVar:
-	return restore(a[0]->data,a[1]);
-    case F_Delete:
-	return DeleteVariable(a[0]->data);
-    case F_Increment:
-	return increment(a[0], *(CK_ULONG *)a[1]->data);
-    case F_Decrement:
-	return decrement(a[0], *(CK_ULONG *)a[1]->data);
-    case F_List:
-	return list();
-    case F_Run:
-	return run(a[0]->data);
-    case F_Time:
-	return timeCommand(a[0]->data);
-    case F_Load:
-	return loadModule(&module,a[0]->data);
-    case F_Unload:
-	return unloadModule(&module);
-    case F_NewArray:
-	(void) DeleteVariable(a[0]->data);
-	return ArrayVariable(a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data);
-    case F_NewTemplate:
-	(void) DeleteVariable(a[0]->data);
-	return ArrayTemplate(a[0]->data,a[1]->data);
-    case F_BuildTemplate:
-	return BuildTemplate(a[0]);
-    case F_SetTemplate:
-	return SetTemplate(a[0],
-		*(CK_ULONG *)a[1]->data,
-		*(CK_ULONG *)a[2]->data);
-    case F_NewMechanism:
-	(void) DeleteVariable(a[0]->data);
-	return NewMechanism(a[0]->data,*(CK_ULONG *)a[1]->data);
-    case F_NewInitializeArgs:
-	(void) DeleteVariable(a[0]->data);
-	return NewInitializeArgs(a[0]->data,*(CK_ULONG *)a[1]->data,a[2]->data);
-    case F_System:
-        value = *(int *)a[0]->data;
-	if (value & 0x80000000) {
-	    systemFlags &= ~value;
-	} else {
-	    systemFlags |= value;
-	}
-	return CKR_OK;
-    case F_Loop:
-	return loop(a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data,
-		*(CK_ULONG *)a[3]->data,*(CK_ULONG *)a[4]->data);
-    case F_Help:
-	if (a[0]) {
-	    helpIndex = lookup(a[0]->data);
-	    if (helpIndex < 0) {
-		return printTopicHelp(a[0]->data);
-	    }
-	    printHelp(helpIndex, 1);
-	    return CKR_OK;
-	}
-	return printGeneralHelp();
-    case F_QuitIfString:
-	return quitIfString(a[0]->data,a[1]->data,a[2]->data);
-    case F_QuitIf:
-	return quitIf(*(CK_ULONG *)a[0]->data,a[1]->data,*(CK_ULONG *)a[2]->data);
-    case F_Quit:
-	return CKR_QUIT;
-    default:
-	fprintf(stderr,
-		"Function %s not yet supported\n",commands[index].fname );
-	return CKR_OK;
-    }
-    /* Not Reached */
-    return CKR_OK;
-}
-
-CK_RV
-processCommand(const char * buf)
-{
-    CK_RV error = CKR_OK;
-    int index;
-    const char *bp;
-    Value **arglist;
-
-    bp = strip(buf);
-    /* allow comments and blank lines in scripts */
-    if ((*bp == '#') || (*bp == 0) || (*bp == '\n')){
-	return CKR_OK;
-    }
-
-    index = lookup(bp);
-
-    if (index < 0) {
-	return CKR_OK;
-    }
-
-    arglist = parseArgs(index,bp);
-    if (arglist == NULL) {
-	return CKR_OK;
-    }
-
-    error = do_func(index,arglist);
-    if (error == CKR_OK) {
-	putOutput(arglist);
-    } else if (error != CKR_QUIT) {
-	printf(">> Error : ");
-	printConst(error, ConstResult, 1);
-    }
-
-    parseFree(arglist);
-    return error;
-}
-
-CK_RV
-timeCommand(const char *command) 
-{
-    CK_RV ckrv;
-    PRIntervalTime startTime = PR_IntervalNow();
-    PRIntervalTime endTime;
-    PRIntervalTime elapsedTime;
-
-    ckrv = processCommand(command);
-
-    endTime = PR_IntervalNow();
-    elapsedTime = endTime - startTime;
-    printf("Time -- %d msec \n", 
-	PR_IntervalToMilliseconds(elapsedTime));
-    
-    return ckrv;
-}
-
-
-
-CK_RV
-process(FILE *inFile,int user)
-{
-    char buf[2048];
-    CK_RV error;
-    CK_RV ckrv = CKR_OK;
-
-    if (user) { printf("pkcs11> "); fflush(stdout); }
-
-    while (fgets(buf,2048,inFile) != NULL) {
-
-	if (!user) printf("* %s",buf);
-	error = processCommand(buf);
-	if (error == CKR_QUIT) {
-	    break;
-	} else if (error != CKR_OK) {
-	    ckrv = error;
-	}
-	if (user) { 
-	    printf("pkcs11> "); fflush(stdout); 
-	}
-    }
-    return ckrv;
-}
-
-CK_RV
-run(const char *filename) 
-{
-    FILE *infile;
-    CK_RV ckrv;
-
-    infile = fopen(filename,"r");
-
-    if (infile == NULL) {
-	perror(filename);
-	return CKR_FUNCTION_FAILED;
-    }
-
-    ckrv = process(infile, 0);
-
-    fclose(infile);
-    return ckrv;
-}
-
-CK_RV
-loop(const char *filename, const char *var, 
-     CK_ULONG start, CK_ULONG end, CK_ULONG step) 
-{
-    CK_ULONG i = 0;
-    Value *value = 0;
-    CK_RV ckrv;
-
-    for (i=start; i < end; i += step)
-    {
-        value = NewValue(ArgULong, 1);
-	*(CK_ULONG *)value->data = i;
-	DeleteVariable(var);
-	AddVariable(var, &value);
-	ckrv = run(filename);
-	argFree(value);
-	if (ckrv == CKR_QUIT) {
-	    break;
-	}
-    }
-    return ckrv;
-}
-
-int
-main(int argc, char **argv)
-{
-    /* I suppose that some day we could parse some arguments */
-    (void) process(stdin, 1);
-    return 0;
-}
diff --git a/security/nss/cmd/pk11util/scripts/dosign b/security/nss/cmd/pk11util/scripts/dosign
deleted file mode 100644
index 33e761f0b..000000000
--- a/security/nss/cmd/pk11util/scripts/dosign
+++ /dev/null
@@ -1,162 +0,0 @@
-Load nsscapi.dll
-C_Initialize NULL
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-#change the following to the appropriate slot id
-set slotID 1
-#set slotID slotList[0]
-C_GetSlotInfo slotID slotInfo
-C_GetTokenInfo slotID tokenInfo
-C_OpenSession slotID CKF_SERIAL_SESSION session
-#
-#uncomment the following line and include the correct password
-#C_Login session CKU_USER 0000 4 
-#
-# build the search template
-#
-NewTemplate search CKA_CLASS
-SetTemplate search 0 CKO_CERTIFICATE
-NewArray certID CK_ULONG 10
-C_FindObjectsInit session search 1
-C_FindObjects session certID sizeA(certID) count
-C_FindObjectsFinal session
-#
-# now read the cert out
-#
-#NewTemplate derCert CKA_VALUE
-#NewTemplate certName CKA_LABEL,CKA_VALUE
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#BuildTemplate certName
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#print certName[0]
-Set countm1 count
-Decrement countm1 1
-LoopRun pLabel1 i 0 countm1 1
-Set i 1
-run pLabel1
-NewTemplate id CKA_CLASS,CKA_ID
-C_GetAttributeValue session certID[i] id sizeA(id)
-BuildTemplate id
-C_GetAttributeValue session certID[i] id sizeA(id)
-SetTemplate id 0 CKO_PRIVATE_KEY
-NewArray keyID CK_ULONG 10
-C_FindObjectsInit session id sizeA(id)
-C_FindObjects session keyID sizeA(keyID) count
-C_FindObjectsFinal session
-
-NewMechanism rsaParams CKM_RSA_PKCS
-NewArray sign data 256
-NewArray sdata data 36
-C_SignInit session rsaParams keyID[0]
-print sdata
-C_Sign session sdata sizeof(sdata) sign sizeof(sign)
-save signature sign
-save hash sdata
-NewTemplate privValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
-C_GetAttributeValue session keyID[0] privValue sizeA(privValue)
-BuildTemplate privValue
-C_GetAttributeValue session keyID[0] privValue sizeA(privValue)
-print privValue[0]
-print privValue[1]
-
-# save the public key
-SetTemplate id 0 CKO_PUBLIC_KEY
-NewArray pubkeyID CK_ULONG 10
-C_FindObjectsInit session id sizeA(id)
-C_FindObjects session pubkeyID sizeA(pubkeyID) count
-C_FindObjectsFinal session
-NewTemplate pubkeyValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
-C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
-BuildTemplate pubkeyValue
-C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
-print pubkeyValue[0]
-print pubkeyValue[1]
-
-
-C_Finalize null
-unload
-
-#
-# Now do the same for using softoken
-#
-load softokn3.dll
-NewInitArg init CKF_OS_LOCKING_OK configdir=./db
-C_Initialize init
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-#change the following to the appropriate slot id
-set slotID slotList[1]
-#set slotID slotList[0]
-C_GetSlotInfo slotID slotInfo
-C_GetTokenInfo slotID tokenInfo
-C_OpenSession slotID CKF_SERIAL_SESSION session
-NewTemplate search CKA_CLASS
-SetTemplate search 0 CKO_CERTIFICATE
-NewArray certID CK_ULONG 10
-C_FindObjectsInit session search 1
-C_FindObjects session certID sizeA(certID) count
-C_FindObjectsFinal session
-#
-# now read the cert out
-#
-#NewTemplate derCert CKA_VALUE
-#NewTemplate certName CKA_LABEL,CKA_VALUE
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#BuildTemplate certName
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#print certName[0]
-#Set countm1 count
-#Decrement countm1 1
-#LoopRun pLabel1 i 0 countm1 1
-Set i 0
-run pLabel1
-NewTemplate id CKA_CLASS,CKA_ID
-C_GetAttributeValue session certID[i] id sizeA(id)
-BuildTemplate id
-C_GetAttributeValue session certID[i] id sizeA(id)
-SetTemplate id 0 CKO_PRIVATE_KEY
-NewArray keyID CK_ULONG 10
-C_FindObjectsInit session id sizeA(id)
-C_FindObjects session keyID sizeA(keyID) count
-C_FindObjectsFinal session
-
-NewMechanism rsaParams CKM_RSA_PKCS
-NewArray sign data 256
-NewArray sdata data 36
-C_SignInit session rsaParams keyID[0]
-C_Sign session sdata sizeof(sdata) sign sizeof(sign)
-save signature2 sign
-save hash2 sdata
-
-SetTemplate id 0 CKO_PUBLIC_KEY
-NewArray pubkeyID CK_ULONG 10
-C_FindObjectsInit session id sizeA(id)
-C_FindObjects session pubkeyID sizeA(pubkeyID) count
-C_FindObjectsFinal session
-
-#
-# OK now we use raw unwrap and see what we have...
-#
-NewMechanism rawRsaParams CKM_RSA_X_509
-NewArray vdata data 256
-C_VerifyRecoverInit session rawRsaParams pubkeyID[0]
-C_VerifyRecover session sign sizeof(sign) vdata sizeof(vdata)
-save verify2 vdata
-restore signature sign
-C_VerifyRecoverInit session rawRsaParams pubkeyID[0]
-C_VerifyRecover session sign sizeof(sign) vdata sizeof(vdata)
-save verify vdata
-
-NewTemplate pubkeyValue CKA_MODULUS,CKA_PUBLIC_EXPONENT
-C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
-BuildTemplate pubkeyValue
-C_GetAttributeValue session pubkeyID[0] pubkeyValue sizeA(pubkeyValue)
-print pubkeyValue[0]
-print pubkeyValue[1]
-
-
-C_Finalize null
-
-unload
diff --git a/security/nss/cmd/pk11util/scripts/hssign b/security/nss/cmd/pk11util/scripts/hssign
deleted file mode 100644
index 9bcf365cc..000000000
--- a/security/nss/cmd/pk11util/scripts/hssign
+++ /dev/null
@@ -1,48 +0,0 @@
-Load aolkeypk11.dll
-C_Initialize NULL
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-#change the following to the appropriate slot id
-#set slotID slotList[0]
-set slotID 1
-C_GetSlotInfo slotID slotInfo
-C_GetTokenInfo slotID tokenInfo
-C_OpenSession slotID CK_SESSION_SERIAL session
-#
-#uncomment the following line and include the correct password
-#for authenticated tokens
-#C_Login session CKU_USER 0000 4
-#
-# build the search template
-#
-#NewTemplate search CKA_CLASS
-#SetTemplate search 0 CKO_CERTIFICATE
-#NewArray certID CK_ULONG 1
-#C_FindObjectsInit session search 1
-#C_FindObjects session certID 1 count
-#C_FindObjectsFinal session
-#
-# now read the cert out
-#
-#NewTemplate derCert CKA_VALUE
-#C_GetAttributeValue session certID derCert 1
-#BuildTemplate derCert
-#C_GetAttributeValue session certID derCert 1
-#
-# Do a signature
-#
-NewTemplate search CKA_CLASS
-SetTemplate search 0 CKO_PRIVATE_KEY
-NewArray privateKey CK_ULONG 1
-C_FindObjectsInit session search 1
-C_FindObjects session privateKey 1 count
-C_FindObjectsFinal session
-# sign
-NewMechanism rsaParams CKM_RSA_PKCS
-NewArray sign data 128
-NewArray sdata data 20
-C_SignInit session rsaParams privateKey
-C_Sign session sdata sizeof(sdata) sign sizeof(sign)
-#C_Logout session
-
diff --git a/security/nss/cmd/pk11util/scripts/lcert b/security/nss/cmd/pk11util/scripts/lcert
deleted file mode 100644
index 0f249c3b5..000000000
--- a/security/nss/cmd/pk11util/scripts/lcert
+++ /dev/null
@@ -1,35 +0,0 @@
-Load nsscapi.dll
-C_Initialize NULL
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-#change the following to the appropriate slot id
-set slotID 1
-#set slotID slotList[0]
-C_GetSlotInfo slotID slotInfo
-C_GetTokenInfo slotID tokenInfo
-C_OpenSession slotID CKF_SERIAL_SESSION session
-#
-#uncomment the following line and include the correct password
-#C_Login session CKU_USER 0000 4 
-#
-# build the search template
-#
-NewTemplate search CKA_CLASS
-SetTemplate search 0 CKO_CERTIFICATE
-NewArray certID CK_ULONG 10
-C_FindObjectsInit session search 1
-C_FindObjects session certID sizeA(certID) count
-C_FindObjectsFinal session
-#
-# now read the cert out
-#
-#NewTemplate derCert CKA_VALUE
-#NewTemplate certName CKA_LABEL,CKA_VALUE
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#BuildTemplate certName
-#C_GetAttributeValue session certID[0] certName sizeA(certName)
-#print certName[0]
-Set countm1 count
-Decrement countm1 1
-LoopRun pLabel1 i 0 countm1 1
diff --git a/security/nss/cmd/pk11util/scripts/mechanisms b/security/nss/cmd/pk11util/scripts/mechanisms
deleted file mode 100644
index d103a9c4f..000000000
--- a/security/nss/cmd/pk11util/scripts/mechanisms
+++ /dev/null
@@ -1,11 +0,0 @@
-Load nsscapi.dll
-C_Initialize NULL
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-
-LoopRun pMechanisms i 0 slotCount 1
-
-#C_Finalize
-#Unload
-
diff --git a/security/nss/cmd/pk11util/scripts/pLabel1 b/security/nss/cmd/pk11util/scripts/pLabel1
deleted file mode 100644
index 0be909bb4..000000000
--- a/security/nss/cmd/pk11util/scripts/pLabel1
+++ /dev/null
@@ -1,6 +0,0 @@
-NewTemplate certName CKA_LABEL,CKA_VALUE
-C_GetAttributeValue session certID[i] certName sizeA(certName)
-BuildTemplate certName
-C_GetAttributeValue session certID[i] certName sizeA(certName)
-print i
-print certName[0]
diff --git a/security/nss/cmd/pk11util/scripts/pMechanisms b/security/nss/cmd/pk11util/scripts/pMechanisms
deleted file mode 100644
index 82e860258..000000000
--- a/security/nss/cmd/pk11util/scripts/pMechanisms
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# print the mechanism list for a given token
-#
-set slotID slotList[i]
-C_GetMechanismList slotID NULL mechCount
-NewArray mechanismList CK_ULONG  mechcount
-C_GetMechanismList slotID mechanismList mechCount
-print mechanismList
diff --git a/security/nss/cmd/pk11util/scripts/pcert b/security/nss/cmd/pk11util/scripts/pcert
deleted file mode 100644
index c322a8bfe..000000000
--- a/security/nss/cmd/pk11util/scripts/pcert
+++ /dev/null
@@ -1,30 +0,0 @@
-Load aolkeypk11.dll
-C_Initialize NULL
-C_GetSlotList false NULL slotCount
-NewArray slotList CK_ULONG slotCount
-C_GetSlotList false slotList slotCount
-#change the following to the appropriate slot id
-set slotID 1
-#set slotID slotList[0]
-C_GetSlotInfo slotID slotInfo
-C_GetTokenInfo slotID tokenInfo
-C_OpenSession slotID CK_SESSION_SERIAL session
-#
-#uncomment the following line and include the correct password
-#C_Login session CKU_USER 0000 4 
-#
-# build the search template
-#
-NewTemplate search CKA_CLASS
-SetTemplate search 0 CKO_CERTIFICATE
-NewArray certID CK_ULONG 1
-C_FindObjectsInit session search 1
-C_FindObjects session certID 1 count
-C_FindObjectsFinal session
-#
-# now read the cert out
-#
-NewTemplate derCert CKA_VALUE
-C_GetAttributeValue session certID derCert 1
-BuildTemplate derCert
-C_GetAttributeValue session certID derCert 1
diff --git a/security/nss/cmd/pk12util/Makefile b/security/nss/cmd/pk12util/Makefile
deleted file mode 100644
index fe7991878..000000000
--- a/security/nss/cmd/pk12util/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/pk12util/manifest.mn b/security/nss/cmd/pk12util/manifest.mn
deleted file mode 100644
index 4971d7bcf..000000000
--- a/security/nss/cmd/pk12util/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = \
-	pk12util.c \
-	$(NULL)
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = dbm seccmd
-
-PROGRAM = pk12util
-
-# USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
deleted file mode 100644
index dc08a6009..000000000
--- a/security/nss/cmd/pk12util/pk12util.c
+++ /dev/null
@@ -1,1128 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "pk11func.h"
-#include "pkcs12.h"
-#include "p12plcy.h"
-#include "pk12util.h"
-#include "nss.h"
-#include "secport.h"
-#include "secpkcs5.h"
-#include "certdb.h"
-
-#define PKCS12_IN_BUFFER_SIZE	200
-
-static char *progName;
-PRBool pk12_debugging = PR_FALSE;
-PRBool dumpRawFile;
-
-PRIntn pk12uErrno = 0;
-
-static void
-Usage(char *progName)
-{
-#define FPS PR_fprintf(PR_STDERR,
-    FPS "Usage:	 %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
-				 progName);
-    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
-    FPS "\t\t [-v]\n");
-
-    FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
-				 progName);
-    FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
-    FPS "\t\t [-v]\n");
-
-    FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix]\n",
-		progName);
-    FPS "\t\t [-c key_cipher] [-C cert_cipher]\n"
-        "\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n");
-    FPS "\t\t [-k slotpwfile | -K slotpw]\n"
-		"\t\t [-w p12filepwfile | -W p12filefilepw]\n");
-
-    exit(PK12UERR_USAGE);
-}
-
-static PRBool
-p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
-{
-    if(!p12cxt || !p12cxt->filename) {
-	return PR_FALSE;
-    }
-
-    if(fileRead) {
-	p12cxt->file = PR_Open(p12cxt->filename,
-				 PR_RDONLY, 0400);
-    } else {
-	p12cxt->file = PR_Open(p12cxt->filename,
-				 PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE,
-				 0600);
-    }
-
-    if(!p12cxt->file) {
-	p12cxt->error = PR_TRUE;
-	return PR_FALSE;
-    }
-
-    return PR_TRUE;
-}
-
-static void
-p12u_DestroyContext(p12uContext **ppCtx, PRBool removeFile)
-{
-    if(!ppCtx || !(*ppCtx)) {
-	return;
-    }
-
-    if((*ppCtx)->file != NULL) {
-	PR_Close((*ppCtx)->file);
-    }
-
-    if((*ppCtx)->filename != NULL) {
-	if(removeFile) {
-	    PR_Delete((*ppCtx)->filename);
-	}
-	PL_strfree((*ppCtx)->filename);
-	(*ppCtx)->filename = NULL;
-    }
-
-    PR_Free(*ppCtx);
-    *ppCtx = NULL;
-}
-
-static p12uContext *
-p12u_InitContext(PRBool fileImport, char *filename)
-{
-    p12uContext *p12cxt;
-    PRBool fileExist;
-
-    fileExist = fileImport;
-
-    p12cxt = PORT_ZNew(p12uContext);
-    if(!p12cxt) {
-	return NULL;
-    }
-
-    p12cxt->error = PR_FALSE;
-    p12cxt->errorValue = 0;
-    p12cxt->filename = PL_strdup(filename);
-
-    if(!p12u_OpenFile(p12cxt, fileImport)) {
-	p12u_DestroyContext(&p12cxt, PR_FALSE);
-	return NULL;
-    }
-
-    return p12cxt;
-}
-
-SECItem *
-P12U_NicknameCollisionCallback(SECItem *old_nick, PRBool *cancel, void *wincx)
-{
-    char           *nick     = NULL;
-    SECItem        *ret_nick = NULL;
-    CERTCertificate* cert    = (CERTCertificate*)wincx;
-
-    if (!cancel || !cert) {
-	pk12uErrno = PK12UERR_USER_CANCELLED;
-	return NULL;
-    }
-
-    if (!old_nick)
-	fprintf(stdout, "pk12util: no nickname for cert in PKCS12 file.\n");
-
-#if 0
-    /* XXX not handled yet  */
-    *cancel = PR_TRUE;
-    return NULL;
-
-#else
-
-    nick = CERT_MakeCANickname(cert); 
-    if (!nick) {
-    	return NULL;
-    }
-
-    if(old_nick && old_nick->data && old_nick->len &&
-       PORT_Strlen(nick) == old_nick->len &&
-       !PORT_Strncmp((char *)old_nick->data, nick, old_nick->len)) {
-	PORT_Free(nick);
-	PORT_SetError(SEC_ERROR_IO);
-	return NULL;
-    }
-
-    fprintf(stdout, "pk12util: using nickname: %s\n", nick);
-    ret_nick = PORT_ZNew(SECItem);
-    if(ret_nick == NULL) {
-	PORT_Free(nick);
-	return NULL;
-    }
-
-    ret_nick->data = (unsigned char *)nick;
-    ret_nick->len = PORT_Strlen(nick);
-
-    return ret_nick;
-#endif
-}
-
-static SECStatus
-p12u_SwapUnicodeBytes(SECItem *uniItem)
-{
-    unsigned int i;
-    unsigned char a;
-    if((uniItem == NULL) || (uniItem->len % 2)) {
-	return SECFailure;
-    }
-    for(i = 0; i < uniItem->len; i += 2) {
-	a = uniItem->data[i];
-	uniItem->data[i] = uniItem->data[i+1];
-	uniItem->data[i+1] = a;
-    }
-    return SECSuccess;
-}
-
-static PRBool
-p12u_ucs2_ascii_conversion_function(PRBool	   toUnicode,
-				    unsigned char *inBuf,
-				    unsigned int   inBufLen,
-				    unsigned char *outBuf,
-				    unsigned int   maxOutBufLen,
-				    unsigned int  *outBufLen,
-				    PRBool	   swapBytes)
-{
-    SECItem it = { 0 };
-    SECItem *dup = NULL;
-    PRBool ret;
-
-#ifdef DEBUG_CONVERSION
-    if (pk12_debugging) {
-	int i;
-	printf("Converted from:\n");
-	for (i=0; i<inBufLen; i++) {
-	    printf("%2x ", inBuf[i]);
-	    /*if (i%60 == 0) printf("\n");*/
-	}
-	printf("\n");
-    }
-#endif
-    it.data = inBuf;
-    it.len = inBufLen;
-    dup = SECITEM_DupItem(&it);
-    /* If converting Unicode to ASCII, swap bytes before conversion
-     * as neccessary.
-     */
-    if (!toUnicode && swapBytes) {
-	if (p12u_SwapUnicodeBytes(dup) != SECSuccess) {
-	    SECITEM_ZfreeItem(dup, PR_TRUE);
-	    return PR_FALSE;
-	}
-    }
-    /* Perform the conversion. */
-    ret = PORT_UCS2_UTF8Conversion(toUnicode, dup->data, dup->len,
-                                   outBuf, maxOutBufLen, outBufLen);
-    if (dup)
-	SECITEM_ZfreeItem(dup, PR_TRUE);
-
-#ifdef DEBUG_CONVERSION
-    if (pk12_debugging) {
-	int i;
-	printf("Converted to:\n");
-	for (i=0; i<*outBufLen; i++) {
-	    printf("%2x ", outBuf[i]);
-	    /*if (i%60 == 0) printf("\n");*/
-	}
-	printf("\n");
-    }
-#endif
-    return ret;
-}
-
-SECStatus
-P12U_UnicodeConversion(PRArenaPool *arena, SECItem *dest, SECItem *src,
-		       PRBool toUnicode, PRBool swapBytes)
-{
-    unsigned int allocLen;
-    if(!dest || !src) {
-	return SECFailure;
-    }
-    allocLen = ((toUnicode) ? (src->len << 2) : src->len);
-    if(arena) {
-	dest->data = PORT_ArenaZAlloc(arena, allocLen);
-    } else {
-	dest->data = PORT_ZAlloc(allocLen);
-    }
-    if(PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len,
-				 dest->data, allocLen, &dest->len,
-				 swapBytes) == PR_FALSE) {
-	if(!arena) {
-	    PORT_Free(dest->data);
-	}
-	dest->data = NULL;
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- *
- */
-SECItem *
-P12U_GetP12FilePassword(PRBool confirmPw, secuPWData *p12FilePw)
-{
-    char *p0 = NULL;
-    SECItem *pwItem = NULL;
-
-    if (p12FilePw == NULL || p12FilePw->source == PW_NONE) {
-	char *p1 = NULL;
-	int   rc;
-	for (;;) {
-	    p0 = SECU_GetPasswordString(NULL,
-					"Enter password for PKCS12 file: ");
-	    if (!confirmPw || p0 == NULL)
-		break;
-	    p1 = SECU_GetPasswordString(NULL, "Re-enter password: ");
-	    if (p1 == NULL) {
-		PORT_ZFree(p0, PL_strlen(p0));
-		p0 = NULL;
-		break;
-	    }
-	    rc = PL_strcmp(p0, p1);
-	    PORT_ZFree(p1, PL_strlen(p1));
-	    if (rc == 0)
-		break;
-	    PORT_ZFree(p0, PL_strlen(p0));
-	}
-    } else if (p12FilePw->source == PW_FROMFILE) {
-	p0 = SECU_FilePasswd(NULL, PR_FALSE, p12FilePw->data);
-    } else { /* Plaintext */
-	p0 = PORT_Strdup(p12FilePw->data);
-    }
-
-    if (p0 == NULL) {
-        return NULL;
-    }
-    pwItem = SECITEM_AllocItem(NULL, NULL, PL_strlen(p0) + 1);
-    memcpy(pwItem->data, p0, pwItem->len);
-
-    PORT_ZFree(p0, PL_strlen(p0));
-
-    return pwItem;
-}
-
-SECStatus
-P12U_InitSlot(PK11SlotInfo *slot, secuPWData *slotPw)
-{
-    SECStatus rv;
-
-    /*	New databases, initialize keydb password. */
-    if (PK11_NeedUserInit(slot)) {
-	rv = SECU_ChangePW(slot,
-			   (slotPw->source == PW_PLAINTEXT) ? slotPw->data : 0,
-			   (slotPw->source == PW_FROMFILE) ? slotPw->data : 0);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "Failed to initialize slot \"%s\"",
-				    PK11_GetSlotName(slot));
-	    return SECFailure;
-	}
-    }
-
-    if (PK11_Authenticate(slot, PR_TRUE, slotPw) != SECSuccess) {
-	SECU_PrintError(progName,
-			 "Failed to authenticate to PKCS11 slot");
-	PORT_SetError(SEC_ERROR_USER_CANCELLED);
-	pk12uErrno = PK12UERR_USER_CANCELLED;
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-/* This routine takes care of getting the PKCS12 file password, then reading and
- * verifying the file. It returns the decoder context and a filled in password.
- * (The password is needed by P12U_ImportPKCS12Object() to import the private
- * key.)
- */
-SEC_PKCS12DecoderContext *
-p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
-                    secuPWData *slotPw, secuPWData *p12FilePw)
-{
-    SEC_PKCS12DecoderContext *p12dcx = NULL;
-    p12uContext *p12cxt = NULL;
-    SECItem *pwitem = NULL;
-    SECItem p12file = { 0 };
-    SECStatus rv = SECFailure;
-    PRBool swapUnicode = PR_FALSE;
-    PRBool trypw;
-    int error;
-    
-#ifdef IS_LITTLE_ENDIAN
-    swapUnicode = PR_TRUE;
-#endif
-
-    p12cxt = p12u_InitContext(PR_TRUE, in_file);
-    if(!p12cxt) {
-	SECU_PrintError(progName,"File Open failed: %s", in_file);
-	pk12uErrno = PK12UERR_INIT_FILE;
-        return NULL;
-    }
-
-    /* get the password */
-    pwitem = P12U_GetP12FilePassword(PR_FALSE, p12FilePw);
-    if (!pwitem) {
-	pk12uErrno = PK12UERR_USER_CANCELLED;
-	goto done;
-    }
-
-    if(P12U_UnicodeConversion(NULL, uniPwp, pwitem, PR_TRUE,
-                              swapUnicode) != SECSuccess) {
-	SECU_PrintError(progName,"Unicode conversion failed");
-	pk12uErrno = PK12UERR_UNICODECONV;
-	goto done;
-    }
-    rv = SECU_FileToItem(&p12file, p12cxt->file);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName,"Failed to read from import file");
-        goto done;
-    }
-
-    do {
-        trypw = PR_FALSE;                  /* normally we do this once */
-        rv = SECFailure;
-        /* init the decoder context */
-        p12dcx = SEC_PKCS12DecoderStart(uniPwp, slot, slotPw,
-                                        NULL, NULL, NULL, NULL, NULL);
-        if(!p12dcx) {
-            SECU_PrintError(progName,"PKCS12 decoder start failed");
-            pk12uErrno = PK12UERR_PK12DECODESTART;
-            break;
-        }
-
-        /* decode the item */
-        rv = SEC_PKCS12DecoderUpdate(p12dcx, p12file.data, p12file.len);
-
-        if(rv != SECSuccess) {
-            error = PR_GetError();
-            if(error == SEC_ERROR_DECRYPTION_DISALLOWED) {
-                PR_SetError(error, 0);
-                break;
-            }
-            SECU_PrintError(progName,"PKCS12 decoding failed");
-            pk12uErrno = PK12UERR_DECODE;
-        }
-
-        /* does the blob authenticate properly? */
-        rv = SEC_PKCS12DecoderVerify(p12dcx);
-        if (rv != SECSuccess) {
-            if(uniPwp->len == 2) {
-                /* this is a null PW, try once more with a zero-length PW
-                   instead of a null string */
-                SEC_PKCS12DecoderFinish(p12dcx);
-                uniPwp->len = 0;
-                trypw = PR_TRUE;
-            }
-            else {
-                SECU_PrintError(progName,"PKCS12 decode not verified");
-                pk12uErrno = PK12UERR_DECODEVERIFY;
-                break;
-            }
-        }
-    } while (trypw == PR_TRUE);
-    /* rv has been set at this point */
-
-
-done:
-    if (rv != SECSuccess) {
-        if (p12dcx != NULL) {
-            SEC_PKCS12DecoderFinish(p12dcx);
-            p12dcx = NULL;
-        }
-        if (uniPwp->data) {
-            SECITEM_ZfreeItem(uniPwp, PR_FALSE);
-            uniPwp->data = NULL;
-        }
-    }
-    PR_Close(p12cxt->file);
-    p12cxt->file = NULL;
-    /* PK11_FreeSlot(slot); */
-    p12u_DestroyContext(&p12cxt, PR_FALSE);
-
-    if (pwitem) {
-	SECITEM_ZfreeItem(pwitem, PR_TRUE);
-    }
-    return p12dcx;
-}
-
-/*
- * given a filename for pkcs12 file, imports certs and keys
- *
- * Change: altitude
- *  I've changed this function so that it takes the keydb and pkcs12 file
- *  passwords from files.  The "pwdKeyDB" and "pwdP12File"
- *  variables have been added for this purpose.
- */
-PRIntn
-P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
-			secuPWData *slotPw, secuPWData *p12FilePw)
-{
-    SEC_PKCS12DecoderContext *p12dcx = NULL;
-    SECItem uniPwitem = { 0 };
-    SECStatus rv = SECFailure;
-
-    rv = P12U_InitSlot(slot, slotPw);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "Failed to authenticate to \"%s\"",
-			       			 PK11_GetSlotName(slot));
-	pk12uErrno = PK12UERR_PK11GETSLOT;
-	return rv;
-    }
-
-    rv = SECFailure;
-    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
-    
-    if(p12dcx == NULL) {
-        goto loser;
-    }
-    
-    /* make sure the bags are okey dokey -- nicknames correct, etc. */
-    rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
-	    pk12uErrno = PK12UERR_CERTALREADYEXISTS;
-	} else {
-	    pk12uErrno = PK12UERR_DECODEVALIBAGS;
-	}
-	SECU_PrintError(progName,"PKCS12 decode validate bags failed");
-	goto loser;
-    }
-
-    /* stuff 'em in */
-    rv = SEC_PKCS12DecoderImportBags(p12dcx);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName,"PKCS12 decode import bags failed");
-	pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-	goto loser;
-    }
-
-    fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName);
-    rv = SECSuccess;
-
-loser:
-    if (p12dcx) {
-	SEC_PKCS12DecoderFinish(p12dcx);
-    }
-    
-    if (uniPwitem.data) {
-	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
-    }
-    
-    return rv;
-}
-
-static void
-p12u_DoPKCS12ExportErrors()
-{
-    int error_value;
-
-    error_value = PORT_GetError();
-    if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
-	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
-	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
-	fprintf(stderr, SECU_ErrorStringRaw((int16)error_value));
-    } else if(error_value == SEC_ERROR_USER_CANCELLED) {
-	;
-    } else {
-	fprintf(stderr, SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES));
-    }
-}
-
-static void
-p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
-{
-    p12uContext *p12cxt = arg;
-    int writeLen;
-
-    if(!p12cxt || (p12cxt->error == PR_TRUE)) {
-	return;
-    }
-
-    if(p12cxt->file == NULL) {
-	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
-	p12cxt->error = PR_TRUE;
-	return;
-    }
-
-    writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (int32)len);
-
-    if(writeLen != (int)len) {
-	PR_Close(p12cxt->file);
-	PL_strfree(p12cxt->filename);
-	p12cxt->filename = NULL;
-	p12cxt->file = NULL;
-	p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
-	p12cxt->error = PR_TRUE;
-    }
-}
-
-
-void
-P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
-		SECOidTag cipher, SECOidTag certCipher, 
-		secuPWData *slotPw, secuPWData *p12FilePw)
-{
-    SEC_PKCS12ExportContext *p12ecx = NULL;
-    SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL;
-    SECItem *pwitem = NULL;
-    p12uContext *p12cxt = NULL;
-    CERTCertList* certlist = NULL;
-    CERTCertListNode* node = NULL;
-    PK11SlotInfo* slot = NULL;
-
-    if (P12U_InitSlot(inSlot, slotPw) != SECSuccess) {
-	SECU_PrintError(progName,"Failed to authenticate to \"%s\"",
-			  PK11_GetSlotName(inSlot));
-	pk12uErrno = PK12UERR_PK11GETSLOT;
-	goto loser;
-    }
-    certlist = PK11_FindCertsFromNickname(nn, slotPw);
-    if(!certlist) {
-	SECU_PrintError(progName,"find user certs from nickname failed");
-	pk12uErrno = PK12UERR_FINDCERTBYNN;
-	return;
-    }
-
-    if ((SECSuccess != CERT_FilterCertListForUserCerts(certlist)) ||
-        CERT_LIST_EMPTY(certlist)) {
-        PR_fprintf(PR_STDERR, "%s: no user certs from given nickname\n",
-                   progName);
-        pk12uErrno = PK12UERR_FINDCERTBYNN;
-        goto loser;
-    }
-
-    /*	Password to use for PKCS12 file.  */
-    pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
-    if(!pwitem) {
-	goto loser;
-    }
-
-    p12cxt = p12u_InitContext(PR_FALSE, outfile); 
-    if(!p12cxt) {
-	SECU_PrintError(progName,"Initialization failed: %s", outfile);
-	pk12uErrno = PK12UERR_INIT_FILE;
-	goto loser;
-    }
-
-    if (certlist) {
-        CERTCertificate* cert = NULL;
-        node = CERT_LIST_HEAD(certlist);
-        if (node) {
-            cert = node->cert;
-        }
-        if (cert) {
-            slot = cert->slot; /* use the slot from the first matching
-                certificate to create the context . This is for keygen */
-        }
-    }
-    if (!slot) {
-        SECU_PrintError(progName,"cert does not have a slot");
-        pk12uErrno = PK12UERR_FINDCERTBYNN;
-        goto loser;
-    }
-    p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, slot, slotPw);
-    if(!p12ecx) {
-        SECU_PrintError(progName,"export context creation failed");
-        pk12uErrno = PK12UERR_EXPORTCXCREATE;
-        goto loser;
-    }
-
-    if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, SEC_OID_SHA1)
-       != SECSuccess) {
-        SECU_PrintError(progName,"PKCS12 add password integrity failed");
-        pk12uErrno = PK12UERR_PK12ADDPWDINTEG;
-        goto loser;
-    }
-
-    for (node = CERT_LIST_HEAD(certlist);
-         !CERT_LIST_END(node,certlist);
-	 node=CERT_LIST_NEXT(node)) {
-        CERTCertificate* cert = node->cert;
-        if (!cert->slot) {
-            SECU_PrintError(progName,"cert does not have a slot");
-            pk12uErrno = PK12UERR_FINDCERTBYNN;
-            goto loser;
-        }
-    
-        keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
-        if(certCipher == SEC_OID_UNKNOWN) {
-            certSafe = keySafe;
-        } else {
-            certSafe = 
-		SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certCipher);
-        }
-    
-        if(!certSafe || !keySafe) {
-            SECU_PrintError(progName,"key or cert safe creation failed");
-            pk12uErrno = PK12UERR_CERTKEYSAFE;
-            goto loser;
-        }
-    
-        if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert,
-            CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem, cipher)
-            != SECSuccess) {
-                SECU_PrintError(progName,"add cert and key failed");
-                pk12uErrno = PK12UERR_ADDCERTKEY;
-                goto loser;
-        }
-    }
-
-    CERT_DestroyCertList(certlist);
-    certlist = NULL;
-
-    if(SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12cxt)
-                        != SECSuccess) {
-        SECU_PrintError(progName,"PKCS12 encode failed");
-        pk12uErrno = PK12UERR_ENCODE;
-        goto loser;
-    }
-
-    p12u_DestroyContext(&p12cxt, PR_FALSE);
-    SECITEM_ZfreeItem(pwitem, PR_TRUE);
-    fprintf(stdout, "%s: PKCS12 EXPORT SUCCESSFUL\n", progName);
-    SEC_PKCS12DestroyExportContext(p12ecx);
-
-    return;
-
-loser:
-    SEC_PKCS12DestroyExportContext(p12ecx);
-
-    if (certlist) {
-        CERT_DestroyCertList(certlist);
-        certlist = NULL;
-    }    
-
-    p12u_DestroyContext(&p12cxt, PR_TRUE);
-    if(pwitem) {
-        SECITEM_ZfreeItem(pwitem, PR_TRUE);
-    }
-    p12u_DoPKCS12ExportErrors();
-    return;
-}
-
-
-PRIntn
-P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
-			secuPWData *slotPw, secuPWData *p12FilePw)
-{
-    SEC_PKCS12DecoderContext *p12dcx = NULL;
-    SECItem uniPwitem = { 0 };
-    SECStatus rv = SECFailure;
-    const SEC_PKCS12DecoderItem *dip;
-
-    p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
-    /* did the blob authenticate properly? */
-    if(p12dcx == NULL) {
-	SECU_PrintError(progName,"PKCS12 decode not verified");
-	pk12uErrno = PK12UERR_DECODEVERIFY;
-        goto loser;
-    }
-    rv = SEC_PKCS12DecoderIterateInit(p12dcx);
-    if(rv != SECSuccess) {
-	SECU_PrintError(progName,"PKCS12 decode iterate bags failed");
-	pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-        rv = SECFailure;
-    } else {
-	int fileCounter = 0;
-        while (SEC_PKCS12DecoderIterateNext(p12dcx, &dip) == SECSuccess) {
-            switch (dip->type) {
-                case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-                    printf("Certificate");
-		    if (dumpRawFile) {
-			PRFileDesc * fd;
-			char fileName[20];
-			sprintf(fileName, "file%04d.der", ++fileCounter);
-			fd = PR_Open(fileName,
-				     PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE,
-				     0600);
-			if (!fd) {
-			    SECU_PrintError(progName,
-			                    "Cannot create output file");
-			} else {
-			    PR_Write(fd, dip->der->data, dip->der->len);
-			    PR_Close(fd);
-			}
-		    } else 
-                    if (SECU_PrintSignedData(stdout, dip->der,
-                            (dip->hasKey) ? "(has private key)" : "",
-                             0, SECU_PrintCertificate) != 0) {
-                        SECU_PrintError(progName,"PKCS12 print cert bag failed");
-                    }
-                    if (dip->friendlyName != NULL) {
-                        printf("    Friendly Name: %s\n\n",
-                                dip->friendlyName->data);
-                    }
-		    if (dip->shroudAlg) {
-			SECU_PrintAlgorithmID(stdout, dip->shroudAlg,
-						 "Encryption algorithm",1);
-		    }
-                    break;
-                case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-                case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-                    printf("Key");
-                    if (dip->type == SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID)
-                        printf("(shrouded)");
-                    printf(":\n");
-                    if (dip->friendlyName != NULL) {
-                        printf("    Friendly Name: %s\n\n",
-                                dip->friendlyName->data);
-                    }
-		    if (dip->shroudAlg) {
-			SECU_PrintAlgorithmID(stdout, dip->shroudAlg,
-						 "Encryption algorithm",1);
-		    }
-                    break;
-                default:
-                    printf("unknown bag type(%d): %s\n\n", dip->type,
-                            SECOID_FindOIDTagDescription(dip->type));
-                    break;
-            }
-        }
-        rv = SECSuccess;
-    }
-
-loser:
-    
-    if (p12dcx) {
-	SEC_PKCS12DecoderFinish(p12dcx);
-    }
-    
-    if (uniPwitem.data) {
-	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
-    }
-    
-    return rv;
-}
-
-/*
- * use the oid table description to map a user input string to a particular
- * oid.
- */
-SECOidTag
-PKCS12U_MapCipherFromString(char *cipherString, int keyLen)
-{
-    SECOidTag tag;
-    SECOidData *oid;
-    SECOidTag cipher;
-
-    /* future enhancement: accept dotted oid spec? */
-
-    /* future enhancement: provide 'friendlier' typed in names for
-     * pbe mechanisms.
-     */
-
-    /* look for the oid tag by Description */
-    cipher = SEC_OID_UNKNOWN;
-    for (tag=1;  (oid=SECOID_FindOIDByTag(tag)) != NULL ; tag++) {
-	/* only interested in oids that we actually understand */
-	if (oid->mechanism == CKM_INVALID_MECHANISM) {
-	    continue;
-	}
-	if (PORT_Strcasecmp(oid->desc, cipherString) != 0) {
-	    continue;
-	}
-	/* we found a match... get the PBE version of this
-	 * cipher... */
-	if (!SEC_PKCS5IsAlgorithmPBEAlgTag(tag)) {
-	    cipher = SEC_PKCS5GetPBEAlgorithm(tag, keyLen);
-	    /* no eqivalent PKCS5/PKCS12 cipher, use the raw
-	     * encryption tag we got and pass it directly in,
-	     * pkcs12 will use the pkcsv5 mechanism */
-	    if (cipher == SEC_OID_PKCS5_PBES2) {
-		cipher = tag;
-	    } else if (cipher == SEC_OID_PKCS5_PBMAC1) {
-		/* make sure we have not macing ciphers here */
-		cipher = SEC_OID_UNKNOWN;
-	    }
-	} else {
-		cipher = tag;
-	}
-	break;
-    }
-    return cipher;
-}
-
-static void
-p12u_EnableAllCiphers()
-{
-    SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
-    SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
-    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
-    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
-    SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
-    SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
-    SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
-}
-
-static PRUintn
-P12U_Init(char *dir, char *dbprefix, PRBool listonly)
-{
-    SECStatus rv;
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    if (listonly && NSS_NoDB_Init("") == SECSuccess) {
-        rv = SECSuccess;
-    }
-    else {
-        rv = NSS_Initialize(dir,dbprefix,dbprefix,"secmod.db",0);
-    }
-    if (rv != SECSuccess) {
-    	SECU_PrintPRandOSError(progName);
-        exit(-1);
-    }
-
-    /* setup unicode callback functions */
-    PORT_SetUCS2_ASCIIConversionFunction(p12u_ucs2_ascii_conversion_function);
-    /* use the defaults for UCS4-UTF8 and UCS2-UTF8 */
-
-    p12u_EnableAllCiphers();
-
-    return 0;
-}
-
-enum {
-    opt_CertDir = 0,
-    opt_TokenName,
-    opt_Import,
-    opt_SlotPWFile,
-    opt_SlotPW,
-    opt_List,
-    opt_Nickname,
-    opt_Export,
-    opt_Raw,
-    opt_P12FilePWFile,
-    opt_P12FilePW,
-    opt_DBPrefix,
-    opt_Debug,
-    opt_Cipher,
-    opt_CertCipher,
-    opt_KeyLength,
-    opt_CertKeyLength
-};
-
-static secuCommandFlag pk12util_options[] =
-{
-    { /* opt_CertDir	       */ 'd', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_TokenName	       */ 'h', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_Import	       */ 'i', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_SlotPWFile	       */ 'k', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_SlotPW	       */ 'K', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_List              */ 'l', PR_TRUE,  0, PR_FALSE },
-    { /* opt_Nickname	       */ 'n', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_Export	       */ 'o', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_Raw   	       */ 'r', PR_FALSE, 0, PR_FALSE },
-    { /* opt_P12FilePWFile     */ 'w', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_P12FilePW	       */ 'W', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_DBPrefix	       */ 'P', PR_TRUE,	 0, PR_FALSE },
-    { /* opt_Debug	       */ 'v', PR_FALSE, 0, PR_FALSE },
-    { /* opt_Cipher	       */ 'c', PR_TRUE,  0, PR_FALSE },
-    { /* opt_CertCipher	       */ 'C', PR_TRUE,  0, PR_FALSE },
-    { /* opt_KeyLength         */ 'm', PR_TRUE,  0, PR_FALSE, "key_len" },
-    { /* opt_CertKeyLength     */ 0, PR_TRUE,  0, PR_FALSE, "cert_key_len" }
-};
-
-int
-main(int argc, char **argv)
-{
-    secuPWData slotPw = { PW_NONE, NULL };
-    secuPWData p12FilePw = { PW_NONE, NULL };
-    PK11SlotInfo *slot;
-    char *slotname = NULL;
-    char *import_file = NULL;
-    char *export_file = NULL;
-    char *dbprefix = "";
-    SECStatus rv;
-    SECOidTag cipher = 
-            SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
-    SECOidTag certCipher;
-    int keyLen = 0;
-    int certKeyLen = 0;
-
-    secuCommand pk12util;
-    pk12util.numCommands = 0;
-    pk12util.commands = 0;
-    pk12util.numOptions = sizeof(pk12util_options) / sizeof(secuCommandFlag);
-    pk12util.options = pk12util_options;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &pk12util);
-
-    if (rv != SECSuccess)
-	Usage(progName);
-
-    pk12_debugging = pk12util.options[opt_Debug].activated;
-
-    if ((pk12util.options[opt_Import].activated +
-	pk12util.options[opt_Export].activated +
-        pk12util.options[opt_List].activated) != 1) {
-	Usage(progName);
-    }
-
-    if (pk12util.options[opt_Export].activated &&
-       !pk12util.options[opt_Nickname].activated) {
-	Usage(progName);
-    }
-
-    slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
-
-    import_file = (pk12util.options[opt_List].activated) ?
-                    SECU_GetOptionArg(&pk12util, opt_List) :
-                    SECU_GetOptionArg(&pk12util, opt_Import);
-    export_file = SECU_GetOptionArg(&pk12util, opt_Export);
-
-    if (pk12util.options[opt_P12FilePWFile].activated) {
-	p12FilePw.source = PW_FROMFILE;
-	p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePWFile].arg);
-    }
-
-    if (pk12util.options[opt_P12FilePW].activated) {
-	p12FilePw.source = PW_PLAINTEXT;
-	p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePW].arg);
-    }
-
-    if (pk12util.options[opt_SlotPWFile].activated) {
-	slotPw.source = PW_FROMFILE;
-	slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPWFile].arg);
-    }
-
-    if (pk12util.options[opt_SlotPW].activated) {
-	slotPw.source = PW_PLAINTEXT;
-	slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPW].arg);
-    }
-
-    if (pk12util.options[opt_CertDir].activated) {
-	SECU_ConfigDirectory(pk12util.options[opt_CertDir].arg);
-    }
-    if (pk12util.options[opt_DBPrefix].activated) {
-    	dbprefix = pk12util.options[opt_DBPrefix].arg;
-    }
-    if (pk12util.options[opt_Raw].activated) {
-    	dumpRawFile = PR_TRUE;
-    }
-    if (pk12util.options[opt_KeyLength].activated) {
-    	keyLen = atoi(pk12util.options[opt_KeyLength].arg);
-    }
-    if (pk12util.options[opt_CertKeyLength].activated) {
-    	certKeyLen = atoi(pk12util.options[opt_CertKeyLength].arg);
-    }
-		
-    P12U_Init(SECU_ConfigDirectory(NULL), dbprefix,
-                pk12util.options[opt_List].activated);
-
-    if (!slotname || PL_strcmp(slotname, "internal") == 0)
-	slot = PK11_GetInternalKeySlot();
-    else
-	slot = PK11_FindSlotByName(slotname);
-
-    if (!slot) {
-	SECU_PrintError(progName,"Invalid slot \"%s\"", slotname);
-	pk12uErrno = PK12UERR_PK11GETSLOT;
-	goto done;
-    }
-
-    if (pk12util.options[opt_Cipher].activated) {
-	char *cipherString = pk12util.options[opt_Cipher].arg;
-
-	cipher = PKCS12U_MapCipherFromString(cipherString, keyLen);
-	/* We only want encryption PBE's. make sure we don't have
-	 * any MAC pbes */
-	if (cipher == SEC_OID_UNKNOWN) {
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	    SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
-	    pk12uErrno = PK12UERR_INVALIDALGORITHM;
-	    goto done;
-	}
-    }
-
-    certCipher = PK11_IsFIPS() ? SEC_OID_UNKNOWN :
-                SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
-    if (pk12util.options[opt_CertCipher].activated) {
-	char *cipherString = pk12util.options[opt_CertCipher].arg;
-
-	if (PORT_Strcasecmp(cipherString, "none") == 0) {
-	    certCipher = SEC_OID_UNKNOWN;
-	} else {
-	    certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen);
-	    /* If the user requested a cipher and we didn't find it, then
-	     * don't just silently not encrypt. */
-	    if (cipher == SEC_OID_UNKNOWN) {
-		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-		SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
-		pk12uErrno = PK12UERR_INVALIDALGORITHM;
-		goto done;
-	    }
-	}
-    }
-	   
-
-    if (pk12util.options[opt_Import].activated) {
-	P12U_ImportPKCS12Object(import_file, slot,  &slotPw, &p12FilePw);
-
-    } else if (pk12util.options[opt_Export].activated) {
-	P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
-			export_file, slot, cipher, certCipher, 
-			&slotPw, &p12FilePw);
-        
-    } else if (pk12util.options[opt_List].activated) {
-	P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
-                                           
-    } else {
-	Usage(progName);
-	pk12uErrno = PK12UERR_USAGE;
-    }
-
-done:
-    if (slotPw.data != NULL)
-	PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
-    if (p12FilePw.data != NULL)
-	PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
-    if (slot) 
-    	PK11_FreeSlot(slot);
-    if (NSS_Shutdown() != SECSuccess) {
-	pk12uErrno = 1;
-    }
-    return pk12uErrno;
-}
diff --git a/security/nss/cmd/pk12util/pk12util.h b/security/nss/cmd/pk12util/pk12util.h
deleted file mode 100644
index 53751a33e..000000000
--- a/security/nss/cmd/pk12util/pk12util.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * ERROR codes in pk12util
- * - should be organized better later
- */
-#define PK12UERR_USER_CANCELLED 1
-#define PK12UERR_USAGE 2
-#define PK12UERR_CERTDB_OPEN 8
-#define PK12UERR_KEYDB_OPEN 9
-#define PK12UERR_INIT_FILE 10
-#define PK12UERR_UNICODECONV 11
-#define PK12UERR_TMPDIGCREATE 12
-#define PK12UERR_PK11GETSLOT 13
-#define PK12UERR_PK12DECODESTART 14
-#define PK12UERR_IMPORTFILEREAD 15
-#define PK12UERR_DECODE 16
-#define PK12UERR_DECODEVERIFY 17
-#define PK12UERR_DECODEVALIBAGS 18
-#define PK12UERR_DECODEIMPTBAGS 19
-#define PK12UERR_CERTALREADYEXISTS 20
-#define PK12UERR_PATCHDB 22
-#define PK12UERR_GETDEFCERTDB 23
-#define PK12UERR_FINDCERTBYNN 24
-#define PK12UERR_EXPORTCXCREATE 25
-#define PK12UERR_PK12ADDPWDINTEG 26
-#define PK12UERR_CERTKEYSAFE 27
-#define PK12UERR_ADDCERTKEY 28
-#define PK12UERR_ENCODE 29
-#define PK12UERR_INVALIDALGORITHM 30
-
-
-/* additions for importing and exporting PKCS 12 files */
-typedef struct p12uContextStr {
-    char        *filename;    /* name of file */
-	PRFileDesc  *file;        /* pointer to file */
-	PRBool       error;       /* error occurred? */
-	int          errorValue;  /* which error occurred? */
-} p12uContext;
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
deleted file mode 100644
index 18b480e43..000000000
--- a/security/nss/cmd/platlibs.mk
+++ /dev/null
@@ -1,263 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# set RPATH-type linker instructions here so they can be used in the shared
-# version and in the mixed (static nss libs/shared NSPR libs) version.
-
-ifeq ($(OS_ARCH), SunOS) 
-ifeq ($(BUILD_SUN_PKG), 1)
-ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
-else
-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
-endif
-else
-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib'
-endif
-endif
-
-ifeq ($(OS_ARCH), Linux)
-ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
-else
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
-endif
-endif
-
-ifeq ($(OS_ARCH), HP-UX) 
-ifeq ($(OS_TEST), ia64)
-EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
-else
-# pa-risc
-ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS += \
--Wl,+b,'$$ORIGIN/../../lib/pa20_64:$$ORIGIN/../../lib/64:$$ORIGIN/../lib'
-else
-EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
-endif
-endif
-endif
-
-SQLITE=-lsqlite3
-
-ifdef NSS_DISABLE_DBM
-DBMLIB = $(NULL)
-else
-DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) 
-endif
-
-ifdef USE_STATIC_LIBS
-
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
-
-DEFINES += -DNSS_USE_STATIC_LIBS
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-
-PKIXLIB = \
-	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX)
-
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
-	$(CRYPTOLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(PKIXLIB) \
-	$(DBMLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)sqlite3.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
-	$(NULL)
-
-# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
-#OS_LIBS += \
-	wsock32.lib \
-	winmm.lib \
-	$(NULL)
-else
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-
-PKIXLIB = \
-	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
-
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(CRYPTOLIB) \
-	$(DBMLIB) \
-	$(PKIXLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(NULL)
-
-ifeq ($(OS_ARCH), AIX) 
-EXTRA_SHARED_LIBS += -brtl 
-endif
-
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
-# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	$(SQLITE) \
-	-L$(NSSUTIL_LIB_DIR) \
-	-lnssutil3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-endif
-
-ifeq ($(OS_TARGET), SunOS)
-OS_LIBS += -lbsm
-endif
-
-else # USE_STATIC_LIBS
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
-	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
-	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
-	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
-	$(NULL)
-
-# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
-#OS_LIBS += \
-	wsock32.lib \
-	winmm.lib \
-	$(NULL)
-else
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(NULL)
-
-ifeq ($(OS_ARCH), AIX) 
-EXTRA_SHARED_LIBS += -brtl 
-endif
-
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
-# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lssl3 \
-	-lsmime3 \
-	-lnss3 \
-	-L$(NSSUTIL_LIB_DIR) \
-	-lnssutil3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-endif
-
-endif # USE_STATIC_LIBS
-
-# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
-# ZLIB_LIBS to the linker command-line arguments for the system zlib
-# (for example, -lz) in the platform's config file in coreconf.
-ifndef USE_SYSTEM_ZLIB
-ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
-endif
-
-JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
-	$(ZLIB_LIBS) \
-	$(NULL)
diff --git a/security/nss/cmd/platrules.mk b/security/nss/cmd/platrules.mk
deleted file mode 100644
index f32a75d18..000000000
--- a/security/nss/cmd/platrules.mk
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-show:
-	@echo "DEFINES 		= ${DEFINES}"
-	@echo "EXTRA_LIBS	= >$(EXTRA_LIBS)<"
-	@echo "IMPORT_LIBRARY 	= $(IMPORT_LIBRARY)"
-	@echo "LIBRARY 		= $(LIBRARY)"
-	@echo "OBJS 		= $(OBJS)"
-	@echo "OS_ARCH 		= $(OS_ARCH)"
-	@echo "PROGRAM 		= >$(PROGRAM)<"
-	@echo "PROGRAMS 	= $(PROGRAMS)"
-	@echo "SHARED_LIBRARY 	= $(SHARED_LIBRARY)"
-	@echo "TARGETS 		= >$(TARGETS)<"
-
-showplatform:
-	@echo $(PLATFORM)
diff --git a/security/nss/cmd/pp/Makefile b/security/nss/cmd/pp/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/pp/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/pp/manifest.mn b/security/nss/cmd/pp/manifest.mn
deleted file mode 100644
index 698a1e7f7..000000000
--- a/security/nss/cmd/pp/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH	= ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = pp.c
-
-PROGRAM	= pp
diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c
deleted file mode 100644
index e29eaff8f..000000000
--- a/security/nss/cmd/pp/pp.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Pretty-print some well-known BER or DER encoded data (e.g. certificates,
- * keys, pkcs7)
- *
- * $Id$
- */
-
-#include "secutil.h"
-
-#if defined(__sun) && !defined(SVR4)
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-#include "plgetopt.h"
-
-#include "pk11func.h"
-#include "nspr.h"
-#include "nss.h"
-
-static void Usage(char *progName)
-{
-    fprintf(stderr,
-	    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
-	    progName);
-    fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
-	    "-t type", SEC_CT_PRIVATE_KEY);
-    fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
-	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
-    fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);    
-    fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
-	    "-a");
-    fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
-	    "-i input");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    exit(-1);
-}
-
-int main(int argc, char **argv)
-{
-    int rv, ascii;
-    char *progName;
-    FILE *outFile;
-    PRFileDesc *inFile;
-    SECItem der, data;
-    char *typeTag;
-    PLOptState *optstate;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    ascii = 0;
-    inFile = 0;
-    outFile = 0;
-    typeTag = 0;
-    optstate = PL_CreateOptState(argc, argv, "at:i:o:");
-    while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
-	switch (optstate->option) {
-	  case '?':
-	    Usage(progName);
-	    break;
-
-	  case 'a':
-	    ascii = 1;
-	    break;
-
-	  case 'i':
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
-	    if (!inFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 'o':
-	    outFile = fopen(optstate->value, "w");
-	    if (!outFile) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		return -1;
-	    }
-	    break;
-
-	  case 't':
-	    typeTag = strdup(optstate->value);
-	    break;
-	}
-    }
-    PL_DestroyOptState(optstate);
-    if (!typeTag) Usage(progName);
-
-    if (!inFile) inFile = PR_STDIN;
-    if (!outFile) outFile = stdout;
-
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_NoDB_Init(NULL);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: NSS_NoDB_Init failed (%s)\n",
-		progName, SECU_Strerror(PORT_GetError()));
-	exit(1);
-    }
-    SECU_RegisterDynamicOids();
-
-    rv = SECU_ReadDERFromFile(&der, inFile, ascii);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
-	exit(1);
-    }
-
-    /* Data is untyped, using the specified type */
-    data.data = der.data;
-    data.len = der.len;
-
-    /* Pretty print it */
-    if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
-	rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
-			     SECU_PrintCertificate);
-    } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
-	rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
-			     SECU_PrintCertificateRequest);
-    } else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) {
-	rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl);
-#ifdef HAVE_EPV_TEMPLATE
-    } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) {
-	rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
-#endif
-    } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) {
-	rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
-    } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
-	rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
-					"PKCS #7 Content Info", 0);
-    } else {
-	fprintf(stderr, "%s: don't know how to print out '%s' files\n",
-		progName, typeTag);
-	SECU_PrintAny(outFile, &data, "File contains", 0);
-	return -1;
-    }
-
-    if (inFile != PR_STDIN)
-	PR_Close(inFile);
-    PORT_Free(der.data);
-    if (rv) {
-	fprintf(stderr, "%s: problem converting data (%s)\n",
-		progName, SECU_Strerror(PORT_GetError()));
-    }
-    if (NSS_Shutdown() != SECSuccess) {
-	fprintf(stderr, "%s: NSS_Shutdown failed (%s)\n",
-		progName, SECU_Strerror(PORT_GetError()));
-	rv = SECFailure;
-    }
-    PR_Cleanup();
-    return rv;
-}
diff --git a/security/nss/cmd/pwdecrypt/Makefile b/security/nss/cmd/pwdecrypt/Makefile
deleted file mode 100644
index 4d209348e..000000000
--- a/security/nss/cmd/pwdecrypt/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
diff --git a/security/nss/cmd/pwdecrypt/manifest.mn b/security/nss/cmd/pwdecrypt/manifest.mn
deleted file mode 100644
index f0d6c4e6e..000000000
--- a/security/nss/cmd/pwdecrypt/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = \
-	pwdecrypt.c \
-	$(NULL)
-
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
-# WINNT uses EXTRA_LIBS as the list of libs to link in.
-# Unix uses     OS_LIBS for that purpose.
-# We can solve this via conditional makefile code, but 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-# So, look in the local Makefile for the defines for the list of libs.
-
-PROGRAM = pwdecrypt
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/pwdecrypt/pwdecrypt.c b/security/nss/cmd/pwdecrypt/pwdecrypt.c
deleted file mode 100644
index 6a23238dd..000000000
--- a/security/nss/cmd/pwdecrypt/pwdecrypt.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Test program for SDR (Secret Decoder Ring) functions.
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "string.h"
-#include "nss.h"
-#include "secutil.h"
-#include "cert.h"
-#include "pk11func.h"
-#include "nssb64.h"
-
-#include "plgetopt.h"
-#include "pk11sdr.h"
-
-#define DEFAULT_VALUE "Test"
-
-static void
-synopsis (char *program_name)
-{
-    PRFileDesc *pr_stderr;
-
-    pr_stderr = PR_STDERR;
-    PR_fprintf (pr_stderr,
-	"Usage:\t%s [-i <input-file>] [-o <output-file>] [-d <dir>]\n"
-        "      \t[-l logfile] [-p pwd] [-f pwfile]\n", program_name);
-}
-
-
-static void
-short_usage (char *program_name)
-{
-    PR_fprintf (PR_STDERR,
-		"Type %s -H for more detailed descriptions\n",
-		program_name);
-    synopsis (program_name);
-}
-
-
-static void
-long_usage (char *program_name)
-{
-    PRFileDesc *pr_stderr;
-
-    pr_stderr = PR_STDERR;
-    synopsis (program_name);
-    PR_fprintf (pr_stderr, "\nDecode encrypted passwords (and other data).\n");
-    PR_fprintf (pr_stderr, 
-	"This program reads in standard configuration files looking\n"
-	"for base 64 encoded data. Data that looks like it's base 64 encode\n"
-	"is decoded an passed to the NSS SDR code. If the decode and decrypt\n"
-	"is successful, then decrypted data is outputted in place of the\n"
-	"original base 64 data. If the decode or decrypt fails, the original\n"
-	"data is written and the reason for failure is logged to the \n"
-	"optional logfile.\n");
-    PR_fprintf (pr_stderr,
-		"  %-13s Read stream including encrypted data from "
-	        "\"read_file\"\n",
-		"-i read_file");
-    PR_fprintf (pr_stderr,
-		"  %-13s Write results to \"write_file\"\n",
-		"-o write_file");
-    PR_fprintf (pr_stderr,
-		"  %-13s Find security databases in \"dbdir\"\n",
-		"-d dbdir");
-    PR_fprintf (pr_stderr,
-		"  %-13s Log failed decrypt/decode attempts to \"log_file\"\n",
-		"-l log_file");
-    PR_fprintf (pr_stderr,
-		"  %-13s Token password\n",
-		"-p pwd");
-    PR_fprintf (pr_stderr,
-		"  %-13s Password file\n",
-		"-f pwfile");
-}
-
-/*
- * base64 table only used to identify the end of a base64 string 
- */
-static unsigned char b64[256] = {
-/*   0: */        0,      0,      0,      0,      0,      0,      0,      0,
-/*   8: */        0,      0,      0,      0,      0,      0,      0,      0,
-/*  16: */        0,      0,      0,      0,      0,      0,      0,      0,
-/*  24: */        0,      0,      0,      0,      0,      0,      0,      0,
-/*  32: */        0,      0,      0,      0,      0,      0,      0,      0,
-/*  40: */        0,      0,      0,      1,      0,      0,      0,      1,
-/*  48: */        1,      1,      1,      1,      1,      1,      1,      1,
-/*  56: */        1,      1,      0,      0,      0,      0,      0,      0,
-/*  64: */        0,      1,      1,      1,      1,      1,      1,      1,
-/*  72: */        1,      1,      1,      1,      1,      1,      1,      1,
-/*  80: */        1,      1,      1,      1,      1,      1,      1,      1,
-/*  88: */        1,      1,      1,      0,      0,      0,      0,      0,
-/*  96: */        0,      1,      1,      1,      1,      1,      1,      1,
-/* 104: */        1,      1,      1,      1,      1,      1,      1,      1,
-/* 112: */        1,      1,      1,      1,      1,      1,      1,      1,
-/* 120: */        1,      1,      1,      0,      0,      0,      0,      0,
-/* 128: */        0,      0,      0,      0,      0,      0,      0,      0
-};
-
-enum {
-   false = 0,
-   true = 1
-} bool;
-
-int
-isatobchar(int c) { return b64[c] != 0; }
-
-
-#define MAX_STRING 256
-int
-getData(FILE *inFile,char **inString) {
-    int len = 0;
-    int space = MAX_STRING;
-    int oneequal = false;
-    int c;
-    char *string = (char *) malloc(space);
-
-    string[len++]='M';
-
-    while ((c = getc(inFile)) != EOF) {
-	if (len >= space) {
-	    char *newString;
-
-	    space *= 2;
-	    newString = (char *)realloc(string,space);
-	    if (newString == NULL) {
-		ungetc(c,inFile);
-		break;
-	    }
-	    string = newString;
-	}
-	string[len++] = c;
-	if (!isatobchar(c)) {
-	   if (c == '=') {
-		if (oneequal) {
-		    break;
-		}
-		oneequal = true;
-		continue;
-	   } else {
-	       ungetc(c,inFile);
-	       len--;
-	       break;
-	   }
-	}
-	if (oneequal) {
-	   ungetc(c,inFile);
-	   len--;
-	   break;
-	}
-    }
-    if (len >= space) {
-	space += 2;
-	string = (char *)realloc(string,space);
-    }
-    string[len++] = 0;
-    *inString = string;
-    return true;
-}
-
-int
-main (int argc, char **argv)
-{
-    int		 retval = 0;  /* 0 - test succeeded.  -1 - test failed */
-    SECStatus	 rv;
-    PLOptState	*optstate;
-    char	*program_name;
-    char  *input_file = NULL; 	/* read encrypted data from here (or create) */
-    char  *output_file = NULL;	/* write new encrypted data here */
-    char  *log_file = NULL;	/* write new encrypted data here */
-    FILE	*inFile = stdin;
-    FILE	*outFile = stdout;
-    FILE	*logFile = NULL;
-    PLOptStatus optstatus;
-    SECItem	result;
-    int		c;
-    secuPWData  pwdata = { PW_NONE, NULL };
-
-    result.data = 0;
-
-    program_name = PL_strrchr(argv[0], '/');
-    program_name = program_name ? (program_name + 1) : argv[0];
-
-    optstate = PL_CreateOptState (argc, argv, "Hd:f:i:o:l:p:?");
-    if (optstate == NULL) {
-	SECU_PrintError (program_name, "PL_CreateOptState failed");
-	return 1;
-    }
-
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    short_usage (program_name);
-	    return 1;
-
-	  case 'H':
-	    long_usage (program_name);
-	    return 1;
-
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-          case 'i':
-            input_file = PL_strdup(optstate->value);
-            break;
-
-          case 'o':
-            output_file = PL_strdup(optstate->value);
-            break;
-
-          case 'l':
-            log_file = PL_strdup(optstate->value);
-            break;
-
-          case 'f':
-            pwdata.source = PW_FROMFILE;
-            pwdata.data = PL_strdup(optstate->value);
-            break;
-
-          case 'p':
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = PL_strdup(optstate->value);
-            break;
-
-	}
-    }
-    PL_DestroyOptState(optstate);
-    if (optstatus == PL_OPT_BAD) {
-	short_usage (program_name);
-	return 1;
-    }
-
-    if (input_file) {
-      inFile = fopen(input_file,"r");
-      if (inFile == NULL) {
-	perror(input_file);
-	return 1;
-      }
-      PR_Free(input_file);
-    }
-    if (output_file) {
-      outFile = fopen(output_file,"w+");
-      if (outFile == NULL) {
-	perror(output_file);
-	return 1;
-      }
-      PR_Free(output_file);
-    }
-    if (log_file) {
-      logFile = fopen(log_file,"w+");
-      if (logFile == NULL) {
-	perror(log_file);
-	return 1;
-      }
-      PR_Free(log_file);
-    }
-
-    /*
-     * Initialize the Security libraries.
-     */
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-    rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    if (rv != SECSuccess) {
-	SECU_PrintError (program_name, "NSS_Init failed");
-	retval = 1;
-	goto prdone;
-    }
-
-    /* Get the encrypted result, either from the input file
-     * or from encrypting the plaintext value
-     */
-
-    while ((c = getc(inFile)) != EOF) {
-	if (c == 'M') {
-	   char *dataString = NULL;
-	   SECItem *inText;
-
-	   rv = getData(inFile, &dataString);
-	   if (!rv) {
-		fputs(dataString,outFile);
-		free(dataString);
-		continue;
-	   }
-	   inText = NSSBase64_DecodeBuffer(NULL, NULL, dataString,
-							strlen(dataString));
-	   if ((inText == NULL) || (inText->len == 0)) {
-		if (logFile) {
-		    fprintf(logFile,"Base 64 decode failed on <%s>\n",
-								dataString);
-		    fprintf(logFile," Error %x: %s\n",PORT_GetError(),
-			SECU_Strerror(PORT_GetError()));
-		}
-		fputs(dataString,outFile);
-		free(dataString);
-		continue;
-	   }
-	   result.data = NULL;
-	   result.len  = 0;
-	   rv = PK11SDR_Decrypt(inText, &result, &pwdata);
-	   SECITEM_FreeItem(inText, PR_TRUE);
-	   if (rv != SECSuccess) {
-		if (logFile) {
-		    fprintf(logFile,"SDR decrypt failed on <%s>\n",
-								dataString);
-		    fprintf(logFile," Error %x: %s\n",PORT_GetError(),
-			SECU_Strerror(PORT_GetError()));
-		}
-		fputs(dataString,outFile);
-		free(dataString);
-		SECITEM_ZfreeItem(&result, PR_FALSE);
-		continue;
-	   }
-	   /* result buffer has no extra space for a NULL */
-	   fprintf(outFile, "%.*s", result.len, result.data);
-	   SECITEM_ZfreeItem(&result, PR_FALSE);
-         } else {
-	   putc(c,outFile);
-         }
-    }
-
-    fclose(outFile);
-    fclose(inFile);
-    if (logFile) {
-	fclose(logFile);
-    }
-
-    if (NSS_Shutdown() != SECSuccess) {
-	SECU_PrintError (program_name, "NSS_Shutdown failed");
-       exit(1);
-    }
-
-prdone:
-    PR_Cleanup ();
-    return retval;
-}
diff --git a/security/nss/cmd/rsaperf/Makefile b/security/nss/cmd/rsaperf/Makefile
deleted file mode 100644
index 7df60581b..000000000
--- a/security/nss/cmd/rsaperf/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/rsaperf/defkey.c b/security/nss/cmd/rsaperf/defkey.c
deleted file mode 100644
index 1cc04c785..000000000
--- a/security/nss/cmd/rsaperf/defkey.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* This key is the 1024-bit test key used for speed testing of RSA private 
-** key ops.
-*/
-#include "seccomon.h"
-#include "secoidt.h"
-#include "lowkeyti.h"
-
-#undef CONST
-#define CONST
-
-static CONST unsigned char default_n1024[128] = {
-0xc2,0xae,0x96,0x89,0xaf,0xce,0xd0,0x7b,0x3b,0x35,0xfd,0x0f,0xb1,0xf4,0x7a,0xd1,
-0x3c,0x7d,0xb5,0x86,0xf2,0x68,0x36,0xc9,0x97,0xe6,0x82,0x94,0x86,0xaa,0x05,0x39,
-0xec,0x11,0x51,0xcc,0x5c,0xa1,0x59,0xba,0x29,0x18,0xf3,0x28,0xf1,0x9d,0xe3,0xae,
-0x96,0x5d,0x6d,0x87,0x73,0xf6,0xf6,0x1f,0xd0,0x2d,0xfb,0x2f,0x7a,0x13,0x7f,0xc8,
-0x0c,0x7a,0xe9,0x85,0xfb,0xce,0x74,0x86,0xf8,0xef,0x2f,0x85,0x37,0x73,0x0f,0x62,
-0x4e,0x93,0x17,0xb7,0x7e,0x84,0x9a,0x94,0x11,0x05,0xca,0x0d,0x31,0x4b,0x2a,0xc8,
-0xdf,0xfe,0xe9,0x0c,0x13,0xc7,0xf2,0xad,0x19,0x64,0x28,0x3c,0xb5,0x6a,0xc8,0x4b,
-0x79,0xea,0x7c,0xce,0x75,0x92,0x45,0x3e,0xa3,0x9d,0x64,0x6f,0x04,0x69,0x19,0x17
-};
-
-static CONST unsigned char default_e1024[3] = { 0x01,0x00,0x01 };
-
-static CONST unsigned char default_d1024[128] = {
-0x13,0xcb,0xbc,0xf2,0xf3,0x35,0x8c,0x6d,0x7b,0x6f,0xd9,0xf3,0xa6,0x9c,0xbd,0x80,
-0x59,0x2e,0x4f,0x2f,0x11,0xa7,0x17,0x2b,0x18,0x8f,0x0f,0xe8,0x1a,0x69,0x5f,0x6e,
-0xac,0x5a,0x76,0x7e,0xd9,0x4c,0x6e,0xdb,0x47,0x22,0x8a,0x57,0x37,0x7a,0x5e,0x94,
-0x7a,0x25,0xb5,0xe5,0x78,0x1d,0x3c,0x99,0xaf,0x89,0x7d,0x69,0x2e,0x78,0x9d,0x1d,
-0x84,0xc8,0xc1,0xd7,0x1a,0xb2,0x6d,0x2d,0x8a,0xd9,0xab,0x6b,0xce,0xae,0xb0,0xa0,
-0x58,0x55,0xad,0x5c,0x40,0x8a,0xd6,0x96,0x08,0x8a,0xe8,0x63,0xe6,0x3d,0x6c,0x20,
-0x49,0xc7,0xaf,0x0f,0x25,0x73,0xd3,0x69,0x43,0x3b,0xf2,0x32,0xf8,0x3d,0x5e,0xee,
-0x7a,0xca,0xd6,0x94,0x55,0xe5,0xbd,0x25,0x34,0x8d,0x63,0x40,0xb5,0x8a,0xc3,0x01
-};
-
-static CONST unsigned char default_p1024[64] = {
-0xf6,0x3c,0x3f,0x56,0x58,0x4f,0xb3,0x82,0x0c,0xf0,0x5b,0x42,0x36,0x1c,0x93,0xde,
-0x9b,0x32,0x01,0xb1,0x48,0xf8,0x00,0x57,0x9b,0xc1,0xbe,0x66,0xc2,0xbb,0xea,0x7c,
-0x75,0x29,0x2c,0x22,0xaa,0x7c,0xaf,0xbd,0x0d,0x3f,0xb0,0x64,0x97,0xf0,0x88,0x25,
-0xcb,0x8d,0xc7,0x19,0x0a,0x75,0x44,0xa4,0x5a,0xc3,0xb5,0xb9,0x85,0xea,0x27,0xa7
-};
-
-static CONST unsigned char default_q1024[64] = {
-0xca,0x66,0xfa,0x18,0x6a,0x46,0x36,0x1c,0x46,0xfe,0x47,0xe9,0x7e,0x52,0x83,0x8a,
-0xbb,0x72,0x13,0xcc,0x83,0x56,0x3d,0x64,0x22,0xdd,0xfa,0x7c,0x61,0x99,0xea,0xa4,
-0xb3,0x0e,0x8f,0x79,0x10,0xab,0xba,0x4a,0x73,0xd1,0x48,0x40,0x34,0x34,0xd3,0xd2,
-0x54,0x92,0xbe,0xf5,0xc8,0xc4,0x60,0x5f,0xd3,0xf7,0xce,0xbe,0x60,0x3e,0xb1,0x11
-};
-
-static CONST unsigned char default_dModP1024[64] = {
-0x8e,0x80,0xbf,0x87,0x11,0x04,0xcf,0x36,0x6c,0x96,0x8d,0xb9,0xfb,0xe6,0xfe,0x0c,
-0xce,0x74,0x5a,0x56,0x67,0x8c,0x5f,0x66,0x54,0x56,0x04,0x03,0x24,0x9f,0xec,0x4c,
-0xaa,0xe1,0x71,0x11,0x7e,0xe9,0x3a,0x2b,0x87,0x07,0x5c,0xe6,0x5a,0xa8,0x71,0xa2,
-0xad,0xf3,0x17,0x4e,0x7e,0xa6,0xef,0x5a,0xce,0xcc,0x84,0xd7,0x21,0x91,0x29,0xf1
-};
-
-static CONST unsigned char default_dModQ1024[64] = {
-0x87,0x60,0x1d,0x02,0xdb,0x82,0x1e,0x8b,0x07,0x48,0xe8,0x5c,0x59,0xeb,0x62,0xa4,
-0x15,0xff,0x95,0x12,0x82,0xfd,0xd9,0x8d,0xf2,0x6c,0x3a,0x2f,0x9b,0x30,0x51,0x6a,
-0xdb,0x80,0x6f,0xa1,0xef,0xee,0x8c,0x69,0x63,0xd1,0xa4,0xdb,0x9c,0x8f,0x80,0xe5,
-0xfb,0x3f,0x33,0x8e,0x3d,0x3c,0x6b,0xa1,0x6c,0xab,0x20,0x92,0xe0,0xd8,0xcd,0xa1
-};
-
-static CONST unsigned char default_qInvModP1024[64] = {
-0xce,0xcf,0x5a,0xad,0xc4,0x8c,0x44,0x91,0x3a,0xbc,0x7b,0xf8,0x80,0xf8,0x53,0xf5,
-0x12,0x84,0x8c,0x9c,0x6b,0x33,0x93,0x0d,0xa1,0x11,0xea,0xfa,0x4a,0xc1,0xeb,0x48,
-0xdc,0x44,0x86,0x93,0x1b,0x98,0xc7,0x82,0x22,0x68,0x30,0x44,0xd7,0x62,0x1b,0x90,
-0x54,0x07,0x4b,0x66,0xa7,0xc5,0x75,0x5a,0x72,0x77,0x92,0xdd,0x6c,0xf3,0x37,0xab
-};
-
-static CONST unsigned char default_n2048[256] = {
-0xb3,0x9b,0x57,0x2c,0x15,0xdf,0x6c,0x6b,0xfc,0x04,0x83,0x02,0xf5,0xb3,0x2c,0x87,
-0x1b,0x9c,0xbf,0x6c,0x46,0x1d,0xdd,0xe2,0xc0,0x6d,0xfe,0xf9,0x00,0xd1,0x85,0x91,
-0x17,0x0d,0x43,0x67,0xa1,0x1f,0x8b,0xcd,0x22,0x8a,0x93,0xdc,0x9f,0xf0,0x45,0x9e,
-0x58,0x0f,0x99,0x87,0xe6,0x60,0xdf,0x8c,0x1a,0xa3,0x8f,0xc3,0x6c,0xa0,0x49,0x3a,
-0xdb,0x7f,0xd0,0xda,0x48,0x47,0xe3,0xd6,0x1f,0x29,0xcb,0xf2,0x1d,0xf3,0x81,0xd0,
-0x4d,0xf1,0x64,0xcf,0x42,0x8e,0x0f,0xe0,0x10,0x18,0x4c,0x75,0xce,0x96,0x09,0x2e,
-0x52,0xa6,0x96,0xa9,0xe1,0xab,0x3e,0x6f,0xa5,0xd3,0xee,0xd8,0xb2,0x4f,0x17,0x08,
-0x6d,0x43,0xd4,0xb3,0x1c,0x8a,0x4a,0x43,0x06,0xb5,0xab,0xfb,0xf4,0x34,0x2f,0x2f,
-0xe1,0x43,0x7b,0xe0,0x93,0xd0,0xaa,0x42,0xa3,0xb7,0xb7,0x43,0x52,0xeb,0xf3,0x64,
-0x9a,0xbc,0xa7,0xf2,0x39,0xad,0xe4,0x62,0x7d,0xbc,0x31,0x8f,0xbf,0x59,0x93,0x62,
-0x88,0xc5,0xd1,0x62,0x2d,0xe3,0xc7,0x75,0xf9,0xb8,0x00,0x96,0xe0,0x05,0x87,0x35,
-0x86,0x5d,0xeb,0x7c,0x20,0xf6,0xb2,0xb1,0x65,0x1f,0xdc,0x74,0xec,0xf4,0x0e,0xd1,
-0xf2,0x2d,0x06,0x47,0x02,0xc5,0x18,0xdb,0x19,0xb9,0x1b,0x40,0x90,0xc8,0x74,0x5c,
-0xf6,0xe8,0x17,0x64,0xf4,0xcf,0xd3,0x17,0xeb,0xd6,0x0d,0x2b,0xec,0x2a,0x9b,0xcf,
-0xc4,0xf5,0xcc,0x9a,0xc3,0x5c,0x2e,0xf1,0x98,0x25,0x2b,0xe4,0x01,0x02,0x15,0x36,
-0xe1,0xe0,0x2b,0xbe,0xdf,0x23,0xf1,0xde,0x2f,0x1b,0xbb,0x44,0xa7,0x12,0x2c,0x9d
-};
-
-static CONST unsigned char default_e2048[3] = { 0x01,0x00,0x01 };
-
-static CONST unsigned char default_d2048[256] = {
-0x0f,0x03,0x3f,0x08,0x1a,0x53,0xf0,0x96,0x1e,0x1c,0xaa,0x6e,0xc6,0xe6,0xd1,0x24,
-0x01,0xf4,0xda,0x33,0x4c,0xb1,0x16,0x68,0xeb,0xb8,0xc6,0x05,0x3e,0x42,0x45,0x2d,
-0xd9,0x85,0x6c,0x4a,0xef,0x36,0xd9,0xd2,0xad,0xbe,0x73,0x99,0x8f,0x6c,0xe0,0x04,
-0xda,0x4b,0x83,0x83,0xce,0x87,0xee,0x67,0xa1,0x9a,0x66,0x5b,0xe9,0x6a,0x84,0x74,
-0x7d,0x00,0x74,0x0e,0xaa,0xd8,0x07,0x7d,0x50,0x61,0x88,0x00,0x96,0xec,0x51,0xbf,
-0x7d,0xa4,0x5d,0xce,0xcd,0x3b,0x5e,0xac,0x55,0xec,0x12,0x08,0x0e,0xda,0x8f,0xad,
-0xe5,0x8e,0xb3,0x2d,0x44,0x05,0xb2,0x54,0x56,0xc2,0x1e,0x46,0xd2,0xb0,0xb5,0xb6,
-0x28,0x9b,0xf0,0xdd,0x7f,0xd7,0x37,0x59,0xde,0xe7,0xb4,0x96,0x7c,0xd5,0x17,0xd4,
-0x7e,0xe0,0xcb,0xb3,0x3c,0x5f,0x72,0x30,0xbe,0x3c,0x81,0x82,0x8e,0xb9,0xc6,0xa7,
-0x23,0x71,0xf5,0x6f,0xd7,0x56,0xe4,0xee,0x3b,0x2d,0x8f,0x3e,0x43,0x98,0xc8,0xe8,
-0x95,0xfd,0xc3,0x73,0xd3,0x8e,0x38,0x01,0xa5,0xc6,0xbe,0x0c,0x6b,0x6b,0x4f,0x13,
-0x2f,0x66,0x8b,0x85,0xe3,0x9e,0x12,0xc0,0x52,0x60,0xec,0x4a,0xcb,0xfa,0x7e,0x7c,
-0x20,0x9a,0x11,0x16,0x1a,0xb7,0x96,0xd6,0x00,0x7a,0x04,0x7b,0x17,0xcc,0x4c,0x43,
-0xdc,0xd0,0x64,0x45,0x45,0xd3,0x21,0x06,0x8b,0xd6,0xb0,0xf0,0xbf,0x20,0x56,0xfd,
-0x11,0x9c,0x1d,0x82,0xcd,0x34,0x16,0x75,0x63,0xac,0x51,0xd5,0x55,0xb4,0x35,0x0a,
-0xc3,0x8c,0x47,0x01,0x8e,0x99,0x95,0xc5,0x99,0x21,0x79,0x66,0x1a,0xa6,0xb0,0xe9
-};
-
-static CONST unsigned char default_p2048[128] = {
-0xd7,0xaa,0xb4,0x8d,0xb1,0x23,0x67,0x80,0x7b,0x98,0xf7,0xe6,0xfd,0x6d,0x5c,0x98,
-0x34,0x89,0x97,0xbd,0xa8,0x88,0xdd,0xb3,0xe6,0xbc,0x5f,0xb8,0xd6,0xa5,0x14,0x00,
-0x4a,0x54,0x1a,0xbf,0x65,0x64,0x7d,0x39,0x55,0xff,0x27,0x0f,0x2f,0x99,0x57,0xe6,
-0x69,0x89,0x1c,0xc4,0x89,0xff,0xe4,0x1f,0xa5,0x47,0xea,0x1e,0x47,0x07,0xf7,0x46,
-0xa5,0x3a,0x25,0x70,0x9e,0x6d,0xe3,0x83,0xc1,0x9d,0x75,0xf5,0x67,0xb5,0x7f,0x5c,
-0xf8,0x24,0xff,0x85,0x11,0x53,0xff,0x0e,0xbc,0x57,0x6f,0xc7,0x2a,0x36,0xbd,0xdd,
-0x0b,0xe5,0x25,0x04,0x1f,0x48,0xbc,0xdd,0xd6,0x13,0xb8,0xe9,0xfd,0x00,0xba,0x37,
-0x13,0x63,0xc2,0xd4,0x70,0xf8,0x4b,0x09,0x71,0xa8,0xbe,0xca,0x0d,0x68,0x16,0x5f
-};
-
-static CONST unsigned char default_q2048[128] = {
-0xd5,0x32,0x38,0x82,0x14,0xed,0xd1,0x90,0x51,0xef,0x17,0xa2,0x9b,0xc3,0xb0,0x45,
-0x86,0x64,0xbe,0xce,0x8f,0x85,0x78,0x18,0x7a,0xf8,0x3a,0xb7,0x17,0x7b,0x5d,0xf3,
-0xe9,0xd7,0x9d,0xb3,0x2f,0x96,0x35,0x96,0x60,0x38,0xe7,0x96,0xc3,0x08,0xe6,0xf1,
-0xb8,0x16,0xc0,0x1d,0xc9,0x6f,0xd3,0x99,0x14,0x8e,0xd3,0x6a,0x2b,0x6c,0x4d,0xd1,
-0x71,0x1c,0x4c,0x38,0x72,0x18,0x23,0xf9,0xd1,0x6c,0xa2,0x87,0xfe,0x33,0xc2,0x9d,
-0x6e,0xd0,0x80,0x62,0x44,0x7b,0x3a,0x4d,0x2f,0xff,0x5f,0x73,0xe5,0x53,0x32,0x18,
-0x14,0xb2,0xdb,0x6b,0x25,0x7b,0xac,0xb4,0x3b,0x1e,0x5e,0xcd,0xec,0x01,0x99,0xdb,
-0x0c,0x1f,0xc2,0xa6,0x50,0x1d,0x6d,0x7b,0x58,0x75,0x04,0x89,0x5d,0x87,0x86,0x83
-};
-
-static CONST unsigned char default_dModP2048[128] = {
-0xc0,0xba,0x16,0x1b,0xc1,0x3e,0xc8,0x51,0xb3,0x22,0x21,0xf7,0x54,0x66,0x14,0xa7,
-0x17,0xdc,0x15,0xb4,0x31,0x16,0x0e,0x39,0xa4,0x6a,0x96,0x88,0x11,0x98,0xf7,0xe4,
-0xc2,0x87,0xa2,0x57,0x83,0xfe,0x67,0x41,0x83,0xae,0x3e,0x73,0x7d,0xaf,0xe5,0x33,
-0x4d,0x00,0x70,0xaa,0xda,0x3f,0xc8,0xd6,0xd6,0xd7,0x0b,0x4a,0xff,0x63,0x09,0x01,
-0x22,0xca,0x71,0x86,0xd0,0xad,0x96,0xf1,0xb9,0x66,0x43,0x71,0x88,0xba,0x53,0x14,
-0xfb,0xd3,0xe4,0x5c,0x3f,0xfd,0xf6,0x22,0x6f,0x01,0x1c,0x2c,0xb9,0x76,0xad,0xf9,
-0x09,0x96,0x3e,0x9c,0x0e,0x70,0xec,0x06,0xba,0x36,0x69,0xbb,0x00,0x93,0x53,0xd5,
-0xc0,0x08,0x18,0xa5,0xcc,0x46,0xb6,0x97,0xbb,0xf0,0x76,0x7f,0x0d,0xb8,0x04,0xb5
-};
-
-static CONST unsigned char default_dModQ2048[128] = {
-0xa9,0x18,0xfd,0x43,0x07,0xf0,0x9d,0x50,0x77,0xfc,0x48,0xe5,0xdb,0xe0,0x39,0xd6,
-0xdb,0x42,0xdb,0x28,0xa1,0x23,0x7e,0xdf,0x03,0xe2,0x11,0x48,0x19,0xa2,0xeb,0x21,
-0x44,0xaf,0x95,0x50,0x83,0x85,0x03,0x99,0xf3,0x56,0x0f,0x32,0x40,0x1d,0xb6,0x77,
-0xb0,0xc8,0xb2,0xb6,0xad,0x88,0x39,0xef,0xe8,0x23,0x64,0xc2,0x88,0x10,0x8e,0x24,
-0x7a,0x2f,0xb4,0xb0,0xec,0xa6,0x03,0x1a,0xe9,0xa5,0xdd,0xc0,0x39,0xba,0xba,0x38,
-0xfe,0xa4,0xf7,0xbf,0x79,0x8b,0xb7,0xf1,0x73,0x09,0x7d,0x9f,0x42,0x1c,0x5b,0xd6,
-0x47,0xcc,0x99,0x46,0x81,0xe3,0x77,0x57,0x38,0xb0,0xdd,0x07,0x3d,0x93,0x03,0x82,
-0x7f,0x3a,0x4d,0xbc,0x76,0x3c,0xf1,0x12,0x6d,0x55,0xdb,0x34,0x4c,0xef,0xea,0x9b
-};
-
-static CONST unsigned char default_qInvModP2048[128] = {
-0x77,0xd9,0x45,0xd4,0xd2,0xd1,0x46,0xa8,0xaf,0x57,0x8f,0x5e,0x4f,0x6b,0x24,0x0f,
-0xb4,0xaa,0xff,0x92,0x86,0x78,0xa8,0xc1,0x69,0x9c,0x54,0xe9,0x81,0xa1,0x9c,0x26,
-0x11,0x5d,0xfa,0xff,0x70,0x9e,0xa3,0xf3,0xe3,0x78,0x41,0x2b,0x31,0x35,0x09,0xa2,
-0x5c,0x5f,0x6e,0x4d,0xad,0xeb,0x4a,0xe0,0xb1,0xce,0x2c,0x22,0x59,0x72,0x4c,0x17,
-0xad,0x71,0x5c,0x25,0xca,0x4f,0x00,0xc6,0xee,0x63,0x10,0x8e,0xf7,0xbe,0xa4,0x55,
-0x22,0x0d,0x2c,0xb9,0xe5,0xa9,0x72,0x07,0xa2,0xb1,0x29,0xf2,0x4a,0x9f,0xde,0x70,
-0x0c,0x28,0xb7,0x60,0x12,0x9d,0x4b,0x04,0xd7,0xe3,0xd7,0xc5,0x71,0xdf,0x5c,0xc0,
-0x65,0x75,0x6e,0xfb,0xc6,0x3e,0x61,0x4c,0xc2,0xdf,0xb3,0xd3,0xba,0x17,0x36,0x24
-};
-
-static struct NSSLOWKEYPrivateKeyStr rsaPriv;
-
-NSSLOWKEYPrivateKey *
-getDefaultRSAPrivateKey(int keysize)
-{
-    if (rsaPriv.keyType != NSSLOWKEYRSAKey) {
-
-	/* leaving arena uninitialized. It isn't used in this test. */
-
-	rsaPriv.keyType                     = NSSLOWKEYRSAKey;
-
-	/* leaving arena   uninitialized. It isn't used. */
-	/* leaving version uninitialized. It isn't used. */
-
-        if (keysize == 2048) {
-	    rsaPriv.u.rsa.modulus.data          =        default_n2048;
-	    rsaPriv.u.rsa.modulus.len           = sizeof default_n2048;
-	    rsaPriv.u.rsa.publicExponent.data   =        default_e2048;
-	    rsaPriv.u.rsa.publicExponent.len    = sizeof default_e2048;
-	    rsaPriv.u.rsa.privateExponent.data  =        default_d2048;
-	    rsaPriv.u.rsa.privateExponent.len   = sizeof default_d2048;
-	    rsaPriv.u.rsa.prime1.data           =        default_p2048;
-	    rsaPriv.u.rsa.prime1.len            = sizeof default_p2048;
-	    rsaPriv.u.rsa.prime2.data           =        default_q2048;
-	    rsaPriv.u.rsa.prime2.len            = sizeof default_q2048;
-	    rsaPriv.u.rsa.exponent1.data        =        default_dModP2048;
-	    rsaPriv.u.rsa.exponent1.len         = sizeof default_dModP2048;
-	    rsaPriv.u.rsa.exponent2.data        =        default_dModQ2048;
-	    rsaPriv.u.rsa.exponent2.len         = sizeof default_dModQ2048;
-	    rsaPriv.u.rsa.coefficient.data      =        default_qInvModP2048;
-	    rsaPriv.u.rsa.coefficient.len       = sizeof default_qInvModP2048;
-	} else {
-	    rsaPriv.u.rsa.modulus.data          =        default_n1024;
-	    rsaPriv.u.rsa.modulus.len           = sizeof default_n1024;
-	    rsaPriv.u.rsa.publicExponent.data   =        default_e1024;
-	    rsaPriv.u.rsa.publicExponent.len    = sizeof default_e1024;
-	    rsaPriv.u.rsa.privateExponent.data  =        default_d1024;
-	    rsaPriv.u.rsa.privateExponent.len   = sizeof default_d1024;
-	    rsaPriv.u.rsa.prime1.data           =        default_p1024;
-	    rsaPriv.u.rsa.prime1.len            = sizeof default_p1024;
-	    rsaPriv.u.rsa.prime2.data           =        default_q1024;
-	    rsaPriv.u.rsa.prime2.len            = sizeof default_q1024;
-	    rsaPriv.u.rsa.exponent1.data        =        default_dModP1024;
-	    rsaPriv.u.rsa.exponent1.len         = sizeof default_dModP1024;
-	    rsaPriv.u.rsa.exponent2.data        =        default_dModQ1024;
-	    rsaPriv.u.rsa.exponent2.len         = sizeof default_dModQ1024;
-	    rsaPriv.u.rsa.coefficient.data      =        default_qInvModP1024;
-	    rsaPriv.u.rsa.coefficient.len       = sizeof default_qInvModP1024;
-	}
-    }
-    return &rsaPriv;
-}
-
-static struct NSSLOWKEYPublicKeyStr rsaPub;
-
-NSSLOWKEYPublicKey *
-getDefaultRSAPublicKey(int keysize)
-{
-    if (rsaPub.keyType != NSSLOWKEYRSAKey) {
-
-	rsaPub.keyType			   = NSSLOWKEYRSAKey;
-
-        if (keysize == 2048) {
-	    rsaPub.u.rsa.modulus.data          =        default_n2048;
-	    rsaPub.u.rsa.modulus.len           = sizeof default_n2048;
-
-	    rsaPub.u.rsa.publicExponent.data   =        default_e2048;
-	    rsaPub.u.rsa.publicExponent.len    = sizeof default_e2048;
-	} else {
-	    rsaPub.u.rsa.modulus.data          =        default_n1024;
-	    rsaPub.u.rsa.modulus.len           = sizeof default_n1024;
-
-	    rsaPub.u.rsa.publicExponent.data   =        default_e1024;
-	    rsaPub.u.rsa.publicExponent.len    = sizeof default_e1024;
-	}
-    }
-    return &rsaPub;
-}
-
-/*  modPop = 536, privPop = 531, ex1Pop = 261, ex2Pop = 257
- *  After 46 tries, found this key:
- *  Version: 0 (0x0)
- *  Modulus:
- *      c2:ae:96:89:af:ce:d0:7b:3b:35:fd:0f:b1:f4:7a:d1:3c:7d:b5:
- *      86:f2:68:36:c9:97:e6:82:94:86:aa:05:39:ec:11:51:cc:5c:a1:
- *      59:ba:29:18:f3:28:f1:9d:e3:ae:96:5d:6d:87:73:f6:f6:1f:d0:
- *      2d:fb:2f:7a:13:7f:c8:0c:7a:e9:85:fb:ce:74:86:f8:ef:2f:85:
- *      37:73:0f:62:4e:93:17:b7:7e:84:9a:94:11:05:ca:0d:31:4b:2a:
- *      c8:df:fe:e9:0c:13:c7:f2:ad:19:64:28:3c:b5:6a:c8:4b:79:ea:
- *      7c:ce:75:92:45:3e:a3:9d:64:6f:04:69:19:17
- *  Public Exponent: 65537 (0x10001)
- *  Private Exponent:
- *      13:cb:bc:f2:f3:35:8c:6d:7b:6f:d9:f3:a6:9c:bd:80:59:2e:4f:
- *      2f:11:a7:17:2b:18:8f:0f:e8:1a:69:5f:6e:ac:5a:76:7e:d9:4c:
- *      6e:db:47:22:8a:57:37:7a:5e:94:7a:25:b5:e5:78:1d:3c:99:af:
- *      89:7d:69:2e:78:9d:1d:84:c8:c1:d7:1a:b2:6d:2d:8a:d9:ab:6b:
- *      ce:ae:b0:a0:58:55:ad:5c:40:8a:d6:96:08:8a:e8:63:e6:3d:6c:
- *      20:49:c7:af:0f:25:73:d3:69:43:3b:f2:32:f8:3d:5e:ee:7a:ca:
- *      d6:94:55:e5:bd:25:34:8d:63:40:b5:8a:c3:01
- *  Prime 1:
- *      f6:3c:3f:56:58:4f:b3:82:0c:f0:5b:42:36:1c:93:de:9b:32:01:
- *      b1:48:f8:00:57:9b:c1:be:66:c2:bb:ea:7c:75:29:2c:22:aa:7c:
- *      af:bd:0d:3f:b0:64:97:f0:88:25:cb:8d:c7:19:0a:75:44:a4:5a:
- *      c3:b5:b9:85:ea:27:a7
- *  Prime 2:
- *      ca:66:fa:18:6a:46:36:1c:46:fe:47:e9:7e:52:83:8a:bb:72:13:
- *      cc:83:56:3d:64:22:dd:fa:7c:61:99:ea:a4:b3:0e:8f:79:10:ab:
- *      ba:4a:73:d1:48:40:34:34:d3:d2:54:92:be:f5:c8:c4:60:5f:d3:
- *      f7:ce:be:60:3e:b1:11
- *  Exponent 1:
- *      8e:80:bf:87:11:04:cf:36:6c:96:8d:b9:fb:e6:fe:0c:ce:74:5a:
- *      56:67:8c:5f:66:54:56:04:03:24:9f:ec:4c:aa:e1:71:11:7e:e9:
- *      3a:2b:87:07:5c:e6:5a:a8:71:a2:ad:f3:17:4e:7e:a6:ef:5a:ce:
- *      cc:84:d7:21:91:29:f1
- *  Exponent 2:
- *      87:60:1d:02:db:82:1e:8b:07:48:e8:5c:59:eb:62:a4:15:ff:95:
- *      12:82:fd:d9:8d:f2:6c:3a:2f:9b:30:51:6a:db:80:6f:a1:ef:ee:
- *      8c:69:63:d1:a4:db:9c:8f:80:e5:fb:3f:33:8e:3d:3c:6b:a1:6c:
- *      ab:20:92:e0:d8:cd:a1
- *  Coefficient:
- *      ce:cf:5a:ad:c4:8c:44:91:3a:bc:7b:f8:80:f8:53:f5:12:84:8c:
- *      9c:6b:33:93:0d:a1:11:ea:fa:4a:c1:eb:48:dc:44:86:93:1b:98:
- *      c7:82:22:68:30:44:d7:62:1b:90:54:07:4b:66:a7:c5:75:5a:72:
- *      77:92:dd:6c:f3:37:ab
- */
diff --git a/security/nss/cmd/rsaperf/manifest.mn b/security/nss/cmd/rsaperf/manifest.mn
deleted file mode 100644
index 2c820e3ce..000000000
--- a/security/nss/cmd/rsaperf/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-DEPTH	= ../../..
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = dbm seccmd 
-
-# DIRS = 
-
-CSRCS	= rsaperf.c defkey.c 
-
-PROGRAM	= rsaperf
-
-USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c
deleted file mode 100644
index 78b707255..000000000
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ /dev/null
@@ -1,714 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "seccomon.h"
-#include "cert.h"
-#include "secutil.h"
-#include "nspr.h"
-#include "nss.h"
-#include "blapi.h"
-#include "plgetopt.h"
-#include "lowkeyi.h"
-#include "pk11pub.h"
-
-
-#define DEFAULT_ITERS           10
-#define DEFAULT_DURATION        10
-#define DEFAULT_KEY_BITS        1024
-#define MIN_KEY_BITS            512
-#define MAX_KEY_BITS            65536
-#define BUFFER_BYTES            MAX_KEY_BITS / 8
-#define DEFAULT_THREADS         1
-#define DEFAULT_EXPONENT        0x10001
-
-extern NSSLOWKEYPrivateKey * getDefaultRSAPrivateKey(void);
-extern NSSLOWKEYPublicKey  * getDefaultRSAPublicKey(void);
-
-secuPWData pwData = { PW_NONE, NULL };
-
-typedef struct TimingContextStr TimingContext;
-
-struct TimingContextStr {
-    PRTime start;
-    PRTime end;
-    PRTime interval;
-
-    long  days;     
-    int   hours;    
-    int   minutes;  
-    int   seconds;  
-    int   millisecs;
-};
-
-TimingContext *CreateTimingContext(void) {
-    return PORT_Alloc(sizeof(TimingContext));
-}
-
-void DestroyTimingContext(TimingContext *ctx) {
-    PORT_Free(ctx);
-}
-
-void TimingBegin(TimingContext *ctx, PRTime begin) {
-    ctx->start = begin;
-}
-
-static void timingUpdate(TimingContext *ctx) {
-    PRInt64 tmp, remaining;
-    PRInt64 L1000,L60,L24;
-
-    LL_I2L(L1000,1000);
-    LL_I2L(L60,60);
-    LL_I2L(L24,24);
-
-    LL_DIV(remaining, ctx->interval, L1000);
-    LL_MOD(tmp, remaining, L1000);
-    LL_L2I(ctx->millisecs, tmp);
-    LL_DIV(remaining, remaining, L1000);
-    LL_MOD(tmp, remaining, L60);
-    LL_L2I(ctx->seconds, tmp);
-    LL_DIV(remaining, remaining, L60);
-    LL_MOD(tmp, remaining, L60);
-    LL_L2I(ctx->minutes, tmp);
-    LL_DIV(remaining, remaining, L60);
-    LL_MOD(tmp, remaining, L24);
-    LL_L2I(ctx->hours, tmp);
-    LL_DIV(remaining, remaining, L24);
-    LL_L2I(ctx->days, remaining);
-}
-
-void TimingEnd(TimingContext *ctx, PRTime end) {
-    ctx->end = end;
-    LL_SUB(ctx->interval, ctx->end, ctx->start);
-    PORT_Assert(LL_GE_ZERO(ctx->interval));
-    timingUpdate(ctx);
-}
-
-void TimingDivide(TimingContext *ctx, int divisor) {
-    PRInt64 tmp;
-
-    LL_I2L(tmp, divisor);
-    LL_DIV(ctx->interval, ctx->interval, tmp);
-
-    timingUpdate(ctx);
-}
-
-char *TimingGenerateString(TimingContext *ctx) {
-    char *buf = NULL;
-
-    if (ctx->days != 0) {
-	buf = PR_sprintf_append(buf, "%d days", ctx->days);
-    }
-    if (ctx->hours != 0) {
-	if (buf != NULL) buf = PR_sprintf_append(buf, ", ");
-	buf = PR_sprintf_append(buf, "%d hours", ctx->hours);
-    }
-    if (ctx->minutes != 0) {
-	if (buf != NULL) buf = PR_sprintf_append(buf, ", ");
-	buf = PR_sprintf_append(buf, "%d minutes", ctx->minutes);
-    }
-    if (buf != NULL) buf = PR_sprintf_append(buf, ", and ");
-    if (!buf && ctx->seconds == 0) {
-	int interval;
-	LL_L2I(interval, ctx->interval);
-    	if (ctx->millisecs < 100) 
-	    buf = PR_sprintf_append(buf, "%d microseconds", interval);
-	else
-	    buf = PR_sprintf_append(buf, "%d milliseconds", ctx->millisecs);
-    } else if (ctx->millisecs == 0) {
-	buf = PR_sprintf_append(buf, "%d seconds", ctx->seconds);
-    } else {
-	buf = PR_sprintf_append(buf, "%d.%03d seconds",
-				ctx->seconds, ctx->millisecs);
-    }
-    return buf;
-}
-
-void
-Usage(char *progName)
-{
-    fprintf(stderr, "Usage: %s [-s | -e] [-i iterations | -p period] "
-            "[-t threads]\n[-n none [-k keylength] [ [-g] -x exponent] |\n"
-            " -n token:nickname [-d certdir] [-w password] |\n"
-            " -h token [-d certdir] [-w password] [-g] [-k keylength] "
-            "[-x exponent] [-f pwfile]\n",
-	    progName);
-    fprintf(stderr, "%-20s Cert database directory (default is ~/.netscape)\n",
-	    "-d certdir");
-    fprintf(stderr, "%-20s How many operations to perform\n", "-i iterations");
-    fprintf(stderr, "%-20s How many seconds to run\n", "-p period");
-    fprintf(stderr, "%-20s Perform signing (private key) operations\n", "-s");
-    fprintf(stderr, "%-20s Perform encryption (public key) operations\n","-e");
-    fprintf(stderr, "%-20s Nickname of certificate or key, prefixed "
-            "by optional token name\n", "-n nickname");
-    fprintf(stderr, "%-20s PKCS#11 token to perform operation with.\n",
-            "-h token");
-    fprintf(stderr, "%-20s key size in bits, from %d to %d\n", "-k keylength",
-            MIN_KEY_BITS, MAX_KEY_BITS);
-    fprintf(stderr, "%-20s token password\n", "-w password");
-    fprintf(stderr, "%-20s temporary key generation. Not for token keys.\n",
-            "-g");
-    fprintf(stderr, "%-20s set public exponent for keygen\n", "-x");
-    fprintf(stderr, "%-20s Number of execution threads (default 1)\n",
-            "-t threads");
-    exit(-1);
-}
-
-static void
-dumpBytes( unsigned char * b, int l)
-{
-    int i;
-    if (l <= 0)
-        return;
-    for (i = 0; i < l; ++i) {
-        if (i % 16 == 0)
-            printf("\t");
-        printf(" %02x", b[i]);
-        if (i % 16 == 15)
-            printf("\n");
-    }
-    if ((i % 16) != 0)
-        printf("\n");
-}
-
-static void
-dumpItem( SECItem * item, const char * description)
-{
-    if (item->len & 1 && item->data[0] == 0) {
-	printf("%s: (%d bytes)\n", description, item->len - 1);
-	dumpBytes(item->data + 1, item->len - 1);
-    } else {
-	printf("%s: (%d bytes)\n", description, item->len);
-	dumpBytes(item->data, item->len);
-    }
-}
-
-void
-printPrivKey(NSSLOWKEYPrivateKey * privKey)
-{
-    RSAPrivateKey *rsa = &privKey->u.rsa;
-
-    dumpItem( &rsa->modulus, 		"n");
-    dumpItem( &rsa->publicExponent, 	"e");
-    dumpItem( &rsa->privateExponent, 	"d");
-    dumpItem( &rsa->prime1, 		"P");
-    dumpItem( &rsa->prime2, 		"Q");
-    dumpItem( &rsa->exponent1, 	        "d % (P-1)");
-    dumpItem( &rsa->exponent2, 	        "d % (Q-1)");
-    dumpItem( &rsa->coefficient, 	"(Q ** -1) % P");
-    puts("");
-}
-
-typedef SECStatus (* RSAOp)(void *               key, 
-			    unsigned char *      output,
-		            unsigned char *      input);
-
-typedef struct {
-    SECKEYPublicKey* pubKey;
-    SECKEYPrivateKey* privKey;
-} PK11Keys;
-
-
-SECStatus PK11_PublicKeyOp (SECKEYPublicKey*     key,
-			    unsigned char *      output,
-		            unsigned char *      input)
-{
-    return PK11_PubEncryptRaw(key, output, input, key->u.rsa.modulus.len,
-                              NULL);
-}
-
-SECStatus PK11_PrivateKeyOp (PK11Keys*            keys,
-			     unsigned char *      output,
-		             unsigned char *      input)
-{
-    unsigned outLen = 0;
-    return PK11_PrivDecryptRaw(keys->privKey,
-                               output, &outLen,
-                               keys->pubKey->u.rsa.modulus.len, input,
-                               keys->pubKey->u.rsa.modulus.len);
-}
-typedef struct ThreadRunDataStr ThreadRunData;
-
-struct ThreadRunDataStr {
-    const PRBool        *doIters;
-    const void          *rsaKey;
-    const unsigned char *buf;
-    RSAOp                fn;
-    int                  seconds;
-    long                 iters;
-    long                 iterRes;
-    PRErrorCode          errNum;
-    SECStatus            status;
-};
-
-
-void ThreadExecFunction(void *data)
-{
-    ThreadRunData *tdata = (ThreadRunData*)data;
-    unsigned char buf2[BUFFER_BYTES];
-
-    tdata->status = SECSuccess;
-    if (*tdata->doIters) {
-        long i = tdata->iters;
-        tdata->iterRes = 0;
-        while (i--) {
-            SECStatus rv = tdata->fn((void*)tdata->rsaKey, buf2,
-                                     (unsigned char*)tdata->buf);
-            if (rv != SECSuccess) {
-                tdata->errNum = PORT_GetError();
-                tdata->status = rv;
-                break;
-            }
-            tdata->iterRes++;
-        }
-    } else {
-        PRIntervalTime total = PR_SecondsToInterval(tdata->seconds);
-        PRIntervalTime start = PR_IntervalNow();
-        tdata->iterRes = 0;
-        while (PR_IntervalNow() - start < total) {
-            SECStatus rv = tdata->fn((void*)tdata->rsaKey, buf2,
-                                     (unsigned char*)tdata->buf);
-            if (rv != SECSuccess) {
-                tdata->errNum = PORT_GetError();
-                tdata->status = rv;
-                break;
-            }
-            tdata->iterRes++;
-        }
-    }
-}
-
-#define INT_ARG(arg,def) atol(arg)>0?atol(arg):def
-
-int
-main(int argc, char **argv)
-{
-    TimingContext *	  timeCtx       = NULL;
-    SECKEYPublicKey *	  pubHighKey    = NULL;
-    SECKEYPrivateKey *    privHighKey   = NULL;
-    NSSLOWKEYPrivateKey * privKey       = NULL;
-    NSSLOWKEYPublicKey *  pubKey        = NULL;
-    CERTCertificate *	  cert          = NULL;
-    char *		  progName      = NULL;
-    char *		  secDir 	= NULL;
-    char *		  nickname 	= NULL;
-    char *                slotname      = NULL;
-    long                  keybits     = 0;
-    RSAOp                 fn;
-    void *                rsaKey        = NULL;
-    PLOptState *          optstate;
-    PLOptStatus           optstatus;
-    long 		  iters 	= DEFAULT_ITERS;
-    int		 	  i;
-    PRBool 		  doPriv 	= PR_FALSE;
-    PRBool 		  doPub 	= PR_FALSE;
-    int 		  rv;
-    unsigned char 	  buf[BUFFER_BYTES];
-    unsigned char 	  buf2[BUFFER_BYTES];
-    int                   seconds       = DEFAULT_DURATION;
-    PRBool                doIters       = PR_FALSE;
-    PRBool                doTime        = PR_FALSE;
-    PRBool                useTokenKey   = PR_FALSE; /* use PKCS#11 token
-                                                       object key */
-    PRBool                useSessionKey = PR_FALSE; /* use PKCS#11 session
-                                                       object key */
-    PRBool                useBLKey = PR_FALSE;      /* use freebl */
-    PK11SlotInfo*         slot          = NULL;     /* slot for session
-                                                       object key operations */
-    PRBool                doKeyGen      = PR_FALSE;
-    int                   publicExponent  = DEFAULT_EXPONENT;
-    PK11Keys keys;
-    int peCount = 0;
-    CK_BYTE pubEx[4];
-    SECItem pe;
-    RSAPublicKey          pubKeyStr;
-    int                   threadNum     = DEFAULT_THREADS;
-    ThreadRunData      ** runDataArr = NULL;
-    PRThread           ** threadsArr = NULL;
-    int                   calcThreads = 0;
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "d:ef:gh:i:k:n:p:st:w:x:");
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	case '?':
-	    Usage(progName);
-	    break;
-	case 'd':
-	    secDir = PORT_Strdup(optstate->value);
-	    break;
-	case 'i':
-	    iters = INT_ARG(optstate->value, DEFAULT_ITERS);
-	    doIters = PR_TRUE;
-	    break;
-	case 's':
-	    doPriv = PR_TRUE;
-	    break;
-	case 'e':
-	    doPub = PR_TRUE;
-	    break;
-	case 'g':
-	    doKeyGen = PR_TRUE;
-	    break;
-	case 'n':
-	    nickname = PORT_Strdup(optstate->value);
-            /* for compatibility, nickname of "none" means go to freebl */
-            if (nickname && strcmp(nickname, "none")) {
-	        useTokenKey = PR_TRUE;
-            } else {
-                useBLKey = PR_TRUE;
-            }
-	    break;
-	case 'p':
-	    seconds = INT_ARG(optstate->value, DEFAULT_DURATION);
-	    doTime = PR_TRUE;
-            break;
-	case 'h':
-	    slotname = PORT_Strdup(optstate->value);
-	    useSessionKey = PR_TRUE;
-	    break;
-	case 'k':
-	    keybits = INT_ARG(optstate->value, DEFAULT_KEY_BITS);
-	    break;
-	case 'w':
-	    pwData.data = PORT_Strdup(optstate->value);;
-	    pwData.source = PW_PLAINTEXT;
-	    break;
-        case 'f':
-            pwData.data = PORT_Strdup(optstate->value);
-            pwData.source = PW_FROMFILE;
-            break;
-	case 'x':
-	    /*  -x public exponent (for RSA keygen)  */
-	    publicExponent = INT_ARG(optstate->value, DEFAULT_EXPONENT);
-	    break;
-	case 't':
-	    threadNum = INT_ARG(optstate->value, DEFAULT_THREADS);
-	    break;
-	}
-    }
-    if (optstatus == PL_OPT_BAD)
-	Usage(progName);
-
-    if ((doPriv && doPub) || (doIters && doTime) ||
-        ((useTokenKey + useSessionKey + useBLKey) != PR_TRUE) ||
-        (useTokenKey && keybits) || (useTokenKey && doKeyGen) ||
-        (keybits && (keybits<MIN_KEY_BITS || keybits>MAX_KEY_BITS))) {
-        Usage(progName);
-    }
-
-    if (!doPriv && !doPub) doPriv = PR_TRUE;
-
-    if (doIters && doTime) Usage(progName);
-
-    if (!doTime) {
-        doIters = PR_TRUE;
-    }
-
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-    secDir = SECU_ConfigDirectory(secDir);
-
-    if (useTokenKey || useSessionKey) {
-	rv = NSS_Init(secDir);
-	if (rv != SECSuccess) {
-	    fprintf(stderr, "NSS_Init failed.\n");
-	    exit(1);
-	}
-    } else {
-	rv = NSS_NoDB_Init(NULL);
-	if (rv != SECSuccess) {
-	    fprintf(stderr, "NSS_NoDB_Init failed.\n");
-	    exit(1);
-	}
-    }
-
-    if (useTokenKey) {
-        CK_OBJECT_HANDLE kh = CK_INVALID_HANDLE;
-        CERTCertDBHandle* certdb = NULL;
-	certdb = CERT_GetDefaultCertDB();
-        
-        cert = PK11_FindCertFromNickname(nickname, &pwData);
-        if (cert == NULL) {
-            fprintf(stderr,
-                    "Can't find certificate by name \"%s\"\n", nickname);
-            exit(1);
-        }
-        pubHighKey = CERT_ExtractPublicKey(cert);
-        if (pubHighKey == NULL) {
-            fprintf(stderr, "Can't extract public key from certificate");
-            exit(1);
-        }
-
-        if (doPub) {
-            /* do public key ops */
-            fn = (RSAOp)PK11_PublicKeyOp;
-            rsaKey = (void *) pubHighKey;
-                
-            kh = PK11_ImportPublicKey(cert->slot, pubHighKey, PR_FALSE);
-            if (CK_INVALID_HANDLE == kh) {
-                fprintf(stderr,
-                        "Unable to import public key to certificate slot.");
-                exit(1);
-            }
-            pubHighKey->pkcs11Slot = PK11_ReferenceSlot(cert->slot);
-            pubHighKey->pkcs11ID = kh;
-            printf("Using PKCS#11 for RSA encryption with token %s.\n",
-                   PK11_GetTokenName(cert->slot));
-        } else {
-            /* do private key ops */
-            privHighKey = PK11_FindKeyByAnyCert(cert, &pwData);
-            if (privHighKey == NULL) {
-                fprintf(stderr,
-                        "Can't find private key by name \"%s\"\n", nickname);
-                exit(1);
-            }
-    
-            SECKEY_CacheStaticFlags(privHighKey);
-            fn = (RSAOp)PK11_PrivateKeyOp;
-            keys.privKey = privHighKey;
-            keys.pubKey = pubHighKey;
-            rsaKey = (void *) &keys;
-            printf("Using PKCS#11 for RSA decryption with token %s.\n",
-                   PK11_GetTokenName(privHighKey->pkcs11Slot));
-        }        
-    } else
-
-    if (useSessionKey) {
-        /* use PKCS#11 session key objects */
-        PK11RSAGenParams   rsaparams;
-        void             * params;
-
-        slot = PK11_FindSlotByName(slotname); /* locate target slot */
-        if (!slot) {
-            fprintf(stderr, "Can't find slot \"%s\"\n", slotname);
-            exit(1);
-        }
-
-        doKeyGen = PR_TRUE; /* Always do a keygen for session keys.
-                               Import of hardcoded key is not supported */
-        /* do a temporary keygen in selected slot */        
-        if (!keybits) {
-            keybits = DEFAULT_KEY_BITS;
-        }
-
-        printf("Using PKCS#11 with %ld bits session key in token %s.\n",
-               keybits, PK11_GetTokenName(slot));
-
-        rsaparams.keySizeInBits = keybits;
-        rsaparams.pe = publicExponent;
-        params = &rsaparams;
-
-        fprintf(stderr,"\nGenerating RSA key. This may take a few moments.\n");
-
-        privHighKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                           params, &pubHighKey, PR_FALSE,
-                                           PR_FALSE, (void*)&pwData);
-        if (!privHighKey) {
-            fprintf(stderr,
-                    "Key generation failed in token \"%s\"\n",
-                    PK11_GetTokenName(slot));
-            exit(1);
-        }
-
-        SECKEY_CacheStaticFlags(privHighKey);
-        
-        fprintf(stderr,"Keygen completed.\n");
-
-        if (doPub) {
-            /* do public key operations */
-            fn = (RSAOp)PK11_PublicKeyOp;
-            rsaKey = (void *) pubHighKey;
-        } else {
-            /* do private key operations */
-            fn = (RSAOp)PK11_PrivateKeyOp;
-            keys.privKey = privHighKey;
-            keys.pubKey = pubHighKey;
-            rsaKey = (void *) &keys;
-        }        
-    } else
-        
-    {
-        /* use freebl directly */
-        if (!keybits) {
-            keybits = DEFAULT_KEY_BITS;
-        }
-        if (!doKeyGen) {
-            if (keybits != DEFAULT_KEY_BITS) {
-                doKeyGen = PR_TRUE;
-            }
-        }
-        printf("Using freebl with %ld bits key.\n", keybits);
-        if (doKeyGen) {
-            fprintf(stderr,"\nGenerating RSA key. "
-                    "This may take a few moments.\n");
-            for (i=0; i < 4; i++) {
-                if (peCount || (publicExponent & ((unsigned long)0xff000000L >>
-                                                  (i*8)))) {
-                    pubEx[peCount] =  (CK_BYTE)((publicExponent >>
-                                                 (3-i)*8) & 0xff);
-                    peCount++;
-                }
-            }
-            pe.len = peCount;
-            pe.data = &pubEx[0];
-            pe.type = siBuffer;
-
-            rsaKey = RSA_NewKey(keybits, &pe);
-            fprintf(stderr,"Keygen completed.\n");
-        } else {
-            /* use a hardcoded key */
-            printf("Using hardcoded %ld bits key.\n", keybits);
-            if (doPub) {
-                pubKey = getDefaultRSAPublicKey();
-            } else {
-                privKey = getDefaultRSAPrivateKey();
-            }
-        }
-
-        if (doPub) {
-            /* do public key operations */
-            fn = (RSAOp)RSA_PublicKeyOp;
-            if (rsaKey) {
-                /* convert the RSAPrivateKey to RSAPublicKey */
-                pubKeyStr.arena = NULL;
-                pubKeyStr.modulus = ((RSAPrivateKey*)rsaKey)->modulus;
-                pubKeyStr.publicExponent =
-                    ((RSAPrivateKey*)rsaKey)->publicExponent;
-                rsaKey = &pubKeyStr;
-            } else {
-                /* convert NSSLOWKeyPublicKey to RSAPublicKey */
-                rsaKey = (void *)(&pubKey->u.rsa);
-            }
-            PORT_Assert(rsaKey);
-        } else {
-            /* do private key operations */
-            fn = (RSAOp)RSA_PrivateKeyOp;
-            if (privKey) {
-                /* convert NSSLOWKeyPrivateKey to RSAPrivateKey */
-                rsaKey = (void *)(&privKey->u.rsa);
-            }
-            PORT_Assert(rsaKey);
-        }
-    }
-
-    memset(buf, 1, sizeof buf);
-    rv = fn(rsaKey, buf2, buf);
-    if (rv != SECSuccess) {
-	PRErrorCode errNum;
-	const char * errStr = NULL;
-
-	errNum = PORT_GetError();
-	if (errNum)
-	    errStr = SECU_Strerror(errNum);
-	else
-	    errNum = rv;
-	if (!errStr)
-	    errStr = "(null)";
-	fprintf(stderr, "Error in RSA operation: %d : %s\n", errNum, errStr);
-	exit(1);
-    }
-
-    threadsArr = (PRThread**)PORT_Alloc(threadNum*sizeof(PRThread*));
-    runDataArr = (ThreadRunData**)PORT_Alloc(threadNum*sizeof(ThreadRunData*));
-    timeCtx = CreateTimingContext();
-    TimingBegin(timeCtx, PR_Now());
-    for (i = 0;i < threadNum;i++) {
-        runDataArr[i] = (ThreadRunData*)PORT_Alloc(sizeof(ThreadRunData));
-        runDataArr[i]->fn = fn;
-        runDataArr[i]->buf = buf;
-        runDataArr[i]->doIters = &doIters;
-        runDataArr[i]->rsaKey = rsaKey;
-        runDataArr[i]->seconds = seconds;
-        runDataArr[i]->iters = iters;
-        threadsArr[i] = 
-            PR_CreateThread(PR_USER_THREAD,
-                 ThreadExecFunction,
-                 (void*) runDataArr[i],
-                 PR_PRIORITY_NORMAL,
-                 PR_GLOBAL_THREAD,
-                 PR_JOINABLE_THREAD,
-                 0);
-    }
-    iters = 0;
-    calcThreads = 0;
-    for (i = 0;i < threadNum;i++, calcThreads++)
-    {
-        PR_JoinThread(threadsArr[i]);
-        if (runDataArr[i]->status != SECSuccess) {
-            const char * errStr = SECU_Strerror(runDataArr[i]->errNum);
-            fprintf(stderr, "Thread %d: Error in RSA operation: %d : %s\n",
-                    i, runDataArr[i]->errNum, errStr);
-            calcThreads -= 1;
-        } else {
-            iters += runDataArr[i]->iterRes;
-        }
-        PORT_Free((void*)runDataArr[i]);
-    }
-    PORT_Free(runDataArr);
-    PORT_Free(threadsArr);
-
-    TimingEnd(timeCtx, PR_Now());
-    
-    printf("%ld iterations in %s\n",
-	   iters, TimingGenerateString(timeCtx));
-    printf("%.2f operations/s .\n", ((double)(iters)*(double)1000000.0) /
-           (double)timeCtx->interval );
-    TimingDivide(timeCtx, iters);
-    printf("one operation every %s\n", TimingGenerateString(timeCtx));
-
-    if (pubHighKey) {
-        SECKEY_DestroyPublicKey(pubHighKey);
-    }
-
-    if (privHighKey) {
-         SECKEY_DestroyPrivateKey(privHighKey);
-    }
-
-    if (cert) {
-        CERT_DestroyCertificate(cert);
-    }
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    return 0;
-}
diff --git a/security/nss/cmd/samples/cert b/security/nss/cmd/samples/cert
deleted file mode 100644
index 3f8ec48df..000000000
--- a/security/nss/cmd/samples/cert
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB7TCCAVYCAgMaMA0GCSqGSIb3DQEBBAUAMEcxCzAJBgNVBAYTAlVTMRAwDgYD
-VQQLEwdUZXN0IENBMSYwJAYDVQQKEx1OZXRzY2FwZSBDb21tdW5pY2F0aW9ucyBD
-b3JwLjAeFw05NTEyMDgwMjQwMjdaFw05NjAzMDcwMjQwMjdaMDgxFjAUBgNVBAMT
-DURhdmlkIGthcmx0b24xETAPBgNVBAoTCE5ldHNjYXBlMQswCQYDVQQGEwJVUzCB
-nTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEAltV2TH+QxqlgfUFk+UyiYAjByxrC
-dCSIa/FwRaPceLvE7ycD9L6AC4JA6k58E6ICsr/Y8TsXT4UmZhhLNc50VgSo8cGQ
-lajqIDvntq8M1uCXiVOnXmIAqoB6E8GiqW+9evOkgkumMksSwXiXAhMM7vJt3IU6
-b+FwdF5cRs0u1FUCAQMwDQYJKoZIhvcNAQEEBQADgYEAkFdr3ypcvI2+Xgwfp7+d
-YtN7w4UnQ7LR9FKmlnBauTVLmUtichn/O3WMT9cYTtZm5QQVRaE3qrGh0Nr6Ko1E
-nIHowd36TN45zkFraWoATfCV/f+P37WaADp20l2ryEY0Jpe4gnoeZ0+/ffoxyajC
-LZEJL6Dv2Ed83cebLjYxKsI=
-
------END CERTIFICATE-----
-
diff --git a/security/nss/cmd/samples/cert0 b/security/nss/cmd/samples/cert0
deleted file mode 100644
index 05cdc8553..000000000
--- a/security/nss/cmd/samples/cert0
+++ /dev/null
diff --git a/security/nss/cmd/samples/cert1 b/security/nss/cmd/samples/cert1
deleted file mode 100644
index 38a7d299a..000000000
--- a/security/nss/cmd/samples/cert1
+++ /dev/null
diff --git a/security/nss/cmd/samples/cert2 b/security/nss/cmd/samples/cert2
deleted file mode 100644
index 147c3eb9e..000000000
--- a/security/nss/cmd/samples/cert2
+++ /dev/null
diff --git a/security/nss/cmd/samples/pkcs7.ber b/security/nss/cmd/samples/pkcs7.ber
deleted file mode 100644
index 6e3814c37..000000000
--- a/security/nss/cmd/samples/pkcs7.ber
+++ /dev/null
diff --git a/security/nss/cmd/samples/pkcs7bday.ber b/security/nss/cmd/samples/pkcs7bday.ber
deleted file mode 100644
index 0ee6cfc13..000000000
--- a/security/nss/cmd/samples/pkcs7bday.ber
+++ /dev/null
diff --git a/security/nss/cmd/samples/pkcs7cnet.ber b/security/nss/cmd/samples/pkcs7cnet.ber
deleted file mode 100644
index df2bb2dd1..000000000
--- a/security/nss/cmd/samples/pkcs7cnet.ber
+++ /dev/null
diff --git a/security/nss/cmd/samples/pkcs7news.ber b/security/nss/cmd/samples/pkcs7news.ber
deleted file mode 100644
index c46a1786d..000000000
--- a/security/nss/cmd/samples/pkcs7news.ber
+++ /dev/null
diff --git a/security/nss/cmd/samples/x509v3.der b/security/nss/cmd/samples/x509v3.der
deleted file mode 100644
index 1ada57c56..000000000
--- a/security/nss/cmd/samples/x509v3.der
+++ /dev/null
diff --git a/security/nss/cmd/samples/x509v3.txt b/security/nss/cmd/samples/x509v3.txt
deleted file mode 100644
index dde307697..000000000
--- a/security/nss/cmd/samples/x509v3.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-MIIByzCCAXWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBLMQswCQYDVQQGEwJVUzEW
-MBQGA1UEChMNVmVyaVNpZ24gSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxDjAM
-BgNVBAMTBUphc29uMB4XDTk1MDgwODA3MDAwMFoXDTk2MDgwNzA3MDAwMFowSzEL
-MAkGA1UEBhMCVVMxFjAUBgNVBAoTDVZlcmlTaWduIEluYy4xFDASBgNVBAsTC0Vu
-Z2luZWVyaW5nMQ4wDAYDVQQDEwVKYXNvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
-QQCvpXRU9t3NPFXvxJz2vuxX4zI55AA+xY1PsAEadhwWEMF2EnpG8woF4EGTwLdx
-xrw3Eirzu5RAAhqegCN1aPVBAgMBAAGjRDBCMBQGA2FiYwEB/wQKZXh0ZW5zaW9u
-MTAUBgNkZWYBAf8ECmV4dGVuc2lvbjIwFAYDZ2hpAQH/BApleHRlbnNpb24zMA0G
-CSqGSIb3DQEBBAUAA0EAawLNWFSYMtywAqkSYJb1gejljqi9QAtLZIM2ui+RCTP2
-jEjW5bp4oU1RX2iBSfU+MdEZx9DpMNjqBLrgOy1Djw==
diff --git a/security/nss/cmd/sdrtest/Makefile b/security/nss/cmd/sdrtest/Makefile
deleted file mode 100644
index 4d209348e..000000000
--- a/security/nss/cmd/sdrtest/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
diff --git a/security/nss/cmd/sdrtest/manifest.mn b/security/nss/cmd/sdrtest/manifest.mn
deleted file mode 100644
index 383f1e83c..000000000
--- a/security/nss/cmd/sdrtest/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = \
-	sdrtest.c \
-	$(NULL)
-
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
-# WINNT uses EXTRA_LIBS as the list of libs to link in.
-# Unix uses     OS_LIBS for that purpose.
-# We can solve this via conditional makefile code, but 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-# So, look in the local Makefile for the defines for the list of libs.
-
-PROGRAM = sdrtest
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/sdrtest/sdrtest.c b/security/nss/cmd/sdrtest/sdrtest.c
deleted file mode 100644
index a50eb23e1..000000000
--- a/security/nss/cmd/sdrtest/sdrtest.c
+++ /dev/null
@@ -1,451 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Test program for SDR (Secret Decoder Ring) functions.
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "string.h"
-#include "nss.h"
-#include "secutil.h"
-#include "cert.h"
-#include "pk11func.h"
-
-#include "plgetopt.h"
-#include "pk11sdr.h"
-#include "nssb64.h"
-
-#define DEFAULT_VALUE "Test"
-static const char default_value[] = { DEFAULT_VALUE };
-
-PRFileDesc *pr_stderr;
-PRBool      verbose = PR_FALSE;
-
-static void
-synopsis (char *program_name)
-{
-    PR_fprintf (pr_stderr, 
-"Usage: %s [<common>] -i <input-file>\n"
-"       %s [<common>]  -o <output-file>\n"
-"       <common> [-d dir] [-v] [-t text] [-a] [-f pwfile | -p pwd]\n",
-	program_name, program_name);
-}
-
-static void
-short_usage (char *program_name)
-{
-    PR_fprintf (pr_stderr,
-		"Type %s -H for more detailed descriptions\n",
-		program_name);
-    synopsis (program_name);
-}
-
-
-static void
-long_usage (char *program_name)
-{
-    synopsis (program_name);
-    PR_fprintf (pr_stderr, "\nSecret Decoder Test:\n");
-    PR_fprintf (pr_stderr,
-		"  %-13s Read encrypted data from \"file\"\n",
-		"-i file");
-    PR_fprintf (pr_stderr,
-		"  %-13s Write newly generated encrypted data to \"file\"\n",
-		"-o file");
-    PR_fprintf (pr_stderr,
-		"  %-13s Use \"text\" as the plaintext for encryption and verification\n",
-		"-t text");
-    PR_fprintf (pr_stderr,
-		"  %-13s Find security databases in \"dbdir\"\n",
-		"-d dbdir");
-    PR_fprintf (pr_stderr,
-		"  %-13s read the password from \"pwfile\"\n",
-		"-f pwfile");
-    PR_fprintf (pr_stderr,
-		"  %-13s supply \"password\" on the command line\n",
-		"-p password");
-}
-
-int 
-readStdin(SECItem * result)
-{
-  int bufsize = 0;
-  int cc;
-  int wanted  = 8192;
-
-  result->len = 0;
-  result->data = NULL;
-  do {
-    if (bufsize < wanted) {
-      unsigned char * tmpData = (unsigned char *)realloc(result->data, wanted);
-      if (!tmpData) {
-	if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
-	return -1;
-      }
-      result->data = tmpData;
-      bufsize = wanted;
-    }
-    cc = PR_Read(PR_STDIN, result->data + result->len, bufsize - result->len);
-    if (cc > 0) {
-      result->len += (unsigned)cc;
-      if (result->len >= wanted) 
-        wanted *= 2;
-    }
-  } while (cc > 0);
-  return cc;
-}
-
-int
-readInputFile(const char * filename, SECItem * result)
-{
-  PRFileDesc *file /* = PR_OpenFile(input_file, 0) */;
-  PRFileInfo info;
-  PRStatus s;
-  PRInt32 count;
-  int retval = -1;
-
-  file = PR_Open(filename, PR_RDONLY, 0);
-  if (!file) {
-    if (verbose) PR_fprintf(pr_stderr, "Open of file %s failed\n", filename);
-    goto loser;
-  }
-
-  s = PR_GetOpenFileInfo(file, &info);
-  if (s != PR_SUCCESS) {
-    if (verbose) PR_fprintf(pr_stderr, "File info operation failed\n");
-    goto file_loser;
-  }
-
-  result->len = info.size;
-  result->data = (unsigned char *)malloc(result->len);
-  if (!result->data) {
-    if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
-    goto file_loser;
-  }
-
-  count = PR_Read(file, result->data, result->len);
-  if (count != result->len) {
-    if (verbose) PR_fprintf(pr_stderr, "Read failed\n");
-    goto file_loser;
-  }
-  retval = 0;
-
-file_loser:
-  PR_Close(file);
-loser:
-  return retval;
-}
-
-int
-main (int argc, char **argv)
-{
-    int		 retval = 0;  /* 0 - test succeeded.  -1 - test failed */
-    SECStatus	 rv;
-    PLOptState	*optstate;
-    PLOptStatus  optstatus;
-    char	*program_name;
-    const char  *input_file = NULL; 	/* read encrypted data from here (or create) */
-    const char  *output_file = NULL;	/* write new encrypted data here */
-    const char  *value = default_value;	/* Use this for plaintext */
-    SECItem     data;
-    SECItem     result = {0, 0, 0};
-    SECItem     text;
-    PRBool      ascii = PR_FALSE;
-    secuPWData  pwdata = { PW_NONE, 0 };
-
-    pr_stderr = PR_STDERR;
-    result.data = 0;
-    text.data = 0; text.len = 0;
-
-    program_name = PL_strrchr(argv[0], '/');
-    program_name = program_name ? (program_name + 1) : argv[0];
-
-    optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
-    if (optstate == NULL) {
-	SECU_PrintError (program_name, "PL_CreateOptState failed");
-	return -1;
-    }
-
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	    short_usage (program_name);
-	    return retval;
-
-	  case 'H':
-	    long_usage (program_name);
-	    return retval;
-
-	  case 'a':
-	    ascii = PR_TRUE;
-	    break;
-
-	  case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-
-          case 'i':
-            input_file = optstate->value;
-            break;
-
-          case 'o':
-            output_file = optstate->value;
-            break;
-
-          case 't':
-            value = optstate->value;
-            break;
-
-	  case 'f':
-	    if (pwdata.data) {
-		PORT_Free(pwdata.data);
-		short_usage(program_name);
-		return -1;
-	    }
-	    pwdata.source = PW_FROMFILE;
-	    pwdata.data = PORT_Strdup(optstate->value);
-	    break;
-
-	  case 'p':
-	    if (pwdata.data) {
-		PORT_Free(pwdata.data);
-		short_usage(program_name);
-		return -1;
-	    }
-	    pwdata.source = PW_PLAINTEXT;
-	    pwdata.data = PORT_Strdup(optstate->value);
-	    break;
-
-          case 'v':
-            verbose = PR_TRUE;
-            break;
-	}
-    }
-    PL_DestroyOptState(optstate);
-    if (optstatus == PL_OPT_BAD) {
-	short_usage (program_name);
-	return -1;
-    }
-    if (!output_file && !input_file && value == default_value) {
-	short_usage (program_name);
-	PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
-	return -1;
-    }
-
-    /*
-     * Initialize the Security libraries.
-     */
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    if (output_file) {
-	rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
-    } else {
-	rv = NSS_Init(SECU_ConfigDirectory(NULL));
-    }
-    if (rv != SECSuccess) {
-	SECU_PrintError(program_name, "NSS_Init failed");
-	retval = -1;
-	goto prdone;
-    }
-
-    /* Convert value into an item */
-    data.data = (unsigned char *)value;
-    data.len = strlen(value);
-
-    /* Get the encrypted result, either from the input file
-     * or from encrypting the plaintext value
-     */
-    if (input_file)
-    {
-      if (verbose) printf("Reading data from %s\n", input_file);
-
-      if (!strcmp(input_file, "-")) {
-	retval = readStdin(&result);
-        ascii = PR_TRUE;
-      } else {
-        retval = readInputFile(input_file, &result);
-      }
-      if (retval != 0) 
-	goto loser;
-      if (ascii) {
-	/* input was base64 encoded.  Decode it. */
-	SECItem newResult = {0, 0, 0};
-	SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult, 
-	                       (const char *)result.data, result.len);
-	if (!ok) {
-	  SECU_PrintError(program_name, "Base 64 decode failed");
-	  retval = -1;
-	  goto loser;
-	}
-	free(result.data);
-	result = *ok;
-      }
-    }
-    else
-    {
-      SECItem keyid = { 0, 0, 0 };
-      SECItem outBuf = { 0, 0, 0 };
-      PK11SlotInfo *slot = NULL;
-
-      /* sigh, initialize the key database */
-      slot = PK11_GetInternalKeySlot();
-      if (slot && PK11_NeedUserInit(slot)) {
-	switch (pwdata.source) {
-	case PW_FROMFILE:
-	    rv = SECU_ChangePW(slot, 0, pwdata.data);
-	    break;
-	case PW_PLAINTEXT:
-	    rv = SECU_ChangePW(slot, pwdata.data, 0);
-	    break;
-	default:
-            rv = SECU_ChangePW(slot, "", 0);
-	    break;
-	}
-        if (rv != SECSuccess) {
-            SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
-                                    PK11_GetSlotName(slot));
-            return SECFailure;
-        }
-      }
-      if (slot) {
-	PK11_FreeSlot(slot);
-      }
-
-      rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
-      if (rv != SECSuccess) {
-        if (verbose) 
-	  SECU_PrintError(program_name, "Encrypt operation failed\n");
-        retval = -1;
-        goto loser;
-      }
-
-      if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
-
-      if (!strcmp(output_file, "-")) {
-        ascii = PR_TRUE;
-      }
-
-      if (ascii) {
-      	/* base64 encode output. */
-	char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
-	if (!newResult) {
-	  SECU_PrintError(program_name, "Base 64 encode failed\n");
-	  retval = -1;
-	  goto loser;
-	}
-	outBuf.data = (unsigned char *)newResult;
-	outBuf.len  = strlen(newResult);
-	if (verbose) 
-	  printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
-      } else {
-	outBuf = result;
-      }
-
-      /* -v printf("Result is %.*s\n", text.len, text.data); */
-      if (output_file) {
-         PRFileDesc *file;
-         PRInt32 count;
-
-         if (verbose) printf("Writing result to %s\n", output_file);
-	 if (!strcmp(output_file, "-")) {
-	   file = PR_STDOUT;
-	 } else {
-	   /* Write to file */
-	   file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
-	 }
-         if (!file) {
-            if (verbose) 
-		SECU_PrintError(program_name, 
-                                "Open of output file %s failed\n",
-                                output_file);
-            retval = -1;
-            goto loser;
-         }
-
-         count = PR_Write(file, outBuf.data, outBuf.len);
-
-	 if (file == PR_STDOUT) {
-	   puts("");
-	 } else {
-	   PR_Close(file);
-	 }
-
-         if (count != outBuf.len) {
-           if (verbose) SECU_PrintError(program_name, "Write failed\n");
-           retval = -1;
-           goto loser;
-         }
-	 if (ascii) {
-	   free(outBuf.data);
-	 }
-      }
-    }
-
-    /* Decrypt the value */
-    rv = PK11SDR_Decrypt(&result, &text, &pwdata);
-    if (rv != SECSuccess) {
-      if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
-      retval = -1; 
-      goto loser;
-    }
-
-    if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
-
-    /* Compare to required value */
-    if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
-    {
-      if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
-      retval = -1;
-      goto loser;
-    }
-
-loser:
-    if (text.data) free(text.data);
-    if (result.data) free(result.data);
-    if (NSS_Shutdown() != SECSuccess) {
-       exit(1);
-    }
-
-prdone:
-    PR_Cleanup ();
-    if (pwdata.data) {
-	PORT_Free(pwdata.data);
-    }
-    return retval;
-}
diff --git a/security/nss/cmd/selfserv/Makefile b/security/nss/cmd/selfserv/Makefile
deleted file mode 100644
index 4de295a9c..000000000
--- a/security/nss/cmd/selfserv/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/selfserv/manifest.mn b/security/nss/cmd/selfserv/manifest.mn
deleted file mode 100644
index f1f1516f3..000000000
--- a/security/nss/cmd/selfserv/manifest.mn
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = selfserv.c
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-PROGRAM = selfserv
-
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
deleted file mode 100644
index 4c3d8e322..000000000
--- a/security/nss/cmd/selfserv/selfserv.c
+++ /dev/null
@@ -1,2293 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* -r flag is interepreted as follows:
- *	1 -r  means request, not require, on initial handshake.
- *	2 -r's mean request  and require, on initial handshake.
- *	3 -r's mean request, not require, on second handshake.
- *	4 -r's mean request  and require, on second handshake.
- */
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#if defined(_WINDOWS)
-#include <process.h>	/* for getpid() */
-#endif
-
-#include <signal.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "prio.h"
-#include "prerror.h"
-#include "prnetdb.h"
-#include "prclist.h"
-#include "plgetopt.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "nss.h"
-#include "ssl.h"
-#include "sslproto.h"
-#include "cert.h"
-#include "certt.h"
-
-#ifndef PORT_Sprintf
-#define PORT_Sprintf sprintf
-#endif
-
-#ifndef PORT_Strstr
-#define PORT_Strstr strstr
-#endif
-
-#ifndef PORT_Malloc
-#define PORT_Malloc PR_Malloc
-#endif
-
-int NumSidCacheEntries = 1024;
-
-static int handle_connection( PRFileDesc *, PRFileDesc *, int );
-
-static const char envVarName[] = { SSL_ENV_VAR_NAME };
-static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
-
-#define DEFAULT_BULK_TEST 16384
-#define MAX_BULK_TEST     1048576 /* 1 MB */
-static PRBool testBulk;
-static PRUint32 testBulkSize       = DEFAULT_BULK_TEST;
-static PRUint32 testBulkTotal;
-static char* testBulkBuf;
-static PRDescIdentity log_layer_id = PR_INVALID_IO_LAYER;
-static PRFileDesc *loggingFD;
-static PRIOMethods loggingMethods;
-
-static PRBool logStats;
-static PRBool loggingLayer;
-static int logPeriod = 30;
-static PRUint32 loggerOps;
-static PRUint32 loggerBytes;
-static PRUint32 loggerBytesTCP;
-static PRUint32 bulkSentChunks;
-
-const int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,			/* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,		/* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,		/* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,	/* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
-    0
-};
-
-const int ssl3CipherSuites[] = {
-    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
-    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
-    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
-    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
-    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
-    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
-    -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, 	 * o */
-    -1, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,	 * p */
-    -1, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,	 * q */
-    -1, /* SSL_DHE_RSA_WITH_DES_CBC_SHA,	 * r */
-    -1, /* SSL_DHE_DSS_WITH_DES_CBC_SHA,	 * s */
-    -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA,	 * t */
-    -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA,	 * u */
-    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
-    -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA,	 * w */
-    -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA,	 * x */
-    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
-    0
-};
-
-/* data and structures for shutdown */
-static int	stopping;
-
-static PRBool  noDelay;
-static int     requestCert;
-static int	verbose;
-static SECItem	bigBuf;
-
-static PRThread * acceptorThread;
-
-static PRLogModuleInfo *lm;
-
-#define PRINTF  if (verbose)  printf
-#define FPRINTF if (verbose) fprintf
-#define FLUSH	if (verbose) { fflush(stdout); fflush(stderr); }
-#define VLOG(arg) PR_LOG(lm,PR_LOG_DEBUG,arg)
-
-static void
-Usage(const char *progName)
-{
-    fprintf(stderr, 
-
-"Usage: %s -n rsa_nickname -p port [-3BDENRSTbjlmrsuvx] [-w password]\n"
-"         [-t threads] [-i pid_file] [-c ciphers] [-d dbdir] [-g numblocks]\n"
-"         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
-#ifdef NSS_ENABLE_ECC
-"         [-C SSLCacheEntries] [-e ec_nickname]\n"
-#else
-"         [-C SSLCacheEntries]\n"
-#endif /* NSS_ENABLE_ECC */
-"-S means disable SSL v2\n"
-"-3 means disable SSL v3\n"
-"-T means disable TLS\n"
-"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
-"-q checks for bypassability\n"
-"-D means disable Nagle delays in TCP\n"
-"-E means disable export ciphersuites and SSL step down key gen\n"
-"-R means disable detection of rollback from TLS to SSL3\n"
-"-b means try binding to the port and exit\n"
-"-m means test the model-socket feature of SSL_ImportFD.\n"
-"-r flag is interepreted as follows:\n"
-"    1 -r  means request, not require, cert on initial handshake.\n"
-"    2 -r's mean request  and require, cert on initial handshake.\n"
-"    3 -r's mean request, not require, cert on second handshake.\n"
-"    4 -r's mean request  and require, cert on second handshake.\n"
-"-s means disable SSL socket locking for performance\n"
-"-u means enable Session Ticket extension for TLS.\n"
-"-v means verbose output\n"
-"-x means use export policy.\n"
-"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
-"-M maxProcs tells how many processes to run in a multi-process server\n"
-"-N means do NOT use the server session cache.  Incompatible with -M.\n"
-"-t threads -- specify the number of threads to use for connections.\n"
-"-i pid_file file to write the process id of selfserve\n"
-"-l means use local threads instead of global threads\n"
-"-g numblocks means test throughput by sending total numblocks chunks\n"
-"    of size 16kb to the client, 0 means unlimited (default=0)\n"
-"-j means measure TCP throughput (for use with -g option)\n"
-"-C SSLCacheEntries sets the maximum number of entries in the SSL\n" 
-"    session cache\n"
-"-c ciphers   Letter(s) chosen from the following list\n"
-"A    SSL2 RC4 128 WITH MD5\n"
-"B    SSL2 RC4 128 EXPORT40 WITH MD5\n"
-"C    SSL2 RC2 128 CBC WITH MD5\n"
-"D    SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
-"E    SSL2 DES 64 CBC WITH MD5\n"
-"F    SSL2 DES 192 EDE3 CBC WITH MD5\n"
-"\n"
-"c    SSL3 RSA WITH RC4 128 MD5\n"
-"d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
-"e    SSL3 RSA WITH DES CBC SHA\n"
-"f    SSL3 RSA EXPORT WITH RC4 40 MD5\n"
-"g    SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
-"i    SSL3 RSA WITH NULL MD5\n"
-"j    SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
-"k    SSL3 RSA FIPS WITH DES CBC SHA\n"
-"l    SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
-"m    SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
-"n    SSL3 RSA WITH RC4 128 SHA\n"
-"v    SSL3 RSA WITH AES 128 CBC SHA\n"
-"y    SSL3 RSA WITH AES 256 CBC SHA\n"
-"z    SSL3 RSA WITH NULL SHA\n"
-"\n"
-":WXYZ  Use cipher with hex code { 0xWX , 0xYZ } in TLS\n"
-	,progName);
-}
-
-static const char *
-errWarn(char * funcString)
-{
-    PRErrorCode  perr      = PR_GetError();
-    const char * errString = SECU_Strerror(perr);
-
-    fprintf(stderr, "selfserv: %s returned error %d:\n%s\n",
-            funcString, perr, errString);
-    return errString;
-}
-
-static void
-errExit(char * funcString)
-{
-    errWarn(funcString);
-    exit(3);
-}
-
-
-/**************************************************************************
-** 
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-/* disable all the SSL cipher suites */
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    printf("SSL_CipherPrefSetDefault rejected suite 0x%04x (i = %d)\n",
-	    	   suite, i);
-	    errWarn("SSL_CipherPrefSetDefault");
-	}
-    }
-}
-
-/* disable all the export SSL cipher suites */
-SECStatus
-disableExportSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv           = SECSuccess;
-    SSLCipherSuiteInfo info;
-
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-	SECStatus status;
-	status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info);
-	if (status != SECSuccess) {
-	    printf("SSL_GetCipherSuiteInfo rejected suite 0x%04x (i = %d)\n",
-		   suite, i);
-	    errWarn("SSL_GetCipherSuiteInfo");
-	    rv = SECFailure;
-	    continue;
-	}
-	if (info.cipherSuite != suite) {
-	    printf(
-"SSL_GetCipherSuiteInfo returned wrong suite! Wanted 0x%04x, Got 0x%04x\n",
-		   suite, i);
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    rv = SECFailure;
-	    continue;
-	}
-	/* should check here that info.length >= offsetof isExportable */
-	if (info.isExportable) {
-	    status = SSL_CipherPolicySet(suite, SSL_NOT_ALLOWED);
-	    if (status != SECSuccess) {
-		printf("SSL_CipherPolicySet rejected suite 0x%04x (i = %d)\n",
-		       suite, i);
-		errWarn("SSL_CipherPolicySet");
-		rv = SECFailure;
-	    }
-	}
-    }
-    return rv;
-}
-
-static SECStatus
-mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
-		     PRBool isServer)
-{
-    SECStatus rv;
-    CERTCertificate *    peerCert;
-
-    peerCert = SSL_PeerCertificate(fd);
-
-    PRINTF("selfserv: Subject: %s\nselfserv: Issuer : %s\n",
-           peerCert->subjectName, peerCert->issuerName);
-
-    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
-
-    if (rv == SECSuccess) {
-	PRINTF("selfserv: -- SSL3: Certificate Validated.\n");
-    } else {
-    	int err = PR_GetError();
-	FPRINTF(stderr, "selfserv: -- SSL3: Certificate Invalid, err %d.\n%s\n", 
-                err, SECU_Strerror(err));
-    }
-    CERT_DestroyCertificate(peerCert);
-    FLUSH;
-    return rv;  
-}
-
-void
-printSSLStatistics()
-{
-    SSL3Statistics *  ssl3stats = SSL_GetStatistics();
-
-    printf(
-	"selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
-	"          %ld stateless resumes, %ld ticket parse failures\n",
-	ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
-	ssl3stats->hch_sid_cache_not_ok, ssl3stats->hch_sid_stateless_resumes,
-	ssl3stats->hch_sid_ticket_parse_failures);
-}
-
-void 
-printSecurityInfo(PRFileDesc *fd)
-{
-    CERTCertificate * cert      = NULL;
-    SECStatus         result;
-    SSLChannelInfo    channel;
-    SSLCipherSuiteInfo suite;
-
-    if (verbose)
-	printSSLStatistics();
-
-    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
-    if (result == SECSuccess && 
-        channel.length == sizeof channel && 
-	channel.cipherSuite) {
-	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
-					&suite, sizeof suite);
-	if (result == SECSuccess) {
-	    FPRINTF(stderr, 
-	    "selfserv: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
-	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
-	       suite.effectiveKeyBits, suite.symCipherName, 
-	       suite.macBits, suite.macAlgorithmName);
-	    FPRINTF(stderr, 
-	    "selfserv: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
-	       channel.authKeyBits, suite.authAlgorithmName,
-	       channel.keaKeyBits,  suite.keaTypeName);
-    	}
-    }
-    if (requestCert)
-	cert = SSL_PeerCertificate(fd);
-    else
-	cert = SSL_LocalCertificate(fd);
-    if (cert) {
-	char * ip = CERT_NameToAscii(&cert->issuer);
-	char * sp = CERT_NameToAscii(&cert->subject);
-        if (sp) {
-	    FPRINTF(stderr, "selfserv: subject DN: %s\n", sp);
-	    PORT_Free(sp);
-	}
-        if (ip) {
-	    FPRINTF(stderr, "selfserv: issuer  DN: %s\n", ip);
-	    PORT_Free(ip);
-	}
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-    }
-    FLUSH;
-}
-
-static int MakeCertOK;
-
-static SECStatus
-myBadCertHandler( void *arg, PRFileDesc *fd)
-{
-    int err = PR_GetError();
-    if (!MakeCertOK)
-	fprintf(stderr, 
-	    "selfserv: -- SSL: Client Certificate Invalid, err %d.\n%s\n", 
-            err, SECU_Strerror(err));
-    return (MakeCertOK ? SECSuccess : SECFailure);
-}
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-#define MIN_THREADS 3
-#define DEFAULT_THREADS 8
-#define MAX_THREADS 4096
-#define MAX_PROCS 25
-static int  maxThreads = DEFAULT_THREADS;
-
-
-typedef struct jobStr {
-    PRCList     link;
-    PRFileDesc *tcp_sock;
-    PRFileDesc *model_sock;
-    int         requestCert;
-} JOB;
-
-static PZLock    * qLock; /* this lock protects all data immediately below */
-static PRLock    * lastLoadedCrlLock; /* this lock protects lastLoadedCrl variable */
-static PZCondVar * jobQNotEmptyCv;
-static PZCondVar * freeListNotEmptyCv;
-static PZCondVar * threadCountChangeCv;
-static int  threadCount;
-static PRCList  jobQ;
-static PRCList  freeJobs;
-static JOB *jobTable;
-
-SECStatus
-setupJobs(int maxJobs)
-{
-    int i;
-
-    jobTable = (JOB *)PR_Calloc(maxJobs, sizeof(JOB));
-    if (!jobTable)
-    	return SECFailure;
-
-    PR_INIT_CLIST(&jobQ);
-    PR_INIT_CLIST(&freeJobs);
-
-    for (i = 0; i < maxJobs; ++i) {
-	JOB * pJob = jobTable + i;
-	PR_APPEND_LINK(&pJob->link, &freeJobs);
-    }
-    return SECSuccess;
-}
-
-typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c);
-
-typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
-
-typedef struct perThreadStr {
-    PRFileDesc *a;
-    PRFileDesc *b;
-    int         c;
-    int         rv;
-    startFn  *  startFunc;
-    PRThread *  prThread;
-    runState	state;
-} perThread;
-
-static perThread *threads;
-
-void
-thread_wrapper(void * arg)
-{
-    perThread * slot = (perThread *)arg;
-
-    slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->c);
-
-    /* notify the thread exit handler. */
-    PZ_Lock(qLock);
-    slot->state = rs_zombie;
-    --threadCount;
-    PZ_NotifyAllCondVar(threadCountChangeCv);
-    PZ_Unlock(qLock);
-}
-
-int 
-jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
-{
-    PRCList * myLink = 0;
-    JOB     * myJob;
-
-    PZ_Lock(qLock);
-    do {
-	myLink = 0;
-	while (PR_CLIST_IS_EMPTY(&jobQ) && !stopping) {
-            PZ_WaitCondVar(jobQNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
-	}
-	if (!PR_CLIST_IS_EMPTY(&jobQ)) {
-	    myLink = PR_LIST_HEAD(&jobQ);
-	    PR_REMOVE_AND_INIT_LINK(myLink);
-	}
-	PZ_Unlock(qLock);
-	myJob = (JOB *)myLink;
-	/* myJob will be null when stopping is true and jobQ is empty */
-	if (!myJob) 
-	    break;
-	handle_connection( myJob->tcp_sock, myJob->model_sock, 
-			   myJob->requestCert);
-	PZ_Lock(qLock);
-	PR_APPEND_LINK(myLink, &freeJobs);
-	PZ_NotifyCondVar(freeListNotEmptyCv);
-    } while (PR_TRUE);
-    return 0;
-}
-
-
-SECStatus
-launch_threads(
-    startFn    *startFunc,
-    PRFileDesc *a,
-    PRFileDesc *b,
-    int         c,
-    PRBool      local)
-{
-    int i;
-    SECStatus rv = SECSuccess;
-
-    /* create the thread management serialization structs */
-    qLock               = PZ_NewLock(nssILockSelfServ);
-    jobQNotEmptyCv      = PZ_NewCondVar(qLock);
-    freeListNotEmptyCv  = PZ_NewCondVar(qLock);
-    threadCountChangeCv = PZ_NewCondVar(qLock);
-
-    /* create monitor for crl reload procedure */
-    lastLoadedCrlLock   = PR_NewLock();
-
-    /* allocate the array of thread slots */
-    threads = PR_Calloc(maxThreads, sizeof(perThread));
-    if ( NULL == threads )  {
-        fprintf(stderr, "Oh Drat! Can't allocate the perThread array\n");
-        return SECFailure;
-    }
-    /* 5 is a little extra, intended to keep the jobQ from underflowing. 
-    ** That is, from going empty while not stopping and clients are still
-    ** trying to contact us.
-    */
-    rv = setupJobs(maxThreads + 5);
-    if (rv != SECSuccess)
-    	return rv;
-
-    PZ_Lock(qLock);
-    for (i = 0; i < maxThreads; ++i) {
-    	perThread * slot = threads + i;
-
-	slot->state = rs_running;
-	slot->a = a;
-	slot->b = b;
-	slot->c = c;
-	slot->startFunc = startFunc;
-	slot->prThread = PR_CreateThread(PR_USER_THREAD, 
-			thread_wrapper, slot, PR_PRIORITY_NORMAL, 
-                        (PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
-                        PR_UNJOINABLE_THREAD, 0);
-	if (slot->prThread == NULL) {
-	    printf("selfserv: Failed to launch thread!\n");
-	    slot->state = rs_idle;
-	    rv = SECFailure;
-	    break;
-	} 
-
-	++threadCount;
-    }
-    PZ_Unlock(qLock); 
-
-    return rv;
-}
-
-#define DESTROY_CONDVAR(name) if (name) { \
-        PZ_DestroyCondVar(name); name = NULL; }
-#define DESTROY_LOCK(name) if (name) { \
-        PZ_DestroyLock(name); name = NULL; }
-	
-
-void
-terminateWorkerThreads(void)
-{
-    VLOG(("selfserv: server_thead: waiting on stopping"));
-    PZ_Lock(qLock);
-    PZ_NotifyAllCondVar(jobQNotEmptyCv);
-    while (threadCount > 0) {
-	PZ_WaitCondVar(threadCountChangeCv, PR_INTERVAL_NO_TIMEOUT);
-    }
-    /* The worker threads empty the jobQ before they terminate. */
-    PORT_Assert(PR_CLIST_IS_EMPTY(&jobQ));
-    PZ_Unlock(qLock); 
-
-    DESTROY_CONDVAR(jobQNotEmptyCv);
-    DESTROY_CONDVAR(freeListNotEmptyCv);
-    DESTROY_CONDVAR(threadCountChangeCv);
-
-    PR_DestroyLock(lastLoadedCrlLock);
-    DESTROY_LOCK(qLock);
-    PR_Free(jobTable);
-    PR_Free(threads);
-}
-
-static void 
-logger(void *arg)
-{
-    PRFloat64 seconds;
-    PRFloat64 opsPerSec;
-    PRIntervalTime period;
-    PRIntervalTime previousTime;
-    PRIntervalTime latestTime;
-    PRUint32 previousOps;
-    PRUint32 ops;
-    PRIntervalTime logPeriodTicks = PR_TicksPerSecond();
-    PRFloat64 secondsPerTick = 1.0 / (PRFloat64)logPeriodTicks;
-    int iterations = 0;
-    int secondsElapsed = 0;
-    static PRInt64 totalPeriodBytes = 0;
-    static PRInt64 totalPeriodBytesTCP = 0;
-
-    previousOps = loggerOps;
-    previousTime = PR_IntervalNow();
- 
-    for (;;) {
-        /* OK, implementing a new sleep algorithm here... always sleep 
-         * for 1 second but print out info at the user-specified interval.
-         * This way, we don't overflow all of our PR_Atomic* functions and 
-         * we don't have to use locks. 
-         */
-        PR_Sleep(logPeriodTicks);
-        secondsElapsed++;
-        totalPeriodBytes +=  PR_AtomicSet(&loggerBytes, 0);
-        totalPeriodBytesTCP += PR_AtomicSet(&loggerBytesTCP, 0);
-        if (secondsElapsed != logPeriod) {
-            continue;
-        }
-        /* when we reach the user-specified logging interval, print out all
-         * data 
-         */
-        secondsElapsed = 0;
-        latestTime = PR_IntervalNow();
-        ops = loggerOps;
-        period = latestTime - previousTime;
-        seconds = (PRFloat64) period*secondsPerTick;
-        opsPerSec = (ops - previousOps) / seconds;
-
-        if (testBulk) {
-            if (iterations == 0) {
-                if (loggingLayer == PR_TRUE) {
-                    printf("Conn.--------App Data--------TCP Data\n");
-                } else {
-                    printf("Conn.--------App Data\n");
-                }
-            }
-            if (loggingLayer == PR_TRUE) {
-                printf("%4.d       %5.3f MB/s      %5.3f MB/s\n", ops, 
-                    totalPeriodBytes / (seconds * 1048576.0), 
-                    totalPeriodBytesTCP / (seconds * 1048576.0));
-            } else {
-                printf("%4.d       %5.3f MB/s\n", ops, 
-                    totalPeriodBytes / (seconds * 1048576.0));
-            }
-            totalPeriodBytes = 0;
-            totalPeriodBytesTCP = 0;
-            /* Print the "legend" every 20 iterations */
-            iterations = (iterations + 1) % 20; 
-        } else {
-            printf("%.2f ops/second, %d threads\n", opsPerSec, threadCount);
-        }
-
-        fflush(stdout);
-        previousOps = ops;
-        previousTime = latestTime;
-        if (stopping) {
-            break;
-        }
-    }
-}
-
-
-/**************************************************************************
-** End   thread management routines.
-**************************************************************************/
-
-PRBool useModelSocket  = PR_FALSE;
-PRBool disableSSL2     = PR_FALSE;
-PRBool disableSSL3     = PR_FALSE;
-PRBool disableTLS      = PR_FALSE;
-PRBool disableRollBack = PR_FALSE;
-PRBool NoReuse         = PR_FALSE;
-PRBool hasSidCache     = PR_FALSE;
-PRBool disableStepDown = PR_FALSE;
-PRBool bypassPKCS11    = PR_FALSE;
-PRBool disableLocking  = PR_FALSE;
-PRBool testbypass      = PR_FALSE;
-PRBool enableSessionTickets = PR_FALSE;
-
-static const char stopCmd[] = { "GET /stop " };
-static const char getCmd[]  = { "GET " };
-static const char EOFmsg[]  = { "EOF\r\n\r\n\r\n" };
-static const char outHeader[] = {
-    "HTTP/1.0 200 OK\r\n"
-    "Server: Generic Web Server\r\n"
-    "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
-    "Content-type: text/plain\r\n"
-    "\r\n"
-};
-static const char crlCacheErr[]  = { "CRL ReCache Error: " };
-
-PRUint16 cipherlist[100];
-int nciphers;
-
-void
-savecipher(int c)
-{
-    if (nciphers < sizeof cipherlist / sizeof (cipherlist[0]))
-	cipherlist[nciphers++] = (PRUint16)c;
-}
-
-
-#ifdef FULL_DUPLEX_CAPABLE
-
-struct lockedVarsStr {
-    PZLock *	lock;
-    int		count;
-    int		waiters;
-    PZCondVar *	condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void 
-lockedVars_Init( lockedVars * lv)
-{
-    lv->count   = 0;
-    lv->waiters = 0;
-    lv->lock    = PZ_NewLock(nssILockSelfServ);
-    lv->condVar = PZ_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
-    PZ_DestroyCondVar(lv->condVar);
-    lv->condVar = NULL;
-
-    PZ_DestroyLock(lv->lock);
-    lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
-    PZ_Lock(lv->lock);
-    while (lv->count > 0) {
-    	PZ_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
-    }
-    PZ_Unlock(lv->lock);
-}
-
-int	/* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
-    int rv;
-
-    PZ_Lock(lv->lock);
-    rv = lv->count += addend;
-    if (rv <= 0) {
-	PZ_NotifyCondVar(lv->condVar);
-    }
-    PZ_Unlock(lv->lock);
-    return rv;
-}
-
-int
-do_writes(
-    PRFileDesc *	ssl_sock,
-    PRFileDesc *	model_sock,
-    int         	requestCert
-    )
-{
-    int			sent  = 0;
-    int 		count = 0;
-    lockedVars *	lv = (lockedVars *)model_sock;
-
-    VLOG(("selfserv: do_writes: starting"));
-    while (sent < bigBuf.len) {
-
-	count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent);
-	if (count < 0) {
-	    errWarn("PR_Write bigBuf");
-	    break;
-	}
-	FPRINTF(stderr, "selfserv: PR_Write wrote %d bytes from bigBuf\n", count );
-	sent += count;
-    }
-    if (count >= 0) {	/* last write didn't fail. */
-    	PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND);
-    }
-
-    /* notify the reader that we're done. */
-    lockedVars_AddToCount(lv, -1);
-    FLUSH;
-    VLOG(("selfserv: do_writes: exiting"));
-    return (sent < bigBuf.len) ? SECFailure : SECSuccess;
-}
-
-static int 
-handle_fdx_connection(
-    PRFileDesc *       tcp_sock,
-    PRFileDesc *       model_sock,
-    int                requestCert
-    )
-{
-    PRFileDesc *       ssl_sock	= NULL;
-    SECStatus          result;
-    int                firstTime = 1;
-    lockedVars         lv;
-    PRSocketOptionData opt;
-    char               buf[10240];
-
-
-    VLOG(("selfserv: handle_fdx_connection: starting"));
-    opt.option             = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_FALSE;
-    PR_SetSocketOption(tcp_sock, &opt);
-
-    if (useModelSocket && model_sock) {
-	SECStatus rv;
-	ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
-	if (!ssl_sock) {
-	    errWarn("SSL_ImportFD with model");
-	    goto cleanup;
-	}
-	rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 1);
-	if (rv != SECSuccess) {
-	    errWarn("SSL_ResetHandshake");
-	    goto cleanup;
-	}
-    } else {
-	ssl_sock = tcp_sock;
-    }
-
-    lockedVars_Init(&lv);
-    lockedVars_AddToCount(&lv, 1);
-
-    /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv, 
-                           requestCert);
-
-    if (result == SECSuccess) 
-      do {
-	/* do reads here. */
-	int count;
-	count = PR_Read(ssl_sock, buf, sizeof buf);
-	if (count < 0) {
-	    errWarn("FDX PR_Read");
-	    break;
-	}
-	FPRINTF(stderr, "selfserv: FDX PR_Read read %d bytes.\n", count );
-	if (firstTime) {
-	    firstTime = 0;
-	    printSecurityInfo(ssl_sock);
-	}
-    } while (lockedVars_AddToCount(&lv, 0) > 0);
-
-    /* Wait for writer to finish */
-    lockedVars_WaitForDone(&lv);
-    lockedVars_Destroy(&lv);
-    FLUSH;
-
-cleanup:
-    if (ssl_sock) {
-	PR_Close(ssl_sock);
-    } else if (tcp_sock) {
-	PR_Close(tcp_sock);
-    }
-
-    VLOG(("selfserv: handle_fdx_connection: exiting"));
-    return SECSuccess;
-}
-
-#endif
-
-static SECItem *lastLoadedCrl = NULL;
-
-static SECStatus
-reload_crl(PRFileDesc *crlFile)
-{
-    SECItem *crlDer;
-    CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
-    SECStatus rv;
-
-    /* Read in the entire file specified with the -f argument */
-    crlDer = PORT_Malloc(sizeof(SECItem));
-    if (!crlDer) {
-        errWarn("Can not allocate memory.");
-        return SECFailure;
-    }
-
-    rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE);
-    if (rv != SECSuccess) {
-        errWarn("Unable to read input file.");
-        PORT_Free(crlDer);
-        return SECFailure;
-    }
-
-    PR_Lock(lastLoadedCrlLock);
-    rv = CERT_CacheCRL(certHandle, crlDer);
-    if (rv == SECSuccess) {
-        SECItem *tempItem = crlDer;
-        if (lastLoadedCrl != NULL) {
-            rv = CERT_UncacheCRL(certHandle, lastLoadedCrl);
-            if (rv != SECSuccess) {
-                errWarn("Unable to uncache crl.");
-                goto loser;
-            }
-            crlDer = lastLoadedCrl;
-        } else {
-            crlDer = NULL;
-        }
-        lastLoadedCrl = tempItem;
-    }
-
-  loser:
-    PR_Unlock(lastLoadedCrlLock);
-    SECITEM_FreeItem(crlDer, PR_TRUE);
-    return rv;
-}
-
-void stop_server()
-{
-    stopping = 1;
-    PR_Interrupt(acceptorThread);
-    PZ_TraceFlush();
-}
-
-int
-handle_connection( 
-    PRFileDesc *tcp_sock,
-    PRFileDesc *model_sock,
-    int         requestCert
-    )
-{
-    PRFileDesc *       ssl_sock = NULL;
-    PRFileDesc *       local_file_fd = NULL;
-    char  *            post;
-    char  *            pBuf;			/* unused space at end of buf */
-    const char *       errString;
-    PRStatus           status;
-    int                bufRem;			/* unused bytes at end of buf */
-    int                bufDat;			/* characters received in buf */
-    int                newln    = 0;		/* # of consecutive newlns */
-    int                firstTime = 1;
-    int                reqLen;
-    int                rv;
-    int                numIOVs;
-    PRSocketOptionData opt;
-    PRIOVec            iovs[16];
-    char               msgBuf[160];
-    char               buf[10240];
-    char               fileName[513];
-    char               proto[128];
-    PRDescIdentity     aboveLayer = PR_INVALID_IO_LAYER;
-
-    pBuf   = buf;
-    bufRem = sizeof buf;
-
-    VLOG(("selfserv: handle_connection: starting"));
-    opt.option             = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_FALSE;
-    PR_SetSocketOption(tcp_sock, &opt);
-
-    VLOG(("selfserv: handle_connection: starting\n"));
-    if (useModelSocket && model_sock) {
-	SECStatus rv;
-	ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
-	if (!ssl_sock) {
-	    errWarn("SSL_ImportFD with model");
-	    goto cleanup;
-	}
-	rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 1);
-	if (rv != SECSuccess) {
-	    errWarn("SSL_ResetHandshake");
-	    goto cleanup;
-	}
-    } else {
-	ssl_sock = tcp_sock;
-    }
-
-    if (loggingLayer) {
-        /* find the layer where our new layer is to be pushed */
-        aboveLayer = PR_GetLayersIdentity(ssl_sock->lower);
-        if (aboveLayer == PR_INVALID_IO_LAYER) {
-            errExit("PRGetUniqueIdentity");
-        }
-        /* create the new layer - this is a very cheap operation */
-        loggingFD = PR_CreateIOLayerStub(log_layer_id, &loggingMethods);
-        if (!loggingFD)
-            errExit("PR_CreateIOLayerStub");
-        /* push the layer below ssl but above TCP */
-        rv = PR_PushIOLayer(ssl_sock, aboveLayer, loggingFD);
-        if (rv != PR_SUCCESS) {
-            errExit("PR_PushIOLayer");
-        }
-    }
-
-    if (noDelay) {
-	opt.option         = PR_SockOpt_NoDelay;
-	opt.value.no_delay = PR_TRUE;
-	status = PR_SetSocketOption(ssl_sock, &opt);
-	if (status != PR_SUCCESS) {
-	    errWarn("PR_SetSocketOption(PR_SockOpt_NoDelay, PR_TRUE)");
-            if (ssl_sock) {
-	        PR_Close(ssl_sock);
-            }
-	    return SECFailure;
-	}
-    }
-
-    while (1) {
-	newln = 0;
-	reqLen     = 0;
-	rv = PR_Read(ssl_sock, pBuf, bufRem - 1);
-	if (rv == 0 || 
-	    (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
-	    if (verbose)
-		errWarn("HDX PR_Read hit EOF");
-	    break;
-	}
-	if (rv < 0) {
-	    errWarn("HDX PR_Read");
-	    goto cleanup;
-	}
-	/* NULL termination */
-	pBuf[rv] = 0;
-	if (firstTime) {
-	    firstTime = 0;
-	    printSecurityInfo(ssl_sock);
-	}
-
-	pBuf   += rv;
-	bufRem -= rv;
-	bufDat = pBuf - buf;
-	/* Parse the input, starting at the beginning of the buffer.
-	 * Stop when we detect two consecutive \n's (or \r\n's) 
-	 * as this signifies the end of the GET or POST portion.
-	 * The posted data follows.
-	 */
-	while (reqLen < bufDat && newln < 2) {
-	    int octet = buf[reqLen++];
-	    if (octet == '\n') {
-		newln++;
-	    } else if (octet != '\r') {
-		newln = 0;
-	    }
-	}
-
-	/* came to the end of the buffer, or second newln
-	 * If we didn't get an empty line (CRLFCRLF) then keep on reading.
-	 */
-	if (newln < 2) 
-	    continue;
-
-	/* we're at the end of the HTTP request.
-	 * If the request is a POST, then there will be one more
-	 * line of data.
-	 * This parsing is a hack, but ok for SSL test purposes.
-	 */
-	post = PORT_Strstr(buf, "POST ");
-	if (!post || *post != 'P') 
-	    break;
-
-	/* It's a post, so look for the next and final CR/LF. */
-	/* We should parse content length here, but ... */
-	while (reqLen < bufDat && newln < 3) {
-	    int octet = buf[reqLen++];
-	    if (octet == '\n') {
-		newln++;
-	    }
-	}
-	if (newln == 3)
-	    break;
-    } /* read loop */
-
-    bufDat = pBuf - buf;
-    if (bufDat) do {	/* just close if no data */
-	/* Have either (a) a complete get, (b) a complete post, (c) EOF */
-	if (reqLen > 0 && !strncmp(buf, getCmd, sizeof getCmd - 1)) {
-	    char *      fnBegin = buf + 4;
-	    char *      fnEnd;
-	    PRFileInfo  info;
-	    /* try to open the file named.  
-	     * If successful, then write it to the client.
-	     */
-	    fnEnd = strpbrk(fnBegin, " \r\n");
-	    if (fnEnd) {
-		int fnLen = fnEnd - fnBegin;
-		if (fnLen < sizeof fileName) {
-                    char *real_fileName = fileName;
-                    char *protoEnd = NULL;
-                    strncpy(fileName, fnBegin, fnLen);
-                    fileName[fnLen] = 0;	/* null terminate */
-                    if ((protoEnd = strstr(fileName, "://")) != NULL) {
-                        int protoLen = PR_MIN(protoEnd - fileName, sizeof(proto) - 1);
-                        PL_strncpy(proto, fileName, protoLen);
-                        proto[protoLen] = 0;
-                        real_fileName= protoEnd + 3;
-                    } else {
-                        proto[0] = 0;
-                    }
-		    status = PR_GetFileInfo(real_fileName, &info);
-		    if (status == PR_SUCCESS &&
-			info.type == PR_FILE_FILE &&
-			info.size >= 0 ) {
-			local_file_fd = PR_Open(real_fileName, PR_RDONLY, 0);
-		    }
-		}
-	    }
-	}
-	/* if user has requested client auth in a subsequent handshake,
-	 * do it here.
-	 */
-	if (requestCert > 2) { /* request cert was 3 or 4 */
-	    CERTCertificate *  cert =  SSL_PeerCertificate(ssl_sock);
-	    if (cert) {
-		CERT_DestroyCertificate(cert);
-	    } else {
-		rv = SSL_OptionSet(ssl_sock, SSL_REQUEST_CERTIFICATE, 1);
-		if (rv < 0) {
-		    errWarn("second SSL_OptionSet SSL_REQUEST_CERTIFICATE");
-		    break;
-		}
-		rv = SSL_OptionSet(ssl_sock, SSL_REQUIRE_CERTIFICATE, 
-				(requestCert == 4));
-		if (rv < 0) {
-		    errWarn("second SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
-		    break;
-		}
-		rv = SSL_ReHandshake(ssl_sock, PR_TRUE);
-		if (rv != 0) {
-		    errWarn("SSL_ReHandshake");
-		    break;
-		}
-		rv = SSL_ForceHandshake(ssl_sock);
-		if (rv < 0) {
-		    errWarn("SSL_ForceHandshake");
-		    break;
-		}
-	    }
-	}
-
-	numIOVs = 0;
-
-	iovs[numIOVs].iov_base = (char *)outHeader;
-	iovs[numIOVs].iov_len  = (sizeof(outHeader)) - 1;
-	numIOVs++;
-
-	if (local_file_fd) {
-	    PRInt32     bytes;
-	    int         errLen;
-	    if (!PL_strlen(proto) || !PL_strcmp(proto, "file")) {
-                bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
-                                        sizeof outHeader - 1,
-                                        PR_TRANSMITFILE_KEEP_OPEN,
-                                        PR_INTERVAL_NO_TIMEOUT);
-                if (bytes >= 0) {
-                    bytes -= sizeof outHeader - 1;
-                    FPRINTF(stderr, 
-                            "selfserv: PR_TransmitFile wrote %d bytes from %s\n",
-                            bytes, fileName);
-                    break;
-                }
-                errString = errWarn("PR_TransmitFile");
-                errLen = PORT_Strlen(errString);
-                errLen = PR_MIN(errLen, sizeof msgBuf - 1);
-                PORT_Memcpy(msgBuf, errString, errLen);
-                msgBuf[errLen] = 0;
-                
-                iovs[numIOVs].iov_base = msgBuf;
-                iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
-                numIOVs++;
-            }
-            if (!PL_strcmp(proto, "crl")) {
-                if (reload_crl(local_file_fd) == SECFailure) {
-                    errString = errWarn("CERT_CacheCRL");
-                    if (!errString)
-                        errString = "Unknow error";
-                    PR_snprintf(msgBuf, sizeof(msgBuf), "%s%s ",
-                                crlCacheErr, errString);
-                    
-                    iovs[numIOVs].iov_base = msgBuf;
-                    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
-                    numIOVs++;
-                } else {
-                    FPRINTF(stderr, 
-                            "selfserv: CRL %s reloaded.\n",
-                            fileName);
-                    break;
-                }
-            }
-	} else if (reqLen <= 0) {	/* hit eof */
-	    PORT_Sprintf(msgBuf, "Get or Post incomplete after %d bytes.\r\n",
-			 bufDat);
-
-	    iovs[numIOVs].iov_base = msgBuf;
-	    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
-	    numIOVs++;
-	} else if (reqLen < bufDat) {
-	    PORT_Sprintf(msgBuf, "Discarded %d characters.\r\n", 
-	                 bufDat - reqLen);
-
-	    iovs[numIOVs].iov_base = msgBuf;
-	    iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
-	    numIOVs++;
-	}
-
-	if (reqLen > 0) {
-	    if (verbose > 1) 
-	    	fwrite(buf, 1, reqLen, stdout);	/* display it */
-
-	    iovs[numIOVs].iov_base = buf;
-	    iovs[numIOVs].iov_len  = reqLen;
-	    numIOVs++;
-	}
-
-        /* Don't add the EOF if we want to test bulk encryption */
-        if (!testBulk) {
-            iovs[numIOVs].iov_base = (char *)EOFmsg;
-            iovs[numIOVs].iov_len  = sizeof EOFmsg - 1;
-            numIOVs++;
-        }
-
-	rv = PR_Writev(ssl_sock, iovs, numIOVs, PR_INTERVAL_NO_TIMEOUT);
-	if (rv < 0) {
-	    errWarn("PR_Writev");
-	    break;
-	}
-
-        /* Send testBulkTotal chunks to the client. Unlimited if 0. */
-        if (testBulk) {
-            while (0 < (rv = PR_Write(ssl_sock, testBulkBuf, testBulkSize))) {
-                PR_AtomicAdd(&loggerBytes, rv);
-                PR_AtomicIncrement(&bulkSentChunks);
-                if ((bulkSentChunks > testBulkTotal) && (testBulkTotal != 0))
-                    break;
-            }
-
-            /* There was a write error, so close this connection. */
-            if (bulkSentChunks <= testBulkTotal) {
-                errWarn("PR_Write");
-            }
-            PR_AtomicDecrement(&loggerOps);
-            break;
-        }
-    } while (0);
-
-cleanup:
-    if (ssl_sock) {
-        PR_Close(ssl_sock);
-    } else if (tcp_sock) {
-        PR_Close(tcp_sock);
-    }
-    if (local_file_fd)
-	PR_Close(local_file_fd);
-    VLOG(("selfserv: handle_connection: exiting\n"));
-
-    /* do a nice shutdown if asked. */
-    if (!strncmp(buf, stopCmd, sizeof stopCmd - 1)) {
-        VLOG(("selfserv: handle_connection: stop command"));
-        stop_server();
-    }
-    VLOG(("selfserv: handle_connection: exiting"));
-    return SECSuccess;	/* success */
-}
-
-#ifdef XP_UNIX
-
-void sigusr1_handler(int sig)
-{
-    VLOG(("selfserv: sigusr1_handler: stop server"));
-    stop_server();
-}
-
-#endif
-
-SECStatus
-do_accepts(
-    PRFileDesc *listen_sock,
-    PRFileDesc *model_sock,
-    int         requestCert
-    )
-{
-    PRNetAddr   addr;
-    PRErrorCode  perr;
-#ifdef XP_UNIX
-    struct sigaction act;
-#endif
-
-    VLOG(("selfserv: do_accepts: starting"));
-    PR_SetThreadPriority( PR_GetCurrentThread(), PR_PRIORITY_HIGH);
-
-    acceptorThread = PR_GetCurrentThread();
-#ifdef XP_UNIX
-    /* set up the signal handler */
-    act.sa_handler = sigusr1_handler;
-    sigemptyset(&act.sa_mask);
-    act.sa_flags = 0;
-    if (sigaction(SIGUSR1, &act, NULL)) {
-        fprintf(stderr, "Error installing signal handler.\n");
-        exit(1);
-    }
-#endif
-    while (!stopping) {
-	PRFileDesc *tcp_sock;
-	PRCList    *myLink;
-
-	FPRINTF(stderr, "\n\n\nselfserv: About to call accept.\n");
-	tcp_sock = PR_Accept(listen_sock, &addr, PR_INTERVAL_NO_TIMEOUT);
-	if (tcp_sock == NULL) {
-    	    perr      = PR_GetError();
-	    if ((perr != PR_CONNECT_RESET_ERROR &&
-	         perr != PR_PENDING_INTERRUPT_ERROR) || verbose) {
-		errWarn("PR_Accept");
-	    } 
-	    if (perr == PR_CONNECT_RESET_ERROR) {
-		FPRINTF(stderr, 
-		        "Ignoring PR_CONNECT_RESET_ERROR error - continue\n");
-		continue;
-	    }
-	    stopping = 1;
-	    break;
-	}
-
-        VLOG(("selfserv: do_accept: Got connection\n"));
-
-        if (logStats) {
-            PR_AtomicIncrement(&loggerOps);
-        }
-
-	PZ_Lock(qLock);
-	while (PR_CLIST_IS_EMPTY(&freeJobs) && !stopping) {
-            PZ_WaitCondVar(freeListNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
-	}
-	if (stopping) {
-	    PZ_Unlock(qLock);
-            if (tcp_sock) {
-	        PR_Close(tcp_sock);
-            }
-	    break;
-	}
-	myLink = PR_LIST_HEAD(&freeJobs);
-	PR_REMOVE_AND_INIT_LINK(myLink);
-	/* could release qLock here and reaquire it 7 lines below, but 
-	** why bother for 4 assignment statements? 
-	*/
-	{
-	    JOB * myJob = (JOB *)myLink;
-	    myJob->tcp_sock    = tcp_sock;
-	    myJob->model_sock  = model_sock;
-	    myJob->requestCert = requestCert;
-	}
-
-	PR_APPEND_LINK(myLink, &jobQ);
-	PZ_NotifyCondVar(jobQNotEmptyCv);
-	PZ_Unlock(qLock);
-    }
-
-    FPRINTF(stderr, "selfserv: Closing listen socket.\n");
-    VLOG(("selfserv: do_accepts: exiting"));
-    if (listen_sock) {
-        PR_Close(listen_sock);
-    }
-    return SECSuccess;
-}
-
-PRFileDesc *
-getBoundListenSocket(unsigned short port)
-{
-    PRFileDesc *       listen_sock;
-    int                listenQueueDepth = 5 + (2 * maxThreads);
-    PRStatus	       prStatus;
-    PRNetAddr          addr;
-    PRSocketOptionData opt;
-
-    addr.inet.family = PR_AF_INET;
-    addr.inet.ip     = PR_INADDR_ANY;
-    addr.inet.port   = PR_htons(port);
-
-    listen_sock = PR_NewTCPSocket();
-    if (listen_sock == NULL) {
-	errExit("PR_NewTCPSocket");
-    }
-
-    opt.option = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_FALSE;
-    prStatus = PR_SetSocketOption(listen_sock, &opt);
-    if (prStatus < 0) {
-        PR_Close(listen_sock);
-	errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
-    }
-
-    opt.option=PR_SockOpt_Reuseaddr;
-    opt.value.reuse_addr = PR_TRUE;
-    prStatus = PR_SetSocketOption(listen_sock, &opt);
-    if (prStatus < 0) {
-        PR_Close(listen_sock);
-	errExit("PR_SetSocketOption(PR_SockOpt_Reuseaddr)");
-    }
-
-#ifndef WIN95
-    /* Set PR_SockOpt_Linger because it helps prevent a server bind issue
-     * after clean shutdown . See bug 331413 .
-     * Don't do it in the WIN95 build configuration because clean shutdown is
-     * not implemented, and PR_SockOpt_Linger causes a hang in ssl.sh .
-     * See bug 332348 */
-    opt.option=PR_SockOpt_Linger;
-    opt.value.linger.polarity = PR_TRUE;
-    opt.value.linger.linger = PR_SecondsToInterval(1);
-    prStatus = PR_SetSocketOption(listen_sock, &opt);
-    if (prStatus < 0) {
-        PR_Close(listen_sock);
-        errExit("PR_SetSocketOption(PR_SockOpt_Linger)");
-    }
-#endif
-
-    prStatus = PR_Bind(listen_sock, &addr);
-    if (prStatus < 0) {
-        PR_Close(listen_sock);
-	errExit("PR_Bind");
-    }
-
-    prStatus = PR_Listen(listen_sock, listenQueueDepth);
-    if (prStatus < 0) {
-        PR_Close(listen_sock);
-	errExit("PR_Listen");
-    }
-    return listen_sock;
-}
-
-PRInt32 PR_CALLBACK 
-logWritev (
-    PRFileDesc     *fd,
-    const PRIOVec  *iov,
-    PRInt32         size, 
-    PRIntervalTime  timeout )
-{
-    PRInt32 rv = (fd->lower->methods->writev)(fd->lower, iov, size, 
-        timeout);
-    /* Add the amount written, but not if there's an error */
-    if (rv > 0) 
-        PR_AtomicAdd(&loggerBytesTCP, rv);
-    return rv;
-}
-    
-PRInt32 PR_CALLBACK 
-logWrite (
-    PRFileDesc  *fd, 
-    const void  *buf, 
-    PRInt32      amount)
-{   
-    PRInt32 rv = (fd->lower->methods->write)(fd->lower, buf, amount);
-    /* Add the amount written, but not if there's an error */
-    if (rv > 0) 
-        PR_AtomicAdd(&loggerBytesTCP, rv);
-    
-    return rv;
-}
-
-PRInt32 PR_CALLBACK 
-logSend (
-    PRFileDesc     *fd, 
-    const void     *buf, 
-    PRInt32         amount, 
-    PRIntn          flags, 
-    PRIntervalTime  timeout)
-{
-    PRInt32 rv = (fd->lower->methods->send)(fd->lower, buf, amount, 
-        flags, timeout);
-    /* Add the amount written, but not if there's an error */
-    if (rv > 0) 
-        PR_AtomicAdd(&loggerBytesTCP, rv);
-    return rv;
-}
- 
-void initLoggingLayer(void)
-{   
-    /* get a new layer ID */
-    log_layer_id = PR_GetUniqueIdentity("Selfserv Logging");
-    if (log_layer_id == PR_INVALID_IO_LAYER)
-        errExit("PR_GetUniqueIdentity");
-    
-    /* setup the default IO methods with my custom write methods */
-    memcpy(&loggingMethods, PR_GetDefaultIOMethods(), sizeof(PRIOMethods));
-    loggingMethods.writev = logWritev;
-    loggingMethods.write  = logWrite;
-    loggingMethods.send   = logSend;
-}
-
-void
-server_main(
-    PRFileDesc *        listen_sock,
-    int                 requestCert, 
-    SECKEYPrivateKey ** privKey,
-    CERTCertificate **  cert)
-{
-    PRFileDesc *model_sock	= NULL;
-    int         rv;
-    SSLKEAType  kea;
-    SECStatus	secStatus;
-
-    if (useModelSocket) {
-    	model_sock = PR_NewTCPSocket();
-	if (model_sock == NULL) {
-	    errExit("PR_NewTCPSocket on model socket");
-	}
-	model_sock = SSL_ImportFD(NULL, model_sock);
-	if (model_sock == NULL) {
-	    errExit("SSL_ImportFD");
-	}
-    } else {
-	model_sock = listen_sock = SSL_ImportFD(NULL, listen_sock);
-	if (listen_sock == NULL) {
-	    errExit("SSL_ImportFD");
-	}
-    }
-
-    /* do SSL configuration. */
-    rv = SSL_OptionSet(model_sock, SSL_SECURITY,
-        !(disableSSL2 && disableSSL3 && disableTLS));
-    if (rv < 0) {
-	errExit("SSL_OptionSet SSL_SECURITY");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
-    if (rv != SECSuccess) {
-	errExit("error enabling SSLv3 ");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_TLS, !disableTLS);
-    if (rv != SECSuccess) {
-	errExit("error enabling TLS ");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, !disableSSL2);
-    if (rv != SECSuccess) {
-	errExit("error enabling SSLv2 ");
-    }
-    
-    rv = SSL_OptionSet(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
-    if (rv != SECSuccess) {
-	errExit("error enabling RollBack detection ");
-    }
-    if (disableStepDown) {
-	rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE);
-	if (rv != SECSuccess) {
-	    errExit("error disabling SSL StepDown ");
-	}
-    }
-    if (bypassPKCS11) {
-       rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
-	if (rv != SECSuccess) {
-	    errExit("error enabling PKCS11 bypass ");
-	}
-    }
-    if (disableLocking) {
-       rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, PR_TRUE);
-	if (rv != SECSuccess) {
-	    errExit("error disabling SSL socket locking ");
-	}
-    } 
-    if (enableSessionTickets) {
-	rv = SSL_OptionSet(model_sock, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
-	if (rv != SECSuccess) {
-	    errExit("error enabling Session Ticket extension ");
-	}
-    }
-
-    for (kea = kt_rsa; kea < kt_kea_size; kea++) {
-	if (cert[kea] != NULL) {
-	    secStatus = SSL_ConfigSecureServer(model_sock, 
-	    		cert[kea], privKey[kea], kea);
-	    if (secStatus != SECSuccess)
-		errExit("SSL_ConfigSecureServer");
-	}
-    }
-
-    if (bigBuf.data) { /* doing FDX */
-	rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
-	if (rv < 0) {
-	    errExit("SSL_OptionSet SSL_ENABLE_FDX");
-	}
-    }
-
-    if (NoReuse) {
-        rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
-        if (rv < 0) {
-            errExit("SSL_OptionSet SSL_NO_CACHE");
-        }
-    }
-
-    /* This cipher is not on by default. The Acceptance test
-     * would like it to be. Turn this cipher on.
-     */
-
-    secStatus = SSL_CipherPrefSetDefault( SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-    if ( secStatus != SECSuccess ) {
-	errExit("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
-    }
-
-
-    if (requestCert) {
-	SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
-	                        (void *)CERT_GetDefaultCertDB());
-	if (requestCert <= 2) { 
-	    rv = SSL_OptionSet(model_sock, SSL_REQUEST_CERTIFICATE, 1);
-	    if (rv < 0) {
-		errExit("first SSL_OptionSet SSL_REQUEST_CERTIFICATE");
-	    }
-	    rv = SSL_OptionSet(model_sock, SSL_REQUIRE_CERTIFICATE, 
-	                    (requestCert == 2));
-	    if (rv < 0) {
-		errExit("first SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
-	    }
-	}
-    }
-
-    if (MakeCertOK)
-	SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
-
-    /* end of ssl configuration. */
-
-
-    /* Now, do the accepting, here in the main thread. */
-    rv = do_accepts(listen_sock, model_sock, requestCert);
-
-    terminateWorkerThreads();
-
-    if (useModelSocket && model_sock) {
-        if (model_sock) {
-            PR_Close(model_sock);
-        }
-    }
-
-}
-
-SECStatus
-readBigFile(const char * fileName)
-{
-    PRFileInfo  info;
-    PRStatus	status;
-    SECStatus	rv	= SECFailure;
-    int		count;
-    int		hdrLen;
-    PRFileDesc *local_file_fd = NULL;
-
-    status = PR_GetFileInfo(fileName, &info);
-
-    if (status == PR_SUCCESS &&
-	info.type == PR_FILE_FILE &&
-	info.size > 0 &&
-	NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
-
-	hdrLen      = PORT_Strlen(outHeader);
-	bigBuf.len  = hdrLen + info.size;
-	bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
-	if (!bigBuf.data) {
-	    errWarn("PORT_Malloc");
-	    goto done;
-	}
-
-	PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
-
-	count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
-	if (count != info.size) {
-	    errWarn("PR_Read local file");
-	    goto done;
-	}
-	rv = SECSuccess;
-done:
-        if (local_file_fd) {
-            PR_Close(local_file_fd);
-        }
-    }
-    return rv;
-}
-
-int          numChildren;
-PRProcess *  child[MAX_PROCS];
-
-PRProcess *
-haveAChild(int argc, char **argv, PRProcessAttr * attr)
-{
-    PRProcess *  newProcess;
-
-    newProcess = PR_CreateProcess(argv[0], argv, NULL, attr);
-    if (!newProcess) {
-	errWarn("Can't create new process.");
-    } else {
-	child[numChildren++] = newProcess;
-    }
-    return newProcess;
-}
-
-void
-beAGoodParent(int argc, char **argv, int maxProcs, PRFileDesc * listen_sock)
-{
-    PRProcess *     newProcess;
-    PRProcessAttr * attr;
-    int             i;
-    PRInt32         exitCode;
-    PRStatus        rv;
-
-    rv = PR_SetFDInheritable(listen_sock, PR_TRUE);
-    if (rv != PR_SUCCESS)
-	errExit("PR_SetFDInheritable");
-
-    attr = PR_NewProcessAttr();
-    if (!attr)
-	errExit("PR_NewProcessAttr");
-
-    rv = PR_ProcessAttrSetInheritableFD(attr, listen_sock, inheritableSockName);
-    if (rv != PR_SUCCESS)
-	errExit("PR_ProcessAttrSetInheritableFD");
-
-    for (i = 0; i < maxProcs; ++i) {
-	newProcess = haveAChild(argc, argv, attr);
-	if (!newProcess) 
-	    break;
-    }
-
-    rv = PR_SetFDInheritable(listen_sock, PR_FALSE);
-    if (rv != PR_SUCCESS)
-	errExit("PR_SetFDInheritable");
-
-    while (numChildren > 0) {
-	newProcess = child[numChildren - 1];
-	PR_WaitProcess(newProcess, &exitCode);
-	fprintf(stderr, "Child %d exited with exit code %x\n", 
-		numChildren, exitCode);
-	numChildren--;
-    }
-    exit(0);
-}
-
-#define HEXCHAR_TO_INT(c, i) \
-    if (((c) >= '0') && ((c) <= '9')) { \
-	i = (c) - '0'; \
-    } else if (((c) >= 'a') && ((c) <= 'f')) { \
-	i = (c) - 'a' + 10; \
-    } else if (((c) >= 'A') && ((c) <= 'F')) { \
-	i = (c) - 'A' + 10; \
-    } else if ((c) == '\0') { \
-	fprintf(stderr, "Invalid length of cipher string (-c :WXYZ).\n"); \
-	exit(9); \
-    } else { \
-	fprintf(stderr, "Non-hex char in cipher string (-c :WXYZ).\n"); \
-	exit(9); \
-    } 
-
-int
-main(int argc, char **argv)
-{
-    char *               progName    = NULL;
-    char *               nickName    = NULL;
-#ifdef NSS_ENABLE_ECC
-    char *               ecNickName   = NULL;
-#endif
-    const char *         fileName    = NULL;
-    char *               cipherString= NULL;
-    const char *         dir         = ".";
-    char *               passwd      = NULL;
-    char *               pwfile      = NULL;
-    const char *         pidFile     = NULL;
-    char *               tmp;
-    char *               envString;
-    PRFileDesc *         listen_sock;
-    CERTCertificate *    cert   [kt_kea_size] = { NULL };
-    SECKEYPrivateKey *   privKey[kt_kea_size] = { NULL };
-    int                  optionsFound = 0;
-    int                  maxProcs     = 1;
-    unsigned short       port        = 0;
-    SECStatus            rv;
-    PRStatus             prStatus;
-    PRBool               bindOnly = PR_FALSE;
-    PRBool               useExportPolicy = PR_FALSE;
-    PRBool               useLocalThreads = PR_FALSE;
-    PLOptState		*optstate;
-    PLOptStatus          status;
-    PRThread             *loggerThread = NULL;
-    PRBool               debugCache = PR_FALSE; /* bug 90518 */
-    char                 emptyString[] = { "" };
-    char*                certPrefix = emptyString;
-    PRUint32             protos = 0;
-    SSL3Statistics      *ssl3stats;
-    PRUint32             i;
-    secuPWData  pwdata = { PW_NONE, 0 };
- 
-    tmp = strrchr(argv[0], '/');
-    tmp = tmp ? tmp + 1 : argv[0];
-    progName = strrchr(tmp, '\\');
-    progName = progName ? progName + 1 : tmp;
-
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    /* please keep this list of options in ASCII collating sequence.
-    ** numbers, then capital letters, then lower case, alphabetical. 
-    */
-    optstate = PL_CreateOptState(argc, argv, 
-        "2:3BC:DEL:M:NP:RSTbc:d:e:f:g:hi:jlmn:op:qrst:uvw:xy");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	++optionsFound;
-	switch(optstate->option) {
-	case '2': fileName = optstate->value; break;
-
-	case '3': disableSSL3 = PR_TRUE; break;
-
-	case 'B': bypassPKCS11 = PR_TRUE; break;
-
-        case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break;
-
-	case 'D': noDelay = PR_TRUE; break;
-	case 'E': disableStepDown = PR_TRUE; break;
-
-        case 'L':
-            logStats = PR_TRUE;
-	    if (optstate->value == NULL) {
-	    	logPeriod = 30;
-	    } else {
-                logPeriod  = PORT_Atoi(optstate->value);
-                if (logPeriod <= 0) logPeriod = 30;
-	    }
-            break;
-
-	case 'M': 
-	    maxProcs = PORT_Atoi(optstate->value); 
-	    if (maxProcs < 1)         maxProcs = 1;
-	    if (maxProcs > MAX_PROCS) maxProcs = MAX_PROCS;
-	    break;
-
-	case 'N': NoReuse = PR_TRUE; break;
-
-	case 'R': disableRollBack = PR_TRUE; break;
-        
-        case 'S': disableSSL2 = PR_TRUE; break;
-
-	case 'T': disableTLS = PR_TRUE; break;
-
-	case 'b': bindOnly = PR_TRUE; break;
-
-	case 'c': cipherString = PORT_Strdup(optstate->value); break;
-
-	case 'd': dir = optstate->value; break;
-
-#ifdef NSS_ENABLE_ECC
-	case 'e': ecNickName = PORT_Strdup(optstate->value); break;
-#endif /* NSS_ENABLE_ECC */
-
-	case 'f':
-            pwdata.source = PW_FROMFILE;
-            pwdata.data = pwfile = PORT_Strdup(optstate->value);
-            break;
-
-        case 'g': 
-            testBulk = PR_TRUE;
-            testBulkTotal = PORT_Atoi(optstate->value);
-            break;
-
-	case 'h': Usage(progName); exit(0); break;
-
-	case 'i': pidFile = optstate->value; break;
-
-        case 'j': 
-            initLoggingLayer(); 
-            loggingLayer = PR_TRUE;
-            break;
-
-        case 'l': useLocalThreads = PR_TRUE; break;
-
-	case 'm': useModelSocket = PR_TRUE; break;
-
-	case 'n': nickName = PORT_Strdup(optstate->value); break;
-
-	case 'P': certPrefix = PORT_Strdup(optstate->value); break;
-
-	case 'o': MakeCertOK = 1; break;
-
-	case 'p': port = PORT_Atoi(optstate->value); break;
-
-	case 'q': testbypass = PR_TRUE; break;
-
-	case 'r': ++requestCert; break;
-
-	case 's': disableLocking = PR_TRUE; break;
-
-	case 't':
-	    maxThreads = PORT_Atoi(optstate->value);
-	    if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
-	    if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
-	    break;
-
-	case 'u': enableSessionTickets = PR_TRUE; break;
-
-	case 'v': verbose++; break;
-
-	case 'w':
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = passwd = PORT_Strdup(optstate->value);
-            break;
-
-	case 'x': useExportPolicy = PR_TRUE; break;
-
-	case 'y': debugCache = PR_TRUE; break;
-
-	default:
-	case '?':
-	    fprintf(stderr, "Unrecognized or bad option specified.\n");
-	    fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
-	    exit(4);
-	    break;
-	}
-    }
-    PL_DestroyOptState(optstate);
-    if (status == PL_OPT_BAD) {
-	fprintf(stderr, "Unrecognized or bad option specified.\n");
-	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
-	exit(5);
-    }
-    if (!optionsFound) {
-	Usage(progName);
-	exit(51);
-    } 
-
-    /* The -b (bindOnly) option is only used by the ssl.sh test
-     * script on Linux to determine whether a previous selfserv
-     * process has fully died and freed the port.  (Bug 129701)
-     */
-    if (bindOnly) {
-	listen_sock = getBoundListenSocket(port);
-	if (!listen_sock) {
-	    exit(1);
-	}
-        if (listen_sock) {
-            PR_Close(listen_sock);
-        }
-	exit(0);
-    }
-
-    if ((nickName == NULL)
- #ifdef NSS_ENABLE_ECC
-						&& (ecNickName == NULL)
- #endif
-    ) {
-
-	fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
-	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
-        exit(6);
-    }
-
-    if (port == 0) {
-	fprintf(stderr, "Required argument 'port' must be non-zero value\n");
-	exit(7);
-    }
-
-    if (NoReuse && maxProcs > 1) {
-	fprintf(stderr, "-M and -N options are mutually exclusive.\n");
-	exit(14);
-    }
-
-    if (pidFile) {
-	FILE *tmpfile=fopen(pidFile,"w+");
-
-	if (tmpfile) {
-	    fprintf(tmpfile,"%d",getpid());
-	    fclose(tmpfile);
-	}
-    }
-
-    /* allocate and initialize app data for bulk encryption testing */
-    if (testBulk) {
-        testBulkBuf = PORT_Malloc(testBulkSize);
-        if (testBulkBuf == NULL)
-            errExit("Out of memory: testBulkBuf");
-        for (i = 0; i < testBulkSize; i++)
-            testBulkBuf[i] = i;
-    }
-
-    envString = getenv(envVarName);
-    tmp = getenv("TMP");
-    if (!tmp)
-	tmp = getenv("TMPDIR");
-    if (!tmp)
-	tmp = getenv("TEMP");
-    if (envString) {
-	/* we're one of the children in a multi-process server. */
-	listen_sock = PR_GetInheritedFD(inheritableSockName);
-	if (!listen_sock)
-	    errExit("PR_GetInheritedFD");
-#ifndef WINNT
-	/* we can't do this on NT because it breaks NSPR and
-	PR_Accept will fail on the socket in the child process if
-	the socket state is change to non inheritable
-	It is however a security issue to leave it accessible,
-	but it is OK for a test server such as selfserv.
-	NSPR should fix it eventually . see bugzilla 101617
-	and 102077
-	*/
-	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
-	if (prStatus != PR_SUCCESS)
-	    errExit("PR_SetFDInheritable");
-#endif
-	rv = SSL_InheritMPServerSIDCache(envString);
-	if (rv != SECSuccess)
-	    errExit("SSL_InheritMPServerSIDCache");
-    	hasSidCache = PR_TRUE;
-    } else if (maxProcs > 1) {
-	/* we're going to be the parent in a multi-process server.  */
-	listen_sock = getBoundListenSocket(port);
-	rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp);
-	if (rv != SECSuccess)
-	    errExit("SSL_ConfigMPServerSIDCache");
-    	hasSidCache = PR_TRUE;
-	beAGoodParent(argc, argv, maxProcs, listen_sock);
-	exit(99); /* should never get here */
-    } else {
-	/* we're an ordinary single process server. */
-	listen_sock = getBoundListenSocket(port);
-	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
-	if (prStatus != PR_SUCCESS)
-	    errExit("PR_SetFDInheritable");
-	if (!NoReuse) {
-	    rv = SSL_ConfigServerSessionIDCache(NumSidCacheEntries, 
-	                                        0, 0, tmp);
-	    if (rv != SECSuccess)
-		errExit("SSL_ConfigServerSessionIDCache");
-	    hasSidCache = PR_TRUE;
-	}
-    }
-
-    lm = PR_NewLogModule("TestCase");
-
-    if (fileName)
-    	readBigFile(fileName);
-
-    /* set our password function */
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /* Call the NSS initialization routines */
-    rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
-    if (rv != SECSuccess) {
-    	fputs("NSS_Init failed.\n", stderr);
-		exit(8);
-    }
-
-    /* set the policy bits true for all the cipher suites. */
-    if (useExportPolicy) {
-	NSS_SetExportPolicy();
-	if (disableStepDown) {
-	    fputs("selfserv: -x and -E options may not be used together\n", 
-	          stderr);
-	    exit(98);
-	}
-    } else {
-	NSS_SetDomesticPolicy();
-	if (disableStepDown) {
-	    rv = disableExportSSLCiphers();
-	    if (rv != SECSuccess) {
-		errExit("error disabling export ciphersuites ");
-	    }
-    	}
-    }
-
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
-    if (cipherString) {
-    	char *cstringSaved = cipherString;
-    	int ndx;
-
-	/* disable all the ciphers, then enable the ones we want. */
-	disableAllSSLCiphers();
-
-	while (0 != (ndx = *cipherString++)) {
-	    int  cipher;
-
-	    if (ndx == ':') {
-		int ctmp;
-
-		cipher = 0;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 12);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 8);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 4);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= ctmp;
-		cipherString++;
-	    } else {
-		const int *cptr;
-
-		if (! isalpha(ndx)) {
-		    fprintf(stderr, 
-			    "Non-alphabetic char in cipher string (-c arg).\n");
-		    exit(9);
-		}
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-		    /* do nothing */;
-	    }
-	    if (cipher > 0) {
-		SECStatus status;
-		status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
-		if (status != SECSuccess) 
-		    SECU_PrintError(progName, "SSL_CipherPrefSet()");
-	    } else {
-		fprintf(stderr, 
-			"Invalid cipher specification (-c arg).\n");
-		exit(9);
-	    }
-	}
-	PORT_Free(cstringSaved);
-    }
-
-    if (testbypass) {
-	const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-	int             i            = SSL_NumImplementedCiphers;
-	PRBool		enabled;
-
-	for (i=0; i < SSL_NumImplementedCiphers; i++, cipherSuites++) {
-	    if (SSL_CipherPrefGetDefault(*cipherSuites, &enabled) == SECSuccess
-				    && enabled)
-		savecipher(*cipherSuites);		    
-	}
-	protos = (disableTLS ? 0 : SSL_CBP_TLS1_0) +
-		 (disableSSL3 ? 0 : SSL_CBP_SSL3);
-    }
-
-    if (nickName) {
-	cert[kt_rsa] = PK11_FindCertFromNickname(nickName, &pwdata);
-	if (cert[kt_rsa] == NULL) {
-	    fprintf(stderr, "selfserv: Can't find certificate %s\n", nickName);
-	    exit(10);
-	}
-	privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], &pwdata);
-	if (privKey[kt_rsa] == NULL) {
-	    fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n", 
-	            nickName);
-	    exit(11);
-	}
-	if (testbypass) {
-	    PRBool bypassOK;
-	    if (SSL_CanBypass(cert[kt_rsa], privKey[kt_rsa], protos, cipherlist, 
-	                      nciphers, &bypassOK, &pwdata) != SECSuccess) {
-		SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
-		exit(14);
-	    }
-	    fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
-		    bypassOK ? "" : "not");
-	}
-    }
-#ifdef NSS_ENABLE_ECC
-    if (ecNickName) {
-	cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata);
-	if (cert[kt_ecdh] == NULL) {
-	    fprintf(stderr, "selfserv: Can't find certificate %s\n",
-		    ecNickName);
-	    exit(13);
-	}
-	privKey[kt_ecdh] = PK11_FindKeyByAnyCert(cert[kt_ecdh], &pwdata);
-	if (privKey[kt_ecdh] == NULL) {
-	    fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n", 
-	            ecNickName);
-	    exit(11);
-	}	    
-	if (testbypass) {
-	    PRBool bypassOK;
-	    if (SSL_CanBypass(cert[kt_ecdh], privKey[kt_ecdh], protos, cipherlist,
-			      nciphers, &bypassOK, &pwdata) != SECSuccess) {
-		SECU_PrintError(progName, "Bypass test failed %s\n", ecNickName);
-		exit(15);
-	    }
-	    fprintf(stderr, "selfserv: %s can%s bypass\n", ecNickName,
-		    bypassOK ? "" : "not");
-       }
-    }
-#endif /* NSS_ENABLE_ECC */
-
-    if (testbypass)
-	goto cleanup;
-
-/* allocate the array of thread slots, and launch the worker threads. */
-    rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
-
-    if (rv == SECSuccess && logStats) {
-	loggerThread = PR_CreateThread(PR_SYSTEM_THREAD, 
-			logger, NULL, PR_PRIORITY_NORMAL, 
-                        useLocalThreads ? PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
-                        PR_JOINABLE_THREAD, 0);
-	if (loggerThread == NULL) {
-	    fprintf(stderr, "selfserv: Failed to launch logger thread!\n");
-	    rv = SECFailure;
-	} 
-    }
-
-    if (rv == SECSuccess) {
-	server_main(listen_sock, requestCert, privKey, cert);
-    }
-
-    VLOG(("selfserv: server_thread: exiting"));
-
-cleanup:
-    printSSLStatistics();
-    ssl3stats = SSL_GetStatistics();
-    if (ssl3stats->hch_sid_ticket_parse_failures != 0) {
-	fprintf(stderr, "selfserv: Experienced ticket parse failure(s)\n");
-	exit(1);
-    }
-
-    {
-	int i;
-	for (i=0; i<kt_kea_size; i++) {
-	    if (cert[i]) {
-		CERT_DestroyCertificate(cert[i]);
-	    }
-	    if (privKey[i]) {
-		SECKEY_DestroyPrivateKey(privKey[i]);
-	    }
-	}
-    }
-
-    if (debugCache) {
-	nss_DumpCertificateCacheInfo();
-    }
-
-    if (nickName) {
-        PORT_Free(nickName);
-    }
-    if (passwd) {
-        PORT_Free(passwd);
-    }
-    if (pwfile) {
-        PORT_Free(pwfile);
-    }
-    if (certPrefix && certPrefix != emptyString) {                            
-        PORT_Free(certPrefix);
-    }
- #ifdef NSS_ENABLE_ECC
-    if (ecNickName) {
-        PORT_Free(ecNickName);
-    }
- #endif
-
-    if (hasSidCache) {
-	SSL_ShutdownServerSessionIDCache();
-    }
-    if (NSS_Shutdown() != SECSuccess) {
-	SECU_PrintError(progName, "NSS_Shutdown");
-        if (loggerThread) {
-            PR_JoinThread(loggerThread);
-        }
-	PR_Cleanup();
-	exit(1);
-    }
-    PR_Cleanup();
-    printf("selfserv: normal termination\n");
-    return 0;
-}
-
diff --git a/security/nss/cmd/shlibsign/Makefile b/security/nss/cmd/shlibsign/Makefile
deleted file mode 100644
index d62858548..000000000
--- a/security/nss/cmd/shlibsign/Makefile
+++ /dev/null
@@ -1,122 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
-	$(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-endif
-
-
-# sign any and all shared libraries that contain the word freebl
-
-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
-CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
-CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
-
-MD_LIB_RELEASE_FILES = $(CHECKLOC)
-ALL_TRASH += $(CHECKLOC)
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
-SRCDIR = $(call core_abspath,.)
-
-%.chk: %.$(DLL_SUFFIX) 
-ifeq ($(OS_TARGET), OS2)
-	cd $(OBJDIR) ; cmd.exe /c $(SRCDIR)/sign.cmd $(DIST) \
-	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
-	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
-else
-	cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
-	$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
-	$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
-endif
-
-libs install :: $(CHECKLOC)
-
diff --git a/security/nss/cmd/shlibsign/mangle/Makefile b/security/nss/cmd/shlibsign/mangle/Makefile
deleted file mode 100644
index 6bda58cac..000000000
--- a/security/nss/cmd/shlibsign/mangle/Makefile
+++ /dev/null
@@ -1,97 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
-	$(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-endif
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../../platrules.mk
-
diff --git a/security/nss/cmd/shlibsign/mangle/mangle.c b/security/nss/cmd/shlibsign/mangle/mangle.c
deleted file mode 100644
index 30b1daca3..000000000
--- a/security/nss/cmd/shlibsign/mangle/mangle.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Test program to mangle 1 bit in a binary
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "plstr.h"
-#include "plgetopt.h"
-#include "prio.h"
-
-static PRFileDesc *pr_stderr;
-static void
-usage (char *program_name)
-{
-
-    PR_fprintf (pr_stderr, "Usage:");
-    PR_fprintf (pr_stderr, "%s -i shared_library_name -o byte_offset -b bit\n", program_name);
-}
-
-
-int
-main (int argc, char **argv)
-{
-    /* buffers and locals */
-    PLOptState	*optstate;
-    char	*programName;
-    char	cbuf;
-
-    /* parameter set variables */
-    const char  *libFile = NULL; 	
-    int bitOffset = -1;
-
-    /* return values */
-    int		 retval = 2;  /* 0 - test succeeded.
-			       * 1 - illegal args 
-			       * 2 - function failed */
-    PRFileDesc *fd = NULL;
-    int bytesRead;
-    int bytesWritten;
-    PROffset32   offset = -1;
-    PROffset32   pos;
-
-    programName = PL_strrchr(argv[0], '/');
-    programName = programName ? (programName + 1) : argv[0];
-
-    pr_stderr = PR_STDERR;
-
-    optstate = PL_CreateOptState (argc, argv, "i:o:b:");
-    if (optstate == NULL) {
-	return 1;
-    }
-
-    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
-	switch (optstate->option) {
-          case 'i':
-            libFile = optstate->value;
-            break;
-
-          case 'o':
-            offset = atoi(optstate->value);
-            break;
-
-          case 'b':
-            bitOffset = atoi(optstate->value);
-            break;
-	}
-    }
-
-    if (libFile == NULL) {
-	usage(programName);
-	return 1;
-    }
-    if ((bitOffset >= 8) || (bitOffset < 0)) {
-	usage(programName);
-	return 1;
-    }
-
-    /* open the target signature file */
-    fd = PR_OpenFile(libFile,PR_RDWR,0666);
-    if (fd == NULL ) {
-	/* lperror(libFile); */
-	PR_fprintf(pr_stderr,"Couldn't Open %s\n",libFile);
-	goto loser;
-    }
-
-    if (offset < 0) { /* convert to positive offset */
-	pos = PR_Seek(fd, offset, PR_SEEK_END);
-	if (pos == -1) {
-	    PR_fprintf(pr_stderr,"Seek for read on %s (to %d) failed\n", 
-		       libFile, offset);
-	    goto loser;
-	}
-	offset = pos;
-    }
-
-    /* read the byte */
-    pos = PR_Seek(fd, offset, PR_SEEK_SET);
-    if (pos != offset) {
-	PR_fprintf(pr_stderr,"Seek for read on %s (to %d) failed\n", 
-	           libFile, offset);
-	goto loser;
-    }
-    bytesRead = PR_Read(fd, &cbuf, 1);
-    if (bytesRead != 1) {
-	PR_fprintf(pr_stderr,"Read on %s (to %d) failed\n", libFile, offset);
-	goto loser;
-    }
-
-    PR_fprintf(pr_stderr,"Changing byte 0x%08x (%d): from %02x (%d) to ", 
-		offset, offset, (unsigned char)cbuf, (unsigned char)cbuf);
-    /* change it */
-    cbuf ^= 1 << bitOffset;
-    PR_fprintf(pr_stderr,"%02x (%d)\n", 
-               (unsigned char)cbuf, (unsigned char)cbuf);
-
-    /* write it back out */
-    pos = PR_Seek(fd, offset, PR_SEEK_SET);
-    if (pos != offset) {
-	PR_fprintf(pr_stderr,"Seek for write on %s (to %d) failed\n", 
-	           libFile, offset);
-	goto loser;
-    }
-    bytesWritten = PR_Write(fd, &cbuf, 1);
-    if (bytesWritten != 1) {
-	PR_fprintf(pr_stderr,"Write on %s (to %d) failed\n", libFile, offset);
-	goto loser;
-    }
-
-    retval = 0;
-
-loser:
-    if (fd)
-	PR_Close(fd);
-    PR_Cleanup ();
-    return retval;
-}
-
-/*#DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" */
diff --git a/security/nss/cmd/shlibsign/mangle/manifest.mn b/security/nss/cmd/shlibsign/mangle/manifest.mn
deleted file mode 100644
index 613076adf..000000000
--- a/security/nss/cmd/shlibsign/mangle/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
-
-CSRCS = \
-	mangle.c \
-	$(NULL)
-
-
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = 
-
-PROGRAM = mangle
-
-USE_STATIC_LIBS = 1
-
diff --git a/security/nss/cmd/shlibsign/manifest.mn b/security/nss/cmd/shlibsign/manifest.mn
deleted file mode 100644
index ca460771f..000000000
--- a/security/nss/cmd/shlibsign/manifest.mn
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
-
-CSRCS = \
-	shlibsign.c \
-	$(NULL)
-
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
-# WINNT uses EXTRA_LIBS as the list of libs to link in.
-# Unix uses     OS_LIBS for that purpose.
-# We can solve this via conditional makefile code, but 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-# So, look in the local Makefile for the defines for the list of libs.
-
-PROGRAM = shlibsign
-
-DIRS = mangle
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/shlibsign/shlibsign.c b/security/nss/cmd/shlibsign/shlibsign.c
deleted file mode 100644
index db100557d..000000000
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ /dev/null
@@ -1,1123 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * shlibsign creates the checksum (.chk) files for the NSS libraries,
- * libsoftokn3/softokn3 and libfreebl/freebl (platforms can have 
- * multiple freebl variants), that contain the NSS cryptograhic boundary.
- *
- * The generated .chk files must be put in the same directory as
- * the NSS libraries they were generated for.
- *
- * When in FIPS 140 mode, the NSS Internal FIPS PKCS #11 Module will
- * compute the checksum for the NSS cryptographic boundary libraries
- * and compare the checksum with the value in .chk file.
- *
- * $Id$
- */
-
-#ifdef XP_UNIX
-#define USES_LINKS 1
-#endif
-
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-
-#ifdef USES_LINKS
-#include <unistd.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#endif
-
-/* nspr headers */
-#include "prlink.h"
-#include "prprf.h"
-#include "prenv.h"
-#include "plgetopt.h"
-#include "prinit.h"
-#include "prmem.h"
-#include "plstr.h"
-#include "prerror.h"
-
-/* softoken headers */
-#include "pkcs11.h"
-#include "pkcs11t.h"
-
-/* freebl headers */
-#include "shsign.h"
-
-#define NUM_ELEM(array) (sizeof(array)/sizeof(array[0]))
-CK_BBOOL true = CK_TRUE;
-CK_BBOOL false = CK_FALSE;
-static PRBool verbose = PR_FALSE;
-
-static void
-usage (const char *program_name)
-{
-    PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError);
-    PR_fprintf (debug_out,
-                "type %s -H for more detail information.\n", program_name);
-    PR_fprintf (debug_out,
-                "Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
-                "          [-F] [-p pwd] -[P dbprefix ] "
-                "-i shared_library_name\n",
-                program_name);
-    exit(1);
-}
-
-static void 
-long_usage(const char *program_name) 
-{
-    PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError);
-    PR_fprintf(debug_out, "%s test program usage:\n", program_name);
-    PR_fprintf(debug_out, "\t-i <infile>  shared_library_name to process\n");
-    PR_fprintf(debug_out, "\t-o <outfile> checksum outfile\n");
-    PR_fprintf(debug_out, "\t-d <path>    database path location\n");
-    PR_fprintf(debug_out, "\t-P <prefix>  database prefix\n");
-    PR_fprintf(debug_out, "\t-f <file>    password File : echo pw > file \n");
-    PR_fprintf(debug_out, "\t-F           FIPS mode\n"); 
-    PR_fprintf(debug_out, "\t-p <pwd>     password\n");
-    PR_fprintf(debug_out, "\t-v           verbose output\n");
-    PR_fprintf(debug_out, "\t-V           perform Verify operations\n");
-    PR_fprintf(debug_out, "\t-?           short help message\n");
-    PR_fprintf(debug_out, "\t-h           short help message\n");
-    PR_fprintf(debug_out, "\t-H           this help message\n");
-    PR_fprintf(debug_out, "\n\n\tNote: Use of FIPS mode requires your ");
-    PR_fprintf(debug_out, "library path is using \n");
-    PR_fprintf(debug_out, "\t      pre-existing libraries with generated ");
-    PR_fprintf(debug_out, "checksum files\n");
-    PR_fprintf(debug_out, "\t      and database in FIPS mode \n");
-    exit(1);
-}
-
-static char * 
-mkoutput(const char *input)
-{
-    int in_len = strlen(input);
-    char *output = PR_Malloc(in_len+sizeof(SGN_SUFFIX));
-    int index = in_len + 1 - sizeof("."SHLIB_SUFFIX);
-
-    if ((index > 0) && 
-        (PL_strncmp(&input[index],
-                 "."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) {
-        in_len = index;
-    }
-    memcpy(output,input,in_len);
-    memcpy(&output[in_len],SGN_SUFFIX,sizeof(SGN_SUFFIX));
-    return output;
-}
-
-static void 
-lperror(const char *string) {
-    PRErrorCode errorcode;
-
-    errorcode = PR_GetError();
-    PR_fprintf(PR_STDERR, "%s: %d: %s\n", string, errorcode,
-                PR_ErrorToString(errorcode, PR_LANGUAGE_I_DEFAULT));
-}
-
-static void
-encodeInt(unsigned char *buf, int val)
-{
-    buf[3] = (val >> 0) & 0xff;
-    buf[2] = (val >>  8) & 0xff;
-    buf[1] = (val >> 16) & 0xff;
-    buf[0] = (val >> 24) & 0xff;
-    return;
-}
-
-static PRStatus 
-writeItem(PRFileDesc *fd, CK_VOID_PTR pValue,
-          CK_ULONG ulValueLen, char *file)
-{
-    unsigned char buf[4];
-    int bytesWritten;
-    if (ulValueLen == 0) {
-        PR_fprintf(PR_STDERR, "call to writeItem with 0 bytes of data.\n");
-        return PR_FAILURE;
-    }
-
-    encodeInt(buf,ulValueLen);
-    bytesWritten = PR_Write(fd,buf, 4);
-    if (bytesWritten != 4) {
-        lperror(file);
-        return PR_FAILURE;
-    }
-    bytesWritten = PR_Write(fd, pValue, ulValueLen);
-    if (bytesWritten != ulValueLen) {
-        lperror(file);
-        return PR_FAILURE;
-    }
-    return PR_SUCCESS;
-}
-
-static const unsigned char prime[] = { 0x00,
-   0x97, 0x44, 0x1d, 0xcc, 0x0d, 0x39, 0x0d, 0x8d, 
-   0xcb, 0x75, 0xdc, 0x24, 0x25, 0x6f, 0x01, 0x92, 
-   0xa1, 0x11, 0x07, 0x6b, 0x70, 0xac, 0x73, 0xd7, 
-   0x82, 0x28, 0xdf, 0xab, 0x82, 0x0c, 0x41, 0x0c, 
-   0x95, 0xb3, 0x3c, 0x3d, 0xea, 0x8a, 0xe6, 0x44, 
-   0x0a, 0xb8, 0xab, 0x90, 0x15, 0x41, 0x11, 0xe8, 
-   0x48, 0x7b, 0x8d, 0xb0, 0x9c, 0xd3, 0xf2, 0x69, 
-   0x66, 0xff, 0x66, 0x4b, 0x70, 0x2b, 0xbf, 0xfb, 
-   0xd6, 0x68, 0x85, 0x76, 0x1e, 0x34, 0xaa, 0xc5, 
-   0x57, 0x6e, 0x23, 0x02, 0x08, 0x60, 0x6e, 0xfd, 
-   0x67, 0x76, 0xe1, 0x7c, 0xc8, 0xcb, 0x51, 0x77, 
-   0xcf, 0xb1, 0x3b, 0x00, 0x2e, 0xfa, 0x21, 0xcd, 
-   0x34, 0x76, 0x75, 0x01, 0x19, 0xfe, 0xf8, 0x5d, 
-   0x43, 0xc5, 0x34, 0xf3, 0x7a, 0x95, 0xdc, 0xc2, 
-   0x58, 0x07, 0x19, 0x2f, 0x1d, 0x6f, 0x9a, 0x77, 
-   0x7e, 0x55, 0xaa, 0xe7, 0x5a, 0x50, 0x43, 0xd3 };
-
-static const unsigned char subprime[] = { 0x0,
-   0xd8, 0x16, 0x23, 0x34, 0x8a, 0x9e, 0x3a, 0xf5, 
-   0xd9, 0x10, 0x13, 0x35, 0xaa, 0xf3, 0xf3, 0x54, 
-   0x0b, 0x31, 0x24, 0xf1 };
-
-static const unsigned char base[] = { 
-    0x03, 0x3a, 0xad, 0xfa, 0x3a, 0x0c, 0xea, 0x0a, 
-    0x4e, 0x43, 0x32, 0x92, 0xbb, 0x87, 0xf1, 0x11, 
-    0xc0, 0xad, 0x39, 0x38, 0x56, 0x1a, 0xdb, 0x23, 
-    0x66, 0xb1, 0x08, 0xda, 0xb6, 0x19, 0x51, 0x42, 
-    0x93, 0x4f, 0xc3, 0x44, 0x43, 0xa8, 0x05, 0xc1, 
-    0xf8, 0x71, 0x62, 0x6f, 0x3d, 0xe2, 0xab, 0x6f, 
-    0xd7, 0x80, 0x22, 0x6f, 0xca, 0x0d, 0xf6, 0x9f, 
-    0x45, 0x27, 0x83, 0xec, 0x86, 0x0c, 0xda, 0xaa, 
-    0xd6, 0xe0, 0xd0, 0x84, 0xfd, 0xb1, 0x4f, 0xdc, 
-    0x08, 0xcd, 0x68, 0x3a, 0x77, 0xc2, 0xc5, 0xf1, 
-    0x99, 0x0f, 0x15, 0x1b, 0x6a, 0x8c, 0x3d, 0x18, 
-    0x2b, 0x6f, 0xdc, 0x2b, 0xd8, 0xb5, 0x9b, 0xb8, 
-    0x2d, 0x57, 0x92, 0x1c, 0x46, 0x27, 0xaf, 0x6d, 
-    0xe1, 0x45, 0xcf, 0x0b, 0x3f, 0xfa, 0x07, 0xcc, 
-    0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36, 
-    0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
-
-static const unsigned char h[] = { 
-    0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac, 
-    0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6, 
-    0xc2, 0x29, 0x93, 0x5e, 0xbd, 0xc7, 0xa9, 0x8f, 
-    0x23, 0xa1, 0xc8, 0xee, 0x80, 0x64, 0xd5, 0x67, 
-    0x3c, 0xba, 0x59, 0x9a, 0x06, 0x0c, 0xcc, 0x29, 
-    0x56, 0xc0, 0xb2, 0x21, 0xe0, 0x5b, 0x52, 0xcd, 
-    0x84, 0x73, 0x57, 0xfd, 0xd8, 0xc3, 0x5b, 0x13, 
-    0x54, 0xd7, 0x4a, 0x06, 0x86, 0x63, 0x09, 0xa5, 
-    0xb0, 0x59, 0xe2, 0x32, 0x9e, 0x09, 0xa3, 0x9f, 
-    0x49, 0x62, 0xcc, 0xa6, 0xf9, 0x54, 0xd5, 0xb2, 
-    0xc3, 0x08, 0x71, 0x7e, 0xe3, 0x37, 0x50, 0xd6, 
-    0x7b, 0xa7, 0xc2, 0x60, 0xc1, 0xeb, 0x51, 0x32, 
-    0xfa, 0xad, 0x35, 0x25, 0x17, 0xf0, 0x7f, 0x23, 
-    0xe5, 0xa8, 0x01, 0x52, 0xcf, 0x2f, 0xd9, 0xa9, 
-    0xf6, 0x00, 0x21, 0x15, 0xf1, 0xf7, 0x70, 0xb7, 
-    0x57, 0x8a, 0xd0, 0x59, 0x6a, 0x82, 0xdc, 0x9c };
-
-static const unsigned char seed[] = { 0x00,
-    0xcc, 0x4c, 0x69, 0x74, 0xf6, 0x72, 0x24, 0x68, 
-    0x24, 0x4f, 0xd7, 0x50, 0x11, 0x40, 0x81, 0xed, 
-    0x19, 0x3c, 0x8a, 0x25, 0xbc, 0x78, 0x0a, 0x85, 
-    0x82, 0x53, 0x70, 0x20, 0xf6, 0x54, 0xa5, 0x1b, 
-    0xf4, 0x15, 0xcd, 0xff, 0xc4, 0x88, 0xa7, 0x9d, 
-    0xf3, 0x47, 0x1c, 0x0a, 0xbe, 0x10, 0x29, 0x83, 
-    0xb9, 0x0f, 0x4c, 0xdf, 0x90, 0x16, 0x83, 0xa2, 
-    0xb3, 0xe3, 0x2e, 0xc1, 0xc2, 0x24, 0x6a, 0xc4, 
-    0x9d, 0x57, 0xba, 0xcb, 0x0f, 0x18, 0x75, 0x00, 
-    0x33, 0x46, 0x82, 0xec, 0xd6, 0x94, 0x77, 0xc3, 
-    0x4f, 0x4c, 0x58, 0x1c, 0x7f, 0x61, 0x3c, 0x36, 
-    0xd5, 0x2f, 0xa5, 0x66, 0xd8, 0x2f, 0xce, 0x6e, 
-    0x8e, 0x20, 0x48, 0x4a, 0xbb, 0xe3, 0xe0, 0xb2, 
-    0x50, 0x33, 0x63, 0x8a, 0x5b, 0x2d, 0x6a, 0xbe, 
-    0x4c, 0x28, 0x81, 0x53, 0x5b, 0xe4, 0xf6, 0xfc, 
-    0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
-
-static const unsigned int counter=1496;
-
-struct tuple_str {
-    CK_RV         errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-static const tuple_str errStrings[] = {
-{CKR_OK                              , "CKR_OK                              "},
-{CKR_CANCEL                          , "CKR_CANCEL                          "},
-{CKR_HOST_MEMORY                     , "CKR_HOST_MEMORY                     "},
-{CKR_SLOT_ID_INVALID                 , "CKR_SLOT_ID_INVALID                 "},
-{CKR_GENERAL_ERROR                   , "CKR_GENERAL_ERROR                   "},
-{CKR_FUNCTION_FAILED                 , "CKR_FUNCTION_FAILED                 "},
-{CKR_ARGUMENTS_BAD                   , "CKR_ARGUMENTS_BAD                   "},
-{CKR_NO_EVENT                        , "CKR_NO_EVENT                        "},
-{CKR_NEED_TO_CREATE_THREADS          , "CKR_NEED_TO_CREATE_THREADS          "},
-{CKR_CANT_LOCK                       , "CKR_CANT_LOCK                       "},
-{CKR_ATTRIBUTE_READ_ONLY             , "CKR_ATTRIBUTE_READ_ONLY             "},
-{CKR_ATTRIBUTE_SENSITIVE             , "CKR_ATTRIBUTE_SENSITIVE             "},
-{CKR_ATTRIBUTE_TYPE_INVALID          , "CKR_ATTRIBUTE_TYPE_INVALID          "},
-{CKR_ATTRIBUTE_VALUE_INVALID         , "CKR_ATTRIBUTE_VALUE_INVALID         "},
-{CKR_DATA_INVALID                    , "CKR_DATA_INVALID                    "},
-{CKR_DATA_LEN_RANGE                  , "CKR_DATA_LEN_RANGE                  "},
-{CKR_DEVICE_ERROR                    , "CKR_DEVICE_ERROR                    "},
-{CKR_DEVICE_MEMORY                   , "CKR_DEVICE_MEMORY                   "},
-{CKR_DEVICE_REMOVED                  , "CKR_DEVICE_REMOVED                  "},
-{CKR_ENCRYPTED_DATA_INVALID          , "CKR_ENCRYPTED_DATA_INVALID          "},
-{CKR_ENCRYPTED_DATA_LEN_RANGE        , "CKR_ENCRYPTED_DATA_LEN_RANGE        "},
-{CKR_FUNCTION_CANCELED               , "CKR_FUNCTION_CANCELED               "},
-{CKR_FUNCTION_NOT_PARALLEL           , "CKR_FUNCTION_NOT_PARALLEL           "},
-{CKR_FUNCTION_NOT_SUPPORTED          , "CKR_FUNCTION_NOT_SUPPORTED          "},
-{CKR_KEY_HANDLE_INVALID              , "CKR_KEY_HANDLE_INVALID              "},
-{CKR_KEY_SIZE_RANGE                  , "CKR_KEY_SIZE_RANGE                  "},
-{CKR_KEY_TYPE_INCONSISTENT           , "CKR_KEY_TYPE_INCONSISTENT           "},
-{CKR_KEY_NOT_NEEDED                  , "CKR_KEY_NOT_NEEDED                  "},
-{CKR_KEY_CHANGED                     , "CKR_KEY_CHANGED                     "},
-{CKR_KEY_NEEDED                      , "CKR_KEY_NEEDED                      "},
-{CKR_KEY_INDIGESTIBLE                , "CKR_KEY_INDIGESTIBLE                "},
-{CKR_KEY_FUNCTION_NOT_PERMITTED      , "CKR_KEY_FUNCTION_NOT_PERMITTED      "},
-{CKR_KEY_NOT_WRAPPABLE               , "CKR_KEY_NOT_WRAPPABLE               "},
-{CKR_KEY_UNEXTRACTABLE               , "CKR_KEY_UNEXTRACTABLE               "},
-{CKR_MECHANISM_INVALID               , "CKR_MECHANISM_INVALID               "},
-{CKR_MECHANISM_PARAM_INVALID         , "CKR_MECHANISM_PARAM_INVALID         "},
-{CKR_OBJECT_HANDLE_INVALID           , "CKR_OBJECT_HANDLE_INVALID           "},
-{CKR_OPERATION_ACTIVE                , "CKR_OPERATION_ACTIVE                "},
-{CKR_OPERATION_NOT_INITIALIZED       , "CKR_OPERATION_NOT_INITIALIZED       "},
-{CKR_PIN_INCORRECT                   , "CKR_PIN_INCORRECT                   "},
-{CKR_PIN_INVALID                     , "CKR_PIN_INVALID                     "},
-{CKR_PIN_LEN_RANGE                   , "CKR_PIN_LEN_RANGE                   "},
-{CKR_PIN_EXPIRED                     , "CKR_PIN_EXPIRED                     "},
-{CKR_PIN_LOCKED                      , "CKR_PIN_LOCKED                      "},
-{CKR_SESSION_CLOSED                  , "CKR_SESSION_CLOSED                  "},
-{CKR_SESSION_COUNT                   , "CKR_SESSION_COUNT                   "},
-{CKR_SESSION_HANDLE_INVALID          , "CKR_SESSION_HANDLE_INVALID          "},
-{CKR_SESSION_PARALLEL_NOT_SUPPORTED  , "CKR_SESSION_PARALLEL_NOT_SUPPORTED  "},
-{CKR_SESSION_READ_ONLY               , "CKR_SESSION_READ_ONLY               "},
-{CKR_SESSION_EXISTS                  , "CKR_SESSION_EXISTS                  "},
-{CKR_SESSION_READ_ONLY_EXISTS        , "CKR_SESSION_READ_ONLY_EXISTS        "},
-{CKR_SESSION_READ_WRITE_SO_EXISTS    , "CKR_SESSION_READ_WRITE_SO_EXISTS    "},
-{CKR_SIGNATURE_INVALID               , "CKR_SIGNATURE_INVALID               "},
-{CKR_SIGNATURE_LEN_RANGE             , "CKR_SIGNATURE_LEN_RANGE             "},
-{CKR_TEMPLATE_INCOMPLETE             , "CKR_TEMPLATE_INCOMPLETE             "},
-{CKR_TEMPLATE_INCONSISTENT           , "CKR_TEMPLATE_INCONSISTENT           "},
-{CKR_TOKEN_NOT_PRESENT               , "CKR_TOKEN_NOT_PRESENT               "},
-{CKR_TOKEN_NOT_RECOGNIZED            , "CKR_TOKEN_NOT_RECOGNIZED            "},
-{CKR_TOKEN_WRITE_PROTECTED           , "CKR_TOKEN_WRITE_PROTECTED           "},
-{CKR_UNWRAPPING_KEY_HANDLE_INVALID   , "CKR_UNWRAPPING_KEY_HANDLE_INVALID   "},
-{CKR_UNWRAPPING_KEY_SIZE_RANGE       , "CKR_UNWRAPPING_KEY_SIZE_RANGE       "},
-{CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"},
-{CKR_USER_ALREADY_LOGGED_IN          , "CKR_USER_ALREADY_LOGGED_IN          "},
-{CKR_USER_NOT_LOGGED_IN              , "CKR_USER_NOT_LOGGED_IN              "},
-{CKR_USER_PIN_NOT_INITIALIZED        , "CKR_USER_PIN_NOT_INITIALIZED        "},
-{CKR_USER_TYPE_INVALID               , "CKR_USER_TYPE_INVALID               "},
-{CKR_USER_ANOTHER_ALREADY_LOGGED_IN  , "CKR_USER_ANOTHER_ALREADY_LOGGED_IN  "},
-{CKR_USER_TOO_MANY_TYPES             , "CKR_USER_TOO_MANY_TYPES             "},
-{CKR_WRAPPED_KEY_INVALID             , "CKR_WRAPPED_KEY_INVALID             "},
-{CKR_WRAPPED_KEY_LEN_RANGE           , "CKR_WRAPPED_KEY_LEN_RANGE           "},
-{CKR_WRAPPING_KEY_HANDLE_INVALID     , "CKR_WRAPPING_KEY_HANDLE_INVALID     "},
-{CKR_WRAPPING_KEY_SIZE_RANGE         , "CKR_WRAPPING_KEY_SIZE_RANGE         "},
-{CKR_WRAPPING_KEY_TYPE_INCONSISTENT  , "CKR_WRAPPING_KEY_TYPE_INCONSISTENT  "},
-{CKR_RANDOM_SEED_NOT_SUPPORTED       , "CKR_RANDOM_SEED_NOT_SUPPORTED       "},
-{CKR_RANDOM_NO_RNG                   , "CKR_RANDOM_NO_RNG                   "},
-{CKR_DOMAIN_PARAMS_INVALID           , "CKR_DOMAIN_PARAMS_INVALID           "},
-{CKR_BUFFER_TOO_SMALL                , "CKR_BUFFER_TOO_SMALL                "},
-{CKR_SAVED_STATE_INVALID             , "CKR_SAVED_STATE_INVALID             "},
-{CKR_INFORMATION_SENSITIVE           , "CKR_INFORMATION_SENSITIVE           "},
-{CKR_STATE_UNSAVEABLE                , "CKR_STATE_UNSAVEABLE                "},
-{CKR_CRYPTOKI_NOT_INITIALIZED        , "CKR_CRYPTOKI_NOT_INITIALIZED        "},
-{CKR_CRYPTOKI_ALREADY_INITIALIZED    , "CKR_CRYPTOKI_ALREADY_INITIALIZED    "},
-{CKR_MUTEX_BAD                       , "CKR_MUTEX_BAD                       "},
-{CKR_MUTEX_NOT_LOCKED                , "CKR_MUTEX_NOT_LOCKED                "},
-{CKR_FUNCTION_REJECTED               , "CKR_FUNCTION_REJECTED               "},
-{CKR_VENDOR_DEFINED                  , "CKR_VENDOR_DEFINED                  "},
-{0xCE534351                          , "CKR_NETSCAPE_CERTDB_FAILED          "},
-{0xCE534352                          , "CKR_NETSCAPE_KEYDB_FAILED           "}
-
-};
-
-static const CK_ULONG numStrings = sizeof(errStrings) / sizeof(tuple_str);
-
-/* Returns constant error string for "CRV".
- * Returns "unknown error" if errNum is unknown.
- */
-static const char *
-CK_RVtoStr(CK_RV errNum) {
-    CK_ULONG low  = 1;
-    CK_ULONG high = numStrings - 1;
-    CK_ULONG i;
-    CK_RV num;
-    static int initDone;
-
-    /* make sure table is in  ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-        CK_RV lastNum = CKR_OK;
-        for (i = low; i <= high; ++i) {
-            num = errStrings[i].errNum;
-            if (num <= lastNum) {
-                PR_fprintf(PR_STDERR,
-                        "sequence error in error strings at item %d\n"
-                        "error %d (%s)\n"
-                        "should come after \n"
-                        "error %d (%s)\n",
-                        (int) i, (int) lastNum, errStrings[i-1].errString,
-                        (int) num, errStrings[i].errString);
-            }
-            lastNum = num;
-        }
-        initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-        i = (low + high) / 2;
-        num = errStrings[i].errNum;
-        if (errNum == num)
-            return errStrings[i].errString;
-        if (errNum < num)
-            high = i;
-        else
-            low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-        return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-        return errStrings[high].errString;
-    return "unknown error";
-}
-
-static void 
-pk11error(const char *string, CK_RV crv) {
-    PRErrorCode errorcode;
-
-    PR_fprintf(PR_STDERR, "%s: 0x%08lX, %-26s\n", string, crv, CK_RVtoStr(crv));
-
-    errorcode = PR_GetError();
-    if (errorcode) {
-        PR_fprintf(PR_STDERR, "NSPR error code: %d: %s\n", errorcode,
-                PR_ErrorToString(errorcode, PR_LANGUAGE_I_DEFAULT));
-    }
-}
-
-static void 
-logIt(const char *fmt, ...) {
-    va_list args;
-
-    if (verbose) {
-        va_start (args, fmt);
-        vprintf(fmt, args);
-        va_end(args);
-    }
-}
-
-static CK_RV 
-softokn_Init(CK_FUNCTION_LIST_PTR pFunctionList, const char * configDir,
-            const char * dbPrefix) {
-
-    CK_RV crv = CKR_OK;
-    CK_C_INITIALIZE_ARGS initArgs;
-    char *moduleSpec = NULL;
-
-    initArgs.CreateMutex = NULL;
-    initArgs.DestroyMutex = NULL;
-    initArgs.LockMutex = NULL;
-    initArgs.UnlockMutex = NULL;
-    initArgs.flags = CKF_OS_LOCKING_OK;
-    if (configDir) {
-        moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
-                             "keyPrefix='%s' secmod='secmod.db' flags=ReadOnly ",
-                             configDir, dbPrefix, dbPrefix);
-    } else {
-        moduleSpec = PR_smprintf("configdir='' certPrefix='' keyPrefix='' "
-                                 "secmod='' flags=noCertDB, noModDB");
-    }
-    if (!moduleSpec) {
-        PR_fprintf(PR_STDERR, "softokn_Init: out of memory error\n");
-        return CKR_HOST_MEMORY;
-    } 
-    logIt("moduleSpec %s\n", moduleSpec);
-    initArgs.LibraryParameters = (CK_CHAR_PTR *) moduleSpec;
-    initArgs.pReserved = NULL;
-
-    crv = pFunctionList->C_Initialize(&initArgs);
-    if (crv != CKR_OK) {
-        pk11error("C_Initialize failed", crv);
-        goto cleanup;
-    }
-
-cleanup:
-    if (moduleSpec) {
-        PR_smprintf_free(moduleSpec);
-    }
-
-    return crv;
-}
-
-static char * 
-filePasswd(char *pwFile)
-{
-    unsigned char phrase[200];
-    PRFileDesc *fd;
-    PRInt32 nb;
-    int i;
-
-    if (!pwFile)
-        return 0;
-
-    fd = PR_Open(pwFile, PR_RDONLY, 0);
-    if (!fd) {
-        lperror(pwFile);
-        return NULL;
-    }
-
-    nb = PR_Read(fd, phrase, sizeof(phrase));
-
-    PR_Close(fd);
-    /* handle the Windows EOL case */
-    i = 0;
-    while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++;
-    phrase[i] = '\0';
-    if (nb == 0) {
-        PR_fprintf(PR_STDERR,"password file contains no data\n");
-        return NULL;
-    }
-    return (char*) PL_strdup((char*)phrase);
-}
-
-static void 
-checkPath(char *string)
-{
-    char *src;
-    char *dest;
-
-    /*
-     * windows support convert any back slashes to
-     * forward slashes.
-     */
-    for (src=string, dest=string; *src; src++,dest++) {
-        if (*src == '\\') {
-            *dest = '/';
-        }
-    }
-    dest--;
-    /* if the last char is a / set it to 0 */
-    if (*dest == '/')
-        *dest = 0;
-
-}
-
-static CK_SLOT_ID *
-getSlotList(CK_FUNCTION_LIST_PTR pFunctionList,
-            CK_ULONG slotIndex) {
-    CK_RV crv = CKR_OK;
-    CK_SLOT_ID *pSlotList = NULL;
-    CK_ULONG slotCount;
-
-    /* Get slot list */
-    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
-                                       NULL, &slotCount);
-    if (crv != CKR_OK) {
-        pk11error( "C_GetSlotList failed", crv);
-        return NULL;
-    }
-
-    if (slotIndex >= slotCount) {
-        PR_fprintf(PR_STDERR, "provided slotIndex is greater than the slot count.");
-        return NULL;
-    }
-
-    pSlotList = (CK_SLOT_ID *)PR_Malloc(slotCount * sizeof(CK_SLOT_ID));
-    if (!pSlotList) {
-        lperror("failed to allocate slot list");
-        return NULL;
-    }
-    crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */,
-                                       pSlotList, &slotCount);
-    if (crv != CKR_OK) {
-        pk11error( "C_GetSlotList failed", crv);
-        if (pSlotList) PR_Free(pSlotList);
-        return NULL;
-    }
-    return pSlotList;
-}
-
-int main(int argc, char **argv)
-{
-    PLOptState *optstate;
-    char *program_name;
-    char *libname = NULL;
-    PRLibrary *lib;
-    PRFileDesc *fd;
-    PRStatus rv = PR_SUCCESS;
-    const char  *input_file = NULL; /* read/create encrypted data from here */
-    char  *output_file = NULL;	/* write new encrypted data here */
-    int bytesRead;
-    int bytesWritten;
-    unsigned char file_buf[512];
-    int count=0;
-    int i;
-    PRBool verify = PR_FALSE;
-    static PRBool FIPSMODE = PR_FALSE;
-
-#ifdef USES_LINKS
-    int ret;
-    struct stat stat_buf;
-    char link_buf[MAXPATHLEN+1];
-    char *link_file = NULL;
-#endif
-
-    char *pwd = NULL;
-    char *configDir = NULL;
-    char *dbPrefix = NULL;
-    char *disableUnload = NULL;
-
-    CK_C_GetFunctionList pC_GetFunctionList;
-    CK_TOKEN_INFO tokenInfo;
-    CK_FUNCTION_LIST_PTR pFunctionList = NULL;
-    CK_RV crv = CKR_OK;
-    CK_SESSION_HANDLE hRwSession;
-    CK_SLOT_ID *pSlotList = NULL;
-    CK_ULONG slotIndex = 0; 
-    CK_MECHANISM digestmech;
-    CK_ULONG digestLen = 0;
-    CK_BYTE digest[20]; /* SHA1_LENGTH */
-    CK_BYTE sign[40];   /* DSA SIGNATURE LENGTH */
-    CK_ULONG signLen = 0 ;
-    CK_MECHANISM signMech = {
-        CKM_DSA, NULL, 0
-    };
-
-    /*** DSA Key ***/
-
-    CK_MECHANISM dsaKeyPairGenMech;
-    CK_ATTRIBUTE dsaPubKeyTemplate[5];
-    CK_ATTRIBUTE dsaPrivKeyTemplate[5];
-    CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
-    CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
-
-    CK_BYTE dsaPubKey[128];
-    CK_ATTRIBUTE dsaPubKeyValue;
-
-    /* DSA key init */
-    dsaPubKeyTemplate[0].type       = CKA_PRIME;
-    dsaPubKeyTemplate[0].pValue     = (CK_VOID_PTR) &prime;
-    dsaPubKeyTemplate[0].ulValueLen = sizeof(prime);
-    dsaPubKeyTemplate[1].type = CKA_SUBPRIME;
-    dsaPubKeyTemplate[1].pValue = (CK_VOID_PTR) &subprime;
-    dsaPubKeyTemplate[1].ulValueLen = sizeof(subprime);
-    dsaPubKeyTemplate[2].type = CKA_BASE;
-    dsaPubKeyTemplate[2].pValue = (CK_VOID_PTR) &base;
-    dsaPubKeyTemplate[2].ulValueLen = sizeof(base);
-    dsaPubKeyTemplate[3].type = CKA_TOKEN;
-    dsaPubKeyTemplate[3].pValue = &false; /* session object */
-    dsaPubKeyTemplate[3].ulValueLen = sizeof(false);
-    dsaPubKeyTemplate[4].type = CKA_VERIFY;
-    dsaPubKeyTemplate[4].pValue = &true;
-    dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
-    dsaKeyPairGenMech.mechanism      = CKM_DSA_KEY_PAIR_GEN;
-    dsaKeyPairGenMech.pParameter = NULL;
-    dsaKeyPairGenMech.ulParameterLen = 0;
-    dsaPrivKeyTemplate[0].type       = CKA_TOKEN;
-    dsaPrivKeyTemplate[0].pValue     = &false; /* session object */
-    dsaPrivKeyTemplate[0].ulValueLen = sizeof(false);
-    dsaPrivKeyTemplate[1].type       = CKA_PRIVATE;
-    dsaPrivKeyTemplate[1].pValue     = &true;
-    dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[2].type       = CKA_SENSITIVE;
-    dsaPrivKeyTemplate[2].pValue     = &true; 
-    dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[3].type       = CKA_SIGN,
-    dsaPrivKeyTemplate[3].pValue     = &true;
-    dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
-    dsaPrivKeyTemplate[4].type       = CKA_EXTRACTABLE;
-    dsaPrivKeyTemplate[4].pValue     = &false;
-    dsaPrivKeyTemplate[4].ulValueLen = sizeof(false);
-    digestmech.mechanism = CKM_SHA_1;
-    digestmech.pParameter = NULL;
-    digestmech.ulParameterLen = 0;
-
-    program_name = strrchr(argv[0], '/');
-    program_name = program_name ? (program_name + 1) : argv[0];
-    optstate = PL_CreateOptState (argc, argv, "i:o:f:Fd:hH?p:P:vVs:");
-    if (optstate == NULL) {
-        lperror("PL_CreateOptState failed");
-        return 1;
-    }
-
-    while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
-        switch (optstate->option) {
-
-            case 'd':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                configDir = PL_strdup(optstate->value);
-                checkPath(configDir);
-                break;
-
-                case 'i':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                input_file = optstate->value;
-                break;
-
-                case 'o':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                output_file = PL_strdup(optstate->value);
-                break;
-
-                case 'f':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                pwd = filePasswd((char *)optstate->value);
-                if (!pwd) usage(program_name);
-                break;
-
-                case 'F':
-                FIPSMODE = PR_TRUE;
-                break;
-
-                case 'p':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                pwd =  PL_strdup(optstate->value);
-                break;
-
-                case 'P':
-                if (!optstate->value) {
-                    PL_DestroyOptState(optstate);
-                    usage(program_name);
-                }
-                dbPrefix = PL_strdup(optstate->value);
-                break;
-
-                case 'v':
-                verbose = PR_TRUE;
-                break;
-
-                case 'V':
-                verify = PR_TRUE;
-                break;
-
-                case 'H':
-                PL_DestroyOptState(optstate);
-                long_usage (program_name);
-                return 1;
-                break;
-
-                case 'h':
-                case '?':
-                default:
-                PL_DestroyOptState(optstate);
-                usage(program_name);
-                return 1;
-                break;
-        }
-    }
-    PL_DestroyOptState(optstate);
-
-    if (!input_file) {
-        usage(program_name);
-        return 1;
-    }
-
-    /* Get the platform-dependent library name of the
-     * NSS cryptographic module.
-     */
-    libname = PR_GetLibraryName(NULL, "softokn3");
-    assert(libname != NULL);
-    lib = PR_LoadLibrary(libname);
-    assert(lib != NULL);
-    PR_FreeLibraryName(libname);
-
-
-    if (FIPSMODE) {
-        /* FIPSMODE == FC_GetFunctionList */
-        /* library path must be set to an already signed softokn3/freebl */
-        pC_GetFunctionList = (CK_C_GetFunctionList)
-                             PR_FindFunctionSymbol(lib, "FC_GetFunctionList");
-    } else {
-        /* NON FIPS mode  == C_GetFunctionList */
-        pC_GetFunctionList = (CK_C_GetFunctionList)
-                             PR_FindFunctionSymbol(lib, "C_GetFunctionList");
-     }
-    assert(pC_GetFunctionList != NULL);
-
-    crv = (*pC_GetFunctionList)(&pFunctionList);
-    assert(crv == CKR_OK);
-
-    if (configDir) {
-    if (!dbPrefix) {
-            dbPrefix = PL_strdup("");
-        }
-        crv = softokn_Init(pFunctionList, configDir, dbPrefix);
-        if (crv != CKR_OK) {
-            logIt("Failed to use provided database directory "
-                  "will just initialize the volatile certdb.\n");
-            crv = softokn_Init(pFunctionList, NULL, NULL); /* NoDB Init */
-        }
-    } else {
-        crv = softokn_Init(pFunctionList, NULL, NULL); /* NoDB Init */
-    }
-
-    if (crv != CKR_OK) {
-        pk11error( "Initiailzing softoken failed", crv);
-        goto cleanup;
-    }
-
-    pSlotList = getSlotList(pFunctionList, slotIndex);
-    if (pSlotList == NULL) {
-        PR_fprintf(PR_STDERR, "getSlotList failed");
-        goto cleanup;
-    }
-
-    crv = pFunctionList->C_OpenSession(pSlotList[slotIndex],
-                                       CKF_RW_SESSION | CKF_SERIAL_SESSION,
-                                       NULL, NULL, &hRwSession);
-    if (crv != CKR_OK) {
-        pk11error( "Opening a read/write session failed", crv);
-        goto cleanup;
-    }
-
-    /* check if a password is needed */
-    crv = pFunctionList->C_GetTokenInfo(pSlotList[slotIndex], &tokenInfo);
-    if (crv != CKR_OK) {
-        pk11error( "C_GetTokenInfo failed", crv);
-        goto cleanup;
-    }
-    if (tokenInfo.flags & CKF_LOGIN_REQUIRED) {
-        if (pwd) {
-            int pwdLen = strlen((const char*)pwd); 
-            crv = pFunctionList->C_Login(hRwSession, CKU_USER, 
-                                (CK_UTF8CHAR_PTR) pwd, (CK_ULONG)pwdLen);
-            if (crv != CKR_OK) {
-                pk11error("C_Login failed", crv);
-                goto cleanup;
-            }
-        } else {
-            PR_fprintf(PR_STDERR, "Please provide the password for the token");
-            goto cleanup;
-        }
-    } else if (pwd) {
-        logIt("A password was provided but the password was not used.\n");
-    }
-
-    /* Generate a DSA key pair */
-    logIt("Generate a DSA key pair ... \n");
-    crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech,
-                                           dsaPubKeyTemplate,
-                                           NUM_ELEM(dsaPubKeyTemplate),
-                                           dsaPrivKeyTemplate,
-                                           NUM_ELEM(dsaPrivKeyTemplate),
-                                           &hDSApubKey, &hDSAprivKey);
-    if (crv != CKR_OK) {
-        pk11error("DSA key pair generation failed", crv);
-        goto cleanup;
-    }
-
-    /* open the shared library */
-    fd = PR_OpenFile(input_file,PR_RDONLY,0);
-    if (fd == NULL ) {
-        lperror(input_file);
-        goto cleanup;
-    }
-#ifdef USES_LINKS
-    ret = lstat(input_file, &stat_buf);
-    if (ret < 0) {
-        perror(input_file);
-        goto cleanup;
-    }
-    if (S_ISLNK(stat_buf.st_mode)) {
-        char *dirpath,*dirend;
-        ret = readlink(input_file, link_buf, sizeof(link_buf) - 1);
-        if (ret < 0) {
-            perror(input_file);
-            goto cleanup;
-        }
-        link_buf[ret] = 0;
-        link_file = mkoutput(input_file);
-        /* get the dirname of input_file */
-        dirpath = PL_strdup(input_file);
-        dirend = strrchr(dirpath, '/');
-        if (dirend) {
-            *dirend = '\0';
-            ret = chdir(dirpath);
-            if (ret < 0) {
-                perror(dirpath);
-                goto cleanup;
-            }
-        }
-        PL_strfree(dirpath);
-        input_file = link_buf;
-        /* get the basename of link_file */
-        dirend = strrchr(link_file, '/');
-        if (dirend) {
-            char * tmp_file = NULL;
-            tmp_file = PL_strdup(dirend +1 );
-            PL_strfree(link_file);
-            link_file = tmp_file;
-        }
-    }
-#endif
-    if (output_file == NULL) {
-        output_file = mkoutput(input_file);
-    }
-
-    /* compute the digest */
-    memset(digest, 0, sizeof(digest));
-    crv = pFunctionList->C_DigestInit(hRwSession, &digestmech);
-    if (crv != CKR_OK) {
-        pk11error("C_DigestInit failed", crv);
-        goto cleanup;
-    }
-
-    /* Digest the file */
-    while ((bytesRead = PR_Read(fd,file_buf,sizeof(file_buf))) > 0) {
-        crv = pFunctionList->C_DigestUpdate(hRwSession, (CK_BYTE_PTR)file_buf,
-                                            bytesRead);
-        if (crv != CKR_OK) {
-            pk11error("C_DigestUpdate failed", crv);
-            goto cleanup;
-        }
-        count += bytesRead;
-    }
-
-    /* close the input_File */
-    PR_Close(fd);
-    fd = NULL;
-    if (bytesRead < 0) {
-        lperror("0 bytes read from input file");
-        goto cleanup;
-    }
-
-    digestLen = sizeof(digest);
-    crv = pFunctionList->C_DigestFinal(hRwSession, (CK_BYTE_PTR)digest,
-                                       &digestLen);
-    if (crv != CKR_OK) {
-        pk11error("C_DigestFinal failed", crv);
-        goto cleanup;
-    }
-
-    if (digestLen != sizeof(digest)) {
-        PR_fprintf(PR_STDERR, "digestLen has incorrect length %lu "
-                "it should be %lu \n",digestLen, sizeof(digest));
-        goto cleanup;
-    }
-
-    /* sign the hash */
-    memset(sign, 0, sizeof(sign));
-    /* SignUpdate  */
-    crv = pFunctionList->C_SignInit(hRwSession, &signMech, hDSAprivKey);
-    if (crv != CKR_OK) {
-        pk11error("C_SignInit failed", crv);
-        goto cleanup;
-    }
-
-    signLen = sizeof(sign);
-    crv = pFunctionList->C_Sign(hRwSession, (CK_BYTE * ) digest, digestLen,
-                                sign, &signLen);
-    if (crv != CKR_OK) {
-        pk11error("C_Sign failed", crv);
-        goto cleanup;
-    }
-
-    if (signLen != sizeof(sign)) {
-        PR_fprintf(PR_STDERR, "signLen has incorrect length %lu "
-                    "it should be %lu \n", signLen, sizeof(sign));
-        goto cleanup;
-    }
-
-    if (verify) {
-        crv = pFunctionList->C_VerifyInit(hRwSession, &signMech, hDSApubKey);
-        if (crv != CKR_OK) {
-            pk11error("C_VerifyInit failed", crv);
-            goto cleanup;
-        }
-        crv = pFunctionList->C_Verify(hRwSession, digest, digestLen,
-                                      sign, signLen);
-        if (crv != CKR_OK) {
-            pk11error("C_Verify failed", crv);
-            goto cleanup;
-        }
-    }
-
-    if (verbose) {
-        int j;
-        PR_fprintf(PR_STDERR,"Library File: %s %d bytes\n",input_file, count);
-        PR_fprintf(PR_STDERR,"Check File: %s\n",output_file);
-#ifdef USES_LINKS
-        if (link_file) {
-            PR_fprintf(PR_STDERR,"Link: %s\n",link_file);
-        }
-#endif
-        PR_fprintf(PR_STDERR,"  hash: %lu bytes\n", digestLen);
-#define STEP 10
-        for (i=0; i < (int) digestLen; i += STEP) {
-            PR_fprintf(PR_STDERR,"   ");
-            for (j=0; j < STEP && (i+j) < (int) digestLen; j++) {
-                PR_fprintf(PR_STDERR," %02x", digest[i+j]);
-            }
-            PR_fprintf(PR_STDERR,"\n");
-        }
-        PR_fprintf(PR_STDERR,"  signature: %lu bytes\n", signLen);
-        for (i=0; i < (int) signLen; i += STEP) {
-            PR_fprintf(PR_STDERR,"   ");
-            for (j=0; j < STEP && (i+j) < (int) signLen; j++) {
-                PR_fprintf(PR_STDERR," %02x", sign[i+j]);
-            }
-            PR_fprintf(PR_STDERR,"\n");
-        }
-    }
-
-    /* open the target signature file */
-    fd = PR_OpenFile(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0666);
-    if (fd == NULL ) {
-        lperror(output_file);
-        goto cleanup;
-    }
-
-    /*
-     * we write the key out in a straight binary format because very
-     * low level libraries need to read an parse this file. Ideally we should
-     * just derEncode the public key (which would be pretty simple, and be
-     * more general), but then we'd need to link the ASN.1 decoder with the
-     * freebl libraries.
-     */
-
-    file_buf[0] = NSS_SIGN_CHK_MAGIC1;
-    file_buf[1] = NSS_SIGN_CHK_MAGIC2;
-    file_buf[2] = NSS_SIGN_CHK_MAJOR_VERSION;
-    file_buf[3] = NSS_SIGN_CHK_MINOR_VERSION;
-    encodeInt(&file_buf[4],12);  /* offset to data start */
-    encodeInt(&file_buf[8],CKK_DSA);
-    bytesWritten = PR_Write(fd,file_buf, 12);
-    if (bytesWritten != 12) {
-        lperror(output_file);
-        goto cleanup;
-    }
-
-    /* get DSA Public KeyValue */
-    memset(dsaPubKey, 0, sizeof(dsaPubKey));
-    dsaPubKeyValue.type =CKA_VALUE;
-    dsaPubKeyValue.pValue = (CK_VOID_PTR) &dsaPubKey;
-    dsaPubKeyValue.ulValueLen = sizeof(dsaPubKey);
-
-    crv = pFunctionList->C_GetAttributeValue(hRwSession, hDSApubKey,
-                                             &dsaPubKeyValue, 1);
-    if (crv != CKR_OK && crv != CKR_ATTRIBUTE_TYPE_INVALID) {
-        pk11error("C_GetAttributeValue failed", crv);
-        goto cleanup;
-    }
-
-    /* CKA_PRIME */
-    rv = writeItem(fd,dsaPubKeyTemplate[0].pValue,
-                   dsaPubKeyTemplate[0].ulValueLen, output_file);
-    if (rv != PR_SUCCESS) goto cleanup;
-    /* CKA_SUBPRIME */
-    rv = writeItem(fd,dsaPubKeyTemplate[1].pValue,
-                   dsaPubKeyTemplate[1].ulValueLen, output_file);
-    if (rv != PR_SUCCESS) goto cleanup;
-    /* CKA_BASE */ 
-    rv = writeItem(fd,dsaPubKeyTemplate[2].pValue,
-                   dsaPubKeyTemplate[2].ulValueLen, output_file);
-    if (rv != PR_SUCCESS) goto cleanup;
-    /* DSA Public Key value */
-    rv = writeItem(fd,dsaPubKeyValue.pValue,
-                   dsaPubKeyValue.ulValueLen, output_file);
-    if (rv != PR_SUCCESS) goto cleanup;
-    /* DSA SIGNATURE */
-    rv = writeItem(fd,&sign, signLen, output_file);
-    if (rv != PR_SUCCESS) goto cleanup;
-    PR_Close(fd);
-
-#ifdef USES_LINKS
-    if (link_file) {
-        (void)unlink(link_file);
-        ret = symlink(output_file, link_file);
-        if (ret < 0) {
-            perror(link_file);
-            goto cleanup;
-        }
-    }
-#endif
-
-cleanup:
-    if (pFunctionList) {
-        /* C_Finalize will automatically logout, close session, */
-        /* and delete the temp objects on the token */
-        crv = pFunctionList->C_Finalize(NULL);
-        if (crv != CKR_OK) {
-            pk11error("C_Finalize failed", crv);
-        }
-    }
-    if (pSlotList) {
-        PR_Free(pSlotList);
-    }
-    if (pwd) {
-        PL_strfree(pwd);
-    }
-    if (configDir) {
-        PL_strfree(configDir);
-    }
-    if (dbPrefix) {
-        PL_strfree(dbPrefix);
-    }
-    if (output_file) { /* allocated by mkoutput function */
-        PL_strfree(output_file); 
-    }
-#ifdef USES_LINKS
-    if (link_file) { /* allocated by mkoutput function */
-        PL_strfree(link_file); 
-    }
-#endif
-
-    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
-    if (!disableUnload) {
-        PR_UnloadLibrary(lib);
-    }
-    PR_Cleanup();
-
-    return crv;
-}
diff --git a/security/nss/cmd/shlibsign/sign.cmd b/security/nss/cmd/shlibsign/sign.cmd
deleted file mode 100644
index 9ad4b9236..000000000
--- a/security/nss/cmd/shlibsign/sign.cmd
+++ /dev/null
@@ -1,21 +0,0 @@
-/* Equivalent to sign.sh for OS/2 */
-PARSE ARG dist objdir os_target nspr_lib_dir therest
-dist=forwardtoback(dist);
-objdir=forwardtoback(objdir);
-nspr_lib_dir=forwardtoback(nspr_lib_dir);
-'echo 'dist
-'echo 'objdir
-'echo 'nspr_lib_dir
-'set BEGINLIBPATH='dist'\lib;'nspr_lib_dir';'dist'\bin;%BEGINLIBPATH%'
-'set LIBPATHSTRICT=T'
-objdir'\shlibsign -v -i 'therest
-exit
-
-forwardtoback: procedure
-  arg pathname
-  parse var pathname pathname'/'rest
-  do while (rest <> "")
-    pathname = pathname'\'rest
-    parse var pathname pathname'/'rest
-  end
-  return pathname
diff --git a/security/nss/cmd/shlibsign/sign.sh b/security/nss/cmd/shlibsign/sign.sh
deleted file mode 100644
index 764012d7b..000000000
--- a/security/nss/cmd/shlibsign/sign.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-case "${3}" in
-WIN*)
-    if echo "${PATH}" | grep -c \; >/dev/null; then
-        PATH=${1}/lib\;${1}/bin\;${4}\;${PATH}
-    else
-        # ARG1 is ${1} with the drive letter escaped.
-        if echo "${1}" | grep -c : >/dev/null; then
-            ARG1=`(cd ${1}; pwd)`
-        else
-            ARG1=${1}
-        fi
-        if echo "${4}" | grep -c : >/dev/null; then
-            ARG4=`(cd ${4}; pwd)`
-        else
-            ARG4=${4}
-        fi
-        PATH=${ARG1}/lib:${ARG1}/bin:${ARG4}:${PATH}
-    fi
-    export PATH
-    echo ${2}/shlibsign -v -i ${5}
-    ${2}/shlibsign -v -i ${5}
-    ;;
-OpenVMS)
-    temp="tmp$$.tmp"
-    temp2="tmp$$.tmp2"
-    cd ${1}/lib
-    vmsdir=`dcl show default`
-    ls *.so > $temp
-    sed -e "s/\([^\.]*\)\.so/\$ define\/job \1 ${vmsdir}\1.so/" $temp > $temp2
-    echo '$ define/job getipnodebyname xxx' >> $temp2
-    echo '$ define/job vms_null_dl_name sys$share:decc$shr' >> $temp2
-    dcl @$temp2
-    echo ${2}/shlibsign -v -i ${5}
-    ${2}/shlibsign -v -i ${5}
-    sed -e "s/\([^\.]*\)\.so/\$ deass\/job \1/" $temp > $temp2
-    echo '$ deass/job getipnodebyname' >> $temp2
-    echo '$ deass/job vms_null_dl_name' >> $temp2
-    dcl @$temp2
-    rm $temp $temp2
-    ;;
-*)
-    LIBPATH=`(cd ${1}/lib; pwd)`:`(cd ${4}; pwd)`:$LIBPATH
-    export LIBPATH
-    SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
-    export SHLIB_PATH
-    LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
-    export LD_LIBRARY_PATH
-    DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
-    export DYLD_LIBRARY_PATH
-    LIBRARY_PATH=${1}/lib:${4}:$LIBRARY_PATH
-    export LIBRARY_PATH
-    ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
-    export ADDON_PATH
-    echo ${2}/shlibsign -v -i ${5}
-    ${2}/shlibsign -v -i ${5}
-    ;;
-esac
diff --git a/security/nss/cmd/signtool/Makefile b/security/nss/cmd/signtool/Makefile
deleted file mode 100644
index cd06aaa4f..000000000
--- a/security/nss/cmd/signtool/Makefile
+++ /dev/null
@@ -1,75 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
diff --git a/security/nss/cmd/signtool/README b/security/nss/cmd/signtool/README
deleted file mode 100644
index 100fb2778..000000000
--- a/security/nss/cmd/signtool/README
+++ /dev/null
@@ -1,128 +0,0 @@
-                      Signing Tool (signtool)
-                         3.10 Release Notes
-               ========================================
-
-Documentation is provided online at mozilla.org
-
-Problems or questions not covered by the online documentation can be
-discussed in the DevEdge Security Newsgroup.
-
-=== New Features in 3.10
-=======================
-One new option (-X) has been added to create a Mozilla aware signed XPI archive. 
-The option must be accompanied by the -Z option. This new option
-creates a JAR file with the META-INF/zigbert.rsa/dsa file as the first file in 
-the archive instead of the default third to last. This will enable the archive
-to be seen as signed by products incorporating XPInstall. i.e. .xpi extensions
-for FireFox or Mozilla.
-
-=== New Features in 1.3
-=======================
-
-The security library components have been upgraded to utilize NSS_2_7_1_RTM.
-This means that the maximum RSA keysize now supported should be 4096 bits.
-
-=== Zigbert 0.6 Support
-=======================
-This program was previously named Zigbert.  The last version of zigbert
-was Zigbert 0.6.  Because all the functionality of Zigbert is maintained in
-signtool 1.2, Zigbert is no longer supported.  If you have problems
-using Zigbert, please upgrade to signtool 1.2.
-
-=== New Features in 1.2
-=======================
-
-Certificate Generation Improvements
------------------------------------
-Two new options have been added to control generation of self-signed object
-signing certificates with the -G option. The -s option takes the size (in bits)
-of the generated RSA private key.  The -t option takes the name of the PKCS #11
-token on which to generate the keypair and install the certificate.  Both
-options are optional.  By default, the private key is 1024 bits and is generated
-on the internal software token.
-
-
-=== New Features in 1.1
-=======================
-
-File I/O
---------
-Signtool can now read its options from a command file specified with the -f
-option on the command line. The format for the file is described in the
-documentation.
-Error messages and informational output can be redirected to an output file
-by supplying the "--outfile" option on the command line or the "outfile="
-option in the command file.
-
-New Options
------------
-"--norecurse" tells Signtool not to recurse into subdirectories when signing
-directories or parsing HTML with the -J option.
-"--leavearc" tells Signtool not to delete the temporary .arc directories
-produced by the -J option.  This can aid debugging.
-"--verbosity" tells Signtool how much information to display. 0 is the
-default. -1 suppresses most messages, except for errors.
-
-=== Bug Fixes in 1.1
-====================
-
--J option revamped
-------------------
-The -J option, which parses HTML files, extracts Java and Javascript code,
-and stores them in signed JAR files, has been re-implemented. Several bugs
-have been fixed:
-- CODEBASE attribute is no longer ignored
-- CLASS and SRC attributes can be be paths ("xxx/xxx/x.class") rather than
-  just filenames ("x.class").
-- LINK tags are handled correctly
-- various HTML parsing bugs fixed
-- error messages are more informative
-
-No Password on Key Database
----------------------------
-If you had not yet set a Communicator password (which locks key3.db, the
-key database), signtool would fail with a cryptic error message whenever it
-attempted to verify the password.  Now this condition is detected at the
-beginning of the program, and a more informative message is displayed.
-
--x and -e Options
------------------
-Previously, only one of each of these options could be specified on the command
-line. Now arbitrarily many can be specified.  For example, to sign only files
-with .class or .js extensions, the arguments "-eclass -ejs" could both be
-specified. To exclude the directories "subdir1" and "subdir2" from signing,
-the arguments "-x subdir1 -x subdir2" could both be specified.
-
-New Features in 1.0
-===================
-
-Creation of JAR files
-----------------------
-The -Z option causes signtool to output a JAR file formed by storing the
-signed archive in ZIP format.  This eliminates the need to use a separate ZIP
-utility.  The -c option specifies the compression level of the resulting
-JAR file.
-
-Generation of Object-Signing Certificates and Keys
---------------------------------------------------
-The -G option will create a new, self-signed object-signing certificate
-which can be used for testing purposes.  The generated certificate and 
-associated public and private keys will be installed in the cert7.db and
-key3.db files in the directory specified with the -d option (unless the key
-is generated on an external token using the -t option). On Unix systems,
-if no directory is specified, the user's Netscape directory (~/.netscape)
-will be used. In addition, the certificate is output in X509 format to the
-files x509.raw and x509.cacert in the current directory.  x509.cacert can
-be published on a web page and imported into browsers that visit that page.
-
-Extraction and Signing of JavaScript from HTML
-----------------------------------------------
-The -J option activates the same functionality provided by the signpages
-Perl script.  It will parse a directory of html files, creating archives
-of the JavaScript called from the HTML. These archives are then signed and
-made into JAR files.
-
-Enhanced Smart Card Support
----------------------------
-Certificates that reside on smart cards are displayed when using the -L and
--l options.
diff --git a/security/nss/cmd/signtool/certgen.c b/security/nss/cmd/signtool/certgen.c
deleted file mode 100644
index a08d98b6f..000000000
--- a/security/nss/cmd/signtool/certgen.c
+++ /dev/null
@@ -1,738 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-
-#include "secoid.h"
-#include "cryptohi.h"
-#include "certdb.h"
-
-static char	*GetSubjectFromUser(unsigned long serial);
-static CERTCertificate*GenerateSelfSignedObjectSigningCert(char *nickname,
- 	CERTCertDBHandle *db, char *subject, unsigned long serial, int keysize,
-        char *token);
-static SECStatus ChangeTrustAttributes(CERTCertDBHandle *db,
-	CERTCertificate *cert, char *trusts);
-static SECStatus set_cert_type(CERTCertificate *cert, unsigned int type);
-static SECItem *sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk);
-static CERTCertificate*install_cert(CERTCertDBHandle *db, SECItem *derCert,
-            char *nickname);
-static SECStatus GenerateKeyPair(PK11SlotInfo *slot, SECKEYPublicKey **pubk,
- 	SECKEYPrivateKey **privk, int keysize);
-static CERTCertificateRequest*make_cert_request(char *subject,
-	SECKEYPublicKey *pubk);
-static CERTCertificate *make_cert(CERTCertificateRequest *req,
-	unsigned long serial, CERTName *ca_subject);
-static void	output_ca_cert (CERTCertificate *cert, CERTCertDBHandle *db);
-
-
-/***********************************************************************
- *
- * G e n e r a t e C e r t
- *
- * Runs the whole process of creating a new cert, getting info from the
- * user, etc.
- */
-int
-GenerateCert(char *nickname, int keysize, char *token)
-{
-    CERTCertDBHandle * db;
-    CERTCertificate * cert;
-    char	*subject;
-    unsigned long	serial;
-    char	stdinbuf[160];
-
-    /* Print warning about having the browser open */
-    PR_fprintf(PR_STDOUT /*always go to console*/,
-        "\nWARNING: Performing this operation while the browser is running could cause"
-        "\ncorruption of your security databases. If the browser is currently running,"
-        "\nyou should exit the browser before continuing this operation. Enter "
-        "\n\"y\" to continue, or anything else to abort: ");
-    pr_fgets(stdinbuf, 160, PR_STDIN);
-    PR_fprintf(PR_STDOUT, "\n");
-    if (tolower(stdinbuf[0]) != 'y') {
-	PR_fprintf(errorFD, "Operation aborted at user's request.\n");
-	errorCount++;
-	return - 1;
-    }
-
-    db = CERT_GetDefaultCertDB();
-    if (!db) {
-	FatalError("Unable to open certificate database");
-    }
-
-    if (PK11_FindCertFromNickname(nickname, &pwdata)) {
-	PR_fprintf(errorFD,
-	    "ERROR: Certificate with nickname \"%s\" already exists in database. You\n"
-	    "must choose a different nickname.\n", nickname);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    LL_L2UI(serial, PR_Now());
-
-    subject = GetSubjectFromUser(serial);
-
-    cert = GenerateSelfSignedObjectSigningCert(nickname, db, subject,
-         		serial, keysize, token);
-
-    if (cert) {
-	output_ca_cert(cert, db);
-	CERT_DestroyCertificate(cert);
-    }
-
-    PORT_Free(subject);
-    return 0;
-}
-
-
-#undef VERBOSE_PROMPTS
-
-/*********************************************************************8
- * G e t S u b j e c t F r o m U s e r
- *
- * Construct the subject information line for a certificate by querying
- * the user on stdin.
- */
-static char	*
-GetSubjectFromUser(unsigned long serial)
-{
-    char	buf[STDIN_BUF_SIZE];
-    char	common_name_buf[STDIN_BUF_SIZE];
-    char	*common_name, *state, *orgunit, *country, *org, *locality;
-    char	*email, *uid;
-    char	*subject;
-    char	*cp;
-    int	subjectlen = 0;
-
-    common_name = state = orgunit = country = org = locality = email =
-        uid = subject = NULL;
-
-    /* Get subject information */
-    PR_fprintf(PR_STDOUT,
-        "\nEnter certificate information.  All fields are optional. Acceptable\n"
-        "characters are numbers, letters, spaces, and apostrophes.\n");
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nCOMMON NAME\n"
-        "Enter the full name you want to give your certificate. (Example: Test-Only\n"
-        "Object Signing Certificate)\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "certificate common name: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp == '\0') {
-	sprintf(common_name_buf, "%s (%lu)", DEFAULT_COMMON_NAME,
-	     serial);
-	cp = common_name_buf;
-    }
-    common_name = PORT_ZAlloc(strlen(cp) + 6);
-    if (!common_name) {
-	out_of_memory();
-    }
-    sprintf(common_name, "CN=%s, ", cp);
-    subjectlen += strlen(common_name);
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nORGANIZATION NAME\n"
-        "Enter the name of your organization. For example, this could be the name\n"
-        "of your company.\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "organization: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp != '\0') {
-	org = PORT_ZAlloc(strlen(cp) + 5);
-	if (!org) {
-	    out_of_memory();
-	}
-	sprintf(org, "O=%s, ", cp);
-	subjectlen += strlen(org);
-    }
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nORGANIZATION UNIT\n"
-        "Enter the name of your organization unit.  For example, this could be the\n"
-        "name of your department.\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "organization unit: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp != '\0') {
-	orgunit = PORT_ZAlloc(strlen(cp) + 6);
-	if (!orgunit) {
-	    out_of_memory();
-	}
-	sprintf(orgunit, "OU=%s, ", cp);
-	subjectlen += strlen(orgunit);
-    }
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nSTATE\n"
-        "Enter the name of your state or province.\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "state or province: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp != '\0') {
-	state = PORT_ZAlloc(strlen(cp) + 6);
-	if (!state) {
-	    out_of_memory();
-	}
-	sprintf(state, "ST=%s, ", cp);
-	subjectlen += strlen(state);
-    }
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nCOUNTRY\n"
-        "Enter the 2-character abbreviation for the name of your country.\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "country (must be exactly 2 characters): ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(cp);
-    if (strlen(cp) != 2) {
-	*cp = '\0';	/* country code must be 2 chars */
-    }
-    if (*cp != '\0') {
-	country = PORT_ZAlloc(strlen(cp) + 5);
-	if (!country) {
-	    out_of_memory();
-	}
-	sprintf(country, "C=%s, ", cp);
-	subjectlen += strlen(country);
-    }
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nUSERNAME\n"
-        "Enter your system username or UID\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "username: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp != '\0') {
-	uid = PORT_ZAlloc(strlen(cp) + 7);
-	if (!uid) {
-	    out_of_memory();
-	}
-	sprintf(uid, "UID=%s, ", cp);
-	subjectlen += strlen(uid);
-    }
-
-#ifdef VERBOSE_PROMPTS
-    PR_fprintf(PR_STDOUT, "\nEMAIL ADDRESS\n"
-        "Enter your email address.\n"
-        "-->");
-#else
-    PR_fprintf(PR_STDOUT, "email address: ");
-#endif
-    fgets(buf, STDIN_BUF_SIZE, stdin);
-    cp = chop(buf);
-    if (*cp != '\0') {
-	email = PORT_ZAlloc(strlen(cp) + 5);
-	if (!email) {
-	    out_of_memory();
-	}
-	sprintf(email, "E=%s,", cp);
-	subjectlen += strlen(email);
-    }
-
-    subjectlen++;
-
-    subject = PORT_ZAlloc(subjectlen);
-    if (!subject) {
-	out_of_memory();
-    }
-
-    sprintf(subject, "%s%s%s%s%s%s%s",
-        common_name ? common_name : "",
-        org ? org : "",
-        orgunit ? orgunit : "",
-        state ? state : "",
-        country ? country : "",
-        uid ? uid : "",
-        email ? email : ""
-        );
-    if ( (strlen(subject) > 1) && (subject[strlen(subject)-1] == ' ') ) {
-	subject[strlen(subject)-2] = '\0';
-    }
-
-    PORT_Free(common_name);
-    PORT_Free(org);
-    PORT_Free(orgunit);
-    PORT_Free(state);
-    PORT_Free(country);
-    PORT_Free(uid);
-    PORT_Free(email);
-
-    return subject;
-}
-
-
-/**************************************************************************
- *
- * G e n e r a t e S e l f S i g n e d O b j e c t S i g n i n g C e r t
- *														   		  *phew*^
- *
- */
-static CERTCertificate*
-GenerateSelfSignedObjectSigningCert(char *nickname, CERTCertDBHandle *db,
- 	char *subject, unsigned long serial, int keysize, char *token)
-{
-    CERTCertificate * cert, *temp_cert;
-    SECItem * derCert;
-    CERTCertificateRequest * req;
-
-    PK11SlotInfo * slot = NULL;
-    SECKEYPrivateKey * privk = NULL;
-    SECKEYPublicKey * pubk = NULL;
-
-    if ( token ) {
-	slot = PK11_FindSlotByName(token);
-    } else {
-	slot = PK11_GetInternalKeySlot();
-    }
-
-    if (slot == NULL) {
-	PR_fprintf(errorFD, "Can't find PKCS11 slot %s\n",
-	    token ? token : "");
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if ( GenerateKeyPair(slot, &pubk, &privk, keysize) != SECSuccess) {
-	FatalError("Error generating keypair.");
-    }
-    req = make_cert_request (subject, pubk);
-    temp_cert = make_cert (req, serial, &req->subject);
-    if (set_cert_type(temp_cert,
-        NS_CERT_TYPE_OBJECT_SIGNING | NS_CERT_TYPE_OBJECT_SIGNING_CA)
-         != SECSuccess) {
-	FatalError("Unable to set cert type");
-    }
-
-    derCert = sign_cert (temp_cert, privk);
-    cert = install_cert(db, derCert, nickname);
-    if (ChangeTrustAttributes(db, cert, ",,uC") != SECSuccess) {
-	FatalError("Unable to change trust on generated certificate");
-    }
-
-    /* !!! Free memory ? !!! */
-    PK11_FreeSlot(slot);
-    SECKEY_DestroyPrivateKey(privk);
-    SECKEY_DestroyPublicKey(pubk);
-
-    return cert;
-}
-
-
-/**************************************************************************
- *
- * C h a n g e T r u s t A t t r i b u t e s
- */
-static SECStatus
-ChangeTrustAttributes(CERTCertDBHandle *db, CERTCertificate *cert, char *trusts)
-{
-
-    CERTCertTrust	 * trust;
-
-    if (!db || !cert || !trusts) {
-	PR_fprintf(errorFD, "ChangeTrustAttributes got incomplete arguments.\n");
-	errorCount++;
-	return SECFailure;
-    }
-
-    trust = (CERTCertTrust * ) PORT_ZAlloc(sizeof(CERTCertTrust));
-    if (!trust) {
-	PR_fprintf(errorFD, "ChangeTrustAttributes unable to allocate "
-	    "CERTCertTrust\n");
-	errorCount++;
-	return SECFailure;
-    }
-
-    if ( CERT_DecodeTrustString(trust, trusts) ) {
-	return SECFailure;
-    }
-
-    if ( CERT_ChangeCertTrust(db, cert, trust) ) {
-	PR_fprintf(errorFD, "unable to modify trust attributes for cert %s\n",
-	     		 cert->nickname ? cert->nickname : "");
-	errorCount++;
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-/*************************************************************************
- *
- * s e t _ c e r t _ t y p e
- */
-static SECStatus
-set_cert_type(CERTCertificate *cert, unsigned int type)
-{
-    void	*context;
-    SECStatus status = SECSuccess;
-    SECItem certType;
-    char	ctype;
-
-    context = CERT_StartCertExtensions(cert);
-
-    certType.type = siBuffer;
-    certType.data = (unsigned char * ) &ctype;
-    certType.len = 1;
-    ctype = (unsigned char)type;
-    if (CERT_EncodeAndAddBitStrExtension(context, SEC_OID_NS_CERT_EXT_CERT_TYPE,
-         	 &certType, PR_TRUE /*critical*/) != SECSuccess) {
-	status = SECFailure;
-    }
-
-    if (CERT_FinishExtensions(context) != SECSuccess) {
-	status = SECFailure;
-    }
-
-    return status;
-}
-
-
-/********************************************************************
- *
- * s i g n _ c e r t
- */
-static SECItem *
-sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
-{
-    SECStatus rv;
-
-    SECItem der2;
-    SECItem * result2;
-
-    void	*dummy;
-    SECOidTag alg = SEC_OID_UNKNOWN;
-
-    alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
-    if (alg == SEC_OID_UNKNOWN) {
-	FatalError("Unknown key type");
-    }
-
-    rv = SECOID_SetAlgorithmID (cert->arena, &cert->signature, alg, 0);
-
-    if (rv != SECSuccess) {
-	PR_fprintf(errorFD, "%s: unable to set signature alg id\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    der2.len = 0;
-    der2.data = NULL;
-
-    dummy = SEC_ASN1EncodeItem
-        (cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
-
-    if (rv != SECSuccess) {
-	PR_fprintf(errorFD, "%s: error encoding cert\n", PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    result2 = (SECItem * ) PORT_ArenaZAlloc (cert->arena, sizeof (SECItem));
-    if (result2 == NULL)
-	out_of_memory();
-
-    rv = SEC_DerSignData 
-        (cert->arena, result2, der2.data, der2.len, privk, alg);
-
-    if (rv != SECSuccess) {
-	PR_fprintf(errorFD, "can't sign encoded certificate data\n");
-	errorCount++;
-	exit (ERRX);
-    } else if (verbosity >= 0) {
-	PR_fprintf(outputFD, "certificate has been signed\n");
-    }
-
-    cert->derCert = *result2;
-
-    return result2;
-}
-
-
-/*********************************************************************
- *
- * i n s t a l l _ c e r t
- *
- * Installs the cert in the permanent database.
- */
-static CERTCertificate*
-install_cert(CERTCertDBHandle *db, SECItem *derCert, char *nickname)
-{
-    CERTCertificate * newcert;
-    PK11SlotInfo * newSlot;
-
-
-    newSlot = PK11_ImportDERCertForKey(derCert, nickname, &pwdata);
-    if ( newSlot == NULL ) {
-	PR_fprintf(errorFD, "Unable to install certificate\n");
-	errorCount++;
-	exit(ERRX);
-    }
-
-    newcert = PK11_FindCertFromDERCertItem(newSlot, derCert, &pwdata);
-    PK11_FreeSlot(newSlot);
-    if (newcert == NULL) {
-	PR_fprintf(errorFD, "%s: can't find new certificate\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "certificate \"%s\" added to database\n",
-	     nickname);
-    }
-
-    return newcert;
-}
-
-
-/******************************************************************
- *
- * G e n e r a t e K e y P a i r
- */
-static SECStatus
-GenerateKeyPair(PK11SlotInfo *slot, SECKEYPublicKey **pubk,
-SECKEYPrivateKey **privk, int keysize)
-{
-
-    PK11RSAGenParams rsaParams;
-
-    if ( keysize == -1 ) {
-	rsaParams.keySizeInBits = DEFAULT_RSA_KEY_SIZE;
-    } else {
-	rsaParams.keySizeInBits = keysize;
-    }
-    rsaParams.pe = 0x10001;
-
-    if (PK11_Authenticate( slot, PR_FALSE /*loadCerts*/, &pwdata)
-         != SECSuccess) {
-	SECU_PrintError(progName, "failure authenticating to key database.\n");
-	exit(ERRX);
-    }
-
-    *privk = PK11_GenerateKeyPair (slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams,
-         
-        pubk, PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, &pwdata);
-
-    if (*privk != NULL && *pubk != NULL) {
-	if (verbosity >= 0) {
-	    PR_fprintf(outputFD, "generated public/private key pair\n");
-	}
-    } else {
-	SECU_PrintError(progName, "failure generating key pair\n");
-	exit (ERRX);
-    }
-
-    return SECSuccess;
-}
-
-
-
-/******************************************************************
- *
- * m a k e _ c e r t _ r e q u e s t
- */
-static CERTCertificateRequest*
-make_cert_request(char *subject, SECKEYPublicKey *pubk)
-{
-    CERTName * subj;
-    CERTSubjectPublicKeyInfo * spki;
-
-    CERTCertificateRequest * req;
-
-    /* Create info about public key */
-    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
-    if (!spki) {
-	SECU_PrintError(progName, "unable to create subject public key");
-	exit (ERRX);
-    }
-
-    subj = CERT_AsciiToName (subject);
-    if (subj == NULL) {
-	FatalError("Invalid data in certificate description");
-    }
-
-    /* Generate certificate request */
-    req = CERT_CreateCertificateRequest(subj, spki, 0);
-    if (!req) {
-	SECU_PrintError(progName, "unable to make certificate request");
-	exit (ERRX);
-    }
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "certificate request generated\n");
-    }
-
-    return req;
-}
-
-
-/******************************************************************
- *
- * m a k e _ c e r t
- */
-static CERTCertificate *
-make_cert(CERTCertificateRequest *req, unsigned long serial,
-CERTName *ca_subject)
-{
-    CERTCertificate * cert;
-
-    CERTValidity * validity = NULL;
-
-    PRTime now, after;
-    PRExplodedTime printableTime;
-
-    now = PR_Now();
-    PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
-
-    printableTime.tm_month += 3;
-    after = PR_ImplodeTime (&printableTime);
-
-    validity = CERT_CreateValidity (now, after);
-
-    if (validity == NULL) {
-	PR_fprintf(errorFD, "%s: error creating certificate validity\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    cert = CERT_CreateCertificate
-        (serial, ca_subject, validity, req);
-
-    if (cert == NULL) {
-	/* should probably be more precise here */
-	PR_fprintf(errorFD, "%s: error while generating certificate\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    return cert;
-}
-
-
-/*************************************************************************
- *
- * o u t p u t _ c a _ c e r t
- */
-static void	
-output_ca_cert (CERTCertificate *cert, CERTCertDBHandle *db)
-{
-    FILE * out;
-
-    SECItem * encodedCertChain;
-    SEC_PKCS7ContentInfo * certChain;
-    char	*filename;
-
-    /* the raw */
-
-    filename = PORT_ZAlloc(strlen(DEFAULT_X509_BASENAME) + 8);
-    if (!filename) 
-	out_of_memory();
-
-    sprintf(filename, "%s.raw", DEFAULT_X509_BASENAME);
-    if ((out = fopen (filename, "wb")) == NULL) {
-	PR_fprintf(errorFD, "%s: Can't open %s output file\n", PROGRAM_NAME,
-	     filename);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    certChain = SEC_PKCS7CreateCertsOnly (cert, PR_TRUE, db);
-    encodedCertChain 
-         = SEC_PKCS7EncodeItem (NULL, NULL, certChain, NULL, NULL, NULL);
-    SEC_PKCS7DestroyContentInfo (certChain);
-
-    if (encodedCertChain) {
-	fprintf(out, "Content-type: application/x-x509-ca-cert\n\n");
-	fwrite (encodedCertChain->data, 1, encodedCertChain->len,
-	     out);
-	SECITEM_FreeItem(encodedCertChain, PR_TRUE);
-    } else {
-	PR_fprintf(errorFD, "%s: Can't DER encode this certificate\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    fclose (out);
-
-    /* and the cooked */
-
-    sprintf(filename, "%s.cacert", DEFAULT_X509_BASENAME);
-    if ((out = fopen (filename, "wb")) == NULL) {
-	PR_fprintf(errorFD, "%s: Can't open %s output file\n", PROGRAM_NAME,
-	     filename);
-	errorCount++;
-	return;
-    }
-
-    fprintf (out, "%s\n%s\n%s\n", 
-        NS_CERT_HEADER,
-        BTOA_DataToAscii (cert->derCert.data, cert->derCert.len), 
-        NS_CERT_TRAILER);
-
-    fclose (out);
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "Exported certificate to %s.raw and %s.cacert.\n",
-	     			DEFAULT_X509_BASENAME, DEFAULT_X509_BASENAME);
-    }
-}
-
-
diff --git a/security/nss/cmd/signtool/javascript.c b/security/nss/cmd/signtool/javascript.c
deleted file mode 100644
index add76db03..000000000
--- a/security/nss/cmd/signtool/javascript.c
+++ /dev/null
@@ -1,1867 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-#include <prmem.h>
-#include <prio.h>
-#include <prenv.h>
-
-static int	javascript_fn(char *relpath, char *basedir, char *reldir,
-char *filename, void *arg);
-static int	extract_js (char *filename);
-static int	copyinto (char *from, char *to);
-static PRStatus ensureExists (char *base, char *path);
-static int	make_dirs(char *path, PRInt32 file_perms);
-
-static char	*jartree = NULL;
-static int	idOrdinal;
-static PRBool dumpParse = PR_FALSE;
-
-static char	*event_handlers[] = {
-    "onAbort",
-    "onBlur",
-    "onChange",
-    "onClick",
-    "onDblClick",
-    "onDragDrop",
-    "onError",
-    "onFocus",
-    "onKeyDown",
-    "onKeyPress",
-    "onKeyUp",
-    "onLoad",
-    "onMouseDown",
-    "onMouseMove",
-    "onMouseOut",
-    "onMouseOver",
-    "onMouseUp",
-    "onMove",
-    "onReset",
-    "onResize",
-    "onSelect",
-    "onSubmit",
-    "onUnload"
-};
-
-
-static int	num_handlers = 23;
-
-/*
- *  I n l i n e J a v a S c r i p t
- *
- *  Javascript signing. Instead of passing an archive to signtool,
- *  a directory containing html files is given. Archives are created
- *  from the archive= and src= tag attributes inside the html,
- *  as appropriate. Then the archives are signed.
- *
- */
-int
-InlineJavaScript(char *dir, PRBool recurse)
-{
-    jartree = dir;
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "\nGenerating inline signatures from HTML files in: %s\n",
-	     dir);
-    }
-    if (PR_GetEnv("SIGNTOOL_DUMP_PARSE")) {
-	dumpParse = PR_TRUE;
-    }
-
-    return foreach(dir, "", javascript_fn, recurse, PR_FALSE /*include dirs*/,
-         		(void * )NULL);
-
-}
-
-
-/************************************************************************
- *
- * j a v a s c r i p t _ f n
- */
-static int	javascript_fn
-(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
-{
-    char	fullname [FNSIZE];
-
-    /* only process inline scripts from .htm, .html, and .shtml*/
-
-    if (!(PL_strcaserstr(filename, ".htm") == filename + strlen(filename) -
-        4) && 
-        !(PL_strcaserstr(filename, ".html") == filename + strlen(filename) -
-        5) && 
-        !(PL_strcaserstr(filename, ".shtml") == filename + strlen(filename)
-        -6)) {
-	return 0;
-    }
-
-    /* don't process scripts that signtool has already
-     extracted (those that are inside .arc directories) */
-
-    if (PL_strcaserstr(filename, ".arc") == filename + strlen(filename) - 4)
-	return 0;
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "Processing HTML file: %s\n", relpath);
-    }
-
-    /* reset firstArchive at top of each HTML file */
-
-    /* skip directories that contain extracted scripts */
-
-    if (PL_strcaserstr(reldir, ".arc") == reldir + strlen(reldir) - 4)
-	return 0;
-
-    sprintf (fullname, "%s/%s", basedir, relpath);
-    return extract_js (fullname);
-}
-
-
-/*===========================================================================
- =
- = D A T A   S T R U C T U R E S
- =
-*/
-typedef enum {
-    TEXT_HTML_STATE = 0,
-    SCRIPT_HTML_STATE
-} 
-
-
-HTML_STATE ;
-
-typedef enum {
-    /* we start in the start state */
-    START_STATE,
-
-    /* We are looking for or reading in an attribute */
-    GET_ATT_STATE,
-
-    /* We're burning ws before finding an attribute */
-    PRE_ATT_WS_STATE,
-
-    /* We're burning ws after an attribute.  Looking for an '='. */
-    POST_ATT_WS_STATE,
-
-    /* We're burning ws after an '=', waiting for a value */
-    PRE_VAL_WS_STATE,
-
-    /* We're reading in a value */
-    GET_VALUE_STATE,
-
-    /* We're reading in a value that's inside quotes */
-    GET_QUOTED_VAL_STATE,
-
-    /* We've encountered the closing '>' */
-    DONE_STATE,
-
-    /* Error state */
-    ERR_STATE
-} 
-
-
-TAG_STATE ;
-
-typedef struct AVPair_Str {
-    char	*attribute;
-    char	*value;
-    unsigned int	valueLine; /* the line that the value ends on */
-    struct AVPair_Str *next;
-} AVPair;
-
-typedef enum {
-    APPLET_TAG,
-    SCRIPT_TAG,
-    LINK_TAG,
-    STYLE_TAG,
-    COMMENT_TAG,
-    OTHER_TAG
-} 
-
-
-TAG_TYPE ;
-
-typedef struct {
-    TAG_TYPE type;
-    AVPair * attList;
-    AVPair * attListTail;
-    char	*text;
-} TagItem;
-
-typedef enum {
-    TAG_ITEM,
-    TEXT_ITEM
-} 
-
-
-ITEM_TYPE ;
-
-typedef struct HTMLItem_Str {
-    unsigned int	startLine;
-    unsigned int	endLine;
-    ITEM_TYPE type;
-    union {
-	TagItem *tag;
-	char	*text;
-    } item;
-    struct HTMLItem_Str *next;
-} HTMLItem;
-
-typedef struct {
-    PRFileDesc *fd;
-    PRInt32 curIndex;
-    PRBool IsEOF;
-#define FILE_BUFFER_BUFSIZE 512
-    char	buf[FILE_BUFFER_BUFSIZE];
-    PRInt32 startOffset;
-    PRInt32 maxIndex;
-    unsigned int	lineNum;
-} FileBuffer;
-
-/*===========================================================================
- =
- = F U N C T I O N S
- =
-*/
-static HTMLItem*CreateTextItem(char *text, unsigned int startline,
-unsigned int endline);
-static HTMLItem*CreateTagItem(TagItem*ti, unsigned int startline,
-unsigned int endline);
-static TagItem*ProcessTag(FileBuffer*fb, char **errStr);
-static void	DestroyHTMLItem(HTMLItem *item);
-static void	DestroyTagItem(TagItem*ti);
-static TAG_TYPE GetTagType(char *att);
-static FileBuffer*FB_Create(PRFileDesc*fd);
-static int	FB_GetChar(FileBuffer *fb);
-static PRInt32 FB_GetPointer(FileBuffer *fb);
-static PRInt32 FB_GetRange(FileBuffer *fb, PRInt32 start, PRInt32 end,
-char **buf);
-static unsigned int	FB_GetLineNum(FileBuffer *fb);
-static void	FB_Destroy(FileBuffer *fb);
-static void	PrintTagItem(PRFileDesc *fd, TagItem *ti);
-static void	PrintHTMLStream(PRFileDesc *fd, HTMLItem *head);
-
-/************************************************************************
- *
- * C r e a t e T e x t I t e m
- */
-static HTMLItem*
-CreateTextItem(char *text, unsigned int startline, unsigned int endline)
-{
-    HTMLItem * item;
-
-    item = PR_Malloc(sizeof(HTMLItem));
-    if (!item) {
-	return NULL;
-    }
-
-    item->type = TEXT_ITEM;
-    item->item.text = text;
-    item->next = NULL;
-    item->startLine = startline;
-    item->endLine = endline;
-
-    return item;
-}
-
-
-/************************************************************************
- *
- * C r e a t e T a g I t e m
- */
-static HTMLItem*
-CreateTagItem(TagItem*ti, unsigned int startline, unsigned int endline)
-{
-    HTMLItem * item;
-
-    item = PR_Malloc(sizeof(HTMLItem));
-    if (!item) {
-	return NULL;
-    }
-
-    item->type = TAG_ITEM;
-    item->item.tag = ti;
-    item->next = NULL;
-    item->startLine = startline;
-    item->endLine = endline;
-
-    return item;
-}
-
-
-static PRBool
-isAttChar(int c)
-{
-    return (isalnum(c) || c == '/' || c == '-');
-}
-
-
-/************************************************************************
- *
- * P r o c e s s T a g
- */
-static TagItem*
-ProcessTag(FileBuffer*fb, char **errStr)
-{
-    TAG_STATE state;
-    PRInt32 startText, startID, curPos;
-    PRBool firstAtt;
-    int	curchar;
-    TagItem * ti = NULL;
-    AVPair * curPair = NULL;
-    char	quotechar = '\0';
-    unsigned int	linenum;
-    unsigned int	startline;
-
-    state = START_STATE;
-
-    startID = FB_GetPointer(fb);
-    startText = startID;
-    firstAtt = PR_TRUE;
-
-    ti = (TagItem * ) PR_Malloc(sizeof(TagItem));
-    if (!ti) 
-	out_of_memory();
-    ti->type = OTHER_TAG;
-    ti->attList = NULL;
-    ti->attListTail = NULL;
-    ti->text = NULL;
-
-    startline = FB_GetLineNum(fb);
-
-    while (state != DONE_STATE && state != ERR_STATE) {
-	linenum = FB_GetLineNum(fb);
-	curchar = FB_GetChar(fb);
-	if (curchar == EOF) {
-	    *errStr = PR_smprintf(
-	        "line %d: Unexpected end-of-file while parsing tag starting at line %d.\n",
-	         linenum, startline);
-	    state = ERR_STATE;
-	    continue;
-	}
-
-	switch (state) {
-	case START_STATE:
-	    if (curchar == '!') {
-		/*
-		 * SGML tag or comment
-		 * Here's the general rule for SGML tags.  Everything from
-		 * <! to > is the tag.  Inside the tag, comments are
-		 * delimited with --.  So we are looking for the first '>'
-		 * that is not commented out, that is, not inside a pair
-		 * of --: <!DOCTYPE --this is a comment >(psyche!)   -->
-		 */
-
-		PRBool inComment = PR_FALSE;
-		short	hyphenCount = 0; /* number of consecutive hyphens */
-
-		while (1) {
-		    linenum = FB_GetLineNum(fb);
-		    curchar = FB_GetChar(fb);
-		    if (curchar == EOF) {
-			/* Uh oh, EOF inside comment */
-			*errStr = PR_smprintf(
-    "line %d: Unexpected end-of-file inside comment starting at line %d.\n",
-  						linenum, startline);
-			state = ERR_STATE;
-			break;
-		    }
-		    if (curchar == '-') {
-			if (hyphenCount == 1) {
-			    /* This is a comment delimiter */
-			    inComment = !inComment;
-			    hyphenCount = 0;
-			} else {
-			    /* beginning of a comment delimiter? */
-			    hyphenCount = 1;
-			}
-		    } else if (curchar == '>') {
-			if (!inComment) {
-			    /* This is the end of the tag */
-			    state = DONE_STATE;
-			    break;
-			} else {
-			    /* The > is inside a comment, so it's not
-							 * really the end of the tag */
-			    hyphenCount = 0;
-			}
-		    } else {
-			hyphenCount = 0;
-		    }
-		}
-		ti->type = COMMENT_TAG;
-		break;
-	    }
-	    /* fall through */
-	case GET_ATT_STATE:
-	    if (isspace(curchar) || curchar == '=' || curchar
-	        == '>') {
-		/* end of the current attribute */
-		curPos = FB_GetPointer(fb) - 2;
-		if (curPos >= startID) {
-		    /* We have an attribute */
-		    curPair = (AVPair * )PR_Malloc(sizeof(AVPair));
-		    if (!curPair) 
-			out_of_memory();
-		    curPair->value = NULL;
-		    curPair->next = NULL;
-		    FB_GetRange(fb, startID, curPos,
-		        &curPair->attribute);
-
-		    /* Stick this attribute on the list */
-		    if (ti->attListTail) {
-			ti->attListTail->next = curPair;
-			ti->attListTail = curPair;
-		    } else {
-			ti->attList = ti->attListTail =
-			    curPair;
-		    }
-
-		    /* If this is the first attribute, find the type of tag
-		     * based on it. Also, start saving the text of the tag. */
-		    if (firstAtt) {
-			ti->type = GetTagType(curPair->attribute);
-			startText = FB_GetPointer(fb)
-			    -1;
-			firstAtt = PR_FALSE;
-		    }
-		} else {
-		    if (curchar == '=') {
-			/* If we don't have any attribute but we do have an
-			 * equal sign, that's an error */
-			*errStr = PR_smprintf("line %d: Malformed tag starting at line %d.\n",
-			     linenum, startline);
-			state = ERR_STATE;
-			break;
-		    }
-		}
-
-		/* Compute next state */
-		if (curchar == '=') {
-		    startID = FB_GetPointer(fb);
-		    state = PRE_VAL_WS_STATE;
-		} else if (curchar == '>') {
-		    state = DONE_STATE;
-		} else if (curPair) {
-		    state = POST_ATT_WS_STATE;
-		} else {
-		    state = PRE_ATT_WS_STATE;
-		}
-	    } else if (isAttChar(curchar)) {
-		/* Just another char in the attribute. Do nothing */
-		state = GET_ATT_STATE;
-	    } else {
-		/* bogus char */
-		*errStr = PR_smprintf("line %d: Bogus chararacter '%c' in tag.\n",
-		     			linenum, curchar);
-		state = ERR_STATE;
-		break;
-	    }
-	    break;
-	case PRE_ATT_WS_STATE:
-	    if (curchar == '>') {
-		state = DONE_STATE;
-	    } else if (isspace(curchar)) {
-		/* more whitespace, do nothing */
-	    } else if (isAttChar(curchar)) {
-		/* starting another attribute */
-		startID = FB_GetPointer(fb) - 1;
-		state = GET_ATT_STATE;
-	    } else {
-		/* bogus char */
-		*errStr = PR_smprintf("line %d: Bogus character '%c' in tag.\n",
-		     			linenum, curchar);
-		state = ERR_STATE;
-		break;
-	    }
-	    break;
-	case POST_ATT_WS_STATE:
-	    if (curchar == '>') {
-		state = DONE_STATE;
-	    } else if (isspace(curchar)) {
-		/* more whitespace, do nothing */
-	    } else if (isAttChar(curchar)) {
-		/* starting another attribute */
-		startID = FB_GetPointer(fb) - 1;
-		state = GET_ATT_STATE;
-	    } else if (curchar == '=') {
-		/* there was whitespace between the attribute and its equal
-		 * sign, which means there's a value coming up */
-		state = PRE_VAL_WS_STATE;
-	    } else {
-		/* bogus char */
-		*errStr = PR_smprintf("line %d: Bogus character '%c' in tag.\n",
-		     					linenum, curchar);
-		state = ERR_STATE;
-		break;
-	    }
-	    break;
-	case PRE_VAL_WS_STATE:
-	    if (curchar == '>') {
-		/* premature end-of-tag (sounds like a personal problem). */
-		*errStr = PR_smprintf(
-		    "line %d: End of tag while waiting for value.\n",
-		     linenum);
-		state = ERR_STATE;
-		break;
-	    } else if (isspace(curchar)) {
-		/* more whitespace, do nothing */
-		break;
-	    } else {
-		/* this must be some sort of value. Fall through
-				 * to GET_VALUE_STATE */
-		startID = FB_GetPointer(fb) - 1;
-		state = GET_VALUE_STATE;
-	    }
-	    /* Fall through if we didn't break on '>' or whitespace */
-	case GET_VALUE_STATE:
-	    if (isspace(curchar) || curchar == '>') {
-		/* end of value */
-		curPos = FB_GetPointer(fb) - 2;
-		if (curPos >= startID) {
-		    /* Grab the value */
-		    FB_GetRange(fb, startID, curPos,
-		        &curPair->value);
-		    curPair->valueLine = linenum;
-		} else {
-		    /* empty value, leave as NULL */
-		}
-		if (isspace(curchar)) {
-		    state = PRE_ATT_WS_STATE;
-		} else {
-		    state = DONE_STATE;
-		}
-	    } else if (curchar == '\"' || curchar == '\'') {
-		/* quoted value.  Start recording the value inside the quote*/
-		startID = FB_GetPointer(fb);
-		state = GET_QUOTED_VAL_STATE;
-		PORT_Assert(quotechar == '\0');
-		quotechar = curchar; /* look for matching quote type */
-	    } else {
-		/* just more value */
-	    }
-	    break;
-	case GET_QUOTED_VAL_STATE:
-	    PORT_Assert(quotechar != '\0');
-	    if (curchar == quotechar) {
-		/* end of quoted value */
-		curPos = FB_GetPointer(fb) - 2;
-		if (curPos >= startID) {
-		    /* Grab the value */
-		    FB_GetRange(fb, startID, curPos,
-		        &curPair->value);
-		    curPair->valueLine = linenum;
-		} else {
-		    /* empty value, leave it as NULL */
-		}
-		state = GET_ATT_STATE;
-		quotechar = '\0';
-		startID = FB_GetPointer(fb);
-	    } else {
-		/* more quoted value, continue */
-	    }
-	    break;
-	case DONE_STATE:
-	case ERR_STATE:
-	default:
-	    ; /* should never get here */
-	}
-    }
-
-    if (state == DONE_STATE) {
-	/* Get the text of the tag */
-	curPos = FB_GetPointer(fb) - 1;
-	FB_GetRange(fb, startText, curPos, &ti->text);
-
-	/* Return the tag */
-	return ti;
-    }
-
-    /* Uh oh, an error.  Kill the tag item*/
-    DestroyTagItem(ti);
-    return NULL;
-}
-
-
-/************************************************************************
- *
- * D e s t r o y H T M L I t e m
- */
-static void	
-DestroyHTMLItem(HTMLItem *item)
-{
-    if (item->type == TAG_ITEM) {
-	DestroyTagItem(item->item.tag);
-    } else {
-	if (item->item.text) {
-	    PR_Free(item->item.text);
-	}
-    }
-}
-
-
-/************************************************************************
- *
- * D e s t r o y T a g I t e m
- */
-static void	
-DestroyTagItem(TagItem*ti)
-{
-    AVPair * temp;
-
-    if (ti->text) {
-	PR_Free(ti->text); 
-	ti->text = NULL;
-    }
-
-    while (ti->attList) {
-	temp = ti->attList;
-	ti->attList = ti->attList->next;
-
-	if (temp->attribute) {
-	    PR_Free(temp->attribute); 
-	    temp->attribute = NULL;
-	}
-	if (temp->value) {
-	    PR_Free(temp->value); 
-	    temp->value = NULL;
-	}
-	PR_Free(temp);
-    }
-
-    PR_Free(ti);
-}
-
-
-/************************************************************************
- *
- * G e t T a g T y p e
- */
-static TAG_TYPE
-GetTagType(char *att)
-{
-    if (!PORT_Strcasecmp(att, "APPLET")) {
-	return APPLET_TAG;
-    }
-    if (!PORT_Strcasecmp(att, "SCRIPT")) {
-	return SCRIPT_TAG;
-    }
-    if (!PORT_Strcasecmp(att, "LINK")) {
-	return LINK_TAG;
-    }
-    if (!PORT_Strcasecmp(att, "STYLE")) {
-	return STYLE_TAG;
-    }
-    return OTHER_TAG;
-}
-
-
-/************************************************************************
- *
- * F B _ C r e a t e
- */
-static FileBuffer*
-FB_Create(PRFileDesc*fd)
-{
-    FileBuffer * fb;
-    PRInt32 amountRead;
-    PRInt32 storedOffset;
-
-    fb = (FileBuffer * ) PR_Malloc(sizeof(FileBuffer));
-    fb->fd = fd;
-    storedOffset = PR_Seek(fd, 0, PR_SEEK_CUR);
-    PR_Seek(fd, 0, PR_SEEK_SET);
-    fb->startOffset = 0;
-    amountRead = PR_Read(fd, fb->buf, FILE_BUFFER_BUFSIZE);
-    if (amountRead == -1) 
-	goto loser;
-    fb->maxIndex = amountRead - 1;
-    fb->curIndex = 0;
-    fb->IsEOF = (fb->curIndex > fb->maxIndex) ? PR_TRUE : PR_FALSE;
-    fb->lineNum = 1;
-
-    PR_Seek(fd, storedOffset, PR_SEEK_SET);
-    return fb;
-loser:
-    PR_Seek(fd, storedOffset, PR_SEEK_SET);
-    PR_Free(fb);
-    return NULL;
-}
-
-
-/************************************************************************
- *
- * F B _ G e t C h a r
- */
-static int	
-FB_GetChar(FileBuffer *fb)
-{
-    PRInt32 storedOffset;
-    PRInt32 amountRead;
-    int	retval = -1;
-
-    if (fb->IsEOF) {
-	return EOF;
-    }
-
-    storedOffset = PR_Seek(fb->fd, 0, PR_SEEK_CUR);
-
-    retval = (unsigned char) fb->buf[fb->curIndex++];
-    if (retval == '\n') 
-	fb->lineNum++;
-
-    if (fb->curIndex > fb->maxIndex) {
-	/* We're at the end of the buffer. Try to get some new data from the
-		 * file */
-	fb->startOffset += fb->maxIndex + 1;
-	PR_Seek(fb->fd, fb->startOffset, PR_SEEK_SET);
-	amountRead = PR_Read(fb->fd, fb->buf, FILE_BUFFER_BUFSIZE);
-	if (amountRead == -1)  
-	    goto loser;
-	fb->maxIndex = amountRead - 1;
-	fb->curIndex = 0;
-    }
-
-    fb->IsEOF = (fb->curIndex > fb->maxIndex) ? PR_TRUE : PR_FALSE;
-
-loser:
-    PR_Seek(fb->fd, storedOffset, PR_SEEK_SET);
-    return retval;
-}
-
-
-/************************************************************************
- *
- * F B _ G e t L i n e N u m
- *
- */
-static unsigned int	
-FB_GetLineNum(FileBuffer *fb)
-{
-    return fb->lineNum;
-}
-
-
-/************************************************************************
- *
- * F B _ G e t P o i n t e r
- *
- */
-static PRInt32
-FB_GetPointer(FileBuffer *fb)
-{
-    return fb->startOffset + fb->curIndex;
-}
-
-
-/************************************************************************
- *
- * F B _ G e t R a n g e
- *
- */
-static PRInt32
-FB_GetRange(FileBuffer *fb, PRInt32 start, PRInt32 end, char **buf)
-{
-    PRInt32 amountRead;
-    PRInt32 storedOffset;
-
-    *buf = PR_Malloc(end - start + 2);
-    if (*buf == NULL) {
-	return 0;
-    }
-
-    storedOffset = PR_Seek(fb->fd, 0, PR_SEEK_CUR);
-    PR_Seek(fb->fd, start, PR_SEEK_SET);
-    amountRead = PR_Read(fb->fd, *buf, end - start + 1);
-    PR_Seek(fb->fd, storedOffset, PR_SEEK_SET);
-    if (amountRead == -1) {
-	PR_Free(*buf);
-	*buf = NULL;
-	return 0;
-    }
-
-    (*buf)[end-start+1] = '\0';
-    return amountRead;
-}
-
-
-/************************************************************************
- *
- * F B _ D e s t r o y
- *
- */
-static void	
-FB_Destroy(FileBuffer *fb)
-{
-    if (fb) {
-	PR_Free(fb);
-    }
-}
-
-
-/************************************************************************
- *
- * P r i n t T a g I t e m
- *
- */
-static void	
-PrintTagItem(PRFileDesc *fd, TagItem *ti)
-{
-    AVPair * pair;
-
-    PR_fprintf(fd, "TAG:\n----\nType: ");
-    switch (ti->type) {
-    case APPLET_TAG:
-	PR_fprintf(fd, "applet\n");
-	break;
-    case SCRIPT_TAG:
-	PR_fprintf(fd, "script\n");
-	break;
-    case LINK_TAG:
-	PR_fprintf(fd, "link\n");
-	break;
-    case STYLE_TAG:
-	PR_fprintf(fd, "style\n");
-	break;
-    case COMMENT_TAG:
-	PR_fprintf(fd, "comment\n");
-	break;
-    case OTHER_TAG:
-    default:
-	PR_fprintf(fd, "other\n");
-	break;
-    }
-
-    PR_fprintf(fd, "Attributes:\n");
-    for (pair = ti->attList; pair; pair = pair->next) {
-	PR_fprintf(fd, "\t%s=%s\n", pair->attribute,
-	    pair->value ? pair->value : "");
-    }
-    PR_fprintf(fd, "Text:%s\n", ti->text ? ti->text : "");
-
-    PR_fprintf(fd, "---End of tag---\n");
-}
-
-
-/************************************************************************
- *
- * P r i n t H T M L S t r e a m
- *
- */
-static void	
-PrintHTMLStream(PRFileDesc *fd, HTMLItem *head)
-{
-    while (head) {
-	if (head->type == TAG_ITEM) {
-	    PrintTagItem(fd, head->item.tag);
-	} else {
-	    PR_fprintf(fd, "\nTEXT:\n-----\n%s\n-----\n\n", head->item.text);
-	}
-	head = head->next;
-    }
-}
-
-
-/************************************************************************
- *
- * S a v e I n l i n e S c r i p t
- *
- */
-static int	
-SaveInlineScript(char *text, char *id, char *basedir, char *archiveDir)
-{
-    char	*filename = NULL;
-    PRFileDesc * fd = NULL;
-    int	retval = -1;
-    PRInt32 writeLen;
-    char	*ilDir = NULL;
-
-    if (!text || !id || !archiveDir) {
-	return - 1;
-    }
-
-    if (dumpParse) {
-	PR_fprintf(outputFD, "SaveInlineScript: text=%s, id=%s, \n"
-	    "basedir=%s, archiveDir=%s\n",
-	    text, id, basedir, archiveDir);
-    }
-
-    /* Make sure the archive directory is around */
-    if (ensureExists(basedir, archiveDir) != PR_SUCCESS) {
-	PR_fprintf(errorFD,
-	    "ERROR: Unable to create archive directory %s.\n", archiveDir);
-	errorCount++;
-	return - 1;
-    }
-
-    /* Make sure the inline script directory is around */
-    ilDir = PR_smprintf("%s/inlineScripts", archiveDir);
-    scriptdir = "inlineScripts";
-    if (ensureExists(basedir, ilDir) != PR_SUCCESS) {
-	PR_fprintf(errorFD,
-	    "ERROR: Unable to create directory %s.\n", ilDir);
-	errorCount++;
-	return - 1;
-    }
-
-    filename = PR_smprintf("%s/%s/%s", basedir, ilDir, id);
-
-    /* If the file already exists, give a warning, then blow it away */
-    if (PR_Access(filename, PR_ACCESS_EXISTS) == PR_SUCCESS) {
-	PR_fprintf(errorFD,
-	    "warning: file \"%s\" already exists--will overwrite.\n",
-	     			filename);
-	warningCount++;
-	if (rm_dash_r(filename)) {
-	    PR_fprintf(errorFD, "ERROR: Unable to delete %s.\n", filename);
-	    errorCount++;
-	    goto finish;
-	}
-    }
-
-    /* Write text into file with name id */
-    fd = PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777);
-    if (!fd) {
-	PR_fprintf(errorFD, "ERROR: Unable to create file \"%s\".\n",
-	     			filename);
-	errorCount++;
-	goto finish;
-    }
-    writeLen = strlen(text);
-    if ( PR_Write(fd, text, writeLen) != writeLen) {
-	PR_fprintf(errorFD, "ERROR: Unable to write to file \"%s\".\n",
-	     			filename);
-	errorCount++;
-	goto finish;
-    }
-
-    retval = 0;
-finish:
-    if (filename) {
-	PR_smprintf_free(filename);
-    }
-    if (ilDir) {
-	PR_smprintf_free(ilDir);
-    }
-    if (fd) {
-	PR_Close(fd);
-    }
-    return retval;
-}
-
-
-/************************************************************************
- *
- * S a v e U n n a m a b l e S c r i p t
- *
- */
-static int	
-SaveUnnamableScript(char *text, char *basedir, char *archiveDir,
-char *HTMLfilename)
-{
-    char	*id = NULL;
-    char	*ext = NULL;
-    char	*start = NULL;
-    int	retval = -1;
-
-    if (!text || !archiveDir || !HTMLfilename) {
-	return - 1;
-    }
-
-    if (dumpParse) {
-	PR_fprintf(outputFD, "SaveUnnamableScript: text=%s, basedir=%s,\n"
-	    "archiveDir=%s, filename=%s\n", text, basedir, archiveDir,
-	     			HTMLfilename);
-    }
-
-    /* Construct the filename */
-    ext = PL_strrchr(HTMLfilename, '.');
-    if (ext) {
-	*ext = '\0';
-    }
-    for (start = HTMLfilename; strpbrk(start, "/\\"); 
-         start = strpbrk(start, "/\\") + 1)
-	/* do nothing */;
-    if (*start == '\0') 
-	start = HTMLfilename;
-    id = PR_smprintf("_%s%d", start, idOrdinal++);
-    if (ext) {
-	*ext = '.';
-    }
-
-    /* Now call SaveInlineScript to do the work */
-    retval = SaveInlineScript(text, id, basedir, archiveDir);
-
-    PR_Free(id);
-
-    return retval;
-}
-
-
-/************************************************************************
- *
- * S a v e S o u r c e
- *
- */
-static int	
-SaveSource(char *src, char *codebase, char *basedir, char *archiveDir)
-{
-    char	*from = NULL, *to = NULL;
-    int	retval = -1;
-    char	*arcDir = NULL;
-
-    if (!src || !archiveDir) {
-	return - 1;
-    }
-
-    if (dumpParse) {
-	PR_fprintf(outputFD, "SaveSource: src=%s, codebase=%s, basedir=%s,\n"
-	    "archiveDir=%s\n", src, codebase, basedir, archiveDir);
-    }
-
-    if (codebase) {
-	arcDir = PR_smprintf("%s/%s/%s/", basedir, codebase, archiveDir);
-    } else {
-	arcDir = PR_smprintf("%s/%s/", basedir, archiveDir);
-    }
-
-    if (codebase) {
-	from = PR_smprintf("%s/%s/%s", basedir, codebase, src);
-	to = PR_smprintf("%s%s", arcDir, src);
-    } else {
-	from = PR_smprintf("%s/%s", basedir, src);
-	to = PR_smprintf("%s%s", arcDir, src);
-    }
-
-    if (make_dirs(to, 0777)) {
-	PR_fprintf(errorFD,
-	    "ERROR: Unable to create archive directory %s.\n", archiveDir);
-	errorCount++;
-	goto finish;
-    }
-
-    retval = copyinto(from, to);
-finish:
-    if (from) 
-	PR_Free(from);
-    if (to) 
-	PR_Free(to);
-    if (arcDir) 
-	PR_Free(arcDir);
-    return retval;
-}
-
-
-/************************************************************************
- *
- * T a g T y p e T o S t r i n g
- *
- */
-char	*
-TagTypeToString(TAG_TYPE type)
-{
-    switch (type) {
-    case APPLET_TAG:
-	return "APPLET";
-    case SCRIPT_TAG:
-	return "SCRIPT";
-    case LINK_TAG:
-	return "LINK";
-    case STYLE_TAG:
-	return "STYLE";
-    default:
-	break;
-    }
-    return "unknown";
-}
-
-
-/************************************************************************
- *
- * e x t r a c t _ j s
- *
- */
-static int	
-extract_js(char *filename)
-{
-    PRFileDesc * fd = NULL;
-    FileBuffer * fb = NULL;
-    HTMLItem * head = NULL;
-    HTMLItem * tail = NULL;
-    HTMLItem * curitem = NULL;
-    HTMLItem * styleList	= NULL;
-    HTMLItem * styleListTail	= NULL;
-    HTMLItem * entityList	= NULL;
-    HTMLItem * entityListTail	= NULL;
-    TagItem * tagp = NULL;
-    char	*text = NULL;
-    char	*tagerr = NULL;
-    char	*archiveDir = NULL;
-    char	*firstArchiveDir = NULL;
-    char	*basedir = NULL;
-    PRInt32    textStart;
-    PRInt32    curOffset;
-    HTML_STATE state;
-    int	       curchar;
-    int	       retval = -1;
-    unsigned int linenum, startLine;
-
-    /* Initialize the implicit ID counter for each file */
-    idOrdinal = 0;
-
-    /*
-     * First, parse the HTML into a stream of tags and text.
-     */
-
-    fd = PR_Open(filename, PR_RDONLY, 0);
-    if (!fd) {
-	PR_fprintf(errorFD, "Unable to open %s for reading.\n", filename);
-	errorCount++;
-	return - 1;
-    }
-
-    /* Construct base directory of filename. */
-     {
-	char	*cp;
-
-	basedir = PL_strdup(filename);
-
-	/* Remove trailing slashes */
-	while ( (cp = PL_strprbrk(basedir, "/\\")) == 
-	    (basedir + strlen(basedir) - 1)) {
-	    *cp = '\0';
-	}
-
-	/* Now remove everything from the last slash (which will be followed
-	 * by a filename) to the end */
-	cp = PL_strprbrk(basedir, "/\\");
-	if (cp) {
-	    *cp = '\0';
-	}
-    }
-
-    state = TEXT_HTML_STATE;
-
-    fb = FB_Create(fd);
-
-    textStart = 0;
-    startLine = 0;
-    while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) !=
-        EOF) {
-	switch (state) {
-	case TEXT_HTML_STATE:
-	    if (curchar == '<') {
-		/*
-		 * Found a tag
-		 */
-		/* Save the text so far to a new text item */
-		curOffset = FB_GetPointer(fb) - 2;
-		if (curOffset >= textStart) {
-		    if (FB_GetRange(fb, textStart, curOffset,
-		         &text) != 
-		        curOffset - textStart + 1)  {
-			PR_fprintf(errorFD,
-			    "Unable to read from %s.\n",
-			     filename);
-			errorCount++;
-			goto loser;
-		    }
-		    /* little fudge here.  If the first character on a line
-		     * is '<', meaning a new tag, the preceding text item
-		     * actually ends on the previous line.  In this case
-		     * we will be saying that the text segment ends on the
-		     * next line. I don't think this matters for text items. */
-		    curitem = CreateTextItem(text, startLine,
-		         linenum);
-		    text = NULL;
-		    if (tail == NULL) {
-			head = tail = curitem;
-		    } else {
-			tail->next = curitem;
-			tail = curitem;
-		    }
-		}
-
-		/* Process the tag */
-		tagp = ProcessTag(fb, &tagerr);
-		if (!tagp) {
-		    if (tagerr) {
-			PR_fprintf(errorFD, "Error in file %s: %s\n",
-						  filename, tagerr);
-			errorCount++;
-		    } else {
-			PR_fprintf(errorFD,
-			    "Error in file %s, in tag starting at line %d\n",
-						  filename, linenum);
-			errorCount++;
-		    }
-		    goto loser;
-		}
-		/* Add the tag to the list */
-		curitem = CreateTagItem(tagp, linenum, FB_GetLineNum(fb));
-		if (tail == NULL) {
-		    head = tail = curitem;
-		} else {
-		    tail->next = curitem;
-		    tail = curitem;
-		}
-
-		/* What's the next state */
-		if (tagp->type == SCRIPT_TAG) {
-		    state = SCRIPT_HTML_STATE;
-		}
-
-		/* Start recording text from the new offset */
-		textStart = FB_GetPointer(fb);
-		startLine = FB_GetLineNum(fb);
-	    } else {
-		/* regular character.  Next! */
-	    }
-	    break;
-	case SCRIPT_HTML_STATE:
-	    if (curchar == '<') {
-		char	*cp;
-		/*
-		 * If this is a </script> tag, then we're at the end of the
-		 * script.  Otherwise, ignore
-		 */
-		curOffset = FB_GetPointer(fb) - 1;
-		cp = NULL;
-		if (FB_GetRange(fb, curOffset, curOffset + 8, &cp) != 9) {
-		    if (cp) { 
-			PR_Free(cp); 
-			cp = NULL; 
-		    }
-		} else {
-		    /* compare the strings */
-		    if ( !PORT_Strncasecmp(cp, "</script>", 9) ) {
-			/* This is the end of the script. Record the text. */
-			curOffset--;
-			if (curOffset >= textStart) {
-			    if (FB_GetRange(fb, textStart, curOffset, &text) != 
-			        curOffset - textStart + 1) {
-				PR_fprintf(errorFD, "Unable to read from %s.\n",
-				     filename);
-				errorCount++;
-				goto loser;
-			    }
-			    curitem = CreateTextItem(text, startLine, linenum);
-			    text = NULL;
-			    if (tail == NULL) {
-				head = tail = curitem;
-			    } else {
-				tail->next = curitem;
-				tail = curitem;
-			    }
-			}
-
-			/* Now parse the /script tag and put it on the list */
-			tagp = ProcessTag(fb, &tagerr);
-			if (!tagp) {
-			    if (tagerr) {
-				PR_fprintf(errorFD, "Error in file %s: %s\n",
-				     filename, tagerr);
-			    } else {
-				PR_fprintf(errorFD, 
-				    "Error in file %s, in tag starting at"
-				    " line %d\n", filename, linenum);
-			    }
-			    errorCount++;
-			    goto loser;
-			}
-			curitem = CreateTagItem(tagp, linenum,
-						FB_GetLineNum(fb));
-			if (tail == NULL) {
-			    head = tail = curitem;
-			} else {
-			    tail->next = curitem;
-			    tail = curitem;
-			}
-
-			/* go back to text state */
-			state = TEXT_HTML_STATE;
-
-			textStart = FB_GetPointer(fb);
-			startLine = FB_GetLineNum(fb);
-		    }
-		}
-	    }
-	    break;
-	}
-    }
-
-    /* End of the file.  Wrap up any remaining text */
-    if (state == SCRIPT_HTML_STATE) {
-	if (tail && tail->type == TAG_ITEM) {
-	    PR_fprintf(errorFD, "ERROR: <SCRIPT> tag at %s:%d is not followed "
-	        "by a </SCRIPT> tag.\n", filename, tail->startLine);
-	} else {
-	    PR_fprintf(errorFD, "ERROR: <SCRIPT> tag in file %s is not followed"
-	        " by a </SCRIPT tag.\n", filename);
-	}
-	errorCount++;
-	goto loser;
-    }
-    curOffset = FB_GetPointer(fb) - 1;
-    if (curOffset >= textStart) {
-	text = NULL;
-	if ( FB_GetRange(fb, textStart, curOffset, &text) != 
-	    curOffset - textStart + 1) {
-	    PR_fprintf(errorFD, "Unable to read from %s.\n", filename);
-	    errorCount++;
-	    goto loser;
-	}
-	curitem = CreateTextItem(text, startLine, linenum);
-	text = NULL;
-	if (tail == NULL) {
-	    head = tail = curitem;
-	} else {
-	    tail->next = curitem;
-	    tail = curitem;
-	}
-    }
-
-    if (dumpParse) {
-	PrintHTMLStream(outputFD, head);
-    }
-
-    /*
-     * Now we have a stream of tags and text.  Go through and deal with each.
-     */
-    for (curitem = head; curitem; curitem = curitem->next) {
-	TagItem * tagp = NULL;
-	AVPair * pairp = NULL;
-	char	*src = NULL, *id = NULL, *codebase = NULL;
-	PRBool hasEventHandler = PR_FALSE;
-	int	i;
-
-	/* Reset archive directory for each tag */
-	if (archiveDir) {
-	    PR_Free(archiveDir); 
-	    archiveDir = NULL;
-	}
-
-	/* We only analyze tags */
-	if (curitem->type != TAG_ITEM) {
-	    continue;
-	}
-
-	tagp = curitem->item.tag;
-
-	/* go through the attributes to get information */
-	for (pairp = tagp->attList; pairp; pairp = pairp->next) {
-
-	    /* ARCHIVE= */
-	    if ( !PL_strcasecmp(pairp->attribute, "archive")) {
-		if (archiveDir) {
-		    /* Duplicate attribute.  Print warning */
-		    PR_fprintf(errorFD,
-		        "warning: \"%s\" attribute overwrites previous attribute"
-		        " in tag starting at %s:%d.\n",
-		        pairp->attribute, filename, curitem->startLine);
-		    warningCount++;
-		    PR_Free(archiveDir);
-		}
-		archiveDir = PL_strdup(pairp->value);
-
-		/* Substiture ".arc" for ".jar" */
-		if ( (PL_strlen(archiveDir) < 4) || 
-		    PL_strcasecmp((archiveDir + strlen(archiveDir) -4), 
-			".jar")) {
-		    PR_fprintf(errorFD,
-		        "warning: ARCHIVE attribute should end in \".jar\" in tag"
-		        " starting on %s:%d.\n", filename, curitem->startLine);
-		    warningCount++;
-		    PR_Free(archiveDir);
-		    archiveDir = PR_smprintf("%s.arc", archiveDir);
-		} else {
-		    PL_strcpy(archiveDir + strlen(archiveDir) -4, ".arc");
-		}
-
-		/* Record the first archive.  This will be used later if
-		 * the archive is not specified */
-		if (firstArchiveDir == NULL) {
-		    firstArchiveDir = PL_strdup(archiveDir);
-		}
-	    } 
-	    /* CODEBASE= */
-	    else if ( !PL_strcasecmp(pairp->attribute, "codebase")) {
-		if (codebase) {
-		    /* Duplicate attribute.  Print warning */
-		    PR_fprintf(errorFD,
-		        "warning: \"%s\" attribute overwrites previous attribute"
-		        " in tag staring at %s:%d.\n",
-		        pairp->attribute, filename, curitem->startLine);
-		    warningCount++;
-		}
-		codebase = pairp->value;
-	    } 
-	    /* SRC= and HREF= */
-	    else if ( !PORT_Strcasecmp(pairp->attribute, "src") ||
-	        !PORT_Strcasecmp(pairp->attribute, "href") ) {
-		if (src) {
-		    /* Duplicate attribute.  Print warning */
-		    PR_fprintf(errorFD,
-		        "warning: \"%s\" attribute overwrites previous attribute"
-		        " in tag staring at %s:%d.\n",
-		        pairp->attribute, filename, curitem->startLine);
-		    warningCount++;
-		}
-		src = pairp->value;
-	    } 
-	    /* CODE= */
-	    else if (!PORT_Strcasecmp(pairp->attribute, "code") ) {
-		/*!!!XXX Change PORT to PL all over this code !!! */
-		if (src) {
-		    /* Duplicate attribute.  Print warning */
-		    PR_fprintf(errorFD,
-		        "warning: \"%s\" attribute overwrites previous attribute"
-		        " ,in tag staring at %s:%d.\n",
-		        pairp->attribute, filename, curitem->startLine);
-		    warningCount++;
-		}
-		src = pairp->value;
-
-		/* Append a .class if one is not already present */
-		if ( (PL_strlen(src) < 6) || 
-		    PL_strcasecmp( (src + PL_strlen(src) - 6), ".class") ) {
-		    src = PR_smprintf("%s.class", src);
-		    /* Put this string back into the data structure so it
-		     * will be deallocated properly */
-		    PR_Free(pairp->value);
-		    pairp->value = src;
-		}
-	    } 
-	    /* ID= */
-	    else if (!PL_strcasecmp(pairp->attribute, "id") ) {
-		if (id) {
-		    /* Duplicate attribute.  Print warning */
-		    PR_fprintf(errorFD,
-		        "warning: \"%s\" attribute overwrites previous attribute"
-		        " in tag staring at %s:%d.\n",
-		        pairp->attribute, filename, curitem->startLine);
-		    warningCount++;
-		}
-		id = pairp->value;
-	    }
-
-	    /* STYLE= */
-	    /* style= attributes, along with JS entities, are stored into
-	     * files with dynamically generated names. The filenames are
-	     * based on the order in which the text is found in the file.
-	     * All JS entities on all lines up to and including the line
-	     * containing the end of the tag that has this style= attribute
-	     * will be processed before this style=attribute.  So we need
-	     * to record the line that this _tag_ (not the attribute) ends on.
-	     */
-	    else if (!PL_strcasecmp(pairp->attribute, "style") && pairp->value) 
-	    {
-		HTMLItem * styleItem;
-		/* Put this item on the style list */
-		styleItem = CreateTextItem(PL_strdup(pairp->value),
-		    curitem->startLine, curitem->endLine);
-		if (styleListTail == NULL) {
-		    styleList = styleListTail = styleItem;
-		} else {
-		    styleListTail->next = styleItem;
-		    styleListTail = styleItem;
-		}
-	    } 
-	    /* Event handlers */
-	    else {
-		for (i = 0; i < num_handlers; i++) {
-		    if (!PL_strcasecmp(event_handlers[i], pairp->attribute)) {
-			hasEventHandler = PR_TRUE;
-			break;
-		    }
-		}
-	    }
-
-
-	    /* JS Entity */
-	    {
-		char	*entityStart, *entityEnd;
-		HTMLItem * entityItem;
-
-		/* go through each JavaScript entity ( &{...}; ) and store it
-		 * in the entityList.  The important thing is to record what
-		 * line number it's on, so we can get it in the right order
-		 * in relation to style= attributes.
-		 * Apparently, these can't flow across lines, so the start and
-		 * end line will be the same.  That helps matters.
-		 */
-		entityEnd = pairp->value;
-		while ( entityEnd && 
-		    (entityStart = PL_strstr(entityEnd, "&{")) /*}*/ != NULL) {
-		    entityStart += 2; /* point at beginning of actual entity */
-		    entityEnd = PL_strstr(entityStart, /*{*/ "}");
-		    if (entityEnd) {
-			/* Put this item on the entity list */
-			*entityEnd = '\0';
-			entityItem = CreateTextItem(PL_strdup(entityStart),
-					    pairp->valueLine, pairp->valueLine);
-			*entityEnd = /* { */ '}';
-			if (entityListTail) {
-			    entityListTail->next = entityItem;
-			    entityListTail = entityItem;
-			} else {
-			    entityList = entityListTail = entityItem;
-			}
-		    }
-		}
-	    }
-	}
-
-	/* If no archive was supplied, we use the first one of the file */
-	if (!archiveDir && firstArchiveDir) {
-	    archiveDir = PL_strdup(firstArchiveDir);
-	}
-
-	/* If we have an event handler, we need to archive this tag */
-	if (hasEventHandler) {
-	    if (!id) {
-		PR_fprintf(errorFD,
-		    "warning: tag starting at %s:%d has event handler but"
-		    " no ID attribute.  The tag will not be signed.\n",
-					filename, curitem->startLine);
-		warningCount++;
-	    } else if (!archiveDir) {
-		PR_fprintf(errorFD,
-		    "warning: tag starting at %s:%d has event handler but"
-		    " no ARCHIVE attribute.  The tag will not be signed.\n",
-					    filename, curitem->startLine);
-		warningCount++;
-	    } else {
-		if (SaveInlineScript(tagp->text, id, basedir, archiveDir)) {
-		    goto loser;
-		}
-	    }
-	}
-
-	switch (tagp->type) {
-	case APPLET_TAG:
-	    if (!src) {
-		PR_fprintf(errorFD,
-		    "error: APPLET tag starting on %s:%d has no CODE "
-		    "attribute.\n", filename, curitem->startLine);
-		errorCount++;
-		goto loser;
-	    } else if (!archiveDir) {
-		PR_fprintf(errorFD,
-		    "error: APPLET tag starting on %s:%d has no ARCHIVE "
-		    "attribute.\n", filename, curitem->startLine);
-		errorCount++;
-		goto loser;
-	    } else {
-		if (SaveSource(src, codebase, basedir, archiveDir)) {
-		    goto loser;
-		}
-	    }
-	    break;
-	case SCRIPT_TAG:
-	case LINK_TAG:
-	case STYLE_TAG:
-	    if (!archiveDir) {
-		PR_fprintf(errorFD,
-		    "error: %s tag starting on %s:%d has no ARCHIVE "
-		    "attribute.\n", TagTypeToString(tagp->type),
-					    filename, curitem->startLine);
-		errorCount++;
-		goto loser;
-	    } else if (src) {
-		if (SaveSource(src, codebase, basedir, archiveDir)) {
-		    goto loser;
-		}
-	    } else if (id) {
-		/* Save the next text item */
-		if (!curitem->next || (curitem->next->type !=
-		    TEXT_ITEM)) {
-		    PR_fprintf(errorFD,
-		        "warning: %s tag starting on %s:%d is not followed"
-		        " by script text.\n", TagTypeToString(tagp->type),
-					    filename, curitem->startLine);
-		    warningCount++;
-		    /* just create empty file */
-		    if (SaveInlineScript("", id, basedir, archiveDir)) {
-			goto loser;
-		    }
-		} else {
-		    curitem = curitem->next;
-		    if (SaveInlineScript(curitem->item.text,
-		         id, basedir,
-		        archiveDir)) {
-			goto loser;
-		    }
-		}
-	    } else {
-		/* No src or id tag--warning */
-		PR_fprintf(errorFD,
-		    "warning: %s tag starting on %s:%d has no SRC or"
-		    " ID attributes.  Will not sign.\n",
-		    TagTypeToString(tagp->type), filename, curitem->startLine);
-		warningCount++;
-	    }
-	    break;
-	default:
-	    /* do nothing for other tags */
-	    break;
-	}
-
-    }
-
-    /* Now deal with all the unnamable scripts */
-    if (firstArchiveDir) {
-	HTMLItem * style, *entity;
-
-	/* Go through the lists of JS entities and style attributes.  Do them
-	 * in chronological order within a list.  Pick the list with the lower
-	 * endLine. In case of a tie, entities come first.
-	 */
-	style = styleList; 
-	entity = entityList;
-	while (style || entity) {
-	    if (!entity || (style && (style->endLine < entity->endLine))) {
-		/* Process style */
-		SaveUnnamableScript(style->item.text, basedir, firstArchiveDir,
-				    filename);
-		style = style->next;
-	    } else {
-		/* Process entity */
-		SaveUnnamableScript(entity->item.text, basedir, firstArchiveDir,
-				    filename);
-		entity = entity->next;
-	    }
-	}
-    }
-
-
-    retval = 0;
-loser:
-    /* Blow away the stream */
-    while (head) {
-	curitem = head;
-	head = head->next;
-	DestroyHTMLItem(curitem);
-    }
-    while (styleList) {
-	curitem = styleList;
-	styleList = styleList->next;
-	DestroyHTMLItem(curitem);
-    }
-    while (entityList) {
-	curitem = entityList;
-	entityList = entityList->next;
-	DestroyHTMLItem(curitem);
-    }
-    if (text) {
-	PR_Free(text); 
-	text = NULL;
-    }
-    if (fb) {
-	FB_Destroy(fb); 
-	fb = NULL;
-    }
-    if (fd) {
-	PR_Close(fd);
-    }
-    if (tagerr) {
-	PR_smprintf_free(tagerr); 
-	tagerr = NULL;
-    }
-    if (archiveDir) {
-	PR_Free(archiveDir); 
-	archiveDir = NULL;
-    }
-    if (firstArchiveDir) {
-	PR_Free(firstArchiveDir); 
-	firstArchiveDir = NULL;
-    }
-    return retval;
-}
-
-
-/**********************************************************************
- *
- * e n s u r e E x i s t s
- *
- * Check for existence of indicated directory.  If it doesn't exist,
- * it will be created.
- * Returns PR_SUCCESS if the directory is present, PR_FAILURE otherwise.
- */
-static PRStatus
-ensureExists (char *base, char *path)
-{
-    char	fn [FNSIZE];
-    PRDir * dir;
-    sprintf (fn, "%s/%s", base, path);
-
-    /*PR_fprintf(outputFD, "Trying to open directory %s.\n", fn);*/
-
-    if ( (dir = PR_OpenDir(fn)) ) {
-	PR_CloseDir(dir);
-	return PR_SUCCESS;
-    }
-    return PR_MkDir(fn, 0777);
-}
-
-
-/***************************************************************************
- *
- * m a k e _ d i r s
- *
- * Ensure that the directory portion of the path exists.  This may require
- * making the directory, and its parent, and its parent's parent, etc.
- */
-static int	
-make_dirs(char *path, int file_perms)
-{
-    char	*Path;
-    char	*start;
-    char	*sep;
-    int	ret = 0;
-    PRFileInfo info;
-
-    if (!path) {
-	return 0;
-    }
-
-    Path = PL_strdup(path);
-    start = strpbrk(Path, "/\\");
-    if (!start) {
-	return 0;
-    }
-    start++; /* start right after first slash */
-
-    /* Each time through the loop add one more directory. */
-    while ( (sep = strpbrk(start, "/\\")) ) {
-	*sep = '\0';
-
-	if ( PR_GetFileInfo(Path, &info) != PR_SUCCESS) {
-	    /* No such dir, we have to create it */
-	    if ( PR_MkDir(Path, file_perms) != PR_SUCCESS) {
-		PR_fprintf(errorFD, "ERROR: Unable to create directory %s.\n",
-		     					Path);
-		errorCount++;
-		ret = -1;
-		goto loser;
-	    }
-	} else {
-	    /* something exists by this name, make sure it's a directory */
-	    if ( info.type != PR_FILE_DIRECTORY ) {
-		PR_fprintf(errorFD, "ERROR: Unable to create directory %s.\n",
-		     					Path);
-		errorCount++;
-		ret = -1;
-		goto loser;
-	    }
-	}
-
-	start = sep + 1; /* start after the next slash */
-	*sep = '/';
-    }
-
-loser:
-    PR_Free(Path);
-    return ret;
-}
-
-
-/*
- *  c o p y i n t o
- *
- *  Function to copy file "from" to path "to".
- *
- */
-static int	
-copyinto (char *from, char *to)
-{
-    PRInt32 num;
-    char	buf [BUFSIZ];
-    PRFileDesc * infp = NULL, *outfp = NULL;
-    int	retval = -1;
-
-    if ((infp = PR_Open(from, PR_RDONLY, 0777)) == NULL) {
-	PR_fprintf(errorFD, "ERROR: Unable to open \"%s\" for reading.\n",
-	     			from);
-	errorCount++;
-	goto finish;
-    }
-
-    /* If to already exists, print a warning before deleting it */
-    if (PR_Access(to, PR_ACCESS_EXISTS) == PR_SUCCESS) {
-	PR_fprintf(errorFD, "warning: %s already exists--will overwrite\n", to);
-	warningCount++;
-	if (rm_dash_r(to)) {
-	    PR_fprintf(errorFD,
-	        "ERROR: Unable to remove %s.\n", to);
-	    errorCount++;
-	    goto finish;
-	}
-    }
-
-    if ((outfp = PR_Open(to, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777))
-         == NULL) {
-	char	*errBuf = NULL;
-
-	errBuf = PR_Malloc(PR_GetErrorTextLength());
-	PR_fprintf(errorFD, "ERROR: Unable to open \"%s\" for writing.\n", to);
-	if (PR_GetErrorText(errBuf)) {
-	    PR_fprintf(errorFD, "Cause: %s\n", errBuf);
-	}
-	if (errBuf) {
-	    PR_Free(errBuf);
-	}
-	errorCount++;
-	goto finish;
-    }
-
-    while ( (num = PR_Read(infp, buf, BUFSIZ)) > 0) {
-	if (PR_Write(outfp, buf, num) != num) {
-	    PR_fprintf(errorFD, "ERROR: Error writing to %s.\n", to);
-	    errorCount++;
-	    goto finish;
-	}
-    }
-
-    retval = 0;
-finish:
-    if (infp) 
-	PR_Close(infp);
-    if (outfp) 
-	PR_Close(outfp);
-
-    return retval;
-}
-
-
diff --git a/security/nss/cmd/signtool/list.c b/security/nss/cmd/signtool/list.c
deleted file mode 100644
index 00b58076b..000000000
--- a/security/nss/cmd/signtool/list.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-#include "pk11func.h"
-#include "certdb.h"
-
-static int	num_trav_certs = 0;
-static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
-			void *data);
-
-/*********************************************************************
- *
- * L i s t C e r t s
- */
-int
-ListCerts(char *key, int list_certs)
-{
-    int	failed = 0;
-    SECStatus rv;
-    char	*ugly_list;
-    CERTCertDBHandle * db;
-
-    CERTCertificate * cert;
-    CERTVerifyLog errlog;
-
-    errlog.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( errlog.arena == NULL) {
-	out_of_memory();
-    }
-    errlog.head = NULL;
-    errlog.tail = NULL;
-    errlog.count = 0;
-
-    ugly_list = PORT_ZAlloc (16);
-
-    if (ugly_list == NULL) {
-	out_of_memory();
-    }
-
-    *ugly_list = 0;
-
-    db = CERT_GetDefaultCertDB();
-
-    if (list_certs == 2) {
-	PR_fprintf(outputFD, "\nS Certificates\n");
-	PR_fprintf(outputFD, "- ------------\n");
-    } else {
-	PR_fprintf(outputFD, "\nObject signing certificates\n");
-	PR_fprintf(outputFD, "---------------------------------------\n");
-    }
-
-    num_trav_certs = 0;
-
-    /* Traverse ALL tokens in all slots, authenticating to them all */
-    rv = PK11_TraverseSlotCerts(cert_trav_callback, (void * )&list_certs,
-         		&pwdata);
-
-    if (rv) {
-	PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n");
-	return - 1;
-    }
-
-    if (num_trav_certs == 0) {
-	PR_fprintf(outputFD,
-	    "You don't appear to have any object signing certificates.\n");
-    }
-
-    if (list_certs == 2) {
-	PR_fprintf(outputFD, "- ------------\n");
-    } else {
-	PR_fprintf(outputFD, "---------------------------------------\n");
-    }
-
-    if (list_certs == 1) {
-	PR_fprintf(outputFD,
-	    "For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
-    }
-
-    if (list_certs == 2) {
-	PR_fprintf(outputFD,
-	    "Certificates that can be used to sign objects have *'s to "
-	    "their left.\n");
-    }
-
-    if (key) {
-	/* Do an analysis of the given cert */
-
-	cert = PK11_FindCertFromNickname(key, &pwdata);
-
-	if (cert) {
-	    PR_fprintf(outputFD,
-	        "\nThe certificate with nickname \"%s\" was found:\n",
-	         			 cert->nickname);
-	    PR_fprintf(outputFD, "\tsubject name: %s\n", cert->subjectName);
-	    PR_fprintf(outputFD, "\tissuer name: %s\n", cert->issuerName);
-
-	    PR_fprintf(outputFD, "\n");
-
-	    rv = CERT_CertTimesValid (cert);
-	    if (rv != SECSuccess) {
-		PR_fprintf(outputFD, "**This certificate is expired**\n");
-	    } else {
-		PR_fprintf(outputFD, "This certificate is not expired.\n");
-	    }
-
-	    rv = CERT_VerifyCert (db, cert, PR_TRUE,
-	        certUsageObjectSigner, PR_Now(), &pwdata, &errlog);
-
-	    if (rv != SECSuccess) {
-		failed = 1;
-		if (errlog.count > 0) {
-		    PR_fprintf(outputFD,
-		        "**Certificate validation failed for the "
-		        "following reason(s):**\n");
-		} else {
-		    PR_fprintf(outputFD, "**Certificate validation failed**");
-		}
-	    } else {
-		PR_fprintf(outputFD, "This certificate is valid.\n");
-	    }
-	    displayVerifyLog(&errlog);
-
-
-	} else {
-	    failed = 1;
-	    PR_fprintf(outputFD,
-	        "The certificate with nickname \"%s\" was NOT FOUND\n", key);
-	}
-    }
-
-    if (errlog.arena != NULL) {
-	PORT_FreeArena(errlog.arena, PR_FALSE);
-    }
-
-    if (failed) {
-	return - 1;
-    }
-    return 0;
-}
-
-
-/********************************************************************
- *
- * c e r t _ t r a v _ c a l l b a c k
- */
-static SECStatus
-cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data)
-{
-    int	list_certs = 1;
-    char *name;
-
-    if (data) {
-	list_certs = *((int * )data);
-    }
-
-#define LISTING_USER_SIGNING_CERTS (list_certs == 1)
-#define LISTING_ALL_CERTS          (list_certs == 2)
-
-    name = cert->nickname;
-    if (name) {
-    	int     isSigningCert;
-
-	isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING;
-	if (!isSigningCert && LISTING_USER_SIGNING_CERTS)
-	    return (SECSuccess);
-
-	/* Display this name or email address */
-	num_trav_certs++;
-
-	if (LISTING_ALL_CERTS) {
-	    PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " ");
-	}
-	PR_fprintf(outputFD, "%s\n", name);
-
-	if (LISTING_USER_SIGNING_CERTS) {
-	    int rv = SECFailure;
-	    if (rv) {
-		CERTCertificate * issuerCert;
-		issuerCert = CERT_FindCertIssuer(cert, PR_Now(),
-						 certUsageObjectSigner);
-		if (issuerCert) {
-		    if (issuerCert->nickname && issuerCert->nickname[0]) {
-			PR_fprintf(outputFD, "    Issued by: %s\n",
-			     issuerCert->nickname);
-			rv = SECSuccess;
-		    }
-		    CERT_DestroyCertificate(issuerCert);
-		}
-	    }
-	    if (rv && cert->issuerName && cert->issuerName[0]) {
-		PR_fprintf(outputFD, "    Issued by: %s \n", cert->issuerName);
-	    }
-	    {
-		char *expires;
-		expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
-		if (expires) {
-		    PR_fprintf(outputFD, "    Expires: %s\n", expires);
-		    PORT_Free(expires);
-		}
-	    }
-
-	    rv = CERT_VerifyCertNow (cert->dbhandle, cert,
-		PR_TRUE, certUsageObjectSigner, &pwdata);
-
-	    if (rv != SECSuccess) {
-		rv = PORT_GetError();
-		PR_fprintf(outputFD,
-		"    ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n",
-						secErrorString(rv));            
-	    }
-	}
-    }
-
-    return (SECSuccess);
-}
-
-
diff --git a/security/nss/cmd/signtool/manifest.mn b/security/nss/cmd/signtool/manifest.mn
deleted file mode 100644
index df3a55908..000000000
--- a/security/nss/cmd/signtool/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS = 
-
-CSRCS = signtool.c		\
-		certgen.c	\
-		javascript.c	\
-		list.c		\
-		sign.c		\
-		util.c		\
-		verify.c	\
-		zip.c		\
-	$(NULL)
-
-PROGRAM =  signtool
-
-REQUIRES = seccmd
-
-EXTRA_LIBS = $(JAR_LIBS)
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
deleted file mode 100644
index 93b2d552a..000000000
--- a/security/nss/cmd/signtool/sign.c
+++ /dev/null
@@ -1,869 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-#include "zip.h" 
-#include "prmem.h"
-#include "blapi.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-
-static int	create_pk7 (char *dir, char *keyName, int *keyType);
-static int	jar_find_key_type (CERTCertificate *cert);
-static int	manifesto (char *dirname, char *install_script, PRBool recurse);
-static int	manifesto_fn(char *relpath, char *basedir, char *reldir,
-			char *filename, void *arg);
-static int	manifesto_xpi_fn(char *relpath, char *basedir, char *reldir,
-			char *filename, void *arg);
-static int	sign_all_arc_fn(char *relpath, char *basedir, char *reldir,
-			char *filename, void *arg);
-static int	add_meta (FILE *fp, char *name);
-static int	SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert);
-static int	generate_SF_file (char *manifile, char *who);
-static int	calculate_MD5_range (FILE *fp, long r1, long r2, 
-			JAR_Digest *dig);
-static void	SignOut (void *arg, const char *buf, unsigned long len);
-
-static char	*metafile = NULL;
-static int	optimize = 0;
-static FILE *mf;
-static ZIPfile *zipfile = NULL;
-
-/* 
- *  S i g n A r c h i v e
- *
- *  Sign an individual archive tree. A directory 
- *  called META-INF is created underneath this.
- *
- */
-int
-SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
-	char *meta_file, char *install_script, int _optimize, PRBool recurse)
-{
-    int	status;
-    char	tempfn [FNSIZE], fullfn [FNSIZE];
-    int	keyType = rsaKey;
-
-    metafile = meta_file;
-    optimize = _optimize;
-
-    /* To create XPI compatible Archive manifesto() must be run before 
-     * the zipfile is opened. This is so the signed files are not added
-     * the archive before the crucial rsa/dsa file*/
-    if (xpi_arc) {
-	manifesto (tree, install_script, recurse);
-    }
-
-    if (zip_file) {
-	zipfile = JzipOpen(zip_file, NULL /*no comment*/);
-    }
-
-    /*Sign and add files to the archive normally with manifesto()*/
-    if (!xpi_arc) {
-	manifesto (tree, install_script, recurse);
-    }
-
-    if (keyName) {
-	status = create_pk7 (tree, keyName, &keyType);
-	if (status < 0) {
-	    PR_fprintf(errorFD, "the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
-	         tree);
-	    errorCount++;
-	    exit (ERRX);
-	}
-    }
-
-    /* Add the rsa/dsa file as the first file in the archive. This is crucial
-     * for a XPInstall compatible archive */
-    if (xpi_arc) {
-	if (verbosity >= 0) {
-	    PR_fprintf(outputFD, "%s \n", XPI_TEXT);
-	}
-
-	/* rsa/dsa to zip */
-	sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
-	    "dsa" : "rsa"));
-	sprintf (fullfn, "%s/%s", tree, tempfn);
-	JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
-	/* Loop through all files & subdirectories, add to archive */
-	foreach (tree, "", manifesto_xpi_fn, recurse, PR_FALSE /*include dirs */,
-	     		(void * )NULL);
-    }
-    /* mf to zip */
-    strcpy (tempfn, "META-INF/manifest.mf");
-    sprintf (fullfn, "%s/%s", tree, tempfn);
-    JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
-    /* sf to zip */
-    sprintf (tempfn, "META-INF/%s.sf", base);
-    sprintf (fullfn, "%s/%s", tree, tempfn);
-    JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
-    /* Add the rsa/dsa file to the zip archive normally */
-    if (!xpi_arc) {
-	/* rsa/dsa to zip */
-	sprintf (tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ?
-	    "dsa" : "rsa"));
-	sprintf (fullfn, "%s/%s", tree, tempfn);
-	JzipAdd(fullfn, tempfn, zipfile, compression_level);
-    }
-
-    JzipClose(zipfile);
-
-    if (verbosity >= 0) {
-	if (javascript) {
-	    PR_fprintf(outputFD, "jarfile \"%s\" signed successfully\n",
-	         				zip_file);
-	} else {
-	    PR_fprintf(outputFD, "tree \"%s\" signed successfully\n",
-	         tree);
-	}
-    }
-
-    return 0;
-}
-
-
-typedef struct {
-    char	*keyName;
-    int	javascript;
-    char	*metafile;
-    char	*install_script;
-    int	optimize;
-} SignArcInfo;
-
-/* 
- *  S i g n A l l A r c
- *
- *  Javascript may generate multiple .arc directories, one
- *  for each jar archive needed. Sign them all.
- *
- */
-int
-SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
-char *install_script, int optimize, PRBool recurse)
-{
-    SignArcInfo info;
-
-    info.keyName = keyName;
-    info.javascript = javascript;
-    info.metafile = metafile;
-    info.install_script = install_script;
-    info.optimize = optimize;
-
-    return foreach(jartree, "", sign_all_arc_fn, recurse,
-        PR_TRUE /*include dirs*/, (void * )&info);
-}
-
-
-static int	
-sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
- 	void *arg)
-{
-    char	*zipfile = NULL;
-    char	*arc = NULL, *archive = NULL;
-    int	retval = 0;
-    SignArcInfo * infop = (SignArcInfo * )arg;
-
-    /* Make sure there is one and only one ".arc" in the relative path, 
-     * and that it is at the end of the path (don't sign .arcs within .arcs) */
-    if ( (PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) -
-        4) && 
-        (PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4) ) {
-
-	if (!infop) {
-	    PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
-	    errorCount++;
-	    retval = -1;
-	    goto finish;
-	}
-	archive = PR_smprintf("%s/%s", basedir, relpath);
-
-	zipfile = PL_strdup(archive);
-	arc = PORT_Strrchr (zipfile, '.');
-
-	if (arc == NULL) {
-	    PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
-	    errorCount++;
-	    retval = -1;
-	    goto finish;
-	}
-
-	PL_strcpy (arc, ".jar");
-
-	if (verbosity >= 0) {
-	    PR_fprintf(outputFD, "\nsigning: %s\n", zipfile);
-	}
-	retval = SignArchive(archive, infop->keyName, zipfile,
-	    infop->javascript, infop->metafile, infop->install_script,
-	     			infop->optimize, PR_TRUE /* recurse */);
-    }
-finish:
-    if (archive) 
-	PR_Free(archive);
-    if (zipfile) 
-	PR_Free(zipfile);
-
-    return retval;
-}
-
-
-/*********************************************************************
- *
- * c r e a t e _ p k 7
- */
-static int	
-create_pk7 (char *dir, char *keyName, int *keyType)
-{
-    int	status = 0;
-    char	*file_ext;
-
-    CERTCertificate * cert;
-    CERTCertDBHandle * db;
-
-    FILE * in, *out;
-
-    char	sf_file [FNSIZE];
-    char	pk7_file [FNSIZE];
-
-    /* open cert database */
-    db = CERT_GetDefaultCertDB();
-
-    if (db == NULL)
-	return - 1;
-
-    /* find cert */
-    /*cert = CERT_FindCertByNicknameOrEmailAddr(db, keyName);*/
-    cert = PK11_FindCertFromNickname(keyName, &pwdata);
-
-    if (cert == NULL) {
-	SECU_PrintError ( PROGRAM_NAME,
-	    "Cannot find the cert \"%s\"", keyName);
-	return -1;
-    }
-
-
-    /* determine the key type, which sets the extension for pkcs7 object */
-
-    *keyType = jar_find_key_type (cert);
-    file_ext = (*keyType == dsaKey) ? "dsa" : "rsa";
-
-    sprintf (sf_file, "%s/META-INF/%s.sf", dir, base);
-    sprintf (pk7_file, "%s/META-INF/%s.%s", dir, base, file_ext);
-
-    if ((in = fopen (sf_file, "rb")) == NULL) {
-	PR_fprintf(errorFD, "%s: Can't open %s for reading\n", PROGRAM_NAME,
-	     sf_file);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if ((out = fopen (pk7_file, "wb")) == NULL) {
-	PR_fprintf(errorFD, "%s: Can't open %s for writing\n", PROGRAM_NAME,
-	     sf_file);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    status = SignFile (out, in, cert);
-
-    CERT_DestroyCertificate (cert);
-    fclose (in);
-    fclose (out);
-
-    if (status) {
-	PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
-	    PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
-	errorCount++;
-	return - 1;
-    }
-
-    return 0;
-}
-
-
-/*
- *  j a r _ f i n d _ k e y _ t y p e
- * 
- *  Determine the key type for a given cert, which 
- * should be rsaKey or dsaKey. Any error return 0.
- *
- */
-static int	
-jar_find_key_type (CERTCertificate *cert)
-{
-    SECKEYPrivateKey * privk = NULL;
-    KeyType keyType;
-
-    /* determine its type */
-    privk = PK11_FindKeyByAnyCert (cert, &pwdata);
-    if (privk == NULL) {
-	PR_fprintf(errorFD, "warning - can't find private key for this cert\n");
-	warningCount++;
-	return 0;
-    }
-
-    keyType = privk->keyType;
-    SECKEY_DestroyPrivateKey (privk);
-    return keyType;
-}
-
-
-/*
- *  m a n i f e s t o
- *
- *  Run once for every subdirectory in which a 
- *  manifest is to be created -- usually exactly once.
- *
- */
-static int	
-manifesto (char *dirname, char *install_script, PRBool recurse)
-{
-    char	metadir [FNSIZE], sfname [FNSIZE];
-
-    /* Create the META-INF directory to hold signing info */
-
-    if (PR_Access (dirname, PR_ACCESS_READ_OK)) {
-	PR_fprintf(errorFD, "%s: unable to read your directory: %s\n",
-	     PROGRAM_NAME, dirname);
-	errorCount++;
-	perror (dirname);
-	exit (ERRX);
-    }
-
-    if (PR_Access (dirname, PR_ACCESS_WRITE_OK)) {
-	PR_fprintf(errorFD, "%s: unable to write to your directory: %s\n",
-	     			PROGRAM_NAME, dirname);
-	errorCount++;
-	perror(dirname);
-	exit(ERRX);
-    }
-
-    sprintf (metadir, "%s/META-INF", dirname);
-
-    strcpy (sfname, metadir);
-
-    PR_MkDir (metadir, 0777);
-
-    strcat (metadir, "/");
-    strcat (metadir, MANIFEST);
-
-    if ((mf = fopen (metadir, "wb")) == NULL) {
-	perror (MANIFEST);
-	PR_fprintf(errorFD, "%s: Probably, the directory you are trying to"
-			    " sign has\n", PROGRAM_NAME);
-	PR_fprintf(errorFD, "%s: permissions problems or may not exist.\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "Generating %s file..\n", metadir);
-    }
-
-    fprintf(mf, "Manifest-Version: 1.0\n");
-    fprintf (mf, "Created-By: %s\n", CREATOR);
-    fprintf (mf, "Comments: %s\n", BREAKAGE);
-
-    if (scriptdir) {
-	fprintf (mf, "Comments: --\n");
-	fprintf (mf, "Comments: --\n");
-	fprintf (mf, "Comments: -- This archive signs Javascripts which may not necessarily\n");
-	fprintf (mf, "Comments: -- be included in the physical jar file.\n");
-	fprintf (mf, "Comments: --\n");
-	fprintf (mf, "Comments: --\n");
-    }
-
-    if (install_script)
-	fprintf (mf, "Install-Script: %s\n", install_script);
-
-    if (metafile)
-	add_meta (mf, "+");
-
-    /* Loop through all files & subdirectories */
-    foreach (dirname, "", manifesto_fn, recurse, PR_FALSE /*include dirs */,
-         		(void * )NULL);
-
-    fclose (mf);
-
-    strcat (sfname, "/");
-    strcat (sfname, base);
-    strcat (sfname, ".sf");
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "Generating %s.sf file..\n", base);
-    }
-    generate_SF_file (metadir, sfname);
-
-    return 0;
-}
-
-
-/*
- *  m a n i f e s t o _ x p i _ f n
- *
- *  Called by pointer from SignArchive(), once for
- *  each file within the directory. This function
- *  is only used for adding to XPI compatible archive
- *
- */
-static int	manifesto_xpi_fn 
-(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
-{
-    char	fullname [FNSIZE];
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "--> %s\n", relpath);
-    }
-
-    /* extension matching */
-    if (extensionsGiven) {
-	char	*ext = PL_strrchr(relpath, '.');
-	if (!ext) 
-	    return 0;
-	if (!PL_HashTableLookup(extensions, ext)) 
-	    return 0;
-    }
-    sprintf (fullname, "%s/%s", basedir, relpath);
-    JzipAdd(fullname, relpath, zipfile, compression_level);
-
-    return 0;
-}
-
-
-/*
- *  m a n i f e s t o _ f n
- *
- *  Called by pointer from manifesto(), once for
- *  each file within the directory.
- *
- */
-static int	manifesto_fn 
-(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
-{
-    int	use_js;
-
-    JAR_Digest dig;
-    char	fullname [FNSIZE];
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "--> %s\n", relpath);
-    }
-
-    /* extension matching */
-    if (extensionsGiven) {
-	char	*ext = PL_strrchr(relpath, '.');
-	if (!ext) 
-	    return 0;
-	if (!PL_HashTableLookup(extensions, ext)) 
-	    return 0;
-    }
-
-    sprintf (fullname, "%s/%s", basedir, relpath);
-
-    fprintf (mf, "\n");
-
-    use_js = 0;
-
-    if (scriptdir && !PORT_Strcmp (scriptdir, reldir))
-	use_js++;
-
-    /* sign non-.js files inside .arc directories using the javascript magic */
-
-    if ( (PL_strcaserstr(filename, ".js") != filename + strlen(filename) - 3)
-         && (PL_strcaserstr(reldir, ".arc") == reldir + strlen(filename) - 4))
-	use_js++;
-
-    if (use_js) {
-	fprintf (mf, "Name: %s\n", filename);
-	fprintf (mf, "Magic: javascript\n");
-
-	if (optimize == 0)
-	    fprintf (mf, "javascript.id: %s\n", filename);
-
-	if (metafile)
-	    add_meta (mf, filename);
-    } else {
-	fprintf (mf, "Name: %s\n", relpath);
-	if (metafile)
-	    add_meta (mf, relpath);
-    }
-
-    JAR_digest_file (fullname, &dig);
-
-
-    if (optimize == 0) {
-	fprintf (mf, "Digest-Algorithms: MD5 SHA1\n");
-	fprintf (mf, "MD5-Digest: %s\n", BTOA_DataToAscii (dig.md5,
-	     MD5_LENGTH));
-    }
-
-    fprintf (mf, "SHA1-Digest: %s\n", BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
-
-    if (!use_js) {
-	JzipAdd(fullname, relpath, zipfile, compression_level);
-    }
-
-    return 0;
-}
-
-
-/*
- *  a d d _ m e t a
- *
- *  Parse the metainfo file, and add any details
- *  necessary to the manifest file. In most cases you
- *  should be using the -i option (ie, for SmartUpdate).
- *
- */
-static int	add_meta (FILE *fp, char *name)
-{
-    FILE * met;
-    char	buf [BUFSIZ];
-
-    int	place;
-    char	*pattern, *meta;
-
-    int	num = 0;
-
-    if ((met = fopen (metafile, "r")) != NULL) {
-	while (fgets (buf, BUFSIZ, met)) {
-	    char	*s;
-
-	    for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
-		;
-	    *s = 0;
-
-	    if (*buf == 0)
-		continue;
-
-	    pattern = buf;
-
-	    /* skip to whitespace */
-	    for (s = buf; *s && *s != ' ' && *s != '\t'; s++)
-		;
-
-	    /* terminate pattern */
-	    if (*s == ' ' || *s == '\t') 
-		*s++ = 0;
-
-	    /* eat through whitespace */
-	    while (*s == ' ' || *s == '\t') 
-		s++;
-
-	    meta = s;
-
-	    /* this will eventually be regexp matching */
-
-	    place = 0;
-	    if (!PORT_Strcmp (pattern, name))
-		place = 1;
-
-	    if (place) {
-		num++;
-		if (verbosity >= 0) {
-		    PR_fprintf(outputFD, "[%s] %s\n", name, meta);
-		}
-		fprintf (fp, "%s\n", meta);
-	    }
-	}
-	fclose (met);
-    } else {
-	PR_fprintf(errorFD, "%s: can't open metafile: %s\n", PROGRAM_NAME,
-	     metafile);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    return num;
-}
-
-
-/**********************************************************************
- *
- * S i g n F i l e
- */
-static int	
-SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
-{
-    int	nb;
-    char	ibuf[4096], digestdata[32];
-    const SECHashObject *hashObj;
-    void	*hashcx;
-    unsigned int	len;
-
-    SECItem digest;
-    SEC_PKCS7ContentInfo * cinfo;
-    SECStatus rv;
-
-    if (outFile == NULL || inFile == NULL || cert == NULL)
-	return - 1;
-
-    /* XXX probably want to extend interface to allow other hash algorithms */
-    hashObj = HASH_GetHashObject(HASH_AlgSHA1);
-
-    hashcx = (*hashObj->create)();
-    if (hashcx == NULL)
-	return - 1;
-
-    (*hashObj->begin)(hashcx);
-
-    for (; ; ) {
-	if (feof(inFile)) 
-	    break;
-	nb = fread(ibuf, 1, sizeof(ibuf), inFile);
-	if (nb == 0) {
-	    if (ferror(inFile)) {
-		PORT_SetError(SEC_ERROR_IO);
-		(*hashObj->destroy)(hashcx, PR_TRUE);
-		return - 1;
-	    }
-	    /* eof */
-	    break;
-	}
-	(*hashObj->update)(hashcx, (unsigned char *) ibuf, nb);
-    }
-
-    (*hashObj->end)(hashcx, (unsigned char *) digestdata, &len, 32);
-    (*hashObj->destroy)(hashcx, PR_TRUE);
-
-    digest.data = (unsigned char *) digestdata;
-    digest.len = len;
-
-    cinfo = SEC_PKCS7CreateSignedData 
-        (cert, certUsageObjectSigner, NULL, 
-        SEC_OID_SHA1, &digest, NULL, NULL);
-
-    if (cinfo == NULL)
-	return - 1;
-
-    rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return - 1;
-    }
-
-    if (no_time == 0) {
-	rv = SEC_PKCS7AddSigningTime (cinfo);
-	if (rv != SECSuccess) {
-	    /* don't check error */
-	}
-    }
-
-    rv = SEC_PKCS7Encode(cinfo, SignOut, outFile, NULL, NULL, &pwdata);
-
-    SEC_PKCS7DestroyContentInfo (cinfo);
-
-    if (rv != SECSuccess)
-	return - 1;
-
-    return 0;
-}
-
-
-/*
- *  g e n e r a t e _ S F _ f i l e 
- *
- *  From the supplied manifest file, calculates
- *  digests on the various sections, creating a .SF
- *  file in the process.
- * 
- */
-static int	generate_SF_file (char *manifile, char *who)
-{
-    FILE * sf;
-    FILE * mf;
-    long	r1, r2, r3;
-    char	whofile [FNSIZE];
-    char	*buf, *name = NULL;
-    JAR_Digest dig;
-    int	line = 0;
-
-    strcpy (whofile, who);
-
-    if ((mf = fopen (manifile, "rb")) == NULL) {
-	perror (manifile);
-	exit (ERRX);
-    }
-
-    if ((sf = fopen (whofile, "wb")) == NULL) {
-	perror (who);
-	exit (ERRX);
-    }
-
-    buf = (char *) PORT_ZAlloc (BUFSIZ);
-
-    if (buf)
-	name = (char *) PORT_ZAlloc (BUFSIZ);
-
-    if (buf == NULL || name == NULL)
-	out_of_memory();
-
-    fprintf (sf, "Signature-Version: 1.0\n");
-    fprintf (sf, "Created-By: %s\n", CREATOR);
-    fprintf (sf, "Comments: %s\n", BREAKAGE);
-
-    if (fgets (buf, BUFSIZ, mf) == NULL) {
-	PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if (strncmp (buf, "Manifest-Version:", 17)) {
-	PR_fprintf(errorFD, "%s: not a manifest file!\n", PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    fseek (mf, 0L, SEEK_SET);
-
-    /* Process blocks of headers, and calculate their hashen */
-
-    while (1) {
-	/* Beginning range */
-	r1 = ftell (mf);
-
-	if (fgets (name, BUFSIZ, mf) == NULL)
-	    break;
-
-	line++;
-
-	if (r1 != 0 && strncmp (name, "Name:", 5)) {
-	    PR_fprintf(errorFD, 
-	    "warning: unexpected input in manifest file \"%s\" at line %d:\n",
-	         manifile, line);
-	    PR_fprintf(errorFD, "%s\n", name);
-	    warningCount++;
-	}
-
-	r2 = r1;
-	while (fgets (buf, BUFSIZ, mf)) {
-	    if (*buf == 0 || *buf == '\n' || *buf == '\r')
-		break;
-
-	    line++;
-
-	    /* Ending range for hashing */
-	    r2 = ftell (mf);
-	}
-
-	r3 = ftell (mf);
-
-	if (r1) {
-	    fprintf (sf, "\n");
-	    fprintf (sf, "%s", name);
-	}
-
-	calculate_MD5_range (mf, r1, r2, &dig);
-
-	if (optimize == 0) {
-	    fprintf (sf, "Digest-Algorithms: MD5 SHA1\n");
-	    fprintf (sf, "MD5-Digest: %s\n", 
-	        BTOA_DataToAscii (dig.md5, MD5_LENGTH));
-	}
-
-	fprintf (sf, "SHA1-Digest: %s\n", 
-	    BTOA_DataToAscii (dig.sha1, SHA1_LENGTH));
-
-	/* restore normalcy after changing offset position */
-	fseek (mf, r3, SEEK_SET);
-    }
-
-    PORT_Free (buf);
-    PORT_Free (name);
-
-    fclose (sf);
-    fclose (mf);
-
-    return 0;
-}
-
-
-/*
- *  c a l c u l a t e _ M D 5 _ r a n g e
- *
- *  Calculate the MD5 digest on a range of bytes in
- *  the specified fopen'd file. Returns base64.
- *
- */
-static int	
-calculate_MD5_range (FILE *fp, long r1, long r2, JAR_Digest *dig)
-{
-    int	num;
-    int	range;
-    unsigned char	*buf;
-    SECStatus rv;
-
-    range = r2 - r1;
-
-    /* position to the beginning of range */
-    fseek (fp, r1, SEEK_SET);
-
-    buf = (unsigned char *) PORT_ZAlloc (range);
-    if (buf == NULL)
-	out_of_memory();
-
-    if ((num = fread (buf, 1, range, fp)) != range) {
-	PR_fprintf(errorFD, "%s: expected %d bytes, got %d\n", PROGRAM_NAME,
-	     		range, num);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    rv = PK11_HashBuf(SEC_OID_MD5, dig->md5, buf, range);
-    if (rv == SECSuccess) {
-	rv =PK11_HashBuf(SEC_OID_SHA1, dig->sha1, buf, range);
-    }
-    if (rv != SECSuccess) {
-	PR_fprintf(errorFD, "%s: can't generate digest context\n",
-	     PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    PORT_Free (buf);
-
-    return 0;
-}
-
-
-static void	SignOut (void *arg, const char *buf, unsigned long len)
-{
-    fwrite (buf, len, 1, (FILE * ) arg);
-}
-
-
diff --git a/security/nss/cmd/signtool/signtool.c b/security/nss/cmd/signtool/signtool.c
deleted file mode 100644
index 881a4e92d..000000000
--- a/security/nss/cmd/signtool/signtool.c
+++ /dev/null
@@ -1,1108 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  SIGNTOOL
- *
- *  A command line tool to create manifest files
- *  from a directory hierarchy. It is assumed that
- *  the tree will be equivalent to what resides
- *  or will reside in an archive. 
- *
- * 
- */
-
-#include "nss.h"
-#include "signtool.h"
-#include "prmem.h"
-#include "prio.h"
-
-/***********************************************************************
- * Global Variable Definitions
- */
-char	*progName; /* argv[0] */
-
-/* password data */
-secuPWData  pwdata = { PW_NONE, 0 };
-
-/* directories or files to exclude in descent */
-PLHashTable *excludeDirs = NULL;
-static PRBool exclusionsGiven = PR_FALSE;
-
-/* zatharus is the man who knows no time, dies tragic death */
-int	no_time = 0;
-
-/* -b basename of .rsa, .sf files */
-char	*base = DEFAULT_BASE_NAME;
-
-/* Only sign files with this extension */
-PLHashTable *extensions = NULL;
-PRBool extensionsGiven = PR_FALSE;
-
-char	*scriptdir = NULL;
-
-int	verbosity = 0;
-
-PRFileDesc *outputFD = NULL, *errorFD = NULL;
-
-int	errorCount = 0, warningCount = 0;
-
-int	compression_level = DEFAULT_COMPRESSION_LEVEL;
-PRBool compression_level_specified = PR_FALSE;
-
-int	xpi_arc = 0;
-
-/* Command-line arguments */
-static char	*genkey = NULL;
-static char	*verify = NULL;
-static char	*zipfile = NULL;
-static char	*cert_dir = NULL;
-static int	javascript = 0;
-static char	*jartree = NULL;
-static char	*keyName = NULL;
-static char	*metafile = NULL;
-static char	*install_script = NULL;
-static int	list_certs = 0;
-static int	list_modules = 0;
-static int	optimize = 0;
-static int	enableOCSP = 0;
-static char	*tell_who = NULL;
-static char	*outfile = NULL;
-static char	*cmdFile = NULL;
-static PRBool noRecurse = PR_FALSE;
-static PRBool leaveArc = PR_FALSE;
-static int	keySize = -1;
-static char	*token = NULL;
-
-typedef enum {
-    UNKNOWN_OPT,
-    HELP_OPT,
-    LONG_HELP_OPT,
-    BASE_OPT,
-    COMPRESSION_OPT,
-    CERT_DIR_OPT,
-    EXTENSION_OPT,
-    INSTALL_SCRIPT_OPT,
-    SCRIPTDIR_OPT,
-    CERTNAME_OPT,
-    LIST_OBJSIGN_CERTS_OPT,
-    LIST_ALL_CERTS_OPT,
-    METAFILE_OPT,
-    OPTIMIZE_OPT,
-    ENABLE_OCSP_OPT,
-    PASSWORD_OPT,
-    VERIFY_OPT,
-    WHO_OPT,
-    EXCLUDE_OPT,
-    NO_TIME_OPT,
-    JAVASCRIPT_OPT,
-    ZIPFILE_OPT,
-    GENKEY_OPT,
-    MODULES_OPT,
-    NORECURSE_OPT,
-    SIGNDIR_OPT,
-    OUTFILE_OPT,
-    COMMAND_FILE_OPT,
-    LEAVE_ARC_OPT,
-    VERBOSITY_OPT,
-    KEYSIZE_OPT,
-    TOKEN_OPT,
-    XPI_ARC_OPT
-} 
-
-
-OPT_TYPE;
-
-typedef enum {
-    DUPLICATE_OPTION_ERR = 0,
-    OPTION_NEEDS_ARG_ERR
-} 
-
-
-Error;
-
-static char	*errStrings[] = {
-    "warning: %s option specified more than once.\n"
-    "Only last specification will be used.\n",
-    "ERROR: option \"%s\" requires an argument.\n"
-};
-
-
-static int	ProcessOneOpt(OPT_TYPE type, char *arg);
-
-/*********************************************************************
- *
- * P r o c e s s C o m m a n d F i l e
- */
-int
-ProcessCommandFile()
-{
-    PRFileDesc * fd;
-#define CMD_FILE_BUFSIZE 1024
-    char	buf[CMD_FILE_BUFSIZE];
-    char	*equals;
-    int	linenum = 0;
-    int	retval = -1;
-    OPT_TYPE type;
-
-    fd = PR_Open(cmdFile, PR_RDONLY, 0777);
-    if (!fd) {
-	PR_fprintf(errorFD, "ERROR: Unable to open command file %s.\n");
-	errorCount++;
-	return - 1;
-    }
-
-    while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd)) {
-	char	*eol;
-	linenum++;
-
-	/* Chop off final newline */
-	eol = PL_strchr(buf, '\r');
-	if (!eol) {
-	    eol = PL_strchr(buf, '\n');
-	}
-	if (eol) 
-	    *eol = '\0';
-
-	equals = PL_strchr(buf, '=');
-	if (!equals) {
-	    continue;
-	}
-
-	*equals = '\0';
-	equals++;
-
-	/* Now buf points to the attribute, and equals points to the value. */
-
-	/* This is pretty straightforward, just deal with whatever attribute
-		 * this is */
-	if (!PL_strcasecmp(buf, "basename")) {
-	    type = BASE_OPT;
-	} else if (!PL_strcasecmp(buf, "compression")) {
-	    type = COMPRESSION_OPT;
-	} else if (!PL_strcasecmp(buf, "certdir")) {
-	    type = CERT_DIR_OPT;
-	} else if (!PL_strcasecmp(buf, "extension")) {
-	    type = EXTENSION_OPT;
-	} else if (!PL_strcasecmp(buf, "generate")) {
-	    type = GENKEY_OPT;
-	} else if (!PL_strcasecmp(buf, "installScript")) {
-	    type = INSTALL_SCRIPT_OPT;
-	} else if (!PL_strcasecmp(buf, "javascriptdir")) {
-	    type = SCRIPTDIR_OPT;
-	} else if (!PL_strcasecmp(buf, "htmldir")) {
-	    type = JAVASCRIPT_OPT;
-	    if (jartree) {
-		PR_fprintf(errorFD,
-		    "warning: directory to be signed specified more than once."
-		    " Only last specification will be used.\n");
-		warningCount++;
-		PR_Free(jartree); 
-		jartree = NULL;
-	    }
-	    jartree = PL_strdup(equals);
-	} else if (!PL_strcasecmp(buf, "certname")) {
-	    type = CERTNAME_OPT;
-	} else if (!PL_strcasecmp(buf, "signdir")) {
-	    type = SIGNDIR_OPT;
-	} else if (!PL_strcasecmp(buf, "list")) {
-	    type = LIST_OBJSIGN_CERTS_OPT;
-	} else if (!PL_strcasecmp(buf, "listall")) {
-	    type = LIST_ALL_CERTS_OPT;
-	} else if (!PL_strcasecmp(buf, "metafile")) {
-	    type = METAFILE_OPT;
-	} else if (!PL_strcasecmp(buf, "modules")) {
-	    type = MODULES_OPT;
-	} else if (!PL_strcasecmp(buf, "optimize")) {
-	    type = OPTIMIZE_OPT;
-	} else if (!PL_strcasecmp(buf, "ocsp")) {
-	    type = ENABLE_OCSP_OPT;
-	} else if (!PL_strcasecmp(buf, "password")) {
-	    type = PASSWORD_OPT;
-	} else if (!PL_strcasecmp(buf, "verify")) {
-	    type = VERIFY_OPT;
-	} else if (!PL_strcasecmp(buf, "who")) {
-	    type = WHO_OPT;
-	} else if (!PL_strcasecmp(buf, "exclude")) {
-	    type = EXCLUDE_OPT;
-	} else if (!PL_strcasecmp(buf, "notime")) {
-	    type = NO_TIME_OPT;
-	} else if (!PL_strcasecmp(buf, "jarfile")) {
-	    type = ZIPFILE_OPT;
-	} else if (!PL_strcasecmp(buf, "outfile")) {
-	    type = OUTFILE_OPT;
-	} else if (!PL_strcasecmp(buf, "leavearc")) {
-	    type = LEAVE_ARC_OPT;
-	} else if (!PL_strcasecmp(buf, "verbosity")) {
-	    type = VERBOSITY_OPT;
-	} else if (!PL_strcasecmp(buf, "keysize")) {
-	    type = KEYSIZE_OPT;
-	} else if (!PL_strcasecmp(buf, "token")) {
-	    type = TOKEN_OPT;
-	} else if (!PL_strcasecmp(buf, "xpi")) {
-	    type = XPI_ARC_OPT;
-	} else {
-	    PR_fprintf(errorFD,
-	        "warning: unknown attribute \"%s\" in command file, line %d.\n",
-	         					buf, linenum);
-	    warningCount++;
-	    type = UNKNOWN_OPT;
-	}
-
-	/* Process the option, whatever it is */
-	if (type != UNKNOWN_OPT) {
-	    if (ProcessOneOpt(type, equals) == -1) {
-		goto finish;
-	    }
-	}
-    }
-
-    retval = 0;
-
-finish:
-    PR_Close(fd);
-    return retval;
-}
-
-
-/*********************************************************************
- *
- * p a r s e _ a r g s
- */
-static int	
-parse_args(int argc, char *argv[])
-{
-    char	*opt;
-    char	*arg;
-    int	needsInc = 0;
-    int	i;
-    OPT_TYPE type;
-
-    /* Loop over all arguments */
-    for (i = 1; i < argc; i++) {
-	opt = argv[i];
-	arg = NULL;
-
-	if (opt[0] == '-') {
-	    if (opt[1] == '-') {
-		/* word option */
-		if (i < argc - 1) {
-		    needsInc = 1;
-		    arg = argv[i+1];
-		} else {
-		    arg = NULL;
-		}
-
-		if ( !PL_strcasecmp(opt + 2, "norecurse")) {
-		    type = NORECURSE_OPT;
-		} else if ( !PL_strcasecmp(opt + 2, "leavearc")) {
-		    type = LEAVE_ARC_OPT;
-		} else if ( !PL_strcasecmp(opt + 2, "verbosity")) {
-		    type = VERBOSITY_OPT;
-		} else if ( !PL_strcasecmp(opt + 2, "outfile")) {
-		    type = OUTFILE_OPT;
-		} else if ( !PL_strcasecmp(opt + 2, "keysize")) {
-		    type = KEYSIZE_OPT;
-		} else if ( !PL_strcasecmp(opt + 2, "token")) {
-		    type = TOKEN_OPT;
-		} else {
-		    PR_fprintf(errorFD, "warning: unknown option: %s\n",
-		         opt);
-		    warningCount++;
-		    type = UNKNOWN_OPT;
-		}
-	    } else {
-		/* char option */
-		if (opt[2] != '\0') {
-		    arg = opt + 2;
-		} else if (i < argc - 1) {
-		    needsInc = 1;
-		    arg = argv[i+1];
-		} else {
-		    arg = NULL;
-		}
-
-		switch (opt[1]) {
-		case 'b':
-		    type = BASE_OPT;
-		    break;
-		case 'c':
-		    type = COMPRESSION_OPT;
-		    break;
-		case 'd':
-		    type = CERT_DIR_OPT;
-		    break;
-		case 'e':
-		    type = EXTENSION_OPT;
-		    break;
-		case 'f':
-		    type = COMMAND_FILE_OPT;
-		    break;
-		case 'h':
-		    type = HELP_OPT;
-		    break;
-		case 'H':
-		    type = LONG_HELP_OPT;
-		    break;
-		case 'i':
-		    type = INSTALL_SCRIPT_OPT;
-		    break;
-		case 'j':
-		    type = SCRIPTDIR_OPT;
-		    break;
-		case 'k':
-		    type = CERTNAME_OPT;
-		    break;
-		case 'l':
-		    type = LIST_OBJSIGN_CERTS_OPT;
-		    break;
-		case 'L':
-		    type = LIST_ALL_CERTS_OPT;
-		    break;
-		case 'm':
-		    type = METAFILE_OPT;
-		    break;
-		case 'o':
-		    type = OPTIMIZE_OPT;
-		    break;
-		case 'O':
-		    type = ENABLE_OCSP_OPT;
-		    break;
-		case 'p':
-		    type = PASSWORD_OPT;
-		    break;
-		case 'v':
-		    type = VERIFY_OPT;
-		    break;
-		case 'w':
-		    type = WHO_OPT;
-		    break;
-		case 'x':
-		    type = EXCLUDE_OPT;
-		    break;
-		case 'X':
-		    type = XPI_ARC_OPT;
-		    break;
-		case 'z':
-		    type = NO_TIME_OPT;
-		    break;
-		case 'J':
-		    type = JAVASCRIPT_OPT;
-		    break;
-		case 'Z':
-		    type = ZIPFILE_OPT;
-		    break;
-		case 'G':
-		    type = GENKEY_OPT;
-		    break;
-		case 'M':
-		    type = MODULES_OPT;
-		    break;
-		case 's':
-		    type = KEYSIZE_OPT;
-		    break;
-		case 't':
-		    type = TOKEN_OPT;
-		    break;
-		default:
-		    type = UNKNOWN_OPT;
-		    PR_fprintf(errorFD, "warning: unrecognized option: -%c.\n",
-		         
-		        opt[1]);
-		    warningCount++;
-		    break;
-		}
-	    }
-	} else {
-	    type = UNKNOWN_OPT;
-	    if (i == argc - 1) {
-		if (jartree) {
-		    PR_fprintf(errorFD,
-		        "warning: directory to be signed specified more than once.\n"
-		        " Only last specification will be used.\n");
-		    warningCount++;
-		    PR_Free(jartree); 
-		    jartree = NULL;
-		}
-		jartree = PL_strdup(opt);
-	    } else {
-		PR_fprintf(errorFD, "warning: unrecognized option: %s\n", opt);
-		warningCount++;
-	    }
-	}
-
-	if (type != UNKNOWN_OPT) {
-	    short	ateArg = ProcessOneOpt(type, arg);
-	    if (ateArg == -1) {
-		/* error */
-		return - 1;
-	    } 
-	    if (ateArg && needsInc) {
-		i++;
-	    }
-	}
-    }
-
-    return 0;
-}
-
-
-/*********************************************************************
- *
- * P r o c e s s O n e O p t
- *
- * Since options can come from different places (command file, word options,
- * char options), this is a central function that is called to deal with
- * them no matter where they come from.
- *
- * type is the type of option.
- * arg is the argument to the option, possibly NULL.
- * Returns 1 if the argument was eaten, 0 if it wasn't, and -1 for error.
- */
-static int	
-ProcessOneOpt(OPT_TYPE type, char *arg)
-{
-    int	ate = 0;
-
-    switch (type) {
-    case HELP_OPT:
-	Usage();
-	break;
-    case LONG_HELP_OPT:
-	LongUsage();
-	break;
-    case BASE_OPT:
-	if (base) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-b");
-	    warningCount++;
-	    PR_Free(base); 
-	    base = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-b");
-	    errorCount++;
-	    goto loser;
-	}
-	base = PL_strdup(arg);
-	ate = 1;
-	break;
-    case COMPRESSION_OPT:
-	if (compression_level_specified) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-c");
-	    warningCount++;
-	}
-	if ( !arg ) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-c");
-	    errorCount++;
-	    goto loser;
-	}
-	compression_level = atoi(arg);
-	compression_level_specified = PR_TRUE;
-	ate = 1;
-	break;
-    case CERT_DIR_OPT:
-	if (cert_dir) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-d");
-	    warningCount++;
-	    PR_Free(cert_dir); 
-	    cert_dir = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-d");
-	    errorCount++;
-	    goto loser;
-	}
-	cert_dir = PL_strdup(arg);
-	ate = 1;
-	break;
-    case EXTENSION_OPT:
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"extension (-e)");
-	    errorCount++;
-	    goto loser;
-	}
-	PL_HashTableAdd(extensions, arg, arg);
-	extensionsGiven = PR_TRUE;
-	ate = 1;
-	break;
-    case INSTALL_SCRIPT_OPT:
-	if (install_script) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"installScript (-i)");
-	    warningCount++;
-	    PR_Free(install_script); 
-	    install_script = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"installScript (-i)");
-	    errorCount++;
-	    goto loser;
-	}
-	install_script = PL_strdup(arg);
-	ate = 1;
-	break;
-    case SCRIPTDIR_OPT:
-	if (scriptdir) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"javascriptdir (-j)");
-	    warningCount++;
-	    PR_Free(scriptdir); 
-	    scriptdir = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"javascriptdir (-j)");
-	    errorCount++;
-	    goto loser;
-	}
-	scriptdir = PL_strdup(arg);
-	ate = 1;
-	break;
-    case CERTNAME_OPT:
-	if (keyName) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"keyName (-k)");
-	    warningCount++;
-	    PR_Free(keyName); 
-	    keyName = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"keyName (-k)");
-	    errorCount++;
-	    goto loser;
-	}
-	keyName = PL_strdup(arg);
-	ate = 1;
-	break;
-    case LIST_OBJSIGN_CERTS_OPT:
-    case LIST_ALL_CERTS_OPT:
-	if (list_certs != 0) {
-	    PR_fprintf(errorFD,
-	        "warning: only one of -l and -L may be specified.\n");
-	    warningCount++;
-	}
-	list_certs = (type == LIST_OBJSIGN_CERTS_OPT ? 1 : 2);
-	break;
-    case METAFILE_OPT:
-	if (metafile) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"metafile (-m)");
-	    warningCount++;
-	    PR_Free(metafile); 
-	    metafile = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"metafile (-m)");
-	    errorCount++;
-	    goto loser;
-	}
-	metafile = PL_strdup(arg);
-	ate = 1;
-	break;
-    case OPTIMIZE_OPT:
-	optimize = 1;
-	break;
-    case ENABLE_OCSP_OPT:
-	enableOCSP = 1;
-	break;
-    case PASSWORD_OPT:
-	if (pwdata.data) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"password (-p)");
-	    warningCount++;
-	    PR_Free(pwdata.data); 
-	    pwdata.data = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"password (-p)");
-	    errorCount++;
-	    goto loser;
-	}
-        pwdata.source = PW_PLAINTEXT;
-	pwdata.data = PL_strdup(arg);
-	ate = 1;
-	break;
-    case VERIFY_OPT:
-	if (verify) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"verify (-v)");
-	    warningCount++;
-	    PR_Free(verify); 
-	    verify = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"verify (-v)");
-	    errorCount++;
-	    goto loser;
-	}
-	verify = PL_strdup(arg);
-	ate = 1;
-	break;
-    case WHO_OPT:
-	if (tell_who) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"who (-v)");
-	    warningCount++;
-	    PR_Free(tell_who); 
-	    tell_who = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"who (-w)");
-	    errorCount++;
-	    goto loser;
-	}
-	tell_who = PL_strdup(arg);
-	ate = 1;
-	break;
-    case EXCLUDE_OPT:
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"exclude (-x)");
-	    errorCount++;
-	    goto loser;
-	}
-	PL_HashTableAdd(excludeDirs, arg, arg);
-	exclusionsGiven = PR_TRUE;
-	ate = 1;
-	break;
-    case NO_TIME_OPT:
-	no_time = 1;
-	break;
-    case JAVASCRIPT_OPT:
-	javascript++;
-	break;
-    case ZIPFILE_OPT:
-	if (zipfile) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"jarfile (-Z)");
-	    warningCount++;
-	    PR_Free(zipfile); 
-	    zipfile = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"jarfile (-Z)");
-	    errorCount++;
-	    goto loser;
-	}
-	zipfile = PL_strdup(arg);
-	ate = 1;
-	break;
-    case GENKEY_OPT:
-	if (genkey) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"generate (-G)");
-	    warningCount++;
-	    PR_Free(zipfile); 
-	    zipfile = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         				"generate (-G)");
-	    errorCount++;
-	    goto loser;
-	}
-	genkey = PL_strdup(arg);
-	ate = 1;
-	break;
-    case MODULES_OPT:
-	list_modules++;
-	break;
-    case SIGNDIR_OPT:
-	if (jartree) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"signdir");
-	    warningCount++;
-	    PR_Free(jartree); 
-	    jartree = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         "signdir");
-	    errorCount++;
-	    goto loser;
-	}
-	jartree = PL_strdup(arg);
-	ate = 1;
-	break;
-    case OUTFILE_OPT:
-	if (outfile) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         				"outfile");
-	    warningCount++;
-	    PR_Free(outfile); 
-	    outfile = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         "outfile");
-	    errorCount++;
-	    goto loser;
-	}
-	outfile = PL_strdup(arg);
-	ate = 1;
-	break;
-    case COMMAND_FILE_OPT:
-	if (cmdFile) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR],
-	         "-f");
-	    warningCount++;
-	    PR_Free(cmdFile); 
-	    cmdFile = NULL;
-	}
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         "-f");
-	    errorCount++;
-	    goto loser;
-	}
-	cmdFile = PL_strdup(arg);
-	ate = 1;
-	break;
-    case NORECURSE_OPT:
-	noRecurse = PR_TRUE;
-	break;
-    case LEAVE_ARC_OPT:
-	leaveArc = PR_TRUE;
-	break;
-    case VERBOSITY_OPT:
-	if (!arg) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR],
-	         			  "--verbosity");
-	    errorCount++;
-	    goto loser;
-	}
-	verbosity = atoi(arg);
-	ate = 1;
-	break;
-    case KEYSIZE_OPT:
-	if ( keySize != -1 ) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-s");
-	    warningCount++;
-	}
-	keySize = atoi(arg);
-	ate = 1;
-	if ( keySize < 1 || keySize > MAX_RSA_KEY_SIZE ) {
-	    PR_fprintf(errorFD, "Invalid key size: %d.\n", keySize);
-	    errorCount++;
-	    goto loser;
-	}
-	break;
-    case TOKEN_OPT:
-	if ( token ) {
-	    PR_fprintf(errorFD, errStrings[DUPLICATE_OPTION_ERR], "-t");
-	    PR_Free(token); 
-	    token = NULL;
-	}
-	if ( !arg ) {
-	    PR_fprintf(errorFD, errStrings[OPTION_NEEDS_ARG_ERR], "-t");
-	    errorCount++;
-	    goto loser;
-	}
-	token = PL_strdup(arg);
-	ate = 1;
-	break;
-    case XPI_ARC_OPT:
-	xpi_arc = 1;
-	break;
-    default:
-	PR_fprintf(errorFD, "warning: unknown option\n");
-	warningCount++;
-	break;
-    }
-
-    return ate;
-loser:
-    return - 1;
-}
-
-
-/*********************************************************************
- *
- * m a i n
- */
-int
-main(int argc, char *argv[])
-{
-    PRBool readOnly;
-    int	retval = 0;
-
-    outputFD = PR_STDOUT;
-    errorFD = PR_STDERR;
-
-    progName = argv[0];
-
-    if (argc < 2) {
-	Usage();
-    }
-
-    excludeDirs = PL_NewHashTable(10, PL_HashString, PL_CompareStrings,
-         					PL_CompareStrings, NULL, NULL);
-    extensions = PL_NewHashTable(10, PL_HashString, PL_CompareStrings,
-         					PL_CompareStrings, NULL, NULL);
-
-    if (parse_args(argc, argv)) {
-	retval = -1;
-	goto cleanup;
-    }
-
-    /* Parse the command file if one was given */
-    if (cmdFile) {
-	if (ProcessCommandFile()) {
-	    retval = -1;
-	    goto cleanup;
-	}
-    }
-
-    /* Set up output redirection */
-    if (outfile) {
-	if (PR_Access(outfile, PR_ACCESS_EXISTS) == PR_SUCCESS) {
-	    /* delete the file if it is already present */
-	    PR_fprintf(errorFD,
-	        "warning: %s already exists and will be overwritten.\n",
-	         				outfile);
-	    warningCount++;
-	    if (PR_Delete(outfile) != PR_SUCCESS) {
-		PR_fprintf(errorFD, "ERROR: unable to delete %s.\n", outfile);
-		errorCount++;
-		exit(ERRX);
-	    }
-	}
-	outputFD = PR_Open(outfile,
-	    PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777);
-	if (!outputFD) {
-	    PR_fprintf(errorFD, "ERROR: Unable to create %s.\n",
-	         outfile);
-	    errorCount++;
-	    exit(ERRX);
-	}
-	errorFD = outputFD;
-    }
-
-    /* This seems to be a fairly common user error */
-
-    if (verify && list_certs > 0) {
-	PR_fprintf (errorFD, "%s: Can't use -l and -v at the same time\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    /* -J assumes -Z now */
-
-    if (javascript && zipfile) {
-	PR_fprintf (errorFD, "%s: Can't use -J and -Z at the same time\n",
-	     		PROGRAM_NAME);
-	PR_fprintf (errorFD, "%s: -J option will create the jar files for you\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    /* -X needs -Z */
-
-    if (xpi_arc && !zipfile) {
-	PR_fprintf (errorFD, "%s: option XPI (-X) requires option jarfile (-Z)\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    /* Less common mixing of -L with various options */
-
-    if (list_certs > 0 && 
-        (tell_who || zipfile || javascript || 
-        scriptdir || extensionsGiven || exclusionsGiven || install_script)) {
-	PR_fprintf(errorFD, "%s: Can't use -l or -L with that option\n",
-	     			PROGRAM_NAME);
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-
-    if (!cert_dir)
-	cert_dir = get_default_cert_dir();
-
-    VerifyCertDir(cert_dir, keyName);
-
-
-    if (	compression_level < MIN_COMPRESSION_LEVEL || 
-        compression_level > MAX_COMPRESSION_LEVEL) {
-	PR_fprintf(errorFD, "Compression level must be between %d and %d.\n",
-	     		 MIN_COMPRESSION_LEVEL, MAX_COMPRESSION_LEVEL);
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    if (jartree && !keyName) {
-	PR_fprintf(errorFD, "You must specify a key with which to sign.\n");
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    readOnly = (genkey == NULL); /* only key generation requires write */
-    if (InitCrypto(cert_dir, readOnly)) {
-	PR_fprintf(errorFD, "ERROR: Cryptographic initialization failed.\n");
-	errorCount++;
-	retval = -1;
-	goto cleanup;
-    }
-
-    if (enableOCSP) {
-	SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-	if (rv != SECSuccess) {
-	    PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
-	    errorCount++;
-	    retval = -1;
-	}
-    }
-
-    if (verify) {
-	if (VerifyJar(verify)) {
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	}
-    } else if (list_certs) {
-	if (ListCerts(keyName, list_certs)) {
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	}
-    } else if (list_modules) {
-	JarListModules();
-    } else if (genkey) {
-	if (GenerateCert(genkey, keySize, token)) {
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	}
-    } else if (tell_who) {
-	if (JarWho(tell_who)) {
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	}
-    } else if (javascript && jartree) {
-	/* make sure directory exists */
-	PRDir * dir;
-	dir = PR_OpenDir(jartree);
-	if (!dir) {
-	    PR_fprintf(errorFD, "ERROR: unable to open directory %s.\n",
-	         jartree);
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	} else {
-	    PR_CloseDir(dir);
-	}
-
-	/* undo junk from prior runs of signtool*/
-	if (RemoveAllArc(jartree)) {
-	    PR_fprintf(errorFD, "Error removing archive directories under %s\n",
-	         jartree);
-	    errorCount++;
-	    retval = -1;
-	    goto cleanup;
-	}
-
-	/* traverse all the htm|html files in the directory */
-	if (InlineJavaScript(jartree, !noRecurse)) {
-	    retval = -1;
-	    goto cleanup;
-	}
-
-	/* sign any resultant .arc directories created in above step */
-	if (SignAllArc(jartree, keyName, javascript, metafile, install_script,
-	     		optimize, !noRecurse)) {
-	    retval = -1;
-	    goto cleanup;
-	}
-
-	if (!leaveArc) {
-	    RemoveAllArc(jartree);
-	}
-
-	if (errorCount > 0 || warningCount > 0) {
-	    PR_fprintf(outputFD, "%d error%s, %d warning%s.\n",
-	         errorCount,
-	        errorCount == 1 ? "" : "s", warningCount, warningCount
-	        == 1 ? "" : "s");
-	} else {
-	    PR_fprintf(outputFD, "Directory %s signed successfully.\n",
-	         jartree);
-	}
-    } else if (jartree) {
-	SignArchive(jartree, keyName, zipfile, javascript, metafile,
-	     		install_script, optimize, !noRecurse);
-    } else
-	Usage();
-
-cleanup:
-    if (extensions) {
-	PL_HashTableDestroy(extensions); 
-	extensions = NULL;
-    }
-    if (excludeDirs) {
-	PL_HashTableDestroy(excludeDirs); 
-	excludeDirs = NULL;
-    }
-    if (outputFD != PR_STDOUT) {
-	PR_Close(outputFD);
-    }
-    rm_dash_r(TMP_OUTPUT);
-    if (retval == 0) {
-	if (NSS_Shutdown() != SECSuccess) {
-	    exit(1);
-	}
-    }
-    return retval;
-}
-
-
diff --git a/security/nss/cmd/signtool/signtool.h b/security/nss/cmd/signtool/signtool.h
deleted file mode 100644
index e05c73371..000000000
--- a/security/nss/cmd/signtool/signtool.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef SIGNTOOL_H
-#define SIGNTOOL_H
- 
-#define DJN_TEST
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "prprf.h"
-#include "prio.h"
-#include "secutil.h"
-#include "ocsp.h"
-#include "jar.h"
-#include "jarfile.h"
-#include "secpkcs7.h"
-#include "pk11func.h"
-#include "secmod.h"
-#include "plhash.h"
-#include "nss.h"
-
-#ifdef _UNIX
-#include <unistd.h> 
-#endif
-
-/**********************************************************************
- * General Defines
- */
-#define JAR_BASE_END JAR_BASE + 100
-#define ERRX (-1)	/* the exit code used on failure */
-#define FNSIZE 256	/* the maximum length for filenames */
-#define MAX_RSA_KEY_SIZE 4096
-#define DEFAULT_RSA_KEY_SIZE 1024
-#define MANIFEST "manifest.mf"
-#define DEFAULT_X509_BASENAME "x509"
-#define DEFAULT_COMMON_NAME "Signtool " NSS_VERSION " Testing Certificate"
-#define CREATOR  "Signtool (signtool " NSS_VERSION ")"
-#define BREAKAGE "PLEASE DO NOT EDIT THIS FILE. YOU WILL BREAK IT."
-#define MIN_COMPRESSION_LEVEL (-1)
-#define MAX_COMPRESSION_LEVEL 9
-#define DEFAULT_COMPRESSION_LEVEL (-1) /* zlib understands this to be default*/
-#define STDIN_BUF_SIZE 160
-#define PROGRAM_NAME	"signtool"
-#define LONG_PROGRAM_NAME "Signing Tool"
-#define DEFAULT_BASE_NAME "zigbert"
-#define TMP_OUTPUT "signtool.tmp"
-#define XPI_TEXT "Creating XPI Compatible Archive"
-
-/***************************************************************
- * Main Task Functions
- */
-int GenerateCert(char *nickname, int keysize, char *token);
-int ListCerts(char *key, int list_certs);
-int VerifyJar(char *filename);
-int SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
-	char *meta_file, char *install_script, int _optimize, PRBool recurse);
-int SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
-	char *install_script, int optimize, PRBool recurse);
-int InlineJavaScript(char *dir, PRBool recurse);
-int JarWho(char *filename);
-void JarListModules(void);
-
-/**************************************************************
- * Utility Functions
- */
-CERTCertDBHandle *OpenCertDB (PRBool readOnly);
-
-int RemoveAllArc(char *tree);
-void VerifyCertDir(char *dir, char *keyName);
-int InitCrypto(char *cert_dir, PRBool readOnly);
-int foreach (char *dirname, char *prefix,
-	int (*fn)(char *filename, char *dirname, char *basedir,char *base,void*arg),
-	PRBool recurse, PRBool includeDirs, void *arg);
-void print_error (int i);
-void give_help (int status);
-const char* secErrorString(long code);
-void displayVerifyLog(CERTVerifyLog *log);
-void Usage (void);
-void LongUsage (void);
-char* chop(char*);
-void out_of_memory(void);
-void FatalError(char *msg);
-char* get_default_cert_dir(void);
-SECItem *password_hardcode(void *arg, void *handle);
-char* pk11_password_hardcode(PK11SlotInfo *slot, PRBool retry, void *arg);
-int rm_dash_r(char *path);
-char* pr_fgets(char *buf, int size, PRFileDesc *file);
-
-
-/*****************************************************************
- * Global Variables (*gag*)
- */
-extern char *password;	/* the password passed in on the command line */
-extern PLHashTable *excludeDirs;  /* directory entry to skip while recursing */
-extern int no_time;
-extern int xpi_arc;
-extern char *base;		/* basename of ".rsa" and ".sf" files */
-extern long *mozilla_event_queue;
-extern char *progName; /* argv[0] */
-extern PLHashTable *extensions;/* only sign files with this extension */
-extern PRBool extensionsGiven;
-extern char *scriptdir;
-extern int compression_level;
-extern PRFileDesc *outputFD, *errorFD;
-extern int verbosity;
-extern int errorCount;
-extern int warningCount;
-extern secuPWData pwdata;
-
-#endif /* SIGNTOOL_H */
diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c
deleted file mode 100644
index be780d29b..000000000
--- a/security/nss/cmd/signtool/util.c
+++ /dev/null
@@ -1,1131 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-#include "prio.h"
-#include "prmem.h"
-#include "nss.h"
-
-static int	is_dir (char *filename);
-
-/***********************************************************
- * Nasty hackish function definitions
- */
-
-long	*mozilla_event_queue = 0;
-
-#ifndef XP_WIN
-char	*XP_GetString (int i)
-{
-    return SECU_ErrorStringRaw ((int16) i);
-}
-#endif
-
-void	FE_SetPasswordEnabled()
-{
-}
-
-
-void	/*MWContext*/ *FE_GetInitContext (void)
-{
-    return 0;
-}
-
-
-void	/*MWContext*/ *XP_FindSomeContext()
-{
-    /* No windows context in command tools */
-    return NULL;
-}
-
-
-void	ET_moz_CallFunction()
-{
-}
-
-
-/*
- *  R e m o v e A l l A r c
- *
- *  Remove .arc directories that are lingering
- *  from a previous run of signtool.
- *
- */
-int
-RemoveAllArc(char *tree)
-{
-    PRDir * dir;
-    PRDirEntry * entry;
-    char	*archive = NULL;
-    int	retval = 0;
-
-    dir = PR_OpenDir (tree);
-    if (!dir) 
-	return - 1;
-
-    for (entry = PR_ReadDir (dir, 0); entry; entry = PR_ReadDir (dir,
-         0)) {
-
-	if (entry->name[0] == '.') {
-	    continue;
-	}
-
-	if (archive) 
-	    PR_Free(archive);
-	archive = PR_smprintf("%s/%s", tree, entry->name);
-
-	if (PL_strcaserstr (entry->name, ".arc")
-	     == (entry->name + strlen(entry->name) - 4) ) {
-
-	    if (verbosity >= 0) {
-		PR_fprintf(outputFD, "removing: %s\n", archive);
-	    }
-
-	    if (rm_dash_r(archive)) {
-		PR_fprintf(errorFD, "Error removing %s\n", archive);
-		errorCount++;
-		retval = -1;
-		goto finish;
-	    }
-	} else if (is_dir(archive)) {
-	    if (RemoveAllArc(archive)) {
-		retval = -1;
-		goto finish;
-	    }
-	}
-    }
-
-finish:
-    PR_CloseDir (dir);
-    if (archive) 
-	PR_Free(archive);
-
-    return retval;
-}
-
-
-/*
- *  r m _ d a s h _ r
- *
- *  Remove a file, or a directory recursively.
- *
- */
-int	rm_dash_r (char *path)
-{
-    PRDir	 * dir;
-    PRDirEntry * entry;
-    PRFileInfo fileinfo;
-    char	filename[FNSIZE];
-
-    if (PR_GetFileInfo(path, &fileinfo) != PR_SUCCESS) {
-	/*fprintf(stderr, "Error: Unable to access %s\n", filename);*/
-	return - 1;
-    }
-    if (fileinfo.type == PR_FILE_DIRECTORY) {
-
-	dir = PR_OpenDir(path);
-	if (!dir) {
-	    PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-	    errorCount++;
-	    return - 1;
-	}
-
-	/* Recursively delete all entries in the directory */
-	while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-	    sprintf(filename, "%s/%s", path, entry->name);
-	    if (rm_dash_r(filename)) 
-		return - 1;
-	}
-
-	if (PR_CloseDir(dir) != PR_SUCCESS) {
-	    PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-	    errorCount++;
-	    return - 1;
-	}
-
-	/* Delete the directory itself */
-	if (PR_RmDir(path) != PR_SUCCESS) {
-	    PR_fprintf(errorFD, "Error: Unable to delete %s\n", path);
-	    errorCount++;
-	    return - 1;
-	}
-    } else {
-	if (PR_Delete(path) != PR_SUCCESS) {
-	    PR_fprintf(errorFD, "Error: Unable to delete %s\n", path);
-	    errorCount++;
-	    return - 1;
-	}
-    }
-    return 0;
-}
-
-
-/*
- *  u s a g e 
- * 
- *  Print some useful help information
- *
- */
-
-
-void
-Usage (void)
-{
-#define FPS PR_fprintf(outputFD,
-    FPS "%s %s -a signing tool for jar files\n", LONG_PROGRAM_NAME,NSS_VERSION);
-    FPS "\n\nType %s -H for more detailed descriptions\n", PROGRAM_NAME);
-    FPS "\nUsage:  %s -k keyName [-b basename] [-c Compression Level]\n"
-        "\t\t [-d cert-dir] [-i installer script] [-m metafile] [-x name]\n"
-        "\t\t [-e extension] [-o] [-z] [-X] [--outfile] [--verbose value]\n"
-        "\t\t [--norecurse] [--leavearc] [-j directory] [-Z jarfile] [-O]\n"
-        "\t\t [-p password] directory-tree\n", PROGRAM_NAME);
-    FPS "\t%s -J -k keyName [-b basename] [-c Compression Level]\n"
-        "\t\t [-d cert-dir][-i installer script] [-m metafile] [-x name]\n"
-        "\t\t [-e extension] [-o] [-z] [-X] [--outfile] [--verbose value]\n"
-        "\t\t [--norecurse] [--leavearc] [-j directory] [-p password] [-O] \n"
-        "\t\t directory-tree\n", PROGRAM_NAME);
-    FPS "\t%s -h \n", PROGRAM_NAME);
-    FPS "\t%s -H \n", PROGRAM_NAME);
-    FPS "\t%s -l [-k keyName] [-d cert-dir] [--outfile] [-O] \n", PROGRAM_NAME);
-    FPS "\t%s -L [-k keyName] [-d cert-dir] [--outfile] [-O] \n", PROGRAM_NAME);
-    FPS "\t%s -M [--outfile] [-O] \n", PROGRAM_NAME);
-    FPS "\t%s -v [-d cert-dir] [--outfile] [-O] archive\n", PROGRAM_NAME);
-    FPS "\t%s -w [--outfile] [-O] archive\n" , PROGRAM_NAME);
-    FPS "\t%s -G nickname [--keysize|-s size] [-t |--token tokenname]\n"
-        "\t\t [--outfile] [-O] \n", PROGRAM_NAME);
-    FPS "\t%s -f filename\n" , PROGRAM_NAME);
-    exit (ERRX);
-}
-
-void 
-LongUsage(void)
-{
-    FPS "%s %s -a signing tool for jar files\n", LONG_PROGRAM_NAME,NSS_VERSION);
-    FPS "\n%-20s  Signs the directory-tree\n",
-        "signtool directory-tree");
-    FPS "%-30s Nickname (key) of the certificate to sign with\n",
-        "   -k keyname");
-    FPS "%-30s Base filename for the .rsa and.sf files in the\n",
-        "   -b basename");
-    FPS "%-30s META-INF directory\n"," ");
-    FPS "%-30s Set the compression level. 0-9, 0=none\n", 
-	"   -c CompressionLevel");
-    FPS "%-30s Certificate database directory containing cert*db\n",
-	"   -d certificate directory");
-    FPS "%-30s and key*db\n"," ");
-    FPS "%-30s Name of the installer script for SmartUpdate\n",
-	"   -i installer script");
-    FPS "%-30s Name of a metadata control file\n",
-	"   -m metafile");
-    FPS "%-30s For optimizing the archive for size.\n",
-	"   -o");
-    FPS "%-30s Omit Optional Headers\n"," ");
-    FPS "%-30s Excludes the specified directory or file from\n",
-	"   -x  directory or file name");
-    FPS "%-30s signing\n"," ");
-    FPS "%-30s To not store the signing time in digital\n",
-	"   -z  directory or file name");
-    FPS "%-30s signature\n"," ");
-    FPS "%-30s Create XPI Compatible Archive. It requires -Z\n",
-	"   -X  directory or file name");
-    FPS "%-30s option\n"," ");
-    FPS "%-30s Sign only files with the given extension\n",
-	"   -e");
-    FPS "%-30s Causes the specified directory to be signed and\n",
-	"   -j");
-    FPS "%-30s tags its entries as inline JavaScript\n"," ");
-    FPS "%-30s Creates a JAR file with the specified name.\n",
-	"   -Z");
-    FPS "%-30s -Z option cannot be used with -J option\n"," ");
-    FPS "%-30s Specifies a password for the private-key database\n",
-	"   -p");
-    FPS "%-30s (insecure)\n"," ");
-    FPS "%-30s File to receive redirected output\n",
-    	"   --outfile filename");
-    FPS "%-30s Sets the quantity of information generated in\n",
-	"   --verbosity value");
-    FPS "%-30s operation\n"," ");
-    FPS "%-30s Blocks recursion into subdirectories\n",
-	"   --norecurse");
-    FPS "%-30s Retains the temporary .arc (archive) directories\n",
-	"   --leavearc");
-    FPS "%-30s -J option creates\n"," ");
-
-    FPS "\n%-20s Signs a directory of HTML files containing JavaScript and\n",
-	"-J" );
-    FPS "%-20s creates as many archive files as are in the HTML tags.\n"," ");
-
-    FPS "%-20s The options are same as without any command option given\n"," ");
-    FPS "%-20s above. -Z and -J options are not allowed together\n"," ");
-    
-    FPS "\n%-20s Generates a new private-public key pair and corresponding\n",
-	"-G nickname");
-    FPS "%-20s object-signing certificates with the given nickname\n"," ");
-    FPS "%-30s Specifies the size of the key for generated \n",
-	"   --keysize|-s keysize");
-    FPS "%-30s certificate\n"," ");
-    FPS "%-30s Specifies which available token should generate\n",
-	"   --token|-t token name ");
-    FPS "%-30s the key and receive the certificate\n"," ");
-    FPS "%-30s Specifies a file to receive redirected output\n",
-	"   --outfile filename ");
-    
-    FPS "\n%-20s Display signtool help\n",
-	"-h ");
-    
-    FPS "\n%-20s Display signtool help(Detailed)\n",
-	"-H ");
-    
-    FPS "\n%-20s Lists signing certificates, including issuing CAs\n",
-	"-l ");
-    FPS "%-30s Certificate database directory containing cert*db\n",
-	"   -d certificate directory");
-    FPS "%-30s and key*db\n"," ");
-
-    FPS "%-30s Specifies a file to receive redirected output\n",
-	"   --outfile filename ");
-    FPS "%-30s Specifies the nickname (key) of the certificate\n",
-	"   -k keyname");
-
-    
-    FPS "\n%-20s Lists the certificates in your database\n",
-	"-L ");
-    FPS "%-30s Certificate database directory containing cert*db\n",
-	"   -d certificate directory");
-    FPS "%-30s and key*db\n"," ");
-
-    FPS "%-30s Specifies a file to receive redirected output\n",
-	"   --outfile filename ");
-    FPS "%-30s Specifies the nickname (key) of the certificate\n",
-	"   -k keyname");
-    
-    FPS "\n%-20s Lists the PKCS #11 modules available to signtool\n",
-	"-M ");
-   
-    FPS "\n%-20s Displays the contents of an archive and verifies\n",
-	"-v archive");
-    FPS "%-20s cryptographic integrity\n"," ");
-    FPS "%-30s Certificate database directory containing cert*db\n",
-	"   -d certificate directory");
-    FPS "%-30s and key*db\n"," ");
-    FPS "%-30s Specifies a file to receive redirected output\n",
-	"   --outfile filename ");
-    
-    FPS "\n%-20s Displays the names of signers in the archive\n",
-	"-w archive");
-    FPS "%-30s Specifies a file to receive redirected output\n",
-	"   --outfile filename ");
-
-    
-    FPS "\n%-30s Common option to all the above.\n",
-	"   -O");
-    FPS "%-30s Enable OCSP checking\n"," ");
-    
-    FPS "\n%-20s Specifies a text file containing options and arguments in\n",
-	"-f command-file");
-    FPS "%-20s keyword=value format. Commands are taken from this file\n"," ");
-
-    FPS  "\n\n\n");
-    FPS  "Example:\n");
-    FPS  "%-10s -d \"certificate directory\" -k \"certnickname\" \\",
-         PROGRAM_NAME);
-    FPS  "\n%-10s -p \"password\"  -X -Z \"file.xpi\" directory-tree\n"," " );
-    FPS  "Common syntax to create an XPInstall compatible"
-         " signed archive\n\n"," ");
-    FPS  "\nCommand File Keywords and Example:\n");
-    FPS "\nKeyword\t\tValue\n");
-    FPS "basename\tSame as -b option\n");
-    FPS "compression\tSame as -c option\n");
-    FPS "certdir\t\tSame as -d option\n");
-    FPS "extension\tSame as -e option\n");
-    FPS "generate\tSame as -G option\n");
-    FPS "installscript\tSame as -i option\n");
-    FPS "javascriptdir\tSame as -j option\n");
-    FPS "htmldir\t\tSame as -J option\n");
-    FPS "certname\tNickname of certificate, as with -k  option\n");
-    FPS "signdir\t\tThe directory to be signed, as with -k option\n");
-    FPS "list\t\tSame as -l option. Value is ignored,\n"
-        "    \t\tbut = sign must be present\n");
-    FPS "listall\t\tSame as -L option. Value is ignored\n"
-        "       \t\tbut = sign must be present\n");
-    FPS "metafile\tSame as -m option\n");
-    FPS "modules\t\tSame as -M option. Value is ignored,\n"
-        "       \t\tbut = sign must be present\n");
-    FPS "optimize\tSame as -o option. Value is ignored,\n" 
-        "        \tbut = sign must be present\n");
-    FPS "ocsp\t\tSame as -O option\n");
-    FPS "password\tSame as -p option\n");
-    FPS "verify\t\tSame as -v option\n");
-    FPS "who\t\tSame as -w option\n");
-    FPS "exclude\t\tSame as -x option\n");
-    FPS "notime\t\tSame as -z option. Value is ignored,\n"
-        "      \t\tbut = sign must be present\n");
-    FPS "jarfile\t\tSame as -Z option\n");
-    FPS "outfile\t\tSame as --outfile option. The argument\n");
-    FPS "       \t\tis the name of a file to which output\n");
-    FPS "       \t\tof a file and error messages will be  \n");
-    FPS "       \t\tredirected\n");
-    FPS "leavearc\tSame as --leavearc option\n");
-    FPS "verbosity\tSame as --verbosity option\n");
-    FPS "keysize\t\tSame as -s option\n");
-    FPS "token\t\tSame as -t option\n");
-    FPS "xpi\t\tSame as -X option\n");
-    FPS "\n\n");
-    FPS "Here's an example of the use of the command file. The command\n\n");
-    FPS "   signtool -d c:\\netscape\\users\\james -k mycert -Z myjar.jar \\\n"
-        "   signdir > output.txt\n\n"); 
-    FPS "becomes\n\n");
-    FPS "   signtool -f somefile\n\n");
-    FPS "where somefile contains the following lines:\n\n");
-    FPS "   certdir=c:\\netscape\\users\\james\n"," "); 
-    FPS "   certname=mycert\n"," "); 
-    FPS "   jarfile=myjar.jar\n"," "); 
-    FPS "   signdir=signdir\n"," "); 
-    FPS "   outfile=output.txt\n"," "); 
-    exit (ERRX);
-#undef FPS
-}
-
-/*
- *  p r i n t _ e r r o r
- *
- *  For the undocumented -E function. If an older version
- *  of communicator gives you a numeric error, we can see what
- *  really happened without doing hex math.
- *
- */
-
-void
-print_error (int err)
-{
-    PR_fprintf(errorFD, "Error %d: %s\n", err, JAR_get_error (err));
-    errorCount++;
-    give_help (err);
-}
-
-
-/*
- *  o u t _ o f _ m e m o r y
- *
- *  Out of memory, exit Signtool.
- * 
- */
-void
-out_of_memory (void)
-{
-    PR_fprintf(errorFD, "%s: out of memory\n", PROGRAM_NAME);
-    errorCount++;
-    exit (ERRX);
-}
-
-
-/*
- *  V e r i f y C e r t D i r
- *
- *  Validate that the specified directory
- *  contains a certificate database
- *
- */
-void
-VerifyCertDir(char *dir, char *keyName)
-{
-    char	fn [FNSIZE];
-
-    /* don't try verifying if we don't have a local directory */
-    if (strncmp(dir, "multiaccess:", sizeof("multiaccess:") - 1) == 0) {
-	return;
-    }
-    /* this function is truly evil. Tools and applications should not have
-     * any knowledge of actual cert databases! */
-    return;
-
-    /* This code is really broken because it makes underlying assumptions about
-   * how the NSS profile directory is laid out, but these names can change
-   * from release to release. */
-    sprintf (fn, "%s/cert8.db", dir);
-
-    if (PR_Access (fn, PR_ACCESS_EXISTS)) {
-	PR_fprintf(errorFD, "%s: No certificate database in \"%s\"\n",
-			 PROGRAM_NAME, dir);
-	PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "using certificate directory: %s\n", dir);
-    }
-
-    if (keyName == NULL)
-	return;
-
-    /* if the user gave the -k key argument, verify that 
-     a key database already exists */
-
-    sprintf (fn, "%s/key3.db", dir);
-
-    if (PR_Access (fn, PR_ACCESS_EXISTS)) {
-	PR_fprintf(errorFD, "%s: No private key database in \"%s\"\n",
-	     PROGRAM_NAME,
-	    dir);
-	PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-}
-
-
-/*
- *  f o r e a c h 
- * 
- *  A recursive function to loop through all names in
- *  the specified directory, as well as all subdirectories.
- *
- *  FIX: Need to see if all platforms allow multiple
- *  opendir's to be called.
- *
- */
-
-int
-foreach(char *dirname, char *prefix, 
-int (*fn)(char *relpath, char *basedir, char *reldir, char *filename,
-void*arg),
-PRBool recurse, PRBool includeDirs, void *arg) 
-{
-    char	newdir [FNSIZE];
-    int	retval = 0;
-
-    PRDir * dir;
-    PRDirEntry * entry;
-
-    strcpy (newdir, dirname);
-    if (*prefix) {
-	strcat (newdir, "/");
-	strcat (newdir, prefix);
-    }
-
-    dir = PR_OpenDir (newdir);
-    if (!dir) 
-	return - 1;
-
-    for (entry = PR_ReadDir (dir, 0); entry; entry = PR_ReadDir (dir, 0)) {
-	if ( strcmp(entry->name, ".") == 0   || 
-	    strcmp(entry->name, "..") == 0 ) {
-	    /* no infinite recursion, please */
-	    continue;
-	}
-
-	/* can't sign self */
-	if (!strcmp (entry->name, "META-INF"))
-	    continue;
-
-	/* -x option */
-	if (PL_HashTableLookup(excludeDirs, entry->name))
-	    continue;
-
-	strcpy (newdir, dirname);
-	if (*dirname)
-	    strcat (newdir, "/");
-
-	if (*prefix) {
-	    strcat (newdir, prefix);
-	    strcat (newdir, "/");
-	}
-	strcat (newdir, entry->name);
-
-	if (!is_dir(newdir) || includeDirs) {
-	    char	newpath [FNSIZE];
-
-	    strcpy (newpath, prefix);
-	    if (*newpath)
-		strcat (newpath, "/");
-	    strcat (newpath, entry->name);
-
-	    if ( (*fn) (newpath, dirname, prefix, (char *) entry->name,
-	         arg)) {
-		retval = -1;
-		break;
-	    }
-	}
-
-	if (is_dir (newdir)) {
-	    if (recurse) {
-		char	newprefix [FNSIZE];
-
-		strcpy (newprefix, prefix);
-		if (*newprefix) {
-		    strcat (newprefix, "/");
-		}
-		strcat (newprefix, entry->name);
-
-		if (foreach (dirname, newprefix, fn, recurse,
-		     includeDirs, arg)) {
-		    retval = -1;
-		    break;
-		}
-	    }
-	}
-
-    }
-
-    PR_CloseDir (dir);
-
-    return retval;
-}
-
-
-/*
- *  i s _ d i r
- *
- *  Return 1 if file is a directory.
- *  Wonder if this runs on a mac, trust not.
- *
- */
-static int	is_dir (char *filename)
-{
-    PRFileInfo	finfo;
-
-    if ( PR_GetFileInfo(filename, &finfo) != PR_SUCCESS ) {
-	printf("Unable to get information about %s\n", filename);
-	return 0;
-    }
-
-    return ( finfo.type == PR_FILE_DIRECTORY );
-}
-
-
-/***************************************************************
- *
- * s e c E r r o r S t r i n g
- *
- * Returns an error string corresponding to the given error code.
- * Doesn't cover all errors; returns a default for many.
- * Returned string is only valid until the next call of this function.
- */
-const char	*
-secErrorString(long code)
-{
-    static char	errstring[80]; /* dynamically constructed error string */
-    char	*c; /* the returned string */
-
-    switch (code) {
-    case SEC_ERROR_IO: 
-	c = "io error";
-	break;
-    case SEC_ERROR_LIBRARY_FAILURE: 
-	c = "security library failure";
-	break;
-    case SEC_ERROR_BAD_DATA: 
-	c = "bad data";
-	break;
-    case SEC_ERROR_OUTPUT_LEN: 
-	c = "output length";
-	break;
-    case SEC_ERROR_INPUT_LEN: 
-	c = "input length";
-	break;
-    case SEC_ERROR_INVALID_ARGS: 
-	c = "invalid args";
-	break;
-    case SEC_ERROR_EXPIRED_CERTIFICATE: 
-	c = "expired certificate";
-	break;
-    case SEC_ERROR_REVOKED_CERTIFICATE: 
-	c = "revoked certificate";
-	break;
-    case SEC_ERROR_INADEQUATE_KEY_USAGE: 
-	c = "inadequate key usage";
-	break;
-    case SEC_ERROR_INADEQUATE_CERT_TYPE: 
-	c = "inadequate certificate type";
-	break;
-    case SEC_ERROR_UNTRUSTED_CERT: 
-	c = "untrusted cert";
-	break;
-    case SEC_ERROR_NO_KRL: 
-	c = "no key revocation list";
-	break;
-    case SEC_ERROR_KRL_BAD_SIGNATURE: 
-	c = "key revocation list: bad signature";
-	break;
-    case SEC_ERROR_KRL_EXPIRED: 
-	c = "key revocation list expired";
-	break;
-    case SEC_ERROR_REVOKED_KEY: 
-	c = "revoked key";
-	break;
-    case SEC_ERROR_CRL_BAD_SIGNATURE:
-	c = "certificate revocation list: bad signature";
-	break;
-    case SEC_ERROR_CRL_EXPIRED: 
-	c = "certificate revocation list expired";
-	break;
-    case SEC_ERROR_CRL_NOT_YET_VALID:
-	c = "certificate revocation list not yet valid";
-	break;
-    case SEC_ERROR_UNKNOWN_ISSUER: 
-	c = "unknown issuer";
-	break;
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 
-	c = "expired issuer certificate";
-	break;
-    case SEC_ERROR_BAD_SIGNATURE: 
-	c = "bad signature";
-	break;
-    case SEC_ERROR_BAD_KEY: 
-	c = "bad key";
-	break;
-    case SEC_ERROR_NOT_FORTEZZA_ISSUER: 
-	c = "not fortezza issuer";
-	break;
-    case SEC_ERROR_CA_CERT_INVALID:
-	c = "Certificate Authority certificate invalid";
-	break;
-    case SEC_ERROR_EXTENSION_NOT_FOUND: 
-	c = "extension not found";
-	break;
-    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 
-	c = "certificate not in name space";
-	break;
-    case SEC_ERROR_UNTRUSTED_ISSUER: 
-	c = "untrusted issuer";
-	break;
-    default:
-	sprintf(errstring, "security error %ld", code);
-	c = errstring;
-	break;
-    }
-
-    return c;
-}
-
-
-/***************************************************************
- *
- * d i s p l a y V e r i f y L o g
- *
- * Prints the log of a cert verification.
- */
-void
-displayVerifyLog(CERTVerifyLog *log)
-{
-    CERTVerifyLogNode	 * node;
-    CERTCertificate		 * cert;
-    char	*name;
-
-    if ( !log  || (log->count <= 0) ) {
-	return;
-    }
-
-    for (node = log->head; node != NULL; node = node->next) {
-
-	if ( !(cert = node->cert) ) {
-	    continue;
-	}
-
-	/* Get a name for this cert */
-	if (cert->nickname != NULL) {
-	    name = cert->nickname;
-	} else if (cert->emailAddr && cert->emailAddr[0]) {
-	    name = cert->emailAddr;
-	} else {
-	    name = cert->subjectName;
-	}
-
-	printf( "%s%s:\n", name,
-	    (node->depth > 0) ? " [Certificate Authority]" : "");
-
-	printf("\t%s\n", secErrorString(node->error));
-
-    }
-}
-
-
-/*
- *  J a r L i s t M o d u l e s
- *
- *  Print a list of the PKCS11 modules that are
- *  available. This is useful for smartcard people to
- *  make sure they have the drivers loaded.
- *
- */
-void
-JarListModules(void)
-{
-    int	i;
-    int	count = 0;
-
-    SECMODModuleList * modules = NULL;
-    static SECMODListLock *moduleLock = NULL;
-
-    SECMODModuleList * mlp;
-
-    if ((moduleLock = SECMOD_GetDefaultModuleListLock()) == NULL) {
-	/* this is the wrong text */
-	PR_fprintf(errorFD, "%s: unable to acquire lock on module list\n",
-	     		PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    SECMOD_GetReadLock (moduleLock);
-
-    modules = SECMOD_GetDefaultModuleList();
-
-    if (modules == NULL) {
-	SECMOD_ReleaseReadLock (moduleLock);
-	PR_fprintf(errorFD, "%s: Can't get module list\n", PROGRAM_NAME);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    PR_fprintf(outputFD, "\nListing of PKCS11 modules\n");
-    PR_fprintf(outputFD, "-----------------------------------------------\n");
-
-    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
-	count++;
-	PR_fprintf(outputFD, "%3d. %s\n", count, mlp->module->commonName);
-
-	if (mlp->module->internal)
-	    PR_fprintf(outputFD, "          (this module is internally loaded)\n");
-	else
-	    PR_fprintf(outputFD, "          (this is an external module)\n");
-
-	if (mlp->module->dllName)
-	    PR_fprintf(outputFD, "          DLL name: %s\n",
-	        mlp->module->dllName);
-
-	if (mlp->module->slotCount == 0)
-	    PR_fprintf(outputFD, "          slots: There are no slots attached to this module\n");
-	else
-	    PR_fprintf(outputFD, "          slots: %d slots attached\n",
-	         mlp->module->slotCount);
-
-	if (mlp->module->loaded == 0)
-	    PR_fprintf(outputFD, "          status: Not loaded\n");
-	else
-	    PR_fprintf(outputFD, "          status: loaded\n");
-
-	for (i = 0; i < mlp->module->slotCount; i++) {
-	    PK11SlotInfo * slot = mlp->module->slots[i];
-
-	    PR_fprintf(outputFD, "\n");
-	    PR_fprintf(outputFD, "    slot: %s\n", PK11_GetSlotName(slot));
-	    PR_fprintf(outputFD, "   token: %s\n", PK11_GetTokenName(slot));
-	}
-    }
-
-    PR_fprintf(outputFD, "-----------------------------------------------\n");
-
-    if (count == 0)
-	PR_fprintf(outputFD,
-	    "Warning: no modules were found (should have at least one)\n");
-
-    SECMOD_ReleaseReadLock (moduleLock);
-}
-
-
-/**********************************************************************
- * c h o p
- *
- * Eliminates leading and trailing whitespace.  Returns a pointer to the 
- * beginning of non-whitespace, or an empty string if it's all whitespace.
- */
-char*
-chop(char *str)
-{
-    char	*start, *end;
-
-    if (str) {
-	start = str;
-
-	/* Nip leading whitespace */
-	while (isspace(*start)) {
-	    start++;
-	}
-
-	/* Nip trailing whitespace */
-	if (*start) {
-	    end = start + strlen(start) - 1;
-	    while (isspace(*end) && end > start) {
-		end--;
-	    }
-	    *(end + 1) = '\0';
-	}
-
-	return start;
-    } else {
-	return NULL;
-    }
-}
-
-
-/***********************************************************************
- *
- * F a t a l E r r o r
- *
- * Outputs an error message and bails out of the program.
- */
-void
-FatalError(char *msg)
-{
-    if (!msg) 
-	msg = "";
-
-    PR_fprintf(errorFD, "FATAL ERROR: %s\n", msg);
-    errorCount++;
-    exit(ERRX);
-}
-
-
-/*************************************************************************
- *
- * I n i t C r y p t o
- */
-int
-InitCrypto(char *cert_dir, PRBool readOnly)
-{
-    SECStatus rv;
-    static int	prior = 0;
-    PK11SlotInfo * slotinfo;
-
-    if (prior == 0) {
-	/* some functions such as OpenKeyDB expect this path to be
-	 * implicitly set prior to calling */
-	if (readOnly) {
-	    rv = NSS_Init(cert_dir);
-	} else {
-	    rv = NSS_InitReadWrite(cert_dir);
-	}
-	if (rv != SECSuccess) {
-	    SECU_PrintPRandOSError(PROGRAM_NAME);
-	    exit(-1);
-	}
-
-	SECU_ConfigDirectory (cert_dir);
-
-	/* Been there done that */
-	prior++;
-
-        PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-	/* Must login to FIPS before you do anything else */
-	if (PK11_IsFIPS()) {
-	    slotinfo = PK11_GetInternalSlot();
-	    if (!slotinfo) {
-		fprintf(stderr, "%s: Unable to get PKCS #11 Internal Slot."
-				    "\n", PROGRAM_NAME);
-		return - 1;
-	    }
-	    if (PK11_Authenticate(slotinfo, PR_FALSE /*loadCerts*/,
-	         			  &pwdata) != SECSuccess) {
-		fprintf(stderr, "%s: Unable to authenticate to %s.\n",
-				    PROGRAM_NAME, PK11_GetSlotName(slotinfo));
-		PK11_FreeSlot(slotinfo);
-		return - 1;
-	    }
-	    PK11_FreeSlot(slotinfo);
-	}
-
-	/* Make sure there is a password set on the internal key slot */
-	slotinfo = PK11_GetInternalKeySlot();
-	if (!slotinfo) {
-	    fprintf(stderr, "%s: Unable to get PKCS #11 Internal Key Slot."
-	        "\n", PROGRAM_NAME);
-	    return - 1;
-	}
-	if (PK11_NeedUserInit(slotinfo)) {
-	    PR_fprintf(errorFD,
-	        "\nWARNING: No password set on internal key database.  Most operations will fail."
-	        "\nYou must create a password.\n");
-	    warningCount++;
-	}
-
-	/* Make sure we can authenticate to the key slot in FIPS mode */
-	if (PK11_IsFIPS()) {
-	    if (PK11_Authenticate(slotinfo, PR_FALSE /*loadCerts*/,
-	         			  &pwdata) != SECSuccess) {
-		fprintf(stderr, "%s: Unable to authenticate to %s.\n",
-				PROGRAM_NAME, PK11_GetSlotName(slotinfo));
-		PK11_FreeSlot(slotinfo);
-		return - 1;
-	    }
-	}
-	PK11_FreeSlot(slotinfo);
-    }
-
-    return 0;
-}
-
-
-/* Windows foolishness is now in the secutil lib */
-
-/*****************************************************************
- *  g e t _ d e f a u l t _ c e r t _ d i r
- *
- *  Attempt to locate a certificate directory.
- *  Failing that, complain that the user needs to
- *  use the -d(irectory) parameter.
- *
- */
-char	*get_default_cert_dir (void)
-{
-    char	*home;
-
-    char	*cd = NULL;
-    static char	db [FNSIZE];
-
-#ifdef XP_UNIX
-    home = getenv ("HOME");
-
-    if (home && *home) {
-	sprintf (db, "%s/.netscape", home);
-	cd = db;
-    }
-#endif
-
-#ifdef XP_PC
-    FILE * fp;
-
-    /* first check the environment override */
-
-    home = getenv ("JAR_HOME");
-
-    if (home && *home) {
-	sprintf (db, "%s/cert7.db", home);
-
-	if ((fp = fopen (db, "r")) != NULL) {
-	    fclose (fp);
-	    cd = home;
-	}
-    }
-
-    /* try the old navigator directory */
-
-    if (cd == NULL) {
-	home = "c:/Program Files/Netscape/Navigator";
-
-	sprintf (db, "%s/cert7.db", home);
-
-	if ((fp = fopen (db, "r")) != NULL) {
-	    fclose (fp);
-	    cd = home;
-	}
-    }
-
-    /* Try the current directory, I wonder if this
-     is really a good idea. Remember, Windows only.. */
-
-    if (cd == NULL) {
-	home = ".";
-
-	sprintf (db, "%s/cert7.db", home);
-
-	if ((fp = fopen (db, "r")) != NULL) {
-	    fclose (fp);
-	    cd = home;
-	}
-    }
-
-#endif
-
-    if (!cd) {
-	PR_fprintf(errorFD,
-	    "You must specify the location of your certificate directory\n");
-	PR_fprintf(errorFD,
-	    "with the -d option. Example: -d ~/.netscape in many cases with Unix.\n");
-	errorCount++;
-	exit (ERRX);
-    }
-
-    return cd;
-}
-
-
-/************************************************************************
- * g i v e _ h e l p
- */
-void	give_help (int status)
-{
-    if (status == SEC_ERROR_UNKNOWN_ISSUER) {
-	PR_fprintf(errorFD,
-	    "The Certificate Authority (CA) for this certificate\n");
-	PR_fprintf(errorFD,
-	    "does not appear to be in your database. You should contact\n");
-	PR_fprintf(errorFD,
-	    "the organization which issued this certificate to obtain\n");
-	PR_fprintf(errorFD, "a copy of its CA Certificate.\n");
-    }
-}
-
-
-/**************************************************************************
- *
- * p r _ f g e t s
- *
- * fgets implemented with NSPR.
- */
-char*
-pr_fgets(char *buf, int size, PRFileDesc *file)
-{
-    int	i;
-    int	status;
-    char	c;
-
-    i = 0;
-    while (i < size - 1) {
-	status = PR_Read(file, &c, 1);
-	if (status == -1) {
-	    return NULL;
-	} else if (status == 0) {
-	    if (i == 0) {
-		return NULL;
-	    }
-	    break;
-	}
-	buf[i++] = c;
-	if (c == '\n') {
-	    break;
-	}
-    }
-    buf[i] = '\0';
-
-    return buf;
-}
-
-
diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c
deleted file mode 100644
index 302e9d497..000000000
--- a/security/nss/cmd/signtool/verify.c
+++ /dev/null
@@ -1,371 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-
-
-static int	jar_cb(int status, JAR *jar, const char *metafile, 
-char *pathname, char *errortext);
-static int	verify_global (JAR *jar);
-
-/*************************************************************************
- *
- * V e r i f y J a r
- */
-int
-VerifyJar(char *filename)
-{
-    FILE * fp;
-
-    int	ret;
-    int	status;
-    int	failed = 0;
-    char	*err;
-
-    JAR * jar;
-    JAR_Context * ctx;
-
-    JAR_Item * it;
-
-    jar = JAR_new();
-
-    if ((fp = fopen (filename, "r")) == NULL) {
-	perror (filename);
-	exit (ERRX);
-    } else
-	fclose (fp);
-
-    JAR_set_callback (JAR_CB_SIGNAL, jar, jar_cb);
-
-
-    status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
-
-    if (status < 0 || jar->valid < 0) {
-	failed = 1;
-	PR_fprintf(outputFD, 
-	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
-	     filename);
-	if (status < 0) {
-	    char	*errtext;
-
-	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
-		errtext = JAR_get_error (status);
-	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
-	    }
-
-	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
-	         errtext);
-
-	    /* corrupt files should not have their contents listed */
-
-	    if (status == JAR_ERR_CORRUPT)
-		return - 1;
-	}
-	PR_fprintf(outputFD,
-	    "entries shown below will have their digests checked only.\n");
-	jar->valid = 0;
-    } else
-	PR_fprintf(outputFD,
-	    "archive \"%s\" has passed crypto verification.\n", filename);
-
-    if (verify_global (jar))
-	failed = 1;
-
-    PR_fprintf(outputFD, "\n");
-    PR_fprintf(outputFD, "%16s   %s\n", "status", "path");
-    PR_fprintf(outputFD, "%16s   %s\n", "------------", "-------------------");
-
-    ctx = JAR_find (jar, NULL, jarTypeMF);
-
-    while (JAR_find_next (ctx, &it) >= 0) {
-	if (it && it->pathname) {
-	    rm_dash_r(TMP_OUTPUT);
-	    ret = JAR_verified_extract (jar, it->pathname, TMP_OUTPUT);
-	    /* if (ret < 0) printf ("error %d on %s\n", ret, it->pathname); */
-	    if (ret < 0) 
-		failed = 1;
-
-	    if (ret == JAR_ERR_PNF)
-		err = "NOT PRESENT";
-	    else if (ret == JAR_ERR_HASH)
-		err = "HASH FAILED";
-	    else
-		err = "NOT VERIFIED";
-
-	    PR_fprintf(outputFD, "%16s   %s\n", 
-	        ret >= 0 ? "verified" : err, it->pathname);
-
-	    if (ret != 0 && ret != JAR_ERR_PNF && ret != JAR_ERR_HASH)
-		PR_fprintf(outputFD, "      (reason: %s)\n",
-		     JAR_get_error (ret));
-	}
-    }
-
-    JAR_find_end (ctx);
-
-    if (status < 0 || jar->valid < 0) {
-	failed = 1;
-	PR_fprintf(outputFD,
-	    "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
-	     filename);
-	give_help (status);
-    }
-
-    JAR_destroy (jar);
-
-    if (failed)
-	return - 1;
-    return 0;
-}
-
-
-/***************************************************************************
- *
- * v e r i f y _ g l o b a l
- */
-static int	
-verify_global (JAR *jar)
-{
-    FILE        * fp;
-    JAR_Context * ctx;
-    JAR_Item    * it;
-    JAR_Digest  * globaldig;
-    char	* ext;
-    unsigned char *md5_digest, *sha1_digest;
-    unsigned int  sha1_length, md5_length;
-    int	          retval = 0;
-    char	  buf [BUFSIZ];
-
-    ctx = JAR_find (jar, "*", jarTypePhy);
-
-    while (JAR_find_next (ctx, &it) >= 0) {
-	if (!PORT_Strncmp (it->pathname, "META-INF", 8)) {
-	    for (ext = it->pathname; *ext; ext++)
-		;
-	    while (ext > it->pathname && *ext != '.') 
-		ext--;
-
-	    if (verbosity >= 0) {
-		if (!PORT_Strcasecmp (ext, ".rsa")) {
-		    PR_fprintf(outputFD, "found a RSA signature file: %s\n",
-		         				  it->pathname);
-		}
-
-		if (!PORT_Strcasecmp (ext, ".dsa")) {
-		    PR_fprintf(outputFD, "found a DSA signature file: %s\n",
-		         				  it->pathname);
-		}
-
-		if (!PORT_Strcasecmp (ext, ".mf")) {
-		    PR_fprintf(outputFD,
-		        "found a MF master manifest file: %s\n",
-		         it->pathname);
-		}
-	    }
-
-	    if (!PORT_Strcasecmp (ext, ".sf")) {
-		if (verbosity >= 0) {
-		    PR_fprintf(outputFD,
-		        "found a SF signature manifest file: %s\n",
-		         it->pathname);
-		}
-
-		rm_dash_r(TMP_OUTPUT);
-		if (JAR_extract (jar, it->pathname, TMP_OUTPUT) < 0) {
-		    PR_fprintf(errorFD, "%s: error extracting %s\n",
-		         PROGRAM_NAME, it->pathname);
-		    errorCount++;
-		    retval = -1;
-		    continue;
-		}
-
-		md5_digest = NULL;
-		sha1_digest = NULL;
-
-		if ((fp = fopen (TMP_OUTPUT, "rb")) != NULL) {
-		    while (fgets (buf, BUFSIZ, fp)) {
-			char	*s;
-
-			if (*buf == 0 || *buf == '\n' || *buf == '\r') 
-			    break;
-
-			for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
-			    ;
-			*s = 0;
-
-			if (!PORT_Strncmp (buf, "MD5-Digest: ", 12)) {
-			    md5_digest = 
-				ATOB_AsciiToData (buf + 12, &md5_length);
-			}
-			if (!PORT_Strncmp (buf, "SHA1-Digest: ", 13)) {
-			    sha1_digest = 
-				ATOB_AsciiToData (buf + 13, &sha1_length);
-			}
-			if (!PORT_Strncmp (buf, "SHA-Digest: ", 12)) {
-			    sha1_digest = 
-				ATOB_AsciiToData (buf + 12, &sha1_length);
-			}
-		    }
-
-		    globaldig = jar->globalmeta;
-
-		    if (globaldig && md5_digest && verbosity >= 0) {
-			PR_fprintf(outputFD,
-			   "  md5 digest on global metainfo: %s\n",
-			    PORT_Memcmp(md5_digest, globaldig->md5, MD5_LENGTH)
-			    ? "no match" : "match");
-		    }
-
-		    if (globaldig && sha1_digest && verbosity >= 0) {
-			PR_fprintf(outputFD,
-			    "  sha digest on global metainfo: %s\n",
-			    PORT_Memcmp(sha1_digest, globaldig->sha1, SHA1_LENGTH) 
-			    ? "no match" : "match");
-		    }
-
-		    if (globaldig == NULL && verbosity >= 0) {
-			PR_fprintf(outputFD,
-			     "global metadigest is not available, strange.\n");
-		    }
-
-		    fclose (fp);
-		}
-	    }
-	}
-    }
-
-    JAR_find_end (ctx);
-
-    return retval;
-}
-
-
-/************************************************************************
- *
- * J a r W h o
- */
-int
-JarWho(char *filename)
-{
-    FILE * fp;
-
-    JAR * jar;
-    JAR_Context * ctx;
-
-    int	status;
-    int	retval = 0;
-
-    JAR_Item * it;
-    JAR_Cert * fing;
-
-    CERTCertificate * cert, *prev = NULL;
-
-    jar = JAR_new();
-
-    if ((fp = fopen (filename, "r")) == NULL) {
-	perror (filename);
-	exit (ERRX);
-    } 
-    fclose (fp);
-
-    status = JAR_pass_archive (jar, jarArchGuess, filename, "some-url");
-
-    if (status < 0 || jar->valid < 0) {
-	PR_fprintf(outputFD,
-	    "NOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
-	     filename);
-	retval = -1;
-	if (jar->valid < 0 || status != -1) {
-	    char	*errtext;
-
-	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
-		errtext = JAR_get_error (status);
-	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
-	    }
-
-	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
-	}
-    }
-
-    PR_fprintf(outputFD, "\nSigner information:\n\n");
-
-    ctx = JAR_find (jar, NULL, jarTypeSign);
-
-    while (JAR_find_next (ctx, &it) >= 0) {
-	fing = (JAR_Cert * ) it->data;
-	cert = fing->cert;
-
-	if (cert) {
-	    if (prev == cert)
-		break;
-
-	    if (cert->nickname)
-		PR_fprintf(outputFD, "nickname: %s\n", cert->nickname);
-	    if (cert->subjectName)
-		PR_fprintf(outputFD, "subject name: %s\n",
-		     cert->subjectName);
-	    if (cert->issuerName)
-		PR_fprintf(outputFD, "issuer name: %s\n", cert->issuerName);
-	} else {
-	    PR_fprintf(outputFD, "no certificate could be found\n");
-	    retval = -1;
-	}
-
-	prev = cert;
-    }
-
-    JAR_find_end (ctx);
-
-    JAR_destroy (jar);
-    return retval;
-}
-
-
-/************************************************************************
- * j a r _ c b
- */
-static int	jar_cb(int status, JAR *jar, const char *metafile,
-char *pathname, char *errortext)
-{
-    PR_fprintf(errorFD, "error %d: %s IN FILE %s\n", status, errortext,
-         pathname);
-    errorCount++;
-    return 0;
-}
-
-
diff --git a/security/nss/cmd/signtool/zip.c b/security/nss/cmd/signtool/zip.c
deleted file mode 100644
index 2da1623ad..000000000
--- a/security/nss/cmd/signtool/zip.c
+++ /dev/null
@@ -1,721 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "signtool.h"
-#include "zip.h"
-#include "zlib.h"
-#include "prmem.h"
-
-static void	inttox (int in, char *out);
-static void	longtox (long in, char *out);
-
-/****************************************************************
- *
- * J z i p O p e n
- *
- * Opens a new ZIP file and creates a new ZIPfile structure to 
- * control the process of installing files into a zip.
- */
-ZIPfile*
-JzipOpen(char *filename, char *comment)
-{
-    ZIPfile * zipfile;
-    PRExplodedTime prtime;
-
-    zipfile = PORT_ZAlloc(sizeof(ZIPfile));
-    if (!zipfile) 
-	out_of_memory();
-
-    /* Construct time and date */
-    PR_ExplodeTime(PR_Now(), PR_LocalTimeParameters, &prtime);
-    zipfile->date = 	((prtime.tm_year - 1980) << 9) | 
-			((prtime.tm_month + 1) << 5)   | 
-			prtime.tm_mday;
-    zipfile->time = 	(prtime.tm_hour << 11)   | 
-			(prtime.tm_min << 5)     | 
-			(prtime.tm_sec & 0x3f);
-
-    zipfile->fp = NULL;
-    if (filename  && 
-        (zipfile->fp = PR_Open(filename,
-        PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0777)) == NULL) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "%s: can't open output jar, %s.%s\n",
-	     PROGRAM_NAME,
-	    filename, nsprErr ? nsprErr : "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit (ERRX);
-    }
-
-    zipfile->list = NULL;
-    if (filename) {
-	zipfile->filename = PORT_ZAlloc(strlen(filename) + 1);
-	if (!zipfile->filename) 
-	    out_of_memory();
-	PORT_Strcpy(zipfile->filename, filename);
-    }
-    if (comment) {
-	zipfile->comment = PORT_ZAlloc(strlen(comment) + 1);
-	if (!zipfile->comment) 
-	    out_of_memory();
-	PORT_Strcpy(zipfile->comment, comment);
-    }
-
-    return zipfile;
-}
-
-
-static
-void*
-my_alloc_func(void*opaque, uInt items, uInt size)
-{
-    return PORT_Alloc(items * size);
-}
-
-
-static
-void
-my_free_func(void*opaque, void*address)
-{
-    PORT_Free(address);
-}
-
-
-static
-void
-handle_zerror(int err, char *msg)
-{
-    if (!msg) {
-	msg = "";
-    }
-
-    errorCount++; /* unless Z_OK...see below */
-
-    switch (err) {
-    case Z_OK:
-	PR_fprintf(errorFD, "No error: %s\n", msg);
-	errorCount--; /* this was incremented above */
-	break;
-    case Z_MEM_ERROR:
-	PR_fprintf(errorFD, "Deflation ran out of memory: %s\n", msg);
-	break;
-    case Z_STREAM_ERROR:
-	PR_fprintf(errorFD, "Invalid compression level: %s\n", msg);
-	break;
-    case Z_VERSION_ERROR:
-	PR_fprintf(errorFD, "Incompatible compression library version: %s\n",
-	     msg);
-	break;
-    case Z_DATA_ERROR:
-	PR_fprintf(errorFD, "Compression data error: %s\n", msg);
-	break;
-    default:
-	PR_fprintf(errorFD, "Unknown error in compression library: %s\n", msg);
-	break;
-    }
-}
-
-
-
-
-/****************************************************************
- *
- * J z i p A d d
- *
- * Adds a new file into a ZIP file.  The ZIP file must have already
- * been opened with JzipOpen.
- */
-int
-JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
-{
-    ZIPentry * entry;
-    PRFileDesc * readfp;
-    PRFileDesc * zipfp;
-    unsigned long crc;
-    unsigned long local_size_pos;
-    int	          num;
-    int	          err;
-    int	          deflate_percent;
-    z_stream      zstream;
-    Bytef         inbuf[BUFSIZ];
-    Bytef         outbuf[BUFSIZ];
-
-
-    if ( !fullname || !filename || !zipfile) {
-	return - 1;
-    }
-
-    zipfp = zipfile->fp;
-    if (!zipfp)
-	return - 1;
-
-
-    if ( (readfp = PR_Open(fullname, PR_RDONLY, 0777)) == NULL) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "%s: %s\n", fullname, nsprErr ? nsprErr :
-	    "");
-	errorCount++;
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	exit(ERRX);
-    }
-
-    /*
-     * Make sure the input file is not the output file.
-     * Add a few bytes to the end of the JAR file and see if the input file
-     * twitches
-     */
-     {
-	PRInt32 endOfJar;
-	PRInt32 inputSize;
-	PRBool isSame;
-
-	inputSize = PR_Available(readfp);
-
-	endOfJar = PR_Seek(zipfp, 0L, PR_SEEK_CUR);
-
-	if (PR_Write(zipfp, "abcde", 5) < 5) {
-	    char	*nsprErr;
-
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing to zip file: %s\n",
-	        nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-
-	isSame = (PR_Available(readfp) != inputSize);
-
-	PR_Seek(zipfp, endOfJar, PR_SEEK_SET);
-
-	if (isSame) {
-	    /* It's the same file! Forget it! */
-	    PR_Close(readfp);
-	    return 0;
-	}
-    }
-
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "adding %s to %s...", fullname, zipfile->filename);
-    }
-
-    entry = PORT_ZAlloc(sizeof(ZIPentry));
-    if (!entry) 
-	out_of_memory();
-
-    entry->filename = PORT_Strdup(filename);
-    entry->comment = NULL;
-
-    /* Set up local file header */
-    longtox(LSIG, entry->local.signature);
-    inttox(strlen(filename), entry->local.filename_len);
-    inttox(zipfile->time, entry->local.time);
-    inttox(zipfile->date, entry->local.date);
-    inttox(Z_DEFLATED, entry->local.method);
-
-    /* Set up central directory entry */
-    longtox(CSIG, entry->central.signature);
-    inttox(strlen(filename), entry->central.filename_len);
-    if (entry->comment) {
-	inttox(strlen(entry->comment), entry->central.commentfield_len);
-    }
-    longtox(PR_Seek(zipfile->fp, 0, PR_SEEK_CUR),
-        entry->central.localhdr_offset);
-    inttox(zipfile->time, entry->central.time);
-    inttox(zipfile->date, entry->central.date);
-    inttox(Z_DEFLATED, entry->central.method);
-
-    /* Compute crc.  Too bad we have to process the whole file to do this*/
-    crc = crc32(0L, NULL, 0);
-    while ( (num = PR_Read(readfp, inbuf, BUFSIZ)) > 0) {
-	crc = crc32(crc, inbuf, num);
-    }
-    PR_Seek(readfp, 0L, PR_SEEK_SET);
-
-    /* Store CRC */
-    longtox(crc, entry->local.crc32);
-    longtox(crc, entry->central.crc32);
-
-    /* Stick this entry onto the end of the list */
-    entry->next = NULL;
-    if ( zipfile->list == NULL ) {
-	/* First entry */
-	zipfile->list = entry;
-    } else {
-	ZIPentry * pe;
-
-	pe = zipfile->list;
-	while (pe->next != NULL) {
-	    pe = pe->next;
-	}
-	pe->next = entry;
-    }
-
-    /*
-     * Start writing stuff out
-     */
-
-    local_size_pos = PR_Seek(zipfp, 0, PR_SEEK_CUR) + 18;
-    /* File header */
-    if (PR_Write(zipfp, &entry->local, sizeof(struct ZipLocal ))
-         < sizeof(struct ZipLocal )) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
-	    "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    /* File Name */
-    if ( PR_Write(zipfp, filename, strlen(filename)) < strlen(filename)) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr :
-	    "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    /*
-     * File data
-     */
-    /* Initialize zstream */
-    zstream.zalloc = my_alloc_func;
-    zstream.zfree = my_free_func;
-    zstream.opaque = NULL;
-    zstream.next_in = inbuf;
-    zstream.avail_in = BUFSIZ;
-    zstream.next_out = outbuf;
-    zstream.avail_out = BUFSIZ;
-    /* Setting the windowBits to -MAX_WBITS is an undocumented feature of
-     * zlib (see deflate.c in zlib).  It is the same thing that Java does
-     * when you specify the nowrap option for deflation in java.util.zip.
-     * It causes zlib to leave out its headers and footers, which don't
-     * work in PKZIP files.
-     */
-    err = deflateInit2(&zstream, compression_level, Z_DEFLATED,
-			-MAX_WBITS, 8 /*default*/, Z_DEFAULT_STRATEGY);
-    if (err != Z_OK) {
-	handle_zerror(err, zstream.msg);
-	exit(ERRX);
-    }
-
-    while ( (zstream.avail_in = PR_Read(readfp, inbuf, BUFSIZ)) > 0) {
-	zstream.next_in = inbuf;
-	/* Process this chunk of data */
-	while (zstream.avail_in > 0) {
-	    err = deflate(&zstream, Z_NO_FLUSH);
-	    if (err != Z_OK) {
-		handle_zerror(err, zstream.msg);
-		exit(ERRX);
-	    }
-	    if (zstream.avail_out <= 0) {
-		if ( PR_Write(zipfp, outbuf, BUFSIZ) < BUFSIZ) {
-		    char	*nsprErr;
-		    if (PR_GetErrorTextLength()) {
-			nsprErr = PR_Malloc(PR_GetErrorTextLength());
-			PR_GetErrorText(nsprErr);
-		    } else {
-			nsprErr = NULL;
-		    }
-		    PR_fprintf(errorFD, "Writing zip data: %s\n",
-					nsprErr ? nsprErr : "");
-		    if (nsprErr) 
-			PR_Free(nsprErr);
-		    errorCount++;
-		    exit(ERRX);
-		}
-		zstream.next_out = outbuf;
-		zstream.avail_out = BUFSIZ;
-	    }
-	}
-    }
-
-    /* Now flush everything */
-    while (1) {
-	err = deflate(&zstream, Z_FINISH);
-	if (err == Z_STREAM_END) {
-	    break;
-	} else if (err == Z_OK) {
-	    /* output buffer full, repeat */
-	} else {
-	    handle_zerror(err, zstream.msg);
-	    exit(ERRX);
-	}
-	if ( PR_Write(zipfp, outbuf, BUFSIZ) < BUFSIZ) {
-	    char	*nsprErr;
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing zip data: %s\n",
-				nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-	zstream.avail_out = BUFSIZ;
-	zstream.next_out = outbuf;
-    }
-
-    /* If there's any output left, write it out. */
-    if (zstream.next_out != outbuf) {
-	if ( PR_Write(zipfp, outbuf, zstream.next_out - outbuf) <
-	    zstream.next_out - outbuf) {
-	    char	*nsprErr;
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing zip data: %s\n",
-				nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-	zstream.avail_out = BUFSIZ;
-	zstream.next_out = outbuf;
-    }
-
-    /* Now that we know the compressed size, write this to the headers */
-    longtox(zstream.total_in, entry->local.orglen);
-    longtox(zstream.total_out, entry->local.size);
-    if (PR_Seek(zipfp, local_size_pos, PR_SEEK_SET) == -1) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Accessing zip file: %s\n", nsprErr ? nsprErr : "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-    if ( PR_Write(zipfp, entry->local.size, 8) != 8) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Writing zip data: %s\n", nsprErr ? nsprErr : "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-    if (PR_Seek(zipfp, 0L, PR_SEEK_END) == -1) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Accessing zip file: %s\n", 
-			    nsprErr ? nsprErr : "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-    longtox(zstream.total_in, entry->central.orglen);
-    longtox(zstream.total_out, entry->central.size);
-
-    /* Close out the deflation operation */
-    err = deflateEnd(&zstream);
-    if (err != Z_OK) {
-	handle_zerror(err, zstream.msg);
-	exit(ERRX);
-    }
-
-    PR_Close(readfp);
-
-    if ((zstream.total_in > zstream.total_out) && (zstream.total_in > 0)) {
-	deflate_percent = (int) 
-	    ((zstream.total_in - zstream.total_out) *100 / zstream.total_in);
-    } else {
-	deflate_percent = 0;
-    }
-    if (verbosity >= 0) {
-	PR_fprintf(outputFD, "(deflated %d%%)\n", deflate_percent);
-    }
-
-    return 0;
-}
-
-
-/********************************************************************
- * J z i p C l o s e
- *
- * Finishes the ZipFile. ALSO DELETES THE ZIPFILE STRUCTURE PASSED IN!!
- */
-int
-JzipClose(ZIPfile *zipfile)
-{
-    ZIPentry * pe, *dead;
-    PRFileDesc * zipfp;
-    struct ZipEnd zipend;
-    unsigned int	entrycount = 0;
-
-    if (!zipfile) {
-	return - 1;
-    }
-
-    if (!zipfile->filename) {
-	/* bogus */
-	return 0;
-    }
-
-    zipfp = zipfile->fp;
-    zipfile->central_start = PR_Seek(zipfp, 0L, PR_SEEK_CUR);
-
-    /* Write out all the central directories */
-    pe = zipfile->list;
-    while (pe) {
-	entrycount++;
-
-	/* Write central directory info */
-	if ( PR_Write(zipfp, &pe->central, sizeof(struct ZipCentral ))
-	     < sizeof(struct ZipCentral )) {
-	    char	*nsprErr;
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing zip data: %s\n",
-				nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-
-	/* Write filename */
-	if ( PR_Write(zipfp, pe->filename, strlen(pe->filename))
-	     < strlen(pe->filename)) {
-	    char	*nsprErr;
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing zip data: %s\n",
-				nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-
-	/* Write file comment */
-	if (pe->comment) {
-	    if ( PR_Write(zipfp, pe->comment, strlen(pe->comment))
-	         < strlen(pe->comment)) {
-		char	*nsprErr;
-		if (PR_GetErrorTextLength()) {
-		    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		    PR_GetErrorText(nsprErr);
-		} else {
-		    nsprErr = NULL;
-		}
-		PR_fprintf(errorFD, "Writing zip data: %s\n",
-					    nsprErr ? nsprErr : "");
-		if (nsprErr) 
-		    PR_Free(nsprErr);
-		errorCount++;
-		exit(ERRX);
-	    }
-	}
-
-	/* Delete the structure */
-	dead = pe;
-	pe = pe->next;
-	if (dead->filename) {
-	    PORT_Free(dead->filename);
-	}
-	if (dead->comment) {
-	    PORT_Free(dead->comment);
-	}
-	PORT_Free(dead);
-    }
-    zipfile->central_end = PR_Seek(zipfile->fp, 0L, PR_SEEK_CUR);
-
-    /* Create the ZipEnd structure */
-    PORT_Memset(&zipend, 0, sizeof(zipend));
-    longtox(ESIG, zipend.signature);
-    inttox(entrycount, zipend.total_entries_disk);
-    inttox(entrycount, zipend.total_entries_archive);
-    longtox(zipfile->central_end - zipfile->central_start,
-	    zipend.central_dir_size);
-    longtox(zipfile->central_start, zipend.offset_central_dir);
-    if (zipfile->comment) {
-	inttox(strlen(zipfile->comment), zipend.commentfield_len);
-    }
-
-    /* Write out ZipEnd xtructure */
-    if ( PR_Write(zipfp, &zipend, sizeof(zipend)) < sizeof(zipend)) {
-	char	*nsprErr;
-	if (PR_GetErrorTextLength()) {
-	    nsprErr = PR_Malloc(PR_GetErrorTextLength());
-	    PR_GetErrorText(nsprErr);
-	} else {
-	    nsprErr = NULL;
-	}
-	PR_fprintf(errorFD, "Writing zip data: %s\n", 
-			    nsprErr ? nsprErr : "");
-	if (nsprErr) 
-	    PR_Free(nsprErr);
-	errorCount++;
-	exit(ERRX);
-    }
-
-    /* Write out Zipfile comment */
-    if (zipfile->comment) {
-	if ( PR_Write(zipfp, zipfile->comment, strlen(zipfile->comment))
-	     < strlen(zipfile->comment)) {
-	    char	*nsprErr;
-	    if (PR_GetErrorTextLength()) {
-		nsprErr = PR_Malloc(PR_GetErrorTextLength());
-		PR_GetErrorText(nsprErr);
-	    } else {
-		nsprErr = NULL;
-	    }
-	    PR_fprintf(errorFD, "Writing zip data: %s\n",
-				nsprErr ? nsprErr : "");
-	    if (nsprErr) 
-		PR_Free(nsprErr);
-	    errorCount++;
-	    exit(ERRX);
-	}
-    }
-
-    PR_Close(zipfp);
-
-    /* Free the memory of the zipfile structure */
-    if (zipfile->filename) {
-	PORT_Free(zipfile->filename);
-    }
-    if (zipfile->comment) {
-	PORT_Free(zipfile->comment);
-    }
-    PORT_Free(zipfile);
-
-    return 0;
-}
-
-
-/**********************************************
- *  i n t t o x
- *
- *  Converts a two byte ugly endianed integer
- *  to our platform's integer.
- *
- */
-
-static void	inttox (int in, char *out)
-{
-    out [0] = (in & 0xFF);
-    out [1] = (in & 0xFF00) >> 8;
-}
-
-
-/*********************************************
- *  l o n g t o x
- *
- *  Converts a four byte ugly endianed integer
- *  to our platform's integer.
- *
- */
-
-static void	longtox (long in, char *out)
-{
-    out [0] = (in & 0xFF);
-    out [1] = (in & 0xFF00) >> 8;
-    out [2] = (in & 0xFF0000) >> 16;
-    out [3] = (in & 0xFF000000) >> 24;
-}
-
-
diff --git a/security/nss/cmd/signtool/zip.h b/security/nss/cmd/signtool/zip.h
deleted file mode 100644
index c1cd5df5b..000000000
--- a/security/nss/cmd/signtool/zip.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* zip.h
- * Structures and functions for creating ZIP archives.
- */
-#ifndef ZIP_H
-#define ZIP_H
-
-/* For general information on ZIP formats, you can look at jarfile.h
- * in ns/security/lib/jar.  Or look it up on the web...
- */
-
-/* One entry in a ZIPfile.  This corresponds to one file in the archive.
- * We have to save this information because first all the files go into
- * the archive with local headers; then at the end of the file we have to
- * put the central directory entries for each file.
- */
-typedef struct ZIPentry_s {
-	struct ZipLocal local;		/* local header info */
-	struct ZipCentral central;	/* central directory info */
-	char *filename;				/* name of file */
-	char *comment;				/* comment for this file -- optional */
-
-	struct ZIPentry_s *next;
-} ZIPentry;
-
-/* This structure contains the necessary data for putting a ZIP file
- * together.  Has some overall information and a list of ZIPentrys.
- */
-typedef struct ZIPfile_s {
-	char *filename;	/* ZIP file name */
-	char *comment;	/* ZIP file comment -- may be NULL */
-	PRFileDesc *fp;	/* ZIP file pointer */
-	ZIPentry *list;	/* one entry for each file in the archive */
-	unsigned int time;	/* the GMT time of creation, in DOS format */
-	unsigned int date;  /* the GMT date of creation, in DOS format */
-	unsigned long central_start; /* starting offset of central directory */
-	unsigned long central_end; /*index right after the last byte of central*/
-} ZIPfile;
-
-
-/* Open a new ZIP file.  Takes the name of the zip file and an optional
- * comment to be included in the file.  Returns a new ZIPfile structure
- * which is used by JzipAdd and JzipClose
- */
-ZIPfile* JzipOpen(char *filename, char *comment);
-
-/* Add a file to a ZIP archive.  Fullname is the path relative to the
- * current directory.  Filename is what the name will be stored as in the
- * archive, and thus what it will be restored as.  zipfile is a structure
- * returned from a previous call to JzipOpen.
- *
- * Non-zero return code means error (although usually the function will
- * call exit() rather than return an error--gotta fix this).
- */
-int JzipAdd(char *fullname, char *filename, ZIPfile *zipfile,
-	int compression_level);
-
-/* Finalize a ZIP archive.  Adds all the footer information to the end of
- * the file and closes it.  Also DELETES THE ZIPFILE STRUCTURE that was
- * passed in.  So you never have to allocate or free a ZIPfile yourself.
- *
- * Non-zero return code means error (although usually the function will
- * call exit() rather than return an error--gotta fix this).
- */
-int JzipClose (ZIPfile *zipfile);
-
-
-#endif /* ZIP_H */
diff --git a/security/nss/cmd/signver/Makefile b/security/nss/cmd/signver/Makefile
deleted file mode 100644
index cd06aaa4f..000000000
--- a/security/nss/cmd/signver/Makefile
+++ /dev/null
@@ -1,75 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
diff --git a/security/nss/cmd/signver/examples/1/form.pl b/security/nss/cmd/signver/examples/1/form.pl
deleted file mode 100755
index aedc0c46a..000000000
--- a/security/nss/cmd/signver/examples/1/form.pl
+++ /dev/null
@@ -1,54 +0,0 @@
-#! /usr/bin/perl
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-print "Content-type: text/html\n\n";
-print "<B>Server Name:</B> ", $ENV{'SERVER_NAME'}, "<BR>", "\n";
-print "<B>Server Port:</B> ", $ENV{'SERVER_PORT'}, "<BR>", "\n";
-print "<B>Server Software:</B> ", $ENV{'SERVER_SOFTWARE'}, "<BR>", "\n";
-print "<B>Server Protocol:</B> ", $ENV{'SERVER_PROTOCOL'}, "<BR>", "\n";
-print "<B>CGI Revision:</B> ", $ENV{'GATEWAY_INTERFACE'}, "<BR>", "\n";
-print "<B>Browser:</B> ", $ENV{'HTTP_USER_AGENT'}, "<BR>", "\n";
-print "<B>Remote Address:</B> ", $ENV{'REMOTE_ADDR'}, "<BR>", "\n";
-print "<B>Remote Host:</B> ", $ENV{'REMOTE_HOST'}, "<BR>", "\n";
-print "<B>Remote User:</B> ", $ENV{'REMOTE_USER'}, "<BR>", "\n";
-print "You typed:\n";
-
-while( $_ = <STDIN>) {
-  print "$_";
-}
-
diff --git a/security/nss/cmd/signver/examples/1/signedForm.html b/security/nss/cmd/signver/examples/1/signedForm.html
deleted file mode 100644
index 3463fac8f..000000000
--- a/security/nss/cmd/signver/examples/1/signedForm.html
+++ /dev/null
@@ -1,87 +0,0 @@
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<head>
-<title>Form to sign</title>
-<script language="javascript">
-<!--
-function submitSigned(form){
-  var signature = "";
-  var dataToSign = "";
-  var i;
-
-  form.action='signedForm.pl';
-  for (i = 0; i < form.length; i++)
-    if (form.elements[i].type == "text")
-      dataToSign += form.elements[i].value;
-
-  // alert("Data to sign:\n" + dataToSign);
-  signature = crypto.signText(dataToSign, "ask");
-  /* alert("You cannot see this alert");
-  alert("Data signature:\n" + signature); */
-
-  if (signature != "error:userCancel") {
-    for (i = 0; i < form.length; i++) {
-      if (form.elements[i].type == "hidden") {
-        if (form.elements[i].name == "dataToSign")
-          form.elements[i].value = dataToSign;
-        if (form.elements[i].name == "dataSignature")
-          form.elements[i].value = signature;
-      }
-    }
-    form.submit();
-  }
-}
-//-->
-</script>
-</head>
-
-<body>
-<form method=post Action="form.pl">
-<input type=hidden size=30 name=dataSignature>
-<input type=hidden size=30 name=dataToSign>
-<input type=text size=30 name=p>
-<BR>
-<input type=text size=30 name=q>
-<BR>
-<input type=text size=30 name=r>
-<BR>
-<input type=submit value="Submit Data">
-<input type=button value="Sign and Submit Data" onclick=submitSigned(this.form)>
-<input type=reset value=Reset>
-</form>
-</body>
-</html>
diff --git a/security/nss/cmd/signver/examples/1/signedForm.nt.html b/security/nss/cmd/signver/examples/1/signedForm.nt.html
deleted file mode 100644
index 86e4c7e01..000000000
--- a/security/nss/cmd/signver/examples/1/signedForm.nt.html
+++ /dev/null
@@ -1,87 +0,0 @@
-<html>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<head>
-<title>Form to sign</title>
-<script language="javascript">
-<!--
-function submitSigned(form){
-  var signature = "";
-  var dataToSign = "";
-  var i;
-
-  form.action='cgi-bin/signedForm.pl';
-  for (i = 0; i < form.length; i++)
-    if (form.elements[i].type == "text")
-      dataToSign += form.elements[i].value;
-
-  // alert("Data to sign:\n" + dataToSign);
-  signature = crypto.signText(dataToSign, "ask");
-  /* alert("You cannot see this alert");
-  alert("Data signature:\n" + signature); */
-
-  if (signature != "error:userCancel") {
-    for (i = 0; i < form.length; i++) {
-      if (form.elements[i].type == "hidden") {
-        if (form.elements[i].name == "dataToSign")
-          form.elements[i].value = dataToSign;
-        if (form.elements[i].name == "dataSignature")
-          form.elements[i].value = signature;
-      }
-    }
-    form.submit();
-  }
-}
-//-->
-</script>
-</head>
-
-<body>
-<form method=post Action="cgi-bin/form.pl">
-<input type=hidden size=30 name=dataSignature>
-<input type=hidden size=30 name=dataToSign>
-<input type=text size=30 name=p>
-<BR>
-<input type=text size=30 name=q>
-<BR>
-<input type=text size=30 name=r>
-<BR>
-<input type=submit value="Submit Data">
-<input type=button value="Sign and Submit Data" onclick=submitSigned(this.form)>
-<input type=reset value=Reset>
-</form>
-</body>
-</html>
diff --git a/security/nss/cmd/signver/examples/1/signedForm.pl b/security/nss/cmd/signver/examples/1/signedForm.pl
deleted file mode 100755
index c9b596061..000000000
--- a/security/nss/cmd/signver/examples/1/signedForm.pl
+++ /dev/null
@@ -1,92 +0,0 @@
-#! /usr/bin/perl
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-
-sub decode {
-    read (STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
-    @pairs = split(/&/, $buffer);
-    foreach $pair (@pairs)
-    {
-        ($name, $value) = split(/=/, $pair);
-        $value =~tr/+/ /;
-        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
-        $FORM{$name} = $value;
-#        print "name=$name  value=$value<BR>\n";
-    }
-}
-
-print "Content-type: text/html\n\n";
-
-&decode();
-
-$dataSignature = $FORM{'dataSignature'};
-$dataToSign = $FORM{'dataToSign'};
-
-unlink("signature");
-open(FILE1,">signature") || die("Cannot open file for writing\n");
-
-print FILE1 "$dataSignature";
-
-close(FILE1);
-
-
-unlink("data");
-open(FILE2,">data") || die("Cannot open file for writing\n");
-
-print FILE2 "$dataToSign";
-
-close(FILE2);
-
-
-print "<BR><B>Signed Data:</B><BR>", "$dataToSign", "<BR>";
- 
-print "<BR><b>Verification Info:</b><BR>";
- 
-$verInfo = `./signver -D . -s signature -d data -v`;
-print "<font color=red><b>$verInfo</b></font><BR>";
-
-print "<BR><B>Signature Data:</B><BR>", "$dataSignature", "<BR>";
-
-print "<BR><b>Signature Info:</b><BR>";
-
-foreach $line (`./signver -s signature -A`) {
-     print "$line<BR>\n";
-}
-
-print "<b>End of Info</b><BR>";
-
diff --git a/security/nss/cmd/signver/manifest.mn b/security/nss/cmd/signver/manifest.mn
deleted file mode 100644
index a063d2a3c..000000000
--- a/security/nss/cmd/signver/manifest.mn
+++ /dev/null
@@ -1,56 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-CSRCS = signver.c	\
-        pk7print.c	\
-	$(NULL)
-
-REQUIRES = dbm seccmd
-
-PROGRAM = signver
-
-PACKAGE_FILES = README.txt signedForm.html signedForm.pl form.pl
-ifeq ($(subst /,_,$(shell uname -s)),WINNT)
-PACKAGE_FILES += signedForm.nt.pl signver.exe
-else
-PACKAGE_FILES += signver
-endif
-
-ARCHIVE_NAME  = signver
diff --git a/security/nss/cmd/signver/pk7print.c b/security/nss/cmd/signver/pk7print.c
deleted file mode 100644
index 60e0d07ec..000000000
--- a/security/nss/cmd/signver/pk7print.c
+++ /dev/null
@@ -1,900 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** secutil.c - various functions used by security stuff
-**
-*/
- 
-/* pkcs #7 -related functions */
- 
- 
-#include "secutil.h"
-#include "secpkcs7.h"
-#include "secoid.h"
-#include <sys/stat.h>
-#include <stdarg.h>
- 
-#ifdef XP_UNIX
-#include <unistd.h>
-#endif
- 
-/* for SEC_TraverseNames */
-#include "cert.h"
-#include "prtypes.h"
-#include "prtime.h"
- 
-#include "prlong.h"
-#include "secmod.h"
-#include "pk11func.h"
-#include "prerror.h"
- 
-
-
-
-/*
-** PKCS7 Support
-*/
-
-/* forward declaration */
-int
-sv_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *);
-
-
-void
-sv_PrintAsHex(FILE *out, SECItem *data, char *m)
-{
-    unsigned i;
-
-    if (m) fprintf(out, m);
-    
-    for (i = 0; i < data->len; i++) {
-        if (i < data->len - 1) {
-            fprintf(out, "%02x:", data->data[i]);
-        } else {
-            fprintf(out, "%02x\n", data->data[i]);
-            break;
-        }
-    }
-}
-
-void
-sv_PrintInteger(FILE *out, SECItem *i, char *m)
-{
-    int iv;
-
-    if (i->len > 4) {
-        sv_PrintAsHex(out, i, m);
-    } else {
-        iv = DER_GetInteger(i);
-        fprintf(out, "%s%d (0x%x)\n", m, iv, iv);
-    }
-}
-
-
-int
-sv_PrintTime(FILE *out, SECItem *t, char *m)
-{
-    PRExplodedTime printableTime; 
-    int64 time;
-    char *timeString;
-    int rv;
-
-    rv = DER_DecodeTimeChoice(&time, t);
-    if (rv) return rv;
-
-    /* Convert to local time */
-    PR_ExplodeTime(time, PR_LocalTimeParameters, &printableTime);
-
-    timeString = (char *)PORT_Alloc(256);
-
-    if ( timeString ) {
-        if (PR_FormatTime( timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime )) {
-            fprintf(out, "%s%s\n", m, timeString);
-        }
-        PORT_Free(timeString);
-        return 0;
-    }
-    return SECFailure;
-}
-
-int
-sv_PrintValidity(FILE *out, CERTValidity *v, char *m)
-{
-    int rv;
-
-    fprintf(out, m);
-    rv = sv_PrintTime(out, &v->notBefore, "notBefore=");
-    if (rv) return rv;
-    fprintf(out, m);
-    sv_PrintTime(out, &v->notAfter, "notAfter=");
-    return rv;
-}
-
-void
-sv_PrintObjectID(FILE *out, SECItem *oid, char *m)
-{
-    const char *name;
-    SECOidData *oiddata;
-    
-    oiddata = SECOID_FindOID(oid);
-    if (oiddata == NULL) {
-        sv_PrintAsHex(out, oid, m);
-        return;
-    }
-    name = oiddata->desc;
-
-    if (m != NULL)
-        fprintf(out, "%s", m);
-    fprintf(out, "%s\n", name);
-}
-
-void
-sv_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m)
-{
-    sv_PrintObjectID(out, &a->algorithm, m);
-
-    if ((a->parameters.len != 2) ||
-        (PORT_Memcmp(a->parameters.data, "\005\000", 2) != 0)) {
-        /* Print args to algorithm */
-        sv_PrintAsHex(out, &a->parameters, "Args=");
-    }
-}
-
-void
-sv_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m)
-{
-    SECItem *value;
-    int i;
-    char om[100];
-
-    fprintf(out, m);
-
-    /*
-     * XXX Make this smarter; look at the type field and then decode
-     * and print the value(s) appropriately!
-     */
-    sv_PrintObjectID(out, &(attr->type), "type=");
-    if (attr->values != NULL) {
-        i = 0;
-        while ((value = attr->values[i]) != NULL) {
-            sprintf(om, "%svalue[%d]=%s", m, i++, attr->encoded ? "(encoded)" : ""); 
-            if (attr->encoded || attr->typeTag == NULL) {
-                sv_PrintAsHex(out, value, om);
-            } else {
-                switch (attr->typeTag->offset) {
-                    default:
-                        sv_PrintAsHex(out, value, om);
-                        break;
-                    case SEC_OID_PKCS9_CONTENT_TYPE:
-                        sv_PrintObjectID(out, value, om);
-                        break;
-                    case SEC_OID_PKCS9_SIGNING_TIME:
-                        sv_PrintTime(out, value, om);
-                        break;
-                }
-            }
-        }
-    }
-}
-
-void
-sv_PrintName(FILE *out, CERTName *name, char *msg)
-{
-    char *str;
-
-    str = CERT_NameToAscii(name);
-    fprintf(out, "%s%s\n", msg, str);
-    PORT_Free(str);
-}
-
-
-#if 0
-/*
-** secu_PrintPKCS7EncContent
-**   Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it)
-*/
-void
-secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, 
-			  char *m, int level)
-{
-    if (src->contentTypeTag == NULL)
-	src->contentTypeTag = SECOID_FindOID(&(src->contentType));
-
-    secu_Indent(out, level);
-    fprintf(out, "%s:\n", m);
-    secu_Indent(out, level + 1); 
-    fprintf(out, "Content Type: %s\n",
-	    (src->contentTypeTag != NULL) ? src->contentTypeTag->desc
-					  : "Unknown");
-    sv_PrintAlgorithmID(out, &(src->contentEncAlg),
-			  "Content Encryption Algorithm");
-    sv_PrintAsHex(out, &(src->encContent), 
-		    "Encrypted Content", level+1);
-}
-
-/*
-** secu_PrintRecipientInfo
-**   Prints a PKCS7RecipientInfo type
-*/
-void
-secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, 
-			int level)
-{
-    secu_Indent(out, level); fprintf(out, "%s:\n", m);
-    sv_PrintInteger(out, &(info->version), "Version");	
-
-    sv_PrintName(out, &(info->issuerAndSN->issuer), "Issuer");
-    sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
-		      "Serial Number");
-
-    /* Parse and display encrypted key */
-    sv_PrintAlgorithmID(out, &(info->keyEncAlg), 
-			"Key Encryption Algorithm");
-    sv_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1);
-}
-#endif
-
-/* 
-** secu_PrintSignerInfo
-**   Prints a PKCS7SingerInfo type
-*/
-void
-sv_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m)
-{
-    SEC_PKCS7Attribute *attr;
-    int iv;
-    
-    fprintf(out, m);
-    sv_PrintInteger(out, &(info->version), "version=");
-
-    fprintf(out, m);
-    sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName=");
-    fprintf(out, m);
-    sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
-                        "serialNumber=");
-  
-    fprintf(out, m);
-    sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm=");
-    
-    if (info->authAttr != NULL) {
-        char mm[120];
-
-        iv = 0;
-        while (info->authAttr[iv] != NULL) iv++;
-        fprintf(out, "%sauthenticatedAttributes=%d\n", m, iv);
-        iv = 0;
-        while ((attr = info->authAttr[iv]) != NULL) {
-            sprintf(mm, "%sattribute[%d].", m, iv++); 
-            sv_PrintAttribute(out, attr, mm);
-        }
-    }
-    
-    /* Parse and display signature */
-    fprintf(out, m);
-    sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm=");
-    fprintf(out, m);
-    sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest=");
-    
-    if (info->unAuthAttr != NULL) {
-        char mm[120];
-
-        iv = 0;
-        while (info->unAuthAttr[iv] != NULL) iv++;
-        fprintf(out, "%sunauthenticatedAttributes=%d\n", m, iv);
-        iv = 0;
-        while ((attr = info->unAuthAttr[iv]) != NULL) {
-            sprintf(mm, "%sattribute[%d].", m, iv++); 
-            sv_PrintAttribute(out, attr, mm);
-        }
-    }
-}
-
-void
-sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
-{
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus=");
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent=");
-}
-
-void
-sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
-{
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime=");
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime=");
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.dsa.params.base, "base=");
-    fprintf(out, m);
-    sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue=");
-}
-
-int
-sv_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena,
-                             CERTSubjectPublicKeyInfo *i,  char *msg)
-{
-    SECKEYPublicKey *pk;
-    int rv;
-    char mm[200];
-
-    sprintf(mm, "%s.publicKeyAlgorithm=", msg);
-    sv_PrintAlgorithmID(out, &i->algorithm, mm);
-
-    pk = (SECKEYPublicKey*) PORT_ZAlloc(sizeof(SECKEYPublicKey));
-    if (!pk) return PORT_GetError();
-
-    DER_ConvertBitString(&i->subjectPublicKey);
-    switch(SECOID_FindOIDTag(&i->algorithm.algorithm)) {
-        case SEC_OID_PKCS1_RSA_ENCRYPTION:
-            rv = SEC_ASN1DecodeItem(arena, pk,
-                                    SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate),
-                                    &i->subjectPublicKey);
-            if (rv) return rv;
-            sprintf(mm, "%s.rsaPublicKey.", msg);
-            sv_PrintRSAPublicKey(out, pk, mm);
-            break;
-        case SEC_OID_ANSIX9_DSA_SIGNATURE:
-            rv = SEC_ASN1DecodeItem(arena, pk,
-                                    SEC_ASN1_GET(SECKEY_DSAPublicKeyTemplate),
-                                    &i->subjectPublicKey);
-            if (rv) return rv;
-            sprintf(mm, "%s.dsaPublicKey.", msg);
-            sv_PrintDSAPublicKey(out, pk, mm);
-            break;
-        default:
-            fprintf(out, "%s=bad SPKI algorithm type\n", msg);
-            return 0;
-    }
-
-    return 0;
-}
-
-SECStatus
-sv_PrintInvalidDateExten  (FILE *out, SECItem *value, char *msg)
-{
-    SECItem decodedValue;
-    SECStatus rv;
-    int64 invalidTime;
-    char *formattedTime = NULL;
-
-    decodedValue.data = NULL;
-    rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
-                             SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
-                             value);
-    if (rv == SECSuccess) {
-        rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
-        if (rv == SECSuccess) {
-            formattedTime = CERT_GenTime2FormattedAscii(invalidTime, "%a %b %d %H:%M:%S %Y");
-            fprintf (out, "%s: %s\n", msg, formattedTime);
-            PORT_Free (formattedTime);
-        }
-    }
-    PORT_Free (decodedValue.data);
-
-    return (rv);
-}
-
-int
-sv_PrintExtensions(FILE *out, CERTCertExtension **extensions, char *msg)
-{
-    SECOidTag oidTag;
-
-    if (extensions) {
-
-        while ( *extensions ) {
-            SECItem *tmpitem;
-
-            fprintf(out, "%sname=", msg);
-
-            tmpitem = &(*extensions)->id;
-            sv_PrintObjectID(out, tmpitem, NULL);
-
-            tmpitem = &(*extensions)->critical;
-            if ( tmpitem->len )
-                fprintf(out, "%scritical=%s\n", msg,
-                        (tmpitem->data && tmpitem->data[0])? "True": "False");
-
-            oidTag = SECOID_FindOIDTag (&((*extensions)->id));
-
-            fprintf(out, msg);
-            tmpitem = &((*extensions)->value);
-            if (oidTag == SEC_OID_X509_INVALID_DATE) 
-                sv_PrintInvalidDateExten (out, tmpitem,"invalidExt");
-            else			    
-                sv_PrintAsHex(out,tmpitem, "data=");
-
-            /*fprintf(out, "\n");*/
-            extensions++;
-        }
-    }
-
-    return 0;
-}
-
-/* callers of this function must make sure that the CERTSignedCrl
-   from which they are extracting the CERTCrl has been fully-decoded.
-   Otherwise it will not have the entries even though the CRL may have
-   some */
-void
-sv_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m)
-{
-    CERTCrlEntry *entry;
-    int iv;
-    char om[100];
-    
-    fprintf(out, m);
-    sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm=");
-    fprintf(out, m);
-    sv_PrintName(out, &(crl->name), "name=");
-    fprintf(out, m);
-    sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate=");
-    fprintf(out, m);
-    sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate=");
-    
-    if (crl->entries != NULL) {
-        iv = 0;
-        while ((entry = crl->entries[iv]) != NULL) {
-            fprintf(out, "%sentry[%d].", m, iv); 
-            sv_PrintInteger(out, &(entry->serialNumber), "serialNumber=");
-            fprintf(out, "%sentry[%d].", m, iv); 
-            sv_PrintTime(out, &(entry->revocationDate), "revocationDate=");
-            sprintf(om, "%sentry[%d].signedCRLEntriesExtensions.", m, iv++); 
-            sv_PrintExtensions(out, entry->extensions, om);
-        }
-    }
-    sprintf(om, "%ssignedCRLEntriesExtensions.", m); 
-    sv_PrintExtensions(out, crl->extensions, om);
-}
-
-
-int
-sv_PrintCertificate(FILE *out, SECItem *der, char *m, int level)
-{
-    PRArenaPool *arena = NULL;
-    CERTCertificate *c;
-    int rv;
-    int iv;
-    char mm[200];
-    
-    /* Decode certificate */
-    c = (CERTCertificate*) PORT_ZAlloc(sizeof(CERTCertificate));
-    if (!c) return PORT_GetError();
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) return SEC_ERROR_NO_MEMORY;
-
-    rv = SEC_ASN1DecodeItem(arena, c, SEC_ASN1_GET(CERT_CertificateTemplate),
-                            der);
-    if (rv) {
-        PORT_FreeArena(arena, PR_FALSE);
-        return rv;
-    }
-
-    /* Pretty print it out */
-    iv = DER_GetInteger(&c->version);
-    fprintf(out, "%sversion=%d (0x%x)\n", m, iv + 1, iv);
-    sprintf(mm, "%sserialNumber=", m);
-    sv_PrintInteger(out, &c->serialNumber, mm);
-    sprintf(mm, "%ssignatureAlgorithm=", m);
-    sv_PrintAlgorithmID(out, &c->signature, mm);
-    sprintf(mm, "%sissuerName=", m);
-    sv_PrintName(out, &c->issuer, mm);
-    sprintf(mm, "%svalidity.", m);
-    sv_PrintValidity(out, &c->validity, mm);
-    sprintf(mm, "%ssubject=", m);
-    sv_PrintName(out, &c->subject, mm);
-    sprintf(mm, "%ssubjectPublicKeyInfo", m);
-    rv = sv_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, mm);
-    if (rv) {
-        PORT_FreeArena(arena, PR_FALSE);
-        return rv;
-    }
-    sprintf(mm, "%ssignedExtensions.", m);
-    sv_PrintExtensions(out, c->extensions, mm);
-    
-    PORT_FreeArena(arena, PR_FALSE);
-    return 0;
-}
-
-int
-sv_PrintSignedData(FILE *out, SECItem *der, char *m, SECU_PPFunc inner)
-{
-    PRArenaPool *arena = NULL;
-    CERTSignedData *sd;
-    int rv;
-
-    /* Strip off the signature */
-    sd = (CERTSignedData*) PORT_ZAlloc(sizeof(CERTSignedData));
-    if (!sd) return PORT_GetError();
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) return SEC_ERROR_NO_MEMORY;
-
-    rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
-                            der);
-    if (rv) {
-        PORT_FreeArena(arena, PR_FALSE);
-        return rv;
-    }
-
-/*    fprintf(out, "%s:\n", m); */
-    PORT_Strcat(m, "data.");
-
-    rv = (*inner)(out, &sd->data, m, 0);
-    if (rv) {
-        PORT_FreeArena(arena, PR_FALSE);
-        return rv;
-    }
-
-    m[PORT_Strlen(m) - 5] = 0;
-    fprintf(out, m);
-    sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
-    DER_ConvertBitString(&sd->signature);
-    fprintf(out, m);
-    sv_PrintAsHex(out, &sd->signature, "signature=");
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return 0;
-
-}
-
-
-/*
-** secu_PrintPKCS7Signed
-**   Pretty print a PKCS7 signed data type (up to version 1).
-*/
-int
-sv_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src)
-{
-    SECAlgorithmID *digAlg;		/* digest algorithms */
-    SECItem *aCert;			/* certificate */
-    CERTSignedCrl *aCrl;		/* certificate revocation list */
-    SEC_PKCS7SignerInfo *sigInfo;	/* signer information */
-    int rv, iv;
-    char om[120];
-
-    sv_PrintInteger(out, &(src->version), "pkcs7.version=");
-
-    /* Parse and list digest algorithms (if any) */
-    if (src->digestAlgorithms != NULL) {
-        iv = 0;
-        while (src->digestAlgorithms[iv] != NULL)
-            iv++;
-        fprintf(out, "pkcs7.digestAlgorithmListLength=%d\n", iv);
-        iv = 0;
-        while ((digAlg = src->digestAlgorithms[iv]) != NULL) {
-            sprintf(om, "pkcs7.digestAlgorithm[%d]=", iv++);
-            sv_PrintAlgorithmID(out, digAlg, om);
-        }
-    }
-
-    /* Now for the content */
-    rv = sv_PrintPKCS7ContentInfo(out, &(src->contentInfo), 
-				                    "pkcs7.contentInformation=");
-    if (rv != 0) return rv;
-
-    /* Parse and list certificates (if any) */
-    if (src->rawCerts != NULL) {
-        iv = 0;
-        while (src->rawCerts[iv] != NULL)
-            iv++;
-        fprintf(out, "pkcs7.certificateListLength=%d\n", iv);
-
-        iv = 0;
-        while ((aCert = src->rawCerts[iv]) != NULL) {
-            sprintf(om, "certificate[%d].", iv++);
-            rv = sv_PrintSignedData(out, aCert, om, sv_PrintCertificate);
-            if (rv) return rv;
-        }
-    }
-
-    /* Parse and list CRL's (if any) */
-    if (src->crls != NULL) {
-        iv = 0;
-        while (src->crls[iv] != NULL) iv++;
-        fprintf(out, "pkcs7.signedRevocationLists=%d\n", iv);
-        iv = 0;
-        while ((aCrl = src->crls[iv]) != NULL) {
-            sprintf(om, "signedRevocationList[%d].", iv);
-            fprintf(out, om);
-            sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
-                                "signatureAlgorithm=");
-            DER_ConvertBitString(&aCrl->signatureWrap.signature);
-            fprintf(out, om);
-            sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature=");
-            sprintf(om, "certificateRevocationList[%d].", iv);
-            sv_PrintCRLInfo(out, &aCrl->crl, om);
-            iv++;
-        }
-    }
-
-    /* Parse and list signatures (if any) */
-    if (src->signerInfos != NULL) {
-        iv = 0;
-        while (src->signerInfos[iv] != NULL)
-            iv++;
-        fprintf(out, "pkcs7.signerInformationListLength=%d\n", iv);
-        iv = 0;
-        while ((sigInfo = src->signerInfos[iv]) != NULL) {
-            sprintf(om, "signerInformation[%d].", iv++);
-            sv_PrintSignerInfo(out, sigInfo, om);
-        }
-    }  
-
-    return 0;
-}
-
-#if 0
-/*
-** secu_PrintPKCS7Enveloped
-**  Pretty print a PKCS7 enveloped data type (up to version 1).
-*/
-void
-secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src,
-			 char *m, int level)
-{
-    SEC_PKCS7RecipientInfo *recInfo;   /* pointer for signer information */
-    int iv;
-    char om[100];
-
-    secu_Indent(out, level); fprintf(out, "%s:\n", m);
-    sv_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    /* Parse and list recipients (this is not optional) */
-    if (src->recipientInfos != NULL) {
-	secu_Indent(out, level + 1);
-	fprintf(out, "Recipient Information List:\n");
-	iv = 0;
-	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-	    sprintf(om, "Recipient Information (%x)", iv);
-	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-	}
-    }  
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-}
-
-/*
-** secu_PrintPKCS7SignedEnveloped
-**   Pretty print a PKCS7 singed and enveloped data type (up to version 1).
-*/
-int
-secu_PrintPKCS7SignedAndEnveloped(FILE *out,
-				  SEC_PKCS7SignedAndEnvelopedData *src,
-				  char *m, int level)
-{
-    SECAlgorithmID *digAlg;  /* pointer for digest algorithms */
-    SECItem *aCert;           /* pointer for certificate */
-    CERTSignedCrl *aCrl;        /* pointer for certificate revocation list */
-    SEC_PKCS7SignerInfo *sigInfo;   /* pointer for signer information */
-    SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */
-    int rv, iv;
-    char om[100];
-
-    secu_Indent(out, level); fprintf(out, "%s:\n", m);
-    sv_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    /* Parse and list recipients (this is not optional) */
-    if (src->recipientInfos != NULL) {
-	secu_Indent(out, level + 1);
-	fprintf(out, "Recipient Information List:\n");
-	iv = 0;
-	while ((recInfo = src->recipientInfos[iv++]) != NULL) {
-	    sprintf(om, "Recipient Information (%x)", iv);
-	    secu_PrintRecipientInfo(out, recInfo, om, level + 2);
-	}
-    }  
-
-    /* Parse and list digest algorithms (if any) */
-    if (src->digestAlgorithms != NULL) {
-	secu_Indent(out, level + 1);  fprintf(out, "Digest Algorithm List:\n");
-	iv = 0;
-	while ((digAlg = src->digestAlgorithms[iv++]) != NULL) {
-	    sprintf(om, "Digest Algorithm (%x)", iv);
-	    sv_PrintAlgorithmID(out, digAlg, om);
-	}
-    }
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-
-    /* Parse and list certificates (if any) */
-    if (src->rawCerts != NULL) {
-	secu_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
-	iv = 0;
-	while ((aCert = src->rawCerts[iv++]) != NULL) {
-	    sprintf(om, "Certificate (%x)", iv);
-	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
-				      SECU_PrintCertificate);
-	    if (rv)
-		return rv;
-	}
-    }
-
-    /* Parse and list CRL's (if any) */
-    if (src->crls != NULL) {
-	secu_Indent(out, level + 1);  
-	fprintf(out, "Signed Revocation Lists:\n");
-	iv = 0;
-	while ((aCrl = src->crls[iv++]) != NULL) {
-	    sprintf(om, "Signed Revocation List (%x)", iv);
-	    secu_Indent(out, level + 2);  fprintf(out, "%s:\n", om);
-	    sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
-				  "Signature Algorithm");
-	    DER_ConvertBitString(&aCrl->signatureWrap.signature);
-	    sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature",
-			    level+3);
-	    SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", 
-			  level + 3); 
-	}
-    }
-
-    /* Parse and list signatures (if any) */
-    if (src->signerInfos != NULL) {
-	secu_Indent(out, level + 1);
-	fprintf(out, "Signer Information List:\n");
-	iv = 0;
-	while ((sigInfo = src->signerInfos[iv++]) != NULL) {
-	    sprintf(om, "Signer Information (%x)", iv);
-	    secu_PrintSignerInfo(out, sigInfo, om, level + 2);
-	}
-    }  
-
-    return 0;
-}
-
-/*
-** secu_PrintPKCS7Encrypted
-**   Pretty print a PKCS7 encrypted data type (up to version 1).
-*/
-void
-secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src,
-			 char *m, int level)
-{
-    secu_Indent(out, level); fprintf(out, "%s:\n", m);
-    sv_PrintInteger(out, &(src->version), "Version", level + 1);
-
-    secu_PrintPKCS7EncContent(out, &src->encContentInfo, 
-			      "Encrypted Content Information", level + 1);
-}
-
-/*
-** secu_PrintPKCS7Digested
-**   Pretty print a PKCS7 digested data type (up to version 1).
-*/
-void
-sv_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src)
-{
-    secu_Indent(out, level); fprintf(out, "%s:\n", m);
-    sv_PrintInteger(out, &(src->version), "Version", level + 1);
-    
-    sv_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm");
-    sv_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information",
-			       level + 1);
-    sv_PrintAsHex(out, &src->digest, "Digest", level + 1);  
-}
-
-#endif
-
-/*
-** secu_PrintPKCS7ContentInfo
-**   Takes a SEC_PKCS7ContentInfo type and sends the contents to the 
-** appropriate function
-*/
-int
-sv_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, char *m)
-{
-    const char *desc;
-    SECOidTag kind;
-    int rv;
-
-    if (src->contentTypeTag == NULL)
-        src->contentTypeTag = SECOID_FindOID(&(src->contentType));
-
-    if (src->contentTypeTag == NULL) {
-        desc = "Unknown";
-        kind = SEC_OID_PKCS7_DATA;
-    } else {
-        desc = src->contentTypeTag->desc;
-        kind = src->contentTypeTag->offset;
-    }
-
-    fprintf(out, "%s%s\n", m, desc);
-
-    if (src->content.data == NULL) {
-        fprintf(out, "pkcs7.data=<no content>\n");
-        return 0;
-    }
-
-    rv = 0;
-    switch (kind) {
-        case SEC_OID_PKCS7_SIGNED_DATA:  /* Signed Data */
-            rv = sv_PrintPKCS7Signed(out, src->content.signedData);
-            break;
-
-        case SEC_OID_PKCS7_ENVELOPED_DATA:  /* Enveloped Data */
-            fprintf(out, "pkcs7EnvelopedData=<unsupported>\n");
-            /*sv_PrintPKCS7Enveloped(out, src->content.envelopedData);*/
-            break;
-
-        case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:  /* Signed and Enveloped */
-            fprintf(out, "pkcs7SignedEnvelopedData=<unsupported>\n");
-            /*rv = sv_PrintPKCS7SignedAndEnveloped(out,
-                                src->content.signedAndEnvelopedData);*/
-            break;
-
-        case SEC_OID_PKCS7_DIGESTED_DATA:  /* Digested Data */
-            fprintf(out, "pkcs7DigestedData=<unsupported>\n");
-            /*sv_PrintPKCS7Digested(out, src->content.digestedData);*/
-            break;
-
-        case SEC_OID_PKCS7_ENCRYPTED_DATA:  /* Encrypted Data */
-            fprintf(out, "pkcs7EncryptedData=<unsupported>\n");
-            /*sv_PrintPKCS7Encrypted(out, src->content.encryptedData);*/
-            break;
-
-        default:
-            fprintf(out, "pkcs7UnknownData=<unsupported>\n");
-            /*sv_PrintAsHex(out, src->content.data);*/
-            break;
-    }
-
-    return rv;
-}
-
-
-int
-SV_PrintPKCS7ContentInfo(FILE *out, SECItem *der)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    int rv = -1;
-
-    cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
-
-    if (cinfo != NULL) {
-        rv = sv_PrintPKCS7ContentInfo(out, cinfo, "pkcs7.contentInfo=");
-        SEC_PKCS7DestroyContentInfo(cinfo);
-    }
-
-    return rv;
-}
-/*
-** End of PKCS7 functions
-*/
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c
deleted file mode 100644
index cff5272f0..000000000
--- a/security/nss/cmd/signver/signver.c
+++ /dev/null
@@ -1,347 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secutil.h"
-#include "secmod.h"
-#include "cert.h"
-#include "secoid.h"
-#include "nss.h"
-
-/* NSPR 2.0 header files */
-#include "prinit.h"
-#include "prprf.h"
-#include "prsystem.h"
-#include "prmem.h"
-/* Portable layer header files */
-#include "plstr.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-
-static PRBool debugInfo;
-static PRBool verbose;
-static PRBool doVerify;
-static PRBool displayAll;
-
-static const char * const usageInfo[] = {
-    "signver - verify a detached PKCS7 signature - Version " NSS_VERSION,
-    "Commands:",
-    " -A		    display all information from pkcs #7",
-    " -V		    verify the signed object and display result",
-    "Options:",
-    " -a		    signature file is ASCII",
-    " -d certdir	    directory containing cert database",
-    " -i dataFileName	    input file containing signed data (default stdin)",
-    " -o outputFileName     output file name, default stdout",
-    " -s signatureFileName  input file for signature (default stdin)",
-    " -v		    display verbose reason for failure"
-};
-static int nUsageInfo = sizeof(usageInfo)/sizeof(char *);
-
-extern int SV_PrintPKCS7ContentInfo(FILE *, SECItem *);
-
-static void Usage(char *progName, FILE *outFile)
-{
-    int i;
-    fprintf(outFile, "Usage:  %s [ commands ] options\n", progName);
-    for (i = 0; i < nUsageInfo; i++)
-	fprintf(outFile, "%s\n", usageInfo[i]);
-    exit(-1);
-}
-
-static HASH_HashType
-AlgorithmToHashType(SECAlgorithmID *digestAlgorithms)
-{
-    SECOidTag	  tag  = SECOID_GetAlgorithmTag(digestAlgorithms);
-    HASH_HashType hash = HASH_GetHashTypeByOidTag(tag);
-    return hash;
-}
-
-
-static SECStatus
-DigestContent (SECItem * digest, SECItem * content, HASH_HashType hashType)
-{
-    unsigned int maxLen = digest->len;
-    unsigned int len	= HASH_ResultLen(hashType);
-    SECStatus	 rv;
-
-    if (len > maxLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-
-    rv = HASH_HashBuf(hashType, digest->data, content->data, content->len);
-    if (rv == SECSuccess)
-	digest->len = len;
-    return rv;
-}
-
-enum {
-    cmd_DisplayAllPCKS7Info = 0,
-    cmd_VerifySignedObj
-};
-
-enum {
-    opt_ASCII,
-    opt_CertDir,
-    opt_InputDataFile,
-    opt_ItemNumber,
-    opt_OutputFile,
-    opt_InputSigFile,
-    opt_PrintWhyFailure,
-    opt_DebugInfo
-};
-
-static secuCommandFlag signver_commands[] =
-{
-    { /* cmd_DisplayAllPCKS7Info*/  'A', PR_FALSE, 0, PR_FALSE },
-    { /* cmd_VerifySignedObj	*/  'V', PR_FALSE, 0, PR_FALSE }
-};
-
-static secuCommandFlag signver_options[] =
-{
-    { /* opt_ASCII		*/  'a', PR_FALSE, 0, PR_FALSE },
-    { /* opt_CertDir		*/  'd', PR_TRUE,  0, PR_FALSE },
-    { /* opt_InputDataFile	*/  'i', PR_TRUE,  0, PR_FALSE },
-    { /* opt_OutputFile 	*/  'o', PR_TRUE,  0, PR_FALSE },
-    { /* opt_InputSigFile	*/  's', PR_TRUE,  0, PR_FALSE },
-    { /* opt_PrintWhyFailure	*/  'v', PR_FALSE, 0, PR_FALSE },
-    { /* opt_DebugInfo		*/    0, PR_FALSE, 0, PR_FALSE, "debug" }
-};
-
-int main(int argc, char **argv)
-{
-    PRFileDesc *contentFile = NULL;
-    PRFileDesc *signFile = PR_STDIN;
-    FILE *	outFile  = stdout;
-    char *	progName;
-    SECStatus	rv;
-    int 	result	 = 1;
-    SECItem	pkcs7der, content;
-    secuCommand signver;
-
-    pkcs7der.data  = NULL;
-    content.data = NULL;
-
-    signver.numCommands = sizeof(signver_commands) /sizeof(secuCommandFlag);
-    signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
-    signver.commands = signver_commands;
-    signver.options = signver_options;
-
-#ifdef XP_PC
-    progName = strrchr(argv[0], '\\');
-#else
-    progName = strrchr(argv[0], '/');
-#endif
-    progName = progName ? progName+1 : argv[0];
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
-    if (SECSuccess != rv) {
-	Usage(progName, outFile);
-    }
-    debugInfo = signver.options[opt_DebugInfo	    ].activated;
-    verbose   = signver.options[opt_PrintWhyFailure ].activated;
-    doVerify  = signver.commands[cmd_VerifySignedObj].activated;
-    displayAll= signver.commands[cmd_DisplayAllPCKS7Info].activated;
-    if (!doVerify && !displayAll)
-	doVerify = PR_TRUE;
-
-    /*	Set the certdb directory (default is ~/.netscape) */
-    rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
-    if (rv != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	return result;
-    }
-    /* below here, goto cleanup */
-    SECU_RegisterDynamicOids();
-
-    /*	Open the input content file. */
-    if (signver.options[opt_InputDataFile].activated &&
-	signver.options[opt_InputDataFile].arg) {
-	if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
-	    contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
-			       PR_RDONLY, 0);
-	    if (!contentFile) {
-		PR_fprintf(PR_STDERR,
-			   "%s: unable to open \"%s\" for reading.\n",
-			   progName, signver.options[opt_InputDataFile].arg);
-		goto cleanup;
-	    }
-	} else
-	    contentFile = PR_STDIN;
-    }
-
-    /*	Open the input signature file.	*/
-    if (signver.options[opt_InputSigFile].activated &&
-	signver.options[opt_InputSigFile].arg) {
-	if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
-	    signFile = PR_Open(signver.options[opt_InputSigFile].arg,
-			       PR_RDONLY, 0);
-	    if (!signFile) {
-		PR_fprintf(PR_STDERR,
-			   "%s: unable to open \"%s\" for reading.\n",
-			   progName, signver.options[opt_InputSigFile].arg);
-		goto cleanup;
-	    }
-	}
-    }
-
-    if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
-	PR_fprintf(PR_STDERR,
-	    "%s: cannot read both content and signature from standard input\n",
-		   progName);
-	goto cleanup;
-    }
-
-    /*	Open|Create the output file.  */
-    if (signver.options[opt_OutputFile].activated) {
-	outFile = fopen(signver.options[opt_OutputFile].arg, "w");
-	if (!outFile) {
-	    PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
-		       progName, signver.options[opt_OutputFile].arg);
-	    goto cleanup;
-	}
-    }
-
-    /* read in the input files' contents */
-    rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
-			      signver.options[opt_ASCII].activated);
-    if (signFile != PR_STDIN)
-	PR_Close(signFile);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "problem reading PKCS7 input");
-	goto cleanup;
-    }
-    if (contentFile) {
-	rv = SECU_FileToItem(&content, contentFile);
-	if (contentFile != PR_STDIN)
-	    PR_Close(contentFile);
-	if (rv != SECSuccess)
-	    content.data = NULL;
-    }
-
-    /* Signature Verification */
-    if (doVerify) {
-	SEC_PKCS7ContentInfo *cinfo;
-	SEC_PKCS7SignedData *signedData;
-	HASH_HashType digestType;
-	PRBool contentIsSigned;
-
-	cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
-				    NULL, NULL, NULL);
-	if (cinfo == NULL) {
-	    PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
-	    goto cleanup;
-	}
-	/* below here, goto done */
-
-	contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
-	if (debugInfo) {
-	    PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
-		       SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
-	}
-	if (debugInfo || !contentIsSigned) {
-	    PR_fprintf(PR_STDERR, "Content is%s signed.\n",
-		       contentIsSigned ? "" : " not");
-	}
-
-	if (!contentIsSigned)
-	    goto done;
-
-	signedData = cinfo->content.signedData;
-
-	/* assume that there is only one digest algorithm for now */
-	digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
-	if (digestType == HASH_AlgNULL) {
-	    PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
-	    goto done;
-	}
-	if (content.data) {
-	    SECCertUsage   usage = certUsageEmailSigner;
-	    SECItem	   digest;
-	    unsigned char  digestBuffer[HASH_LENGTH_MAX];
-
-	    if (debugInfo)
-		PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
-
-	    digest.data = digestBuffer;
-	    digest.len	= sizeof digestBuffer;
-
-	    if (DigestContent(&digest, &content, digestType)) {
-		SECU_PrintError(progName, "Message digest computation failure");
-		goto done;
-	    }
-
-	    if (debugInfo) {
-		unsigned int i;
-		PR_fprintf(PR_STDERR, "Data Digest=:");
-		for (i = 0; i < digest.len; i++)
-		    PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
-		PR_fprintf(PR_STDERR, "\n");
-	    }
-
-	    fprintf(outFile, "signatureValid=");
-	    PORT_SetError(0);
-	    if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
-				   &digest, digestType, PR_FALSE)) {
-		fprintf(outFile, "yes");
-	    } else {
-		fprintf(outFile, "no");
-		if (verbose) {
-		    fprintf(outFile, ":%s",
-			    SECU_ErrorString((int16)PORT_GetError()));
-		}
-	    }
-	    fprintf(outFile, "\n");
-	    result = 0;
-	}
-done:
-	SEC_PKCS7DestroyContentInfo(cinfo);
-    }
-
-    if (displayAll) {
-	if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der))
-	    result = 1;
-    }
-
-cleanup:
-    SECITEM_FreeItem(&pkcs7der, PR_FALSE);
-    SECITEM_FreeItem(&content, PR_FALSE);
-
-    if (NSS_Shutdown() != SECSuccess) {
-	result = 1;
-    }
-
-    return result;
-}
diff --git a/security/nss/cmd/smimetools/Makefile b/security/nss/cmd/smimetools/Makefile
deleted file mode 100644
index 2d4665b18..000000000
--- a/security/nss/cmd/smimetools/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-ifdef NISCC_TEST
-DEFINES += -DNISCC_TEST
-endif
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include rules.mk
-
-include ../platrules.mk
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
deleted file mode 100644
index 19218456d..000000000
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ /dev/null
@@ -1,1651 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * cmsutil -- A command to work with CMS data
- *
- * $Id$
- */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "secoid.h"
-#include "cms.h"
-#include "nss.h"
-#include "smime.h"
-#include "pk11func.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#if defined(_WIN32)
-#include "fcntl.h"
-#include "io.h"
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-char *progName = NULL;
-static int cms_verbose = 0;
-static secuPWData pwdata = { PW_NONE, 0 };
-static PK11PasswordFunc pwcb = NULL;
-static void *pwcb_arg = NULL;
-
-
-/* XXX stolen from cmsarray.c
- * nss_CMSArray_Count - count number of elements in array
- */
-int
-nss_CMSArray_Count(void **array)
-{
-    int n = 0;
-    if (array == NULL)
-	return 0;
-    while (*array++ != NULL)
-	n++;
-    return n;
-}
-
-static SECStatus
-DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
-           SECAlgorithmID **algids)
-{
-    NSSCMSDigestContext *digcx;
-    SECStatus rv;
-
-    digcx = NSS_CMSDigestContext_StartMultiple(algids);
-    if (digcx == NULL)
-	return SECFailure;
-
-    NSS_CMSDigestContext_Update(digcx, input->data, input->len);
-
-    rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
-    return rv;
-}
-
-
-static void
-Usage(char *progName)
-{
-    fprintf(stderr, 
-"Usage:  %s [-C|-D|-E|-O|-S] [<options>] [-d dbdir] [-u certusage]\n"
-" -C            create a CMS encrypted data message\n"
-" -D            decode a CMS message\n"
-"  -b           decode a batch of files named in infile\n"
-"  -c content   use this detached content\n"
-"  -n           suppress output of content\n"
-"  -h num       display num levels of CMS message info as email headers\n"
-"  -k           keep decoded encryption certs in perm cert db\n"
-" -E            create a CMS enveloped data message\n"
-"  -r id,...    create envelope for these recipients,\n"
-"               where id can be a certificate nickname or email address\n"
-" -S            create a CMS signed data message\n"
-"  -G           include a signing time attribute\n"
-"  -H hash      use hash (default:SHA1)\n"
-"  -N nick      use certificate named \"nick\" for signing\n"
-"  -P           include a SMIMECapabilities attribute\n"
-"  -T           do not include content in CMS message\n"
-"  -Y nick      include a EncryptionKeyPreference attribute with cert\n"
-"                 (use \"NONE\" to omit)\n"
-" -O            create a CMS signed message containing only certificates\n"
-" General Options:\n"
-" -d dbdir      key/cert database directory (default: ~/.netscape)\n"
-" -e envelope   enveloped data message in this file is used for bulk key\n"
-" -i infile     use infile as source of data (default: stdin)\n"
-" -o outfile    use outfile as destination of data (default: stdout)\n"
-" -p password   use password as key db password (default: prompt)\n"
-" -f pwfile     use password file to set password on all PKCS#11 tokens)\n"
-" -u certusage  set type of certificate usage (default: certUsageEmailSigner)\n"
-" -v            print debugging information\n"
-"\n"
-"Cert usage codes:\n",
-	    progName);
-    fprintf(stderr, "%-25s  0 - certUsageSSLClient\n", " ");
-    fprintf(stderr, "%-25s  1 - certUsageSSLServer\n", " ");
-    fprintf(stderr, "%-25s  2 - certUsageSSLServerWithStepUp\n", " ");
-    fprintf(stderr, "%-25s  3 - certUsageSSLCA\n", " ");
-    fprintf(stderr, "%-25s  4 - certUsageEmailSigner\n", " ");
-    fprintf(stderr, "%-25s  5 - certUsageEmailRecipient\n", " ");
-    fprintf(stderr, "%-25s  6 - certUsageObjectSigner\n", " ");
-    fprintf(stderr, "%-25s  7 - certUsageUserCertImport\n", " ");
-    fprintf(stderr, "%-25s  8 - certUsageVerifyCA\n", " ");
-    fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
-    fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
-    fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
-
-    exit(-1);
-}
-
-struct optionsStr {
-    char *pwfile;
-    char *password;
-    SECCertUsage certUsage;
-    CERTCertDBHandle *certHandle;
-};
-
-struct decodeOptionsStr {
-    struct optionsStr *options;
-    SECItem            content;
-    int headerLevel;
-    PRBool suppressContent;
-    NSSCMSGetDecryptKeyCallback dkcb;
-    PK11SymKey *bulkkey;
-    PRBool      keepCerts;
-};
-
-struct signOptionsStr {
-    struct optionsStr *options;
-    char *nickname;
-    char *encryptionKeyPreferenceNick;
-    PRBool signingTime;
-    PRBool smimeProfile;
-    PRBool detached;
-    SECOidTag hashAlgTag;
-};
-
-struct envelopeOptionsStr {
-    struct optionsStr *options;
-    char **recipients;
-};
-
-struct certsonlyOptionsStr {
-    struct optionsStr *options;
-    char **recipients;
-};
-
-struct encryptOptionsStr {
-    struct optionsStr *options;
-    char **recipients;
-    NSSCMSMessage *envmsg;
-    SECItem *input;
-    FILE *outfile;
-    PRFileDesc *envFile;
-    PK11SymKey *bulkkey;
-    SECOidTag bulkalgtag;
-    int keysize;
-};
-
-static NSSCMSMessage *
-decode(FILE *out, SECItem *input, const struct decodeOptionsStr *decodeOptions)
-{
-    NSSCMSDecoderContext *dcx;
-    SECStatus rv;
-    NSSCMSMessage *cmsg;
-    int nlevels, i;
-    SECItem sitem = { 0, 0, 0 };
-
-    PORT_SetError(0);
-    dcx = NSS_CMSDecoder_Start(NULL, 
-                               NULL, NULL,         /* content callback     */
-                               pwcb, pwcb_arg,     /* password callback    */
-			       decodeOptions->dkcb, /* decrypt key callback */
-                               decodeOptions->bulkkey);
-    if (dcx == NULL) {
-	fprintf(stderr, "%s: failed to set up message decoder.\n", progName);
-	return NULL;
-    }
-    rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: failed to decode message.\n", progName);
-	NSS_CMSDecoder_Cancel(dcx);
-	return NULL;
-    }
-    cmsg = NSS_CMSDecoder_Finish(dcx);
-    if (cmsg == NULL) {
-	fprintf(stderr, "%s: failed to decode message.\n", progName);
-	return NULL;
-    }
-
-    if (decodeOptions->headerLevel >= 0) {
-	/*fprintf(out, "SMIME: ", decodeOptions->headerLevel, i);*/
-	fprintf(out, "SMIME: ");
-    }
-
-    nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
-    for (i = 0; i < nlevels; i++) {
-	NSSCMSContentInfo *cinfo;
-	SECOidTag typetag;
-
-	cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
-	typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
-	if (decodeOptions->headerLevel >= 0)
-	    fprintf(out, "\tlevel=%d.%d; ", decodeOptions->headerLevel, nlevels - i);
-
-	switch (typetag) {
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	  {
-	    NSSCMSSignedData *sigd = NULL;
-	    SECItem **digests;
-	    int nsigners;
-	    int j;
-
-	    if (decodeOptions->headerLevel >= 0)
-		fprintf(out, "type=signedData; ");
-	    sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
-	    if (sigd == NULL) {
-		SECU_PrintError(progName, "signedData component missing");
-		goto loser;
-	    }
-
-	    /* if we have a content file, but no digests for this signedData */
-	    if (decodeOptions->content.data != NULL && 
-	        !NSS_CMSSignedData_HasDigests(sigd)) {
-		PLArenaPool     *poolp;
-		SECAlgorithmID **digestalgs;
-
-		/* detached content: grab content file */
-		sitem = decodeOptions->content;
-
-		if ((poolp = PORT_NewArena(1024)) == NULL) {
-		    fprintf(stderr, "cmsutil: Out of memory.\n");
-		    goto loser;
-		}
-		digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
-		if (DigestFile (poolp, &digests, &sitem, digestalgs) 
-		      != SECSuccess) {
-		    SECU_PrintError(progName, 
-		                    "problem computing message digest");
-		    PORT_FreeArena(poolp, PR_FALSE);
-		    goto loser;
-		}
-		if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) 
-		    != SECSuccess) {
-		    SECU_PrintError(progName, 
-		                    "problem setting message digests");
-		    PORT_FreeArena(poolp, PR_FALSE);
-		    goto loser;
-		}
-		PORT_FreeArena(poolp, PR_FALSE);
-	    }
-
-	    /* import the certificates */
-	    if (NSS_CMSSignedData_ImportCerts(sigd, 
-	                                   decodeOptions->options->certHandle, 
-	                                   decodeOptions->options->certUsage, 
-	                                   decodeOptions->keepCerts) 
-	          != SECSuccess) {
-		SECU_PrintError(progName, "cert import failed");
-		goto loser;
-	    }
-
-	    /* find out about signers */
-	    nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
-	    if (decodeOptions->headerLevel >= 0)
-		fprintf(out, "nsigners=%d; ", nsigners);
-	    if (nsigners == 0) {
-		/* Might be a cert transport message
-		** or might be an invalid message, such as a QA test message
-		** or a message from an attacker.
-		*/
-		SECStatus rv;
-		rv = NSS_CMSSignedData_VerifyCertsOnly(sigd, 
-		                            decodeOptions->options->certHandle, 
-		                            decodeOptions->options->certUsage);
-		if (rv != SECSuccess) {
-		    fprintf(stderr, "cmsutil: Verify certs-only failed!\n");
-		    goto loser;
-		}
-		return cmsg;
-	    }
-
-	    /* still no digests? */
-	    if (!NSS_CMSSignedData_HasDigests(sigd)) {
-		SECU_PrintError(progName, "no message digests");
-		goto loser;
-	    }
-
-	    for (j = 0; j < nsigners; j++) {
-		const char * svs;
-		NSSCMSSignerInfo *si;
-		NSSCMSVerificationStatus vs;
-		SECStatus bad;
-
-		si = NSS_CMSSignedData_GetSignerInfo(sigd, j);
-		if (decodeOptions->headerLevel >= 0) {
-		    char *signercn;
-		    static char empty[] = { "" };
-
-		    signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
-		    if (signercn == NULL)
-			signercn = empty;
-		    fprintf(out, "\n\t\tsigner%d.id=\"%s\"; ", j, signercn);
-		    if (signercn != empty)
-		        PORT_Free(signercn);
-		}
-		bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j, 
-		                           decodeOptions->options->certHandle, 
-		                           decodeOptions->options->certUsage);
-		vs  = NSS_CMSSignerInfo_GetVerificationStatus(si);
-		svs = NSS_CMSUtil_VerificationStatusToString(vs);
-		if (decodeOptions->headerLevel >= 0) {
-		    fprintf(out, "signer%d.status=%s; ", j, svs);
-		    /* goto loser ? */
-		} else if (bad && out) {
-		    fprintf(stderr, "signer %d status = %s\n", j, svs);
-		    goto loser;
-		}
-	    }
-	  }
-	  break;
-	case SEC_OID_PKCS7_ENVELOPED_DATA:
-	  {
-	    NSSCMSEnvelopedData *envd;
-	    if (decodeOptions->headerLevel >= 0)
-		fprintf(out, "type=envelopedData; ");
-	    envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
-	    if (envd == NULL) {
-		SECU_PrintError(progName, "envelopedData component missing");
-		goto loser;
-	    }
-	  }
-	  break;
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	  {
-	    NSSCMSEncryptedData *encd;
-	    if (decodeOptions->headerLevel >= 0)
-		fprintf(out, "type=encryptedData; ");
-	    encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
-	    if (encd == NULL) {
-		SECU_PrintError(progName, "encryptedData component missing");
-		goto loser;
-	    }
-	  }
-	  break;
-	case SEC_OID_PKCS7_DATA:
-	    if (decodeOptions->headerLevel >= 0)
-		fprintf(out, "type=data; ");
-	    break;
-	default:
-	    break;
-	}
-	if (decodeOptions->headerLevel >= 0)
-	    fprintf(out, "\n");
-    }
-
-    if (!decodeOptions->suppressContent && out) {
-	SECItem *item = (sitem.data ? &sitem 
-	                            : NSS_CMSMessage_GetContent(cmsg));
-	if (item && item->data && item->len) {
-	    fwrite(item->data, item->len, 1, out);
-    	}
-    }
-    return cmsg;
-
-loser:
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    return NULL;
-}
-
-/* example of a callback function to use with encoder */
-/*
-static void
-writeout(void *arg, const char *buf, unsigned long len)
-{
-    FILE *f = (FILE *)arg;
-
-    if (f != NULL && buf != NULL)
-	(void)fwrite(buf, len, 1, f);
-}
-*/
-
-static NSSCMSMessage *
-signed_data(struct signOptionsStr *signOptions)
-{
-    NSSCMSMessage *cmsg = NULL;
-    NSSCMSContentInfo *cinfo;
-    NSSCMSSignedData *sigd;
-    NSSCMSSignerInfo *signerinfo;
-    CERTCertificate *cert= NULL, *ekpcert = NULL;
-
-    if (cms_verbose) {
-	fprintf(stderr, "Input to signed_data:\n");
-	if (signOptions->options->password)
-	    fprintf(stderr, "password [%s]\n", signOptions->options->password);
-        else if (signOptions->options->pwfile)
-	    fprintf(stderr, "password file [%s]\n", signOptions->options->pwfile);
-	else
-	    fprintf(stderr, "password [NULL]\n");
-	fprintf(stderr, "certUsage [%d]\n", signOptions->options->certUsage);
-	if (signOptions->options->certHandle)
-	    fprintf(stderr, "certdb [%p]\n", signOptions->options->certHandle);
-	else
-	    fprintf(stderr, "certdb [NULL]\n");
-	if (signOptions->nickname)
-	    fprintf(stderr, "nickname [%s]\n", signOptions->nickname);
-	else
-	    fprintf(stderr, "nickname [NULL]\n");
-    }
-    if (signOptions->nickname == NULL) {
-	fprintf(stderr, 
-        "ERROR: please indicate the nickname of a certificate to sign with.\n");
-	return NULL;
-    }
-    if ((cert = CERT_FindUserCertByUsage(signOptions->options->certHandle, 
-                                         signOptions->nickname,
-                                         signOptions->options->certUsage,
-                                         PR_FALSE,
-                                         &pwdata)) == NULL) {
-	SECU_PrintError(progName, 
-	                "the corresponding cert for key \"%s\" does not exist",
-	                signOptions->nickname);
-	return NULL;
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "Found certificate for %s\n", signOptions->nickname);
-    }
-    /*
-     * create the message object
-     */
-    cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
-    if (cmsg == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS message.\n");
-	return NULL;
-    }
-    /*
-     * build chain of objects: message->signedData->data
-     */
-    if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-    if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
-    /* we're always passing data in and detaching optionally */
-    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, 
-                                           signOptions->detached) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
-	goto loser;
-    }
-    /* 
-     * create & attach signer information
-     */
-    signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, signOptions->hashAlgTag);
-    if (signerinfo == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS signerInfo object.\n");
-	goto loser;
-    }
-    if (cms_verbose) {
-	fprintf(stderr,
-		 "Created CMS message, added signed data w/ signerinfo\n");
-    }
-    /* we want the cert chain included for this one */
-    if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain, 
-                                       signOptions->options->certUsage) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot find cert chain.\n");
-	goto loser;
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "imported certificate\n");
-    }
-    if (signOptions->signingTime) {
-	if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) 
-	      != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add signingTime attribute.\n");
-	    goto loser;
-	}
-    }
-    if (signOptions->smimeProfile) {
-	if (NSS_CMSSignerInfo_AddSMIMECaps(signerinfo) != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add SMIMECaps attribute.\n");
-	    goto loser;
-	}
-    }
-
-    if (!signOptions->encryptionKeyPreferenceNick) {
-	/* check signing cert for fitness as encryption cert */
-        SECStatus FitForEncrypt = CERT_CheckCertUsage(cert,
-                                                      certUsageEmailRecipient);
-
-        if (SECSuccess == FitForEncrypt) {
-            /* if yes, add signing cert as EncryptionKeyPreference */
-            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, cert, 
-                                              signOptions->options->certHandle)
-                  != SECSuccess) {
-                fprintf(stderr, 
-                    "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
-                goto loser;
-            }
-            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, cert, 
-                                              signOptions->options->certHandle)
-                  != SECSuccess) {
-                fprintf(stderr, 
-                    "ERROR: cannot add default MS SMIMEEncKeyPrefs attribute.\n");
-                goto loser;
-            }
-        } else {
-            /* this is a dual-key cert case, we need to look for the encryption
-               certificate under the same nickname as the signing cert */
-            /* get the cert, add it to the message */
-            if ((ekpcert = CERT_FindUserCertByUsage(
-                                              signOptions->options->certHandle,
-                                              signOptions->nickname,
-                                              certUsageEmailRecipient,
-                                              PR_FALSE,
-                                              &pwdata)) == NULL) {
-                SECU_PrintError(progName, 
-                         "the corresponding cert for key \"%s\" does not exist",
-                         signOptions->encryptionKeyPreferenceNick);
-                goto loser;
-            }
-            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert, 
-                                              signOptions->options->certHandle)
-                  != SECSuccess) {
-                fprintf(stderr, 
-                        "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
-                goto loser;
-            }
-            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
-                                              signOptions->options->certHandle)
-                  != SECSuccess) {
-                fprintf(stderr, 
-                        "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
-                goto loser;
-            }
-            if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
-                fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
-                goto loser;
-            }
-        }
-    } else if (PL_strcmp(signOptions->encryptionKeyPreferenceNick, "NONE") == 0) {
-        /* No action */
-    } else {
-	/* get the cert, add it to the message */
-	if ((ekpcert = CERT_FindUserCertByUsage(
-                                     signOptions->options->certHandle, 
-	                             signOptions->encryptionKeyPreferenceNick,
-                                     certUsageEmailRecipient, PR_FALSE, &pwdata))
-	      == NULL) {
-	    SECU_PrintError(progName, 
-	               "the corresponding cert for key \"%s\" does not exist",
-	                signOptions->encryptionKeyPreferenceNick);
-	    goto loser;
-	}
-	if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert, 
-	                                     signOptions->options->certHandle)
-	      != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
-	    goto loser;
-	}
-	if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
-	                                     signOptions->options->certHandle)
-	      != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
-	    goto loser;
-	}
-	if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
-	    goto loser;
-	}
-    }
-
-    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot add CMS signerInfo object.\n");
-	goto loser;
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "created signed-data message\n");
-    }
-    if (ekpcert) {
-	CERT_DestroyCertificate(ekpcert);
-    }
-    if (cert) {
-	CERT_DestroyCertificate(cert);
-    }
-    return cmsg;
-loser:
-    if (ekpcert) {
-	CERT_DestroyCertificate(ekpcert);
-    }
-    if (cert) {
-	CERT_DestroyCertificate(cert);
-    }
-    NSS_CMSMessage_Destroy(cmsg);
-    return NULL;
-}
-
-static NSSCMSMessage *
-enveloped_data(struct envelopeOptionsStr *envelopeOptions)
-{
-    NSSCMSMessage *cmsg = NULL;
-    NSSCMSContentInfo *cinfo;
-    NSSCMSEnvelopedData *envd;
-    NSSCMSRecipientInfo *recipientinfo;
-    CERTCertificate **recipientcerts = NULL;
-    CERTCertDBHandle *dbhandle;
-    PLArenaPool *tmppoolp = NULL;
-    SECOidTag bulkalgtag;
-    int keysize, i = 0;
-    int cnt;
-    dbhandle = envelopeOptions->options->certHandle;
-    /* count the recipients */
-    if ((cnt = nss_CMSArray_Count((void **)envelopeOptions->recipients)) == 0) {
-	fprintf(stderr, "ERROR: please name at least one recipient.\n");
-	goto loser;
-    }
-    if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
-	fprintf(stderr, "ERROR: out of memory.\n");
-	goto loser;
-    }
-    /* XXX find the recipient's certs by email address or nickname */
-    if ((recipientcerts = 
-         (CERTCertificate **)PORT_ArenaZAlloc(tmppoolp, 
-					     (cnt+1)*sizeof(CERTCertificate*)))
-            == NULL) {
-	fprintf(stderr, "ERROR: out of memory.\n");
-	goto loser;
-    }
-    for (i=0; envelopeOptions->recipients[i] != NULL; i++) {
-	if ((recipientcerts[i] = 
-	      CERT_FindCertByNicknameOrEmailAddr(dbhandle,  
-	                                        envelopeOptions->recipients[i]))
-	        == NULL) {
-	    SECU_PrintError(progName, "cannot find certificate for \"%s\"", 
-	                    envelopeOptions->recipients[i]);
-	    i=0;
-	    goto loser;
-	}
-    }
-    recipientcerts[i] = NULL;
-    i=0;
-    /* find a nice bulk algorithm */
-    if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientcerts, &bulkalgtag, 
-                                               &keysize) != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot find common bulk algorithm.\n");
-	goto loser;
-    }
-    /*
-     * create the message object
-     */
-    cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
-    if (cmsg == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS message.\n");
-	goto loser;
-    }
-    /*
-     * build chain of objects: message->envelopedData->data
-     */
-    if ((envd = NSS_CMSEnvelopedData_Create(cmsg, bulkalgtag, keysize)) 
-          == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS envelopedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-    if (NSS_CMSContentInfo_SetContent_EnvelopedData(cmsg, cinfo, envd) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS envelopedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
-    /* we're always passing data in, so the content is NULL */
-    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
-	goto loser;
-    }
-    /* 
-     * create & attach recipient information
-     */
-    for (i = 0; recipientcerts[i] != NULL; i++) {
-	if ((recipientinfo = NSS_CMSRecipientInfo_Create(cmsg, 
-	                                                 recipientcerts[i])) 
-	      == NULL) {
-	    fprintf(stderr, "ERROR: cannot create CMS recipientInfo object.\n");
-	    goto loser;
-	}
-	if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientinfo) 
-	      != SECSuccess) {
-	    fprintf(stderr, "ERROR: cannot add CMS recipientInfo object.\n");
-	    goto loser;
-	}
-	CERT_DestroyCertificate(recipientcerts[i]);
-    }
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    return cmsg;
-loser:
-    if (recipientcerts) {
-	for (; recipientcerts[i] != NULL; i++) {
-	    CERT_DestroyCertificate(recipientcerts[i]);
-	}
-    }
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    return NULL;
-}
-
-PK11SymKey *dkcb(void *arg, SECAlgorithmID *algid)
-{
-    return (PK11SymKey*)arg;
-}
-
-static SECStatus
-get_enc_params(struct encryptOptionsStr *encryptOptions)
-{
-    struct envelopeOptionsStr envelopeOptions;
-    SECStatus rv = SECFailure;
-    NSSCMSMessage *env_cmsg;
-    NSSCMSContentInfo *cinfo;
-    int i, nlevels;
-    /*
-     * construct an enveloped data message to obtain bulk keys
-     */
-    if (encryptOptions->envmsg) {
-	env_cmsg = encryptOptions->envmsg; /* get it from an old message */
-    } else {
-	SECItem dummyOut = { 0, 0, 0 };
-	SECItem dummyIn  = { 0, 0, 0 };
-	char str[] = "Hello!";
-	PLArenaPool *tmparena = PORT_NewArena(1024);
-	dummyIn.data = (unsigned char *)str;
-	dummyIn.len = strlen(str);
-	envelopeOptions.options = encryptOptions->options;
-	envelopeOptions.recipients = encryptOptions->recipients;
-	env_cmsg = enveloped_data(&envelopeOptions);
-	NSS_CMSDEREncode(env_cmsg, &dummyIn, &dummyOut, tmparena);
-	PR_Write(encryptOptions->envFile, dummyOut.data, dummyOut.len);
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    /*
-     * get the content info for the enveloped data 
-     */
-    nlevels = NSS_CMSMessage_ContentLevelCount(env_cmsg);
-    for (i = 0; i < nlevels; i++) {
-    	SECOidTag typetag;
-	cinfo = NSS_CMSMessage_ContentLevel(env_cmsg, i);
-	typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-	if (typetag == SEC_OID_PKCS7_DATA) {
-	    /*
-	     * get the symmetric key
-	     */
-	    encryptOptions->bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
-	    encryptOptions->keysize = NSS_CMSContentInfo_GetBulkKeySize(cinfo);
-	    encryptOptions->bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
-	    rv = SECSuccess;
-	    break;
-	}
-    }
-    if (i == nlevels) {
-	fprintf(stderr, "%s: could not retrieve enveloped data.", progName);
-    }
-    if (env_cmsg)
-	NSS_CMSMessage_Destroy(env_cmsg);
-    return rv;
-}
-
-static NSSCMSMessage *
-encrypted_data(struct encryptOptionsStr *encryptOptions)
-{
-    SECStatus rv = SECFailure;
-    NSSCMSMessage *cmsg = NULL;
-    NSSCMSContentInfo *cinfo;
-    NSSCMSEncryptedData *encd;
-    NSSCMSEncoderContext *ecx = NULL;
-    PLArenaPool *tmppoolp = NULL;
-    SECItem derOut = { 0, 0, 0 };
-    /* arena for output */
-    tmppoolp = PORT_NewArena(1024);
-    if (!tmppoolp) {
-	fprintf(stderr, "%s: out of memory.\n", progName);
-	return NULL;
-    }
-    /*
-     * create the message object
-     */
-    cmsg = NSS_CMSMessage_Create(NULL);
-    if (cmsg == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS message.\n");
-	goto loser;
-    }
-    /*
-     * build chain of objects: message->encryptedData->data
-     */
-    if ((encd = NSS_CMSEncryptedData_Create(cmsg, encryptOptions->bulkalgtag, 
-                                                  encryptOptions->keysize)) 
-           == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS encryptedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-    if (NSS_CMSContentInfo_SetContent_EncryptedData(cmsg, cinfo, encd)
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS encryptedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSEncryptedData_GetContentInfo(encd);
-    /* we're always passing data in, so the content is NULL */
-    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
-	goto loser;
-    }
-    ecx = NSS_CMSEncoder_Start(cmsg, NULL, NULL, &derOut, tmppoolp, NULL, NULL,
-                               dkcb, encryptOptions->bulkkey, NULL, NULL);
-    if (!ecx) {
-	fprintf(stderr, "%s: cannot create encoder context.\n", progName);
-	goto loser;
-    }
-    rv = NSS_CMSEncoder_Update(ecx, (char *)encryptOptions->input->data, 
-                                    encryptOptions->input->len);
-    if (rv) {
-	fprintf(stderr, "%s: failed to add data to encoder.\n", progName);
-	goto loser;
-    }
-    rv = NSS_CMSEncoder_Finish(ecx);
-    if (rv) {
-	fprintf(stderr, "%s: failed to encrypt data.\n", progName);
-	goto loser;
-    }
-    fwrite(derOut.data, derOut.len, 1, encryptOptions->outfile);
-    /*
-    if (bulkkey)
-	PK11_FreeSymKey(bulkkey);
-	*/
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    return cmsg;
-loser:
-    /*
-    if (bulkkey)
-	PK11_FreeSymKey(bulkkey);
-	*/
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    return NULL;
-}
-
-static NSSCMSMessage *
-signed_data_certsonly(struct certsonlyOptionsStr *certsonlyOptions)
-{
-    NSSCMSMessage *cmsg = NULL;
-    NSSCMSContentInfo *cinfo;
-    NSSCMSSignedData *sigd;
-    CERTCertificate **certs = NULL;
-    CERTCertDBHandle *dbhandle;
-    PLArenaPool *tmppoolp = NULL;
-    int i = 0, cnt;
-    dbhandle = certsonlyOptions->options->certHandle;
-    if ((cnt = nss_CMSArray_Count((void**)certsonlyOptions->recipients)) == 0) {
-	fprintf(stderr, 
-        "ERROR: please indicate the nickname of a certificate to sign with.\n");
-	goto loser;
-    }
-    if (!(tmppoolp = PORT_NewArena(1024))) {
-	fprintf(stderr, "ERROR: out of memory.\n");
-	goto loser;
-    }
-    if (!(certs = PORT_ArenaZNewArray(tmppoolp, CERTCertificate *, cnt + 1))) {
-	fprintf(stderr, "ERROR: out of memory.\n");
-	goto loser;
-    }
-    for (i=0; certsonlyOptions->recipients[i] != NULL; i++) {
-	if ((certs[i] = 
-	      CERT_FindCertByNicknameOrEmailAddr(dbhandle,
-	                                      certsonlyOptions->recipients[i]))
-	        == NULL) {
-	    SECU_PrintError(progName, "cannot find certificate for \"%s\"", 
-	                    certsonlyOptions->recipients[i]);
-	    i=0;
-	    goto loser;
-	}
-    }
-    certs[i] = NULL;
-    i=0;
-    /*
-     * create the message object
-     */
-    cmsg = NSS_CMSMessage_Create(NULL);
-    if (cmsg == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS message.\n");
-	goto loser;
-    }
-    /*
-     * build chain of objects: message->signedData->data
-     */
-    if ((sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, certs[0], PR_TRUE))
-          == NULL) {
-	fprintf(stderr, "ERROR: cannot create CMS signedData object.\n");
-	goto loser;
-    }
-    CERT_DestroyCertificate(certs[0]);
-    for (i=1; i<cnt; i++) {
-	if (NSS_CMSSignedData_AddCertChain(sigd, certs[i])) {
-	    fprintf(stderr, "ERROR: cannot add cert chain for \"%s\".\n",
-	            certsonlyOptions->recipients[i]);
-	    goto loser;
-	}
-	CERT_DestroyCertificate(certs[i]);
-    }
-    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-    if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) 
-          != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS signedData object.\n");
-	goto loser;
-    }
-    cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
-    if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) 
-	   != SECSuccess) {
-	fprintf(stderr, "ERROR: cannot attach CMS data object.\n");
-	goto loser;
-    }
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    return cmsg;
-loser:
-    if (certs) {
-	for (; i<cnt; i++) {
-	    CERT_DestroyCertificate(certs[i]);
-	}
-    }
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    if (tmppoolp)
-	PORT_FreeArena(tmppoolp, PR_FALSE);
-    return NULL;
-}
-
-static char *
-pl_fgets(char * buf, int size, PRFileDesc * fd)
-{
-    char * bp = buf;
-    int    nb = 0;;
-
-    while (size > 1) {
-    	nb = PR_Read(fd, bp, 1);
-	if (nb < 0) {
-	    /* deal with error */
-	    return NULL;
-	} else if (nb == 0) {
-	    /* deal with EOF */
-	    return NULL;
-	} else if (*bp == '\n') {
-	    /* deal with EOL */
-	    ++bp;  /* keep EOL character */
-	    break;
-	} else {
-	    /* ordinary character */
-	    ++bp;
-	    --size;
-	}
-    }
-    *bp = '\0';
-    return buf;
-}
-
-typedef enum { UNKNOWN, DECODE, SIGN, ENCRYPT, ENVELOPE, CERTSONLY } Mode;
-
-static int 
-doBatchDecode(FILE *outFile, PRFileDesc *batchFile, 
-              const struct decodeOptionsStr *decodeOptions)
-{
-    char * str;
-    int    exitStatus = 0;
-    char   batchLine[512];
-
-    while (NULL != (str = pl_fgets(batchLine, sizeof batchLine, batchFile))) {
-	NSSCMSMessage *cmsg = NULL;
-	PRFileDesc *   inFile;
-    	int            len = strlen(str);
-	SECStatus      rv;
-	SECItem        input = {0, 0, 0};
-	char           cc;
-
-	while (len > 0 && 
-	       ((cc = str[len - 1]) == '\n' || cc == '\r')) {
-	    str[--len] = '\0';
-	}
-	if (!len) /* skip empty line */
-	    continue;
-	if (str[0] == '#')
-	    continue;  /* skip comment line */
-	fprintf(outFile, "========== %s ==========\n", str);
-	inFile = PR_Open(str, PR_RDONLY, 00660);
-	if (inFile == NULL) {
-	    fprintf(outFile, "%s: unable to open \"%s\" for reading\n",
-		    progName, str);
-	    exitStatus = 1;
-	    continue;
-	}
-	rv = SECU_FileToItem(&input, inFile);
-	PR_Close(inFile);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "unable to read infile");
-	    exitStatus = 1;
-	    continue;
-	}
-	cmsg = decode(outFile, &input, decodeOptions);
-	SECITEM_FreeItem(&input, PR_FALSE);
-	if (cmsg)
-	    NSS_CMSMessage_Destroy(cmsg);
-	else {
-	    SECU_PrintError(progName, "problem decoding");
-	    exitStatus = 1;
-	}
-    }
-    return exitStatus;
-}
-
-int
-main(int argc, char **argv)
-{
-    FILE *outFile;
-    NSSCMSMessage *cmsg = NULL;
-    PRFileDesc *inFile;
-    PLOptState *optstate;
-    PLOptStatus status;
-    Mode mode = UNKNOWN;
-    struct decodeOptionsStr decodeOptions = { 0 };
-    struct signOptionsStr signOptions = { 0 };
-    struct envelopeOptionsStr envelopeOptions = { 0 };
-    struct certsonlyOptionsStr certsonlyOptions = { 0 };
-    struct encryptOptionsStr encryptOptions = { 0 };
-    struct optionsStr options = { 0 };
-    int exitstatus;
-    static char *ptrarray[128] = { 0 };
-    int nrecipients = 0;
-    char *str, *tok;
-    char *envFileName;
-    SECItem input = { 0, 0, 0};
-    SECItem envmsg = { 0, 0, 0 };
-    SECStatus rv;
-    PRFileDesc *contentFile = NULL;
-    PRBool      batch = PR_FALSE;
-
-#ifdef NISCC_TEST
-    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
-    PORT_Assert(ev); 
-    ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
-    PORT_Assert(ev); 
-#endif 
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-       progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    inFile = PR_STDIN;
-    outFile = stdout;
-    envFileName = NULL;
-    mode = UNKNOWN;
-    decodeOptions.content.data = NULL;
-    decodeOptions.content.len  = 0;
-    decodeOptions.suppressContent = PR_FALSE;
-    decodeOptions.headerLevel = -1;
-    decodeOptions.keepCerts = PR_FALSE;
-    options.certUsage = certUsageEmailSigner;
-    options.password = NULL;
-    options.pwfile = NULL;
-    signOptions.nickname = NULL;
-    signOptions.detached = PR_FALSE;
-    signOptions.signingTime = PR_FALSE;
-    signOptions.smimeProfile = PR_FALSE;
-    signOptions.encryptionKeyPreferenceNick = NULL;
-    signOptions.hashAlgTag = SEC_OID_SHA1;
-    envelopeOptions.recipients = NULL;
-    encryptOptions.recipients = NULL;
-    encryptOptions.envmsg = NULL;
-    encryptOptions.envFile = NULL;
-    encryptOptions.bulkalgtag = SEC_OID_UNKNOWN;
-    encryptOptions.bulkkey = NULL;
-    encryptOptions.keysize = -1;
-
-    /*
-     * Parse command line arguments
-     */
-    optstate = PL_CreateOptState(argc, argv, 
-				 "CDEGH:N:OPSTY:bc:d:e:f:h:i:kno:p:r:s:u:v");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	case 'C':
-	    mode = ENCRYPT;
-	    break;
-	case 'D':
-	    mode = DECODE;
-	    break;
-	case 'E':
-	    mode = ENVELOPE;
-	    break;
-	case 'G':
-	    if (mode != SIGN) {
-		fprintf(stderr, 
-		        "%s: option -G only supported with option -S.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    signOptions.signingTime = PR_TRUE;
-	    break;
-       case 'H':
-           if (mode != SIGN) {
-               fprintf(stderr,
-                       "%s: option -H only supported with option -S.\n",
-                       progName);
-               Usage(progName);
-               exit(1);
-           }
-           decodeOptions.suppressContent = PR_TRUE;
-           if (!strcmp(optstate->value, "MD2"))
-               signOptions.hashAlgTag = SEC_OID_MD2;
-           else if (!strcmp(optstate->value, "MD4"))
-               signOptions.hashAlgTag = SEC_OID_MD4;
-           else if (!strcmp(optstate->value, "MD5"))
-               signOptions.hashAlgTag = SEC_OID_MD5;
-           else if (!strcmp(optstate->value, "SHA1"))
-               signOptions.hashAlgTag = SEC_OID_SHA1;
-           else if (!strcmp(optstate->value, "SHA256"))
-               signOptions.hashAlgTag = SEC_OID_SHA256;
-           else if (!strcmp(optstate->value, "SHA384"))
-               signOptions.hashAlgTag = SEC_OID_SHA384;
-           else if (!strcmp(optstate->value, "SHA512"))
-               signOptions.hashAlgTag = SEC_OID_SHA512;
-           else {
-               fprintf(stderr,
-           "%s: -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512\n",
-                       progName);
-               exit(1);
-           }
-           break;
-	case 'N':
-	    if (mode != SIGN) {
-		fprintf(stderr, 
-		        "%s: option -N only supported with option -S.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    signOptions.nickname = strdup(optstate->value);
-	    break;
-	case 'O':
-	    mode = CERTSONLY;
-	    break;
-	case 'P':
-	    if (mode != SIGN) {
-		fprintf(stderr, 
-		        "%s: option -P only supported with option -S.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    signOptions.smimeProfile = PR_TRUE;
-	    break;
-	case 'S':
-	    mode = SIGN;
-	    break;
-	case 'T':
-	    if (mode != SIGN) {
-		fprintf(stderr, 
-		        "%s: option -T only supported with option -S.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    signOptions.detached = PR_TRUE;
-	    break;
-	case 'Y':
-	    if (mode != SIGN) {
-		fprintf(stderr, 
-		        "%s: option -Y only supported with option -S.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    signOptions.encryptionKeyPreferenceNick = strdup(optstate->value);
-	    break;
-
-	case 'b':
-	    if (mode != DECODE) {
-		fprintf(stderr, 
-		        "%s: option -b only supported with option -D.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    batch = PR_TRUE;
-	    break;
-
-	case 'c':
-	    if (mode != DECODE) {
-		fprintf(stderr, 
-		        "%s: option -c only supported with option -D.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    contentFile = PR_Open(optstate->value, PR_RDONLY, 006600);
-	    if (contentFile == NULL) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading.\n",
-			progName, optstate->value);
-		exit(1);
-	    }
-
-	    rv = SECU_FileToItem(&decodeOptions.content, contentFile);
-	    PR_Close(contentFile);
-	    if (rv != SECSuccess) {
-		SECU_PrintError(progName, "problem reading content file");
-		exit(1);
-	    }
-	    if (!decodeOptions.content.data) {
-		/* file was zero length */
-		decodeOptions.content.data = (unsigned char *)PORT_Strdup("");
-		decodeOptions.content.len  = 0;
-	    }
-
-	    break;
-	case 'd':
-	    SECU_ConfigDirectory(optstate->value);
-	    break;
-	case 'e':
-	    envFileName = strdup(optstate->value);
-	    encryptOptions.envFile = PR_Open(envFileName, PR_RDONLY, 00660);
-	    break;
-
-	case 'h':
-	    if (mode != DECODE) {
-		fprintf(stderr, 
-		        "%s: option -h only supported with option -D.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    decodeOptions.headerLevel = atoi(optstate->value);
-	    if (decodeOptions.headerLevel < 0) {
-		fprintf(stderr, "option -h cannot have a negative value.\n");
-		exit(1);
-	    }
-	    break;
-	case 'i':
-	    if (!optstate->value) {
-	        fprintf(stderr, "-i option requires filename argument\n");
-	        exit(1);
-	    }
-	    inFile = PR_Open(optstate->value, PR_RDONLY, 00660);
-	    if (inFile == NULL) {
-		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-			progName, optstate->value);
-		exit(1);
-	    }
-	    break;
-
-	case 'k':
-	    if (mode != DECODE) {
-		fprintf(stderr, 
-		        "%s: option -k only supported with option -D.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    decodeOptions.keepCerts = PR_TRUE;
-	    break;
-
-	case 'n':
-	    if (mode != DECODE) {
-		fprintf(stderr, 
-		        "%s: option -n only supported with option -D.\n", 
-		        progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    decodeOptions.suppressContent = PR_TRUE;
-	    break;
-	case 'o':
-	    outFile = fopen(optstate->value, "wb");
-	    if (outFile == NULL) {
-		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
-			progName, optstate->value);
-		exit(1);
-	    }
-	    break;
-	case 'p':
-	    if (!optstate->value) {
-		fprintf(stderr, "%s: option -p must have a value.\n", progName);
-		Usage(progName);
-		exit(1);
-	    }
-		
-	    options.password = strdup(optstate->value);
-	    break;
-
-        case 'f':
-            if (!optstate->value) {
-                fprintf(stderr, "%s: option -f must have a value.\n", progName);
-                Usage(progName);
-                exit(1);
-            }
-
-            options.pwfile = strdup(optstate->value);
-            break;
-
-	case 'r':
-	    if (!optstate->value) {
-		fprintf(stderr, "%s: option -r must have a value.\n", progName);
-		Usage(progName);
-		exit(1);
-	    }
-	    envelopeOptions.recipients = ptrarray;
-	    str = (char *)optstate->value;
-	    do {
-		tok = strchr(str, ',');
-		if (tok) *tok = '\0';
-		envelopeOptions.recipients[nrecipients++] = strdup(str);
-		if (tok) str = tok + 1;
-	    } while (tok);
-	    envelopeOptions.recipients[nrecipients] = NULL;
-	    encryptOptions.recipients = envelopeOptions.recipients;
-	    certsonlyOptions.recipients = envelopeOptions.recipients;
-	    break;
-
-	case 'u': {
-	    int usageType;
-
-	    usageType = atoi (strdup(optstate->value));
-	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
-		return -1;
-	    options.certUsage = (SECCertUsage)usageType;
-	    break;
-	  }
-	case 'v':
-	    cms_verbose = 1;
-	    break;
-
-	}
-    }
-    if (status == PL_OPT_BAD)
-	Usage(progName);
-    PL_DestroyOptState(optstate);
-
-    if (mode == UNKNOWN)
-	Usage(progName);
-
-    if (mode != CERTSONLY && !batch) {
-	rv = SECU_FileToItem(&input, inFile);
-	if (rv != SECSuccess) {
-	    SECU_PrintError(progName, "unable to read infile");
-	    exit(1);
-	}
-	if (inFile != PR_STDIN) {
-	    PR_Close(inFile);
-    	}
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "received commands\n");
-    }
-
-    /* Call the NSS initialization routines */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
-    if (SECSuccess != rv) {
-	SECU_PrintError(progName, "NSS_Init failed");
-	exit(1);
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "NSS has been initialized.\n");
-    }
-    options.certHandle = CERT_GetDefaultCertDB();
-    if (!options.certHandle) {
-	SECU_PrintError(progName, "No default cert DB");
-	exit(1);
-    }
-    if (cms_verbose) {
-	fprintf(stderr, "Got default certdb\n");
-    }
-    if (options.password)
-    {
-    	pwdata.source = PW_PLAINTEXT;
-    	pwdata.data = options.password;
-    }
-    if (options.pwfile)
-    {
-    	pwdata.source = PW_FROMFILE;
-    	pwdata.data = options.pwfile;
-    }
-    pwcb = SECU_GetModulePassword;
-    pwcb_arg = (void *)&pwdata;
-
-    PK11_SetPasswordFunc(&SECU_GetModulePassword);
-
-
-#if defined(_WIN32)
-    if (outFile == stdout) {
-	/* If we're going to write binary data to stdout, we must put stdout
-	** into O_BINARY mode or else outgoing \n's will become \r\n's.
-	*/
-	int smrv = _setmode(_fileno(stdout), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdout to binary mode. Use -o option instead.\n",
-	            progName);
-	    return smrv;
-	}
-    }
-#endif
-
-    exitstatus = 0;
-    switch (mode) {
-    case DECODE:       /* -D */
-	decodeOptions.options = &options;
-	if (encryptOptions.envFile) {
-	    /* Decoding encrypted-data, so get the bulkkey from an
-	     * enveloped-data message.
-	     */
-	    SECU_FileToItem(&envmsg, encryptOptions.envFile);
-	    decodeOptions.options = &options;
-	    encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
-	    if (!encryptOptions.envmsg) {
-		SECU_PrintError(progName, "problem decoding env msg");
-		exitstatus = 1;
-		break;
-	    }
-	    rv = get_enc_params(&encryptOptions);
-	    decodeOptions.dkcb = dkcb;
-	    decodeOptions.bulkkey = encryptOptions.bulkkey;
-	}
-	if (!batch) {
-	    cmsg = decode(outFile, &input, &decodeOptions);
-	    if (!cmsg) {
-		SECU_PrintError(progName, "problem decoding");
-		exitstatus = 1;
-	    }
-	} else {
-	    exitstatus = doBatchDecode(outFile, inFile, &decodeOptions);
-	    if (inFile != PR_STDIN) {
-		PR_Close(inFile);
-	    }
-	}
-	break;
-    case SIGN:         /* -S */
-	signOptions.options = &options;
-	cmsg = signed_data(&signOptions);
-	if (!cmsg) {
-	    SECU_PrintError(progName, "problem signing");
-	    exitstatus = 1;
-	}
-	break;
-    case ENCRYPT:      /* -C */
-	if (!envFileName) {
-	    fprintf(stderr, "%s: you must specify an envelope file with -e.\n",
-	            progName);
-	    exit(1);
-	}
-	encryptOptions.options = &options;
-	encryptOptions.input = &input;
-	encryptOptions.outfile = outFile;
-	/* decode an enveloped-data message to get the bulkkey (create
-	 * a new one if neccessary)
-	 */
-	if (!encryptOptions.envFile) {
-	    encryptOptions.envFile = PR_Open(envFileName, 
-	                                     PR_WRONLY|PR_CREATE_FILE, 00660);
-	    if (!encryptOptions.envFile) {
-		fprintf(stderr, "%s: failed to create file %s.\n", progName,
-		        envFileName);
-		exit(1);
-	    }
-	} else {
-	    SECU_FileToItem(&envmsg, encryptOptions.envFile);
-	    decodeOptions.options = &options;
-	    encryptOptions.envmsg = decode(NULL, &envmsg, &decodeOptions);
-	    if (encryptOptions.envmsg == NULL) {
-	    	SECU_PrintError(progName, "problem decrypting env msg");
-		exitstatus = 1;
-	    	break;
-	    }
-	}
-	rv = get_enc_params(&encryptOptions);
-	/* create the encrypted-data message */
-	cmsg = encrypted_data(&encryptOptions);
-	if (!cmsg) {
-	    SECU_PrintError(progName, "problem encrypting");
-	    exitstatus = 1;
-	}
-	if (encryptOptions.bulkkey) {
-	    PK11_FreeSymKey(encryptOptions.bulkkey);
-	    encryptOptions.bulkkey = NULL;
-	}
-	break;
-    case ENVELOPE:     /* -E */
-	envelopeOptions.options = &options;
-	cmsg = enveloped_data(&envelopeOptions);
-	if (!cmsg) {
-	    SECU_PrintError(progName, "problem enveloping");
-	    exitstatus = 1;
-	}
-	break;
-    case CERTSONLY:    /* -O */
-	certsonlyOptions.options = &options;
-	cmsg = signed_data_certsonly(&certsonlyOptions);
-	if (!cmsg) {
-	    SECU_PrintError(progName, "problem with certs-only");
-	    exitstatus = 1;
-	}
-	break;
-    default:
-	fprintf(stderr, "One of options -D, -S or -E must be set.\n");
-	Usage(progName);
-	exitstatus = 1;
-    }
-    if ( (mode == SIGN || mode == ENVELOPE || mode == CERTSONLY)
-         && (!exitstatus) ) {
-	PLArenaPool *arena = PORT_NewArena(1024);
-	NSSCMSEncoderContext *ecx;
-	SECItem output = { 0, 0, 0 };
-
-	if (!arena) {
-	    fprintf(stderr, "%s: out of memory.\n", progName);
-	    exit(1);
-	}
-
-	if (cms_verbose) {
-	    fprintf(stderr, "cmsg [%p]\n", cmsg);
-	    fprintf(stderr, "arena [%p]\n", arena);
-	    if (pwcb_arg && (PW_PLAINTEXT == ((secuPWData*)pwcb_arg)->source))
-		fprintf(stderr, "password [%s]\n",
-                        ((secuPWData*)pwcb_arg)->data);
-	    else
-		fprintf(stderr, "password [NULL]\n");
-	}
-	ecx = NSS_CMSEncoder_Start(cmsg, 
-                                   NULL, NULL,     /* DER output callback  */
-                                   &output, arena, /* destination storage  */
-                                   pwcb, pwcb_arg, /* password callback    */
-                                   NULL, NULL,     /* decrypt key callback */
-                                   NULL, NULL );   /* detached digests    */
-	if (!ecx) {
-	    fprintf(stderr, "%s: cannot create encoder context.\n", progName);
-	    exit(1);
-	}
-	if (cms_verbose) {
-	    fprintf(stderr, "input len [%d]\n", input.len);
-	    { unsigned int j; 
-		for(j=0;j<input.len;j++)
-	     fprintf(stderr, "%2x%c", input.data[j], (j>0&&j%35==0)?'\n':' ');
-	    }
-	}
-	if (input.len > 0) { /* skip if certs-only (or other zero content) */
-	    rv = NSS_CMSEncoder_Update(ecx, (char *)input.data, input.len);
-	    if (rv) {
-		fprintf(stderr, 
-		        "%s: failed to add data to encoder.\n", progName);
-		exit(1);
-	    }
-	}
-	rv = NSS_CMSEncoder_Finish(ecx);
-	if (rv) {
-            SECU_PrintError(progName, "failed to encode data");
-	    exit(1);
-	}
-
-	if (cms_verbose) {
-	    fprintf(stderr, "encoding passed\n");
-	}
-	fwrite(output.data, output.len, 1, outFile);
-	if (cms_verbose) {
-	    fprintf(stderr, "wrote to file\n");
-	}
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    if (outFile != stdout)
-	fclose(outFile);
-
-    SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);
-    SECITEM_FreeItem(&envmsg, PR_FALSE);
-    SECITEM_FreeItem(&input, PR_FALSE);
-    if (NSS_Shutdown() != SECSuccess) {
-	SECU_PrintError(progName, "NSS_Shutdown failed");
-	exitstatus = 1;
-    }
-    PR_Cleanup();
-    return exitstatus;
-}
diff --git a/security/nss/cmd/smimetools/manifest.mn b/security/nss/cmd/smimetools/manifest.mn
deleted file mode 100644
index ac2052ac4..000000000
--- a/security/nss/cmd/smimetools/manifest.mn
+++ /dev/null
@@ -1,49 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-CSRCS = cmsutil.c  
-
-MYLIB = $(DIST)/lib/libsmime.a
-
-REQUIRES = seccmd dbm
-
-PROGRAM = cmsutil
-SCRIPTS = smime
diff --git a/security/nss/cmd/smimetools/rules.mk b/security/nss/cmd/smimetools/rules.mk
deleted file mode 100644
index 1743a5e42..000000000
--- a/security/nss/cmd/smimetools/rules.mk
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-# $Id$
-
-install::
-	$(INSTALL) -m 755 $(SCRIPTS) $(SOURCE_BIN_DIR)
diff --git a/security/nss/cmd/smimetools/smime b/security/nss/cmd/smimetools/smime
deleted file mode 100755
index 0ac312e05..000000000
--- a/security/nss/cmd/smimetools/smime
+++ /dev/null
@@ -1,581 +0,0 @@
-#!/usr/local/bin/perl
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# smime.pl - frontend for S/MIME message generation and parsing
-#
-# $Id$
-#
-
-use Getopt::Std;
-
-@boundarychars = ( "0" .. "9", "A" .. "F" );
-
-# path to cmsutil
-$cmsutilpath = "cmsutil";
-
-#
-# Thanks to Gisle Aas <gisle@aas.no> for the base64 functions
-# originally taken from MIME-Base64-2.11 at www.cpan.org
-#
-sub encode_base64($)
-{
-    my $res = "";
-    pos($_[0]) = 0;                          # ensure start at the beginning
-    while ($_[0] =~ /(.{1,45})/gs) {
-	$res .= substr(pack('u', $1), 1);    # get rid of length byte after packing
-	chop($res);
-    }
-    $res =~ tr|` -_|AA-Za-z0-9+/|;
-    # fix padding at the end
-    my $padding = (3 - length($_[0]) % 3) % 3;
-    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
-    # break encoded string into lines of no more than 76 characters each
-    $res =~ s/(.{1,76})/$1\n/g;
-    $res;
-}
-
-sub decode_base64($)
-{
-    local($^W) = 0; # unpack("u",...) gives bogus warning in 5.00[123]
-
-    my $str = shift;
-    my $res = "";
-
-    $str =~ tr|A-Za-z0-9+=/||cd;            # remove non-base64 chars
-    if (length($str) % 4) {
-	require Carp;
-	Carp::carp("Length of base64 data not a multiple of 4")
-    }
-    $str =~ s/=+$//;                        # remove padding
-    $str =~ tr|A-Za-z0-9+/| -_|;            # convert to uuencoded format
-    while ($str =~ /(.{1,60})/gs) {
-	my $len = chr(32 + length($1)*3/4); # compute length byte
-	$res .= unpack("u", $len . $1 );    # uudecode
-    }
-    $res;
-}
-
-#
-# parse headers into a hash
-#
-# %headers = parseheaders($headertext);
-#
-sub parseheaders($)
-{
-    my ($headerdata) = @_;
-    my $hdr;
-    my %hdrhash;
-    my $hdrname;
-    my $hdrvalue;
-    my @hdrvalues;
-    my $subhdrname;
-    my $subhdrvalue;
-
-    # the expression in split() correctly handles continuation lines
-    foreach $hdr (split(/\n(?=\S)/, $headerdata)) {
-	$hdr =~ s/\r*\n\s+/ /g;	# collapse continuation lines
-	($hdrname, $hdrvalue) = $hdr =~ m/^(\S+):\s+(.*)$/;
-
-	# ignore non-headers (or should we die horribly?)
-	next unless (defined($hdrname));
-	$hdrname =~ tr/A-Z/a-z/;			# lowercase the header name
-	@hdrvalues = split(/\s*;\s*/, $hdrvalue);	# split header values (XXXX quoting)
-
-	# there is guaranteed to be at least one value
-	$hdrvalue = shift @hdrvalues;
-	if ($hdrvalue =~ /^\s*\"(.*)\"\s*$/) {		# strip quotes if there
-	    $hdrvalue = $1;
-	}
-
-	$hdrhash{$hdrname}{MAIN} = $hdrvalue;
-	# print "XXX $hdrname = $hdrvalue\n";
-
-	# deal with additional name-value pairs
-	foreach $hdrvalue (@hdrvalues) {
-	    ($subhdrname, $subhdrvalue) = $hdrvalue =~ m/^(\S+)\s*=\s*(.*)$/;
-	    # ignore non-name-value pairs (or should we die?)
-	    next unless (defined($subhdrname));
-	    $subhdrname =~ tr/A-Z/a-z/;
-	    if ($subhdrvalue =~ /^\s*\"(.*)\"\s*$/) {	# strip quotes if there
-		$subhdrvalue = $1;
-	    }
-	    $hdrhash{$hdrname}{$subhdrname} = $subhdrvalue;
-	}
-
-    }
-    return %hdrhash;
-}
-
-#
-# encryptentity($entity, $options) - encrypt an S/MIME entity,
-#                                    creating a new application/pkcs7-smime entity
-#
-# entity  - string containing entire S/MIME entity to encrypt
-# options - options for cmsutil
-#
-# this will generate and return a new application/pkcs7-smime entity containing
-# the enveloped input entity.
-#
-sub encryptentity($$)
-{
-    my ($entity, $cmsutiloptions) = @_;
-    my $out = "";
-    my $boundary;
-
-    $tmpencfile = "/tmp/encryptentity.$$";
-
-    #
-    # generate a random boundary string
-    #
-    $boundary = "------------ms" . join("", @boundarychars[map{rand @boundarychars }( 1 .. 24 )]);
-
-    #
-    # tell cmsutil to generate a enveloped CMS message using our data
-    #
-    open(CMS, "|$cmsutilpath -E $cmsutiloptions -o $tmpencfile") or die "ERROR: cannot pipe to cmsutil";
-    print CMS $entity;
-    unless (close(CMS)) {
-	print STDERR "ERROR: encryption failed.\n";
-	unlink($tmpsigfile);
-	exit 1;
-    }
-
-    $out  = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n";
-    $out .= "Content-Transfer-Encoding: base64\n";
-    $out .= "Content-Disposition: attachment; filename=smime.p7m\n";
-    $out .= "\n";			# end of entity header
-
-    open (ENC, $tmpencfile) or die "ERROR: cannot find newly generated encrypted content";
-    local($/) = undef;			# slurp whole file
-    $out .= encode_base64(<ENC>), "\n";	# entity body is base64-encoded CMS message
-    close(ENC);
-
-    unlink($tmpencfile);
-
-    $out;
-}
-
-#
-# signentity($entity, $options) - sign an S/MIME entity
-#
-# entity  - string containing entire S/MIME entity to sign
-# options - options for cmsutil
-#
-# this will generate and return a new multipart/signed entity consisting
-# of the canonicalized original content, plus a signature block.
-#
-sub signentity($$)
-{
-    my ($entity, $cmsutiloptions) = @_;
-    my $out = "";
-    my $boundary;
-
-    $tmpsigfile = "/tmp/signentity.$$";
-
-    #
-    # generate a random boundary string
-    #
-    $boundary = "------------ms" . join("", @boundarychars[map{rand @boundarychars }( 1 .. 24 )]);
-
-    #
-    # tell cmsutil to generate a signed CMS message using the canonicalized data
-    # The signedData has detached content (-T) and includes a signing time attribute (-G)
-    #
-    # if we do not provide a password on the command line, here's where we would be asked for it
-    #
-    open(CMS, "|$cmsutilpath -S -T -G $cmsutiloptions -o $tmpsigfile") or die "ERROR: cannot pipe to cmsutil";
-    print CMS $entity;
-    unless (close(CMS)) {
-	print STDERR "ERROR: signature generation failed.\n";
-	unlink($tmpsigfile);
-	exit 1;
-    }
-
-    open (SIG, $tmpsigfile) or die "ERROR: cannot find newly generated signature";
-
-    #
-    # construct a new multipart/signed MIME entity consisting of the original content and
-    # the signature
-    #
-    # (we assume that cmsutil generates a SHA1 digest)
-    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
-    $out .= "\n";		# end of entity header
-    $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
-    $out .= "\n--${boundary}\n";
-    $out .= $entity;
-    $out .= "\n--${boundary}\n";
-    $out .= "Content-Type: application/pkcs7-signature; name=smime.p7s\n";
-    $out .= "Content-Transfer-Encoding: base64\n";
-    $out .= "Content-Disposition: attachment; filename=smime.p7s\n";
-    $out .= "Content-Description: S/MIME Cryptographic Signature\n";
-    $out .= "\n";		# end of signature subentity header
-
-    local($/) = undef;		# slurp whole file
-    $out .= encode_base64(<SIG>);	# append base64-encoded signature
-    $out .= "\n--${boundary}--\n";
-
-    close(SIG);
-    unlink($tmpsigfile);
-
-    $out;
-}
-
-sub usage {
-    print STDERR "usage: smime [options]\n";
-    print STDERR " options:\n";
-    print STDERR " -S nick             generate signed message, use certificate named \"nick\"\n";
-    print STDERR "  -p passwd          use \"passwd\" as security module password\n";
-    print STDERR " -E rec1[,rec2...]   generate encrypted message for recipients\n";
-    print STDERR " -D                  decode a S/MIME message\n";
-    print STDERR "  -p passwd          use \"passwd\" as security module password\n";
-    print STDERR "                     (required for decrypting only)\n";
-    print STDERR " -C pathname         set pathname of \"cmsutil\"\n";
-    print STDERR " -d directory        set directory containing certificate db\n";
-    print STDERR "                     (default: ~/.netscape)\n";
-    print STDERR "\nWith -S or -E, smime will take a regular RFC822 message or MIME entity\n";
-    print STDERR "on stdin and generate a signed or encrypted S/MIME message with the same\n";
-    print STDERR "headers and content from it. The output can be used as input to a MTA.\n";
-    print STDERR "-D causes smime to strip off all S/MIME layers if possible and output\n";
-    print STDERR "the \"inner\" message.\n";
-}
-
-#
-# start of main procedures
-#
-
-#
-# process command line options
-#
-unless (getopts('S:E:p:d:C:D')) {
-    usage();
-    exit 1;
-}
-
-unless (defined($opt_S) or defined($opt_E) or defined($opt_D)) {
-    print STDERR "ERROR: -S and/or -E, or -D must be specified.\n";
-    usage();
-    exit 1;
-}
-
-$signopts = "";
-$encryptopts = "";
-$decodeopts = "";
-
-# pass -d option along
-if (defined($opt_d)) {
-    $signopts .= "-d \"$opt_d\" ";
-    $encryptopts .= "-d \"$opt_d\" ";
-    $decodeopts .= "-d \"$opt_d\" ";
-}
-
-if (defined($opt_S)) {
-    $signopts .= "-N \"$opt_S\" ";
-}
-
-if (defined($opt_p)) {
-    $signopts .= "-p \"$opt_p\" ";
-    $decodeopts .= "-p \"$opt_p\" ";
-}
-
-if (defined($opt_E)) {
-    @recipients = split(",", $opt_E);
-    $encryptopts .= "-r ";
-    $encryptopts .= join (" -r ", @recipients);
-}
-
-if (defined($opt_C)) {
-    $cmsutilpath = $opt_C;
-}
-
-#
-# split headers into mime entity headers and RFC822 headers
-# The RFC822 headers are preserved and stay on the outer layer of the message
-#
-$rfc822headers = "";
-$mimeheaders = "";
-$mimebody = "";
-$skippedheaders = "";
-while (<STDIN>) {
-    last if (/^$/);
-    if (/^content-\S+: /i) {
-	$lastref = \$mimeheaders;
-    } elsif (/^mime-version: /i) {
-	$lastref = \$skippedheaders;			# skip it
-    } elsif (/^\s/) {
-	;
-    } else {
-	$lastref = \$rfc822headers;
-    }
-    $$lastref .= $_;
-}
-
-#
-# if there are no MIME entity headers, generate some default ones
-#
-if ($mimeheaders eq "") {
-    $mimeheaders .= "Content-Type: text/plain; charset=us-ascii\n";
-    $mimeheaders .= "Content-Transfer-Encoding: 7bit\n";
-}
-
-#
-# slurp in the entity body
-#
-$saveRS = $/;
-$/ = undef;
-$mimebody = <STDIN>;
-$/ = $saveRS;
-chomp($mimebody);
-
-if (defined $opt_D) {
-    #
-    # decode
-    #
-    # possible options would be:
-    # - strip off only one layer
-    # - strip off outer signature (if present)
-    # - just print information about the structure of the message
-    # - strip n layers, then dump DER of CMS message
-
-    $layercounter = 1;
-
-    while (1) {
-	%hdrhash = parseheaders($mimeheaders);
-	unless (exists($hdrhash{"content-type"}{MAIN})) {
-	    print STDERR "ERROR: no content type header found in MIME entity\n";
-	    last;	# no content-type - we're done
-	}
-
-	$contenttype = $hdrhash{"content-type"}{MAIN};
-	if ($contenttype eq "application/pkcs7-mime") {
-	    #
-	    # opaque-signed or enveloped message
-	    #
-	    unless (exists($hdrhash{"content-type"}{"smime-type"})) {
-		print STDERR "ERROR: no smime-type attribute in application/pkcs7-smime entity.\n";
-		last;
-	    }
-	    $smimetype = $hdrhash{"content-type"}{"smime-type"};
-	    if ($smimetype eq "signed-data" or $smimetype eq "enveloped-data") {
-		# it's verification or decryption time!
-
-		# can handle only base64 encoding for now
-		# all other encodings are treated as binary (8bit)
-		if ($hdrhash{"content-transfer-encoding"}{MAIN} eq "base64") {
-		    $mimebody = decode_base64($mimebody);
-		}
-
-		# if we need to dump the DER, we would do it right here
-
-		# now write the DER
-		$tmpderfile = "/tmp/der.$$";
-		open(TMP, ">$tmpderfile") or die "ERROR: cannot write signature data to temporary file";
-		print TMP $mimebody;
-		unless (close(TMP)) {
-		    print STDERR "ERROR: writing signature data to temporary file.\n";
-		    unlink($tmpderfile);
-		    exit 1;
-		}
-
-		$mimeheaders = "";
-		open(TMP, "$cmsutilpath -D $decodeopts -h $layercounter -i $tmpderfile |") or die "ERROR: cannot open pipe to cmsutil";
-		$layercounter++;
-		while (<TMP>) {
-		    last if (/^\r?$/);			# empty lines mark end of header
-		    if (/^SMIME: /) {			# add all SMIME info to the rfc822 hdrs
-			$lastref = \$rfc822headers;
-		    } elsif (/^\s/) {
-			;				# continuation lines go to the last dest
-		    } else {
-			$lastref = \$mimeheaders;	# all other headers are mime headers
-		    }
-		    $$lastref .= $_;
-		}
-		# slurp in rest of the data to $mimebody
-		$saveRS = $/; $/ = undef; $mimebody = <TMP>; $/ = $saveRS;
-		close(TMP);
-
-		unlink($tmpderfile);
-
-	    } else {
-		print STDERR "ERROR: unknown smime-type \"$smimetype\" in application/pkcs7-smime entity.\n";
-		last;
-	    }
-	} elsif ($contenttype eq "multipart/signed") {
-	    #
-	    # clear signed message
-	    #
-	    unless (exists($hdrhash{"content-type"}{"protocol"})) {
-		print STDERR "ERROR: content type has no protocol attribute in multipart/signed entity.\n";
-		last;
-	    }
-	    if ($hdrhash{"content-type"}{"protocol"} ne "application/pkcs7-signature") {
-		# we cannot handle this guy
-		print STDERR "ERROR: unknown protocol \"", $hdrhash{"content-type"}{"protocol"},
-			"\" in multipart/signed entity.\n";
-		last;
-	    }
-	    unless (exists($hdrhash{"content-type"}{"boundary"})) {
-		print STDERR "ERROR: no boundary attribute in multipart/signed entity.\n";
-		last;
-	    }
-	    $boundary = $hdrhash{"content-type"}{"boundary"};
-
-	    # split $mimebody along \n--$boundary\n - gets you four parts
-	    # first (0), any comments the sending agent might have put in
-	    # second (1), the message itself
-	    # third (2), the signature as a mime entity
-	    # fourth (3), trailing data (there shouldn't be any)
-
-	    @multiparts = split(/\r?\n--$boundary(?:--)?\r?\n/, $mimebody);
-
-	    #
-	    # parse the signature headers
-	    ($submimeheaders, $submimebody) = split(/^$/m, $multiparts[2]);
-	    %sighdrhash = parseheaders($submimeheaders);
-	    unless (exists($sighdrhash{"content-type"}{MAIN})) {
-		print STDERR "ERROR: signature entity has no content type.\n";
-		last;
-	    }
-	    if ($sighdrhash{"content-type"}{MAIN} ne "application/pkcs7-signature") {
-		# we cannot handle this guy
-		print STDERR "ERROR: unknown content type \"", $sighdrhash{"content-type"}{MAIN},
-			"\" in signature entity.\n";
-		last;
-	    }
-	    if ($sighdrhash{"content-transfer-encoding"}{MAIN} eq "base64") {
-		$submimebody = decode_base64($submimebody);
-	    }
-
-	    # we would dump the DER at this point
-
-	    $tmpsigfile = "/tmp/sig.$$";
-	    open(TMP, ">$tmpsigfile") or die "ERROR: cannot write signature data to temporary file";
-	    print TMP $submimebody;
-	    unless (close(TMP)) {
-		print STDERR "ERROR: writing signature data to temporary file.\n";
-		unlink($tmpsigfile);
-		exit 1;
-	    }
-
-	    $tmpmsgfile = "/tmp/msg.$$";
-	    open(TMP, ">$tmpmsgfile") or die "ERROR: cannot write message data to temporary file";
-	    print TMP $multiparts[1];
-	    unless (close(TMP)) {
-		print STDERR "ERROR: writing message data to temporary file.\n";
-		unlink($tmpsigfile);
-		unlink($tmpmsgfile);
-		exit 1;
-	    }
-
-	    $mimeheaders = "";
-	    open(TMP, "$cmsutilpath -D $decodeopts -h $layercounter -c $tmpmsgfile -i $tmpsigfile |") or die "ERROR: cannot open pipe to cmsutil";
-	    $layercounter++;
-	    while (<TMP>) {
-		last if (/^\r?$/);
-		if (/^SMIME: /) {
-		    $lastref = \$rfc822headers;
-		} elsif (/^\s/) {
-		    ;
-		} else {
-		    $lastref = \$mimeheaders;
-		}
-		$$lastref .= $_;
-	    }
-	    $saveRS = $/; $/ = undef; $mimebody = <TMP>; $/ = $saveRS;
-	    close(TMP);
-	    unlink($tmpsigfile);
-	    unlink($tmpmsgfile);
-
-	} else {
-
-	    # not a content type we know - we're done
-	    last;
-
-	}
-    }
-
-    # so now we have the S/MIME parsing information in rfc822headers
-    # and the first mime entity we could not handle in mimeheaders and mimebody.
-    # dump 'em out and we're done.
-    print $rfc822headers;
-    print $mimeheaders . "\n" . $mimebody;
-
-} else {
-
-    #
-    # encode (which is much easier than decode)
-    #
-
-    $mimeentity = $mimeheaders . "\n" . $mimebody;
-
-    #
-    # canonicalize inner entity (rudimentary yet)
-    # convert single LFs to CRLF
-    # if no Content-Transfer-Encoding header present:
-    #  if 8 bit chars present, use Content-Transfer-Encoding: quoted-printable
-    #  otherwise, use Content-Transfer-Encoding: 7bit
-    #
-    $mimeentity =~ s/\r*\n/\r\n/mg;
-
-    #
-    # now do the wrapping
-    # we sign first, then encrypt because that's what Communicator needs
-    #
-    if (defined($opt_S)) {
-	$mimeentity = signentity($mimeentity, $signopts);
-    }
-
-    if (defined($opt_E)) {
-	$mimeentity = encryptentity($mimeentity, $encryptopts);	
-    }
-
-    #
-    # XXX sign again to do triple wrapping (RFC2634)
-    #
-
-    #
-    # now write out the RFC822 headers
-    # followed by the final $mimeentity
-    #
-    print $rfc822headers;
-    print "MIME-Version: 1.0 (NSS SMIME - http://www.mozilla.org/projects/security)\n";	# set up the flag
-    print $mimeentity;
-}
-
-exit 0;
diff --git a/security/nss/cmd/ssltap/Makefile b/security/nss/cmd/ssltap/Makefile
deleted file mode 100644
index c2eb4e1ce..000000000
--- a/security/nss/cmd/ssltap/Makefile
+++ /dev/null
@@ -1,83 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-# Since ssltap doesn't use any of NSS, we'll skip NSS's link libs,
-# and just link with NSPR.
-#
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
--include ../platrules.mk
-
diff --git a/security/nss/cmd/ssltap/manifest.mn b/security/nss/cmd/ssltap/manifest.mn
deleted file mode 100644
index 36937600b..000000000
--- a/security/nss/cmd/ssltap/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-EXPORTS = 
-
-CSRCS = ssltap.c	\
-	$(NULL)
-
-PROGRAM =  ssltap
-
-REQUIRES = seccmd dbm
-
-PACKAGE_FILES = ssltap-manual.html licence.doc ssltap.exe
-
-ARCHIVE_NAME = ssltap
-
diff --git a/security/nss/cmd/ssltap/ssltap-manual.html b/security/nss/cmd/ssltap/ssltap-manual.html
deleted file mode 100644
index f49bf7282..000000000
--- a/security/nss/cmd/ssltap/ssltap-manual.html
+++ /dev/null
@@ -1,202 +0,0 @@
-<HTML>

-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-<HEAD>

-   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">

-   <META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (WinNT; U) [Netscape]">

-   <META NAME="Author" CONTENT="Steve Parkinson">

-   <TITLE>SSLTap - manual</TITLE>

-</HEAD>

-<BODY>

-

-<H1>

-SSLTap Manual page</H1>

-

-<H3>

-Summary</H3>

-A command-line proxy which is SSL-aware. It snoops on TCP connections,

-and displays the data going by, including SSL records and handshaking&nbsp;

-if the connection is SSL.

-<H3>

-Synopsis</H3>

-<TT>ssltap [-vhfsxl] [-p port] hostname:port</TT>

-

-<P><TT>&nbsp;&nbsp; -v&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [prints version string]</TT>

-<BR><TT>&nbsp;&nbsp; -h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [outputs hex instead

-of ASCII]</TT>

-<BR><TT>&nbsp;&nbsp; -f&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on Fancy HTML

-coloring]</TT>

-<BR><TT>&nbsp;&nbsp; -s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on SSL decoding]</TT>

-<BR><TT>&nbsp;&nbsp; -x&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [turn on extra SSL

-hex dumps]</TT>

-<BR><TT>&nbsp;&nbsp; -p port [specify rendezvous port (default 1924)]</TT>

-<BR><TT>&nbsp;&nbsp; -l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [loop - continue

-to wait for more connections]</TT>

-<H3>

-Description</H3>

-SSLTap opens a socket on a rendezvous port, and waits for an incoming connection

-(client side). Once this connection arrives, SSLTap makes another connection

-to hostname:port (server side). It passes any data sent by the client to

-the server, and vice versa. However, SSLTap will also display the data

-to the console. It can do this for plain HTTP connections, or any TCP protocol.

-However, SSLTap can also work with SSL streams, as detailed below.

-

-<P>Let's assume your development machine is called 'intercept'. The simplest

-usage of SSLTap is to run the command <TT>'ssltap www.netscape.com:80'</TT>

-on intercept. The program will wait for an incoming connection on port

-1924. Next you would want to go to your browser, and enter the URL http://intercept:1924.

-The page retrieved by the browser will actually be gotten from the server

-at www.netscape.com, but will go via SSLTap.

-

-<P>Data sent from the client to the server is surrounded by a '--> [ ]'

-symbol, and data sent from the server to the client, a '&lt;---[&nbsp;

-]' symbol.

-

-<P>You'll notice that the page retrieved with this example looks incomplete.

-This is because SSLTap by default closes down after the first connection

-is complete, so the browser is not able to load images. To make the SSLTap

-continue to accept connections, switch on looping mode with the -l option.

-

-<P>You can change the default rendezvous port to something else with the

--p option.

-

-<P>The remaining options change the way the output is produced.

-

-<P>The -f option prints 'fancy' output - in colored HTML. Data sent from

-the client to the server is in blue. The server's reply is in red. This

-is designed so you can load the output up into a browser. When used with

-looping mode, the different connections are separated with horizontal lines.

-

-<P>-x will turn on HEX printing. Instead of being output as ascii, the

-data is shown as Hex, like this:

-<UL><TT>&lt;-- [</TT>

-<BR><TT>&nbsp;&nbsp; 0: 56 d5 16 3e&nbsp; a1 6b b1 4a&nbsp; 8f 67 c4 d7&nbsp;

-21 2f 6f dd&nbsp; | V..>.k.J.g..!/o.</TT>

-<BR><TT>&nbsp; 10: bb 22 c4 75&nbsp; 8c f4 ce 28&nbsp; 16 a6 20 aa&nbsp;

-fb 9a 59 a1&nbsp; | .".u...(.. ...Y.</TT>

-<BR><TT>&nbsp; 20: 51 91 14 d2&nbsp; fc 9f a7 ea&nbsp; 4d 9c f7 3a&nbsp;

-9d 83 62 4a&nbsp; | Q.......M..:..bJ</TT>

-<BR><TT>]</TT>

-<BR>&nbsp;</UL>

-

-<H4>

-SSL Parse mode</H4>

-The following options deal with SSL connections.

-<UL>-s will turn on SSL parsing. (SSLTap doesn't automatically detect SSL

-sessions.)

-<BR>-x will turn on extra SSL hexdumps. Mostly, if SSL can decode the data,

-it doesn't display the hex.</UL>

-The following SSL3 Data structures are parsed: Handshake, ClientHello,

-ServerHello, CertificateChain, Certificate. In addition, SSL2 ClientHello,

-ServerHello, ClientMasterKey are also partly parsed. NO DECRYPTION IS PERFORMED

-ON THE DATA. SSLTAP CANNOT DECRYPT the data.

-

-<P>If a certificate chain is detected, DER-encoded certificates will be

-saved into files in the current directory called 'cert.0x' where x is the

-sequence number of the certificate.

-<BR>&nbsp;

-<H3>

-Operation Hints</H3>

-Often, you'll find that the server certificate does not get transferred,

-or other parts of the handshake do not happen. This is because the browser

-is taking advantage of session-id-reuse (using the handshake results from

-a previous session). If you restart the browser, it'll clear the session

-id cache.

-

-<P>If you run the ssltap on a different machine that the ssl server you're

-trying to connect to, the browser will complain that the host name you're

-trying to connect to is different to the certificate, but it will still

-let you connect, after showing you a dialog.

-<H3>

-Bugs</H3>

-Please contact <A HREF="mailto:ssltap-support@netscape.com">ssltap-support@netscape.com</A>

-for bug reports.

-<H3>

-History</H3>

-2.1 - First public release (March 1998)

-<BR>&nbsp;

-<H3>

-Other</H3>

-For reference, here is a table of some well-known port numbers:

-<BR>&nbsp;

-<TABLE BORDER=2 >

-<TR>

-<TD>HTTP</TD>

-

-<TD>80</TD>

-</TR>

-

-<TR>

-<TD>SMTP</TD>

-

-<TD>25</TD>

-</TR>

-

-<TR>

-<TD>HTTPS</TD>

-

-<TD>443</TD>

-</TR>

-

-<TR>

-<TD>FTP</TD>

-

-<TD>21</TD>

-</TR>

-

-<TR>

-<TD>IMAPS</TD>

-

-<TD>993</TD>

-</TR>

-

-<TR>

-<TD>NNTP</TD>

-

-<TD>119</TD>

-</TR>

-

-<TR>

-<TD>NNTPS</TD>

-

-<TD>563</TD>

-</TR>

-</TABLE>

-&nbsp;

-

-<P>&nbsp;

-</BODY>

-</HTML>

diff --git a/security/nss/cmd/ssltap/ssltap.c b/security/nss/cmd/ssltap/ssltap.c
deleted file mode 100644
index 244168b0c..000000000
--- a/security/nss/cmd/ssltap/ssltap.c
+++ /dev/null
@@ -1,1759 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * ssltap.c
- *
- * Version 1.0 : Frederick Roeber : 11 June 1997
- * Version 2.0 : Steve Parkinson  : 13 November 1997
- * Version 3.0 : Nelson Bolyard   : 22 July 1998
- * Version 3.1 : Nelson Bolyard   : 24 May  1999
- *
- * changes in version 2.0:
- *  Uses NSPR20
- *  Shows structure of SSL negotiation, if enabled.
- *
- * This "proxies" a socket connection (like a socks tunnel), but displays the
- * data is it flies by.
- *
- * In the code, the 'client' socket is the one on the client side of the
- * proxy, and the server socket is on the server side.
- *
- */
-
-#include "nspr.h"
-#include "plstr.h"
-#include "secutil.h"
-#include <memory.h>	/* for memcpy, etc. */
-#include <string.h>
-#include <time.h>
-
-#include "plgetopt.h"
-#include "nss.h"
-#include "cert.h"
-#include "sslproto.h"
-
-#define VERSIONSTRING "$Revision$ ($Date$) $Author$"
-
-
-struct _DataBufferList;
-struct _DataBuffer;
-
-typedef struct _DataBufferList {
-  struct _DataBuffer *first,*last;
-  int size;
-  int isEncrypted;
-  char * msgBuf;
-  int    msgBufOffset;
-  int    msgBufSize;
-  int    hMACsize;
-} DataBufferList;
-
-typedef struct _DataBuffer {
-  unsigned char *buffer;
-  int length;
-  int offset;  /* offset of first good byte */
-  struct _DataBuffer *next;
-} DataBuffer;
-
-
-
-struct sslhandshake {
-  PRUint8 type;
-  PRUint32 length;
-};
-
-typedef struct _SSLRecord {
-  PRUint8 type;
-  PRUint8 ver_maj,ver_min;
-
-  PRUint8 length[2];
-} SSLRecord;
-
-typedef struct _ClientHelloV2 {
-  PRUint8 length[2];
-  PRUint8 type;
-  PRUint8 version[2];
-  PRUint8 cslength[2];
-  PRUint8 sidlength[2];
-  PRUint8 rndlength[2];
-  PRUint8 csuites[1];
-} ClientHelloV2;
-
-typedef struct _ServerHelloV2 {
-  PRUint8 length[2];
-  PRUint8 type;
-  PRUint8 sidhit;
-  PRUint8 certtype;
-  PRUint8 version[2];
-  PRUint8 certlength[2];
-  PRUint8 cslength[2];
-  PRUint8 cidlength[2];
-} ServerHelloV2;
-
-typedef struct _ClientMasterKeyV2 {
-  PRUint8 length[2];
-  PRUint8 type;
-
-  PRUint8 cipherkind[3];
-  PRUint8 clearkey[2];
-  PRUint8 secretkey[2];
-
-} ClientMasterKeyV2;
-
-/* forward declaration */
-void showErr(const char * msg);
-
-#define TAPBUFSIZ 16384
-
-#define DEFPORT 1924
-#include <ctype.h>
-
-const char * progName;
-int hexparse=0;
-int sslparse=0;
-int sslhexparse=0;
-int looparound=0;
-int fancy=0;
-int isV2Session=0;
-int currentcipher=0;
-DataBufferList clientstream, serverstream;
-
-#define PR_FPUTS(x) PR_fprintf(PR_STDOUT, x )
-
-#define GET_SHORT(x) ((PRUint16)(((PRUint16)((PRUint8*)x)[0]) << 8) + ((PRUint16)((PRUint8*)x)[1]))
-#define GET_24(x) ((PRUint32)   (  \
-				 (((PRUint32)((PRUint8*)x)[0]) << 16) \
-				 +                          \
-				 (((PRUint32)((PRUint8*)x)[1]) << 8)  \
-				 +                          \
-				 (((PRUint32)((PRUint8*)x)[2]) << 0)  \
-				 ) )
-#define GET_32(x) ((PRUint32)   (  \
-				 (((PRUint32)((PRUint8*)x)[0]) << 24) \
-				 +                          \
-				 (((PRUint32)((PRUint8*)x)[1]) << 16) \
-				 +                          \
-				 (((PRUint32)((PRUint8*)x)[2]) << 8)  \
-				 +                          \
-				 (((PRUint32)((PRUint8*)x)[3]) << 0)  \
-				 ) )
-
-void print_hex(int amt, unsigned char *buf);
-void read_stream_bytes(unsigned char *d, DataBufferList *db, int length);
-
-void myhalt(int dblsize,int collectedsize) 
-{
-
-  PR_fprintf(PR_STDERR,"HALTED\n");
-  PR_ASSERT(dblsize == collectedsize);
-  exit(13);
-}
-
-const char *get_error_text(int error) 
-{
-  switch (error) {
-  case PR_IO_TIMEOUT_ERROR:
-    return "Timeout";
-    break;
-  case PR_CONNECT_REFUSED_ERROR:
-    return "Connection refused";
-    break;
-  case PR_NETWORK_UNREACHABLE_ERROR:
-    return "Network unreachable";
-    break;
-  case PR_BAD_ADDRESS_ERROR:
-    return "Bad address";
-    break;
-  case PR_CONNECT_RESET_ERROR:
-    return "Connection reset";
-    break;
-  case PR_PIPE_ERROR:
-    return "Pipe error";
-    break;
-  }
-
-  return "";
-}
-
-
-
-
-
-void check_integrity(DataBufferList *dbl) 
-{
-  DataBuffer *db;
-  int i;
-
-  db = dbl->first;
-  i =0;
-  while (db) {
-    i+= db->length - db->offset;
-    db = db->next;
-  }
-  if (i != dbl->size) {
-    myhalt(dbl->size,i);
-  }
-}
-
-/* Free's the DataBuffer at the head of the list and returns the pointer
- * to the new head of the list.
- */
-DataBuffer * 
-free_head(DataBufferList *dbl)
-{
-  DataBuffer *db       = dbl->first;
-  PR_ASSERT(db->offset >= db->length);
-  if (db->offset >= db->length) {
-    dbl->first = db->next;
-    if (dbl->first == NULL) {
-      dbl->last = NULL;
-    }
-    PORT_Free(db->buffer);
-    PORT_Free(db);
-    db = dbl->first;
-  }
-  return db;
-}
-
-void 
-read_stream_bytes(unsigned char *d, DataBufferList *dbl, int length) 
-{
-  int         copied 	= 0;
-  DataBuffer *db	= dbl->first;
-
-  if (!db) {
-    PR_fprintf(PR_STDERR,"assert failed - dbl->first is null\n");
-    exit(8);
-  }
-  while (length) {
-    int         toCopy;
-    /* find the number of bytes to copy from the head buffer */
-    /* if there's too many in this buffer, then only copy 'length' */
-    toCopy = PR_MIN(db->length - db->offset, length);
-
-    memcpy(d + copied, db->buffer + db->offset, toCopy);
-    copied     += toCopy;
-    db->offset += toCopy;
-    length     -= toCopy;
-    dbl->size  -= toCopy;
-
-    /* if we emptied the head buffer */
-    if (db->offset >= db->length) {
-      db = free_head(dbl);
-    }
-  }
-
-  check_integrity(dbl);
-
-}
-
-void
-flush_stream(DataBufferList *dbl)
-{
-    DataBuffer *db = dbl->first;
-    check_integrity(dbl);
-    while (db) {
-	db->offset = db->length;
-    	db = free_head(dbl);
-    }
-    dbl->size = 0;
-    check_integrity(dbl);
-    if (dbl->msgBuf) {
-        PORT_Free(dbl->msgBuf);
-	dbl->msgBuf = NULL;
-    }
-    dbl->msgBufOffset = 0;
-    dbl->msgBufSize = 0;
-    dbl->hMACsize = 0;
-}
-
-
-const char * V2CipherString(int cs_int) 
-{
-  char *cs_str;
-  cs_str = NULL;
-  switch (cs_int) {
-
-  case 0x010080:    cs_str = "SSL2/RSA/RC4-128/MD5";       break;
-  case 0x020080:    cs_str = "SSL2/RSA/RC4-40/MD5";    break;
-  case 0x030080:    cs_str = "SSL2/RSA/RC2CBC128/MD5";     break;
-  case 0x040080:    cs_str = "SSL2/RSA/RC2CBC40/MD5";  break;
-  case 0x050080:    cs_str = "SSL2/RSA/IDEA128CBC/MD5";    break;
-  case 0x060040:    cs_str = "SSL2/RSA/DES56-CBC/MD5";      break;
-  case 0x0700C0:    cs_str = "SSL2/RSA/3DES192EDE-CBC/MD5"; break;
-
-  case 0x000001:    cs_str = "SSL3/RSA/NULL/MD5";             break;
-  case 0x000002:    cs_str = "SSL3/RSA/NULL/SHA";             break;
-  case 0x000003:    cs_str = "SSL3/RSA/RC4-40/MD5";       break;
-  case 0x000004:    cs_str = "SSL3/RSA/RC4-128/MD5";          break;
-  case 0x000005:    cs_str = "SSL3/RSA/RC4-128/SHA";          break;
-  case 0x000006:    cs_str = "SSL3/RSA/RC2CBC40/MD5";     break;
-  case 0x000007:    cs_str = "SSL3/RSA/IDEA128CBC/SHA";       break;
-  case 0x000008:    cs_str = "SSL3/RSA/DES40-CBC/SHA";         break;
-  case 0x000009:    cs_str = "SSL3/RSA/DES56-CBC/SHA";         break;
-  case 0x00000A:    cs_str = "SSL3/RSA/3DES192EDE-CBC/SHA";    break;
-
-  case 0x00000B:    cs_str = "SSL3/DH-DSS/DES40-CBC/SHA";      break;
-  case 0x00000C:    cs_str = "SSL3/DH-DSS/DES56-CBC/SHA";      break;
-  case 0x00000D:    cs_str = "SSL3/DH-DSS/DES192EDE3CBC/SHA"; break;
-  case 0x00000E:    cs_str = "SSL3/DH-RSA/DES40-CBC/SHA";      break;
-  case 0x00000F:    cs_str = "SSL3/DH-RSA/DES56-CBC/SHA";      break;
-  case 0x000010:    cs_str = "SSL3/DH-RSA/3DES192EDE-CBC/SHA"; break;
-
-  case 0x000011:    cs_str = "SSL3/DHE-DSS/DES40-CBC/SHA";      break;
-  case 0x000012:    cs_str = "SSL3/DHE-DSS/DES56-CBC/SHA";      break;
-  case 0x000013:    cs_str = "SSL3/DHE-DSS/DES192EDE3CBC/SHA"; break;
-  case 0x000014:    cs_str = "SSL3/DHE-RSA/DES40-CBC/SHA";      break;
-  case 0x000015:    cs_str = "SSL3/DHE-RSA/DES56-CBC/SHA";      break;
-  case 0x000016:    cs_str = "SSL3/DHE-RSA/3DES192EDE-CBC/SHA"; break;
-
-  case 0x000017:    cs_str = "SSL3/DH-anon/RC4-40/MD5";     break;
-  case 0x000018:    cs_str = "SSL3/DH-anon/RC4-128/MD5";        break;
-  case 0x000019:    cs_str = "SSL3/DH-anon/DES40-CBC/SHA";       break;
-  case 0x00001A:    cs_str = "SSL3/DH-anon/DES56-CBC/SHA";       break;
-  case 0x00001B:    cs_str = "SSL3/DH-anon/3DES192EDE-CBC/SHA"; break;
-
-  case 0x00001C:    cs_str = "SSL3/FORTEZZA-DMS/NULL/SHA";      break;
-  case 0x00001D:    cs_str = "SSL3/FORTEZZA-DMS/FORTEZZA-CBC/SHA";  break;
-  case 0x00001E:    cs_str = "SSL3/FORTEZZA-DMS/RC4-128/SHA";  break;
-
-  case 0x00002F:    cs_str = "TLS/RSA/AES128-CBC/SHA";  	break;
-  case 0x000030:    cs_str = "TLS/DH-DSS/AES128-CBC/SHA";	break;
-  case 0x000031:    cs_str = "TLS/DH-RSA/AES128-CBC/SHA";	break;
-  case 0x000032:    cs_str = "TLS/DHE-DSS/AES128-CBC/SHA";	break;
-  case 0x000033:    cs_str = "TLS/DHE-RSA/AES128-CBC/SHA";	break;
-  case 0x000034:    cs_str = "TLS/DH-ANON/AES128-CBC/SHA";	break;
-
-  case 0x000035:    cs_str = "TLS/RSA/AES256-CBC/SHA";  	break;
-  case 0x000036:    cs_str = "TLS/DH-DSS/AES256-CBC/SHA";	break;
-  case 0x000037:    cs_str = "TLS/DH-RSA/AES256-CBC/SHA";	break;
-  case 0x000038:    cs_str = "TLS/DHE-DSS/AES256-CBC/SHA";	break;
-  case 0x000039:    cs_str = "TLS/DHE-RSA/AES256-CBC/SHA";	break;
-  case 0x00003A:    cs_str = "TLS/DH-ANON/AES256-CBC/SHA";	break;
-
-  case 0x000041:    cs_str = "TLS/RSA/CAMELLIA128-CBC/SHA";	break;
-  case 0x000042:    cs_str = "TLS/DH-DSS/CAMELLIA128-CBC/SHA";	break;
-  case 0x000043:    cs_str = "TLS/DH-RSA/CAMELLIA128-CBC/SHA";	break;
-  case 0x000044:    cs_str = "TLS/DHE-DSS/CAMELLIA128-CBC/SHA";	break;
-  case 0x000045:    cs_str = "TLS/DHE-RSA/CAMELLIA128-CBC/SHA";	break;
-  case 0x000046:    cs_str = "TLS/DH-ANON/CAMELLIA128-CBC/SHA";	break;
-
-  case 0x000060:    cs_str = "TLS/RSA-EXPORT1024/RC4-56/MD5";	break;
-  case 0x000061:    cs_str = "TLS/RSA-EXPORT1024/RC2CBC56/MD5";	break;
-  case 0x000062:    cs_str = "TLS/RSA-EXPORT1024/DES56-CBC/SHA";   break;
-  case 0x000064:    cs_str = "TLS/RSA-EXPORT1024/RC4-56/SHA";	   break;
-  case 0x000063:    cs_str = "TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA"; break;
-  case 0x000065:    cs_str = "TLS/DHE-DSS_EXPORT1024/RC4-56/SHA";  break;
-  case 0x000066:    cs_str = "TLS/DHE-DSS/RC4-128/SHA";		   break;
-
-  case 0x000072:    cs_str = "TLS/DHE-DSS/3DESEDE-CBC/RMD160"; break;
-  case 0x000073:    cs_str = "TLS/DHE-DSS/AES128-CBC/RMD160";  break;
-  case 0x000074:    cs_str = "TLS/DHE-DSS/AES256-CBC/RMD160";  break;
-
-  case 0x000079:    cs_str = "TLS/DHE-RSA/AES256-CBC/RMD160";  break;
-
-  case 0x00007C:    cs_str = "TLS/RSA/3DESEDE-CBC/RMD160"; break;
-  case 0x00007D:    cs_str = "TLS/RSA/AES128-CBC/RMD160"; break;
-  case 0x00007E:    cs_str = "TLS/RSA/AES256-CBC/RMD160"; break;
-
-  case 0x000080:    cs_str = "TLS/GOST341094/GOST28147-OFB/GOST28147"; break;
-  case 0x000081:    cs_str = "TLS/GOST34102001/GOST28147-OFB/GOST28147"; break;
-  case 0x000082:    cs_str = "TLS/GOST341094/NULL/GOSTR3411"; break;
-  case 0x000083:    cs_str = "TLS/GOST34102001/NULL/GOSTR3411"; break;
-
-  case 0x000084:    cs_str = "TLS/RSA/CAMELLIA256-CBC/SHA";	break;
-  case 0x000085:    cs_str = "TLS/DH-DSS/CAMELLIA256-CBC/SHA";	break;
-  case 0x000086:    cs_str = "TLS/DH-RSA/CAMELLIA256-CBC/SHA";	break;
-  case 0x000087:    cs_str = "TLS/DHE-DSS/CAMELLIA256-CBC/SHA";	break;
-  case 0x000088:    cs_str = "TLS/DHE-RSA/CAMELLIA256-CBC/SHA";	break;
-  case 0x000089:    cs_str = "TLS/DH-ANON/CAMELLIA256-CBC/SHA";	break;
-  case 0x00008A:    cs_str = "TLS/PSK/RC4-128/SHA";		break;
-  case 0x00008B:    cs_str = "TLS/PSK/3DES-EDE-CBC/SHA";	break;
-  case 0x00008C:    cs_str = "TLS/PSK/AES128-CBC/SHA";		break;      
-  case 0x00008D:    cs_str = "TLS/PSK/AES256-CBC/SHA";		break;      
-  case 0x00008E:    cs_str = "TLS/DHE-PSK/RC4-128/SHA";		break;      
-  case 0x00008F:    cs_str = "TLS/DHE-PSK/3DES-EDE-CBC/SHA";	break; 
-  case 0x000090:    cs_str = "TLS/DHE-PSK/AES128-CBC/SHA";	break;  
-  case 0x000091:    cs_str = "TLS/DHE-PSK/AES256-CBC/SHA";	break;  
-  case 0x000092:    cs_str = "TLS/RSA-PSK/RC4-128/SHA";		break;      
-  case 0x000093:    cs_str = "TLS/RSA-PSK/3DES-EDE-CBC/SHA";	break; 
-  case 0x000094:    cs_str = "TLS/RSA-PSK/AES128-CBC/SHA";	break;  
-  case 0x000095:    cs_str = "TLS/RSA-PSK/AES256-CBC/SHA";	break;  
-  case 0x000096:    cs_str = "TLS/RSA/SEED-CBC/SHA";		break;         
-  case 0x000097:    cs_str = "TLS/DH-DSS/SEED-CBC/SHA";		break;      
-  case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
-  case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
-  case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
-  case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
-
-  case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
-  case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
-  case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
-  case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
-  case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
-  case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
-  case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
-  case 0x00C008:    cs_str = "TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA";break;
-  case 0x00C009:    cs_str = "TLS/ECDHE-ECDSA/AES128-CBC/SHA";  break;
-  case 0x00C00A:    cs_str = "TLS/ECDHE-ECDSA/AES256-CBC/SHA";  break;
-  case 0x00C00B:    cs_str = "TLS/ECDH-RSA/NULL/SHA";           break;
-  case 0x00C00C:    cs_str = "TLS/ECDH-RSA/RC4-128/SHA";        break;
-  case 0x00C00D:    cs_str = "TLS/ECDH-RSA/3DES-EDE-CBC/SHA";   break;
-  case 0x00C00E:    cs_str = "TLS/ECDH-RSA/AES128-CBC/SHA";     break;
-  case 0x00C00F:    cs_str = "TLS/ECDH-RSA/AES256-CBC/SHA";     break;
-  case 0x00C010:    cs_str = "TLS/ECDHE-RSA/NULL/SHA";          break;
-  case 0x00C011:    cs_str = "TLS/ECDHE-RSA/RC4-128/SHA";       break;
-  case 0x00C012:    cs_str = "TLS/ECDHE-RSA/3DES-EDE-CBC/SHA";  break;
-  case 0x00C013:    cs_str = "TLS/ECDHE-RSA/AES128-CBC/SHA";    break;
-  case 0x00C014:    cs_str = "TLS/ECDHE-RSA/AES256-CBC/SHA";    break;
-  case 0x00C015:    cs_str = "TLS/ECDH-anon/NULL/SHA";          break;
-  case 0x00C016:    cs_str = "TLS/ECDH-anon/RC4-128/SHA";       break;
-  case 0x00C017:    cs_str = "TLS/ECDH-anon/3DES-EDE-CBC/SHA";  break;
-  case 0x00C018:    cs_str = "TLS/ECDH-anon/AES128-CBC/SHA";    break;
-  case 0x00C019:    cs_str = "TLS/ECDH-anon/AES256-CBC/SHA";    break;
-
-  case 0x00feff:    cs_str = "SSL3/RSA-FIPS/3DESEDE-CBC/SHA";	break;
-  case 0x00fefe:    cs_str = "SSL3/RSA-FIPS/DES-CBC/SHA";	break;
-  case 0x00ffe1:    cs_str = "SSL3/RSA-FIPS/DES56-CBC/SHA";     break;
-  case 0x00ffe0:    cs_str = "SSL3/RSA-FIPS/3DES192EDE-CBC/SHA";break;
-
-  /* the string literal is broken up to avoid trigraphs */
-  default:          cs_str = "????" "/????????" "/?????????" "/???"; break;
-  }
-
-  return cs_str;
-}
-
-const char * helloExtensionNameString(int ex_num) 
-{
-  const char *ex_name = NULL;
-  static char buf[10];
-
-  switch (ex_num) {
-  case  0: ex_name = "server_name";                    break;
-  case  1: ex_name = "max_fragment_length";            break;
-  case  2: ex_name = "client_certificate_url";         break;
-  case  3: ex_name = "trusted_ca_keys";                break;
-  case  4: ex_name = "truncated_hmac";                 break;
-  case  5: ex_name = "status_request";                 break;
-  case 10: ex_name = "elliptic_curves";                break;
-  case 11: ex_name = "ec_point_formats";               break;
-  case 35: ex_name = "session_ticket";                 break;
-  default: sprintf(buf, "%d", ex_num);  ex_name = (const char *)buf; break;
-  }
-
-  return ex_name;
-}
-
-static int isNULLmac(int cs_int)
-{
-    return (cs_int == SSL_NULL_WITH_NULL_NULL); 
-}
-
-static int isNULLcipher(int cs_int)
-{
- return ((cs_int == SSL_RSA_WITH_NULL_MD5) ||
-         (cs_int == SSL_RSA_WITH_NULL_SHA) ||
-         (cs_int == SSL_FORTEZZA_DMS_WITH_NULL_SHA) ||
-         (cs_int == TLS_ECDH_ECDSA_WITH_NULL_SHA) ||
-         (cs_int == TLS_ECDHE_ECDSA_WITH_NULL_SHA) ||
-         (cs_int == TLS_ECDH_RSA_WITH_NULL_SHA) ||
-         (cs_int == TLS_ECDHE_RSA_WITH_NULL_SHA));
-} 
-
-void partial_packet(int thispacket, int size, int needed)
-{
-  PR_fprintf(PR_STDOUT,"(%u bytes", thispacket);
-  if (thispacket < needed) {
-    PR_fprintf(PR_STDOUT,", making %u", size);
-  }
-  PR_fprintf(PR_STDOUT," of %u", needed);
-  if (size > needed) {
-    PR_fprintf(PR_STDOUT,", with %u left over", size - needed);
-  }
-  PR_fprintf(PR_STDOUT,")\n");
-}
-
-char * get_time_string(void)
-{
-  char      *cp;
-  char      *eol;
-  time_t     tt;
-
-  time(&tt);
-  cp = ctime(&tt);
-  eol = strchr(cp, '\n');
-  if (eol) 
-    *eol = 0;
-  return cp;
-}
-
-void print_sslv2(DataBufferList *s, unsigned char *recordBuf, unsigned int recordLen)
-{
-  ClientHelloV2 *chv2;
-  ServerHelloV2 *shv2;
-  unsigned char *pos;
-  unsigned int   p;
-  unsigned int   q;
-  PRUint32       len;
-
-  chv2 = (ClientHelloV2 *)recordBuf;
-  shv2 = (ServerHelloV2 *)recordBuf;
-  if (s->isEncrypted) {
-    PR_fprintf(PR_STDOUT," [ssl2]  Encrypted {...}\n");
-    return;
-  }
-  PR_fprintf(PR_STDOUT," [%s]", get_time_string() );
-  switch(chv2->type) {
-  case 1:
-    PR_fprintf(PR_STDOUT," [ssl2]  ClientHelloV2 {\n");
-    PR_fprintf(PR_STDOUT,"           version = {0x%02x, 0x%02x}\n",
-	       (PRUint32)chv2->version[0],(PRUint32)chv2->version[1]);
-    PR_fprintf(PR_STDOUT,"           cipher-specs-length = %d (0x%02x)\n",
-	       (PRUint32)(GET_SHORT((chv2->cslength))),
-	       (PRUint32)(GET_SHORT((chv2->cslength))));
-    PR_fprintf(PR_STDOUT,"           sid-length = %d (0x%02x)\n",
-	       (PRUint32)(GET_SHORT((chv2->sidlength))),
-	       (PRUint32)(GET_SHORT((chv2->sidlength))));
-    PR_fprintf(PR_STDOUT,"           challenge-length = %d (0x%02x)\n",
-	       (PRUint32)(GET_SHORT((chv2->rndlength))),
-	       (PRUint32)(GET_SHORT((chv2->rndlength))));
-    PR_fprintf(PR_STDOUT,"           cipher-suites = { \n");
-    for (p=0;p<GET_SHORT((chv2->cslength));p+=3) {
-      const char *cs_str=NULL;
-      PRUint32 cs_int=0;
-      cs_int = GET_24((&chv2->csuites[p]));
-      cs_str = V2CipherString(cs_int);
-
-      PR_fprintf(PR_STDOUT,"                (0x%06x) %s\n",
-		  cs_int, cs_str);
-    }
-    q = p;
-    PR_fprintf(PR_STDOUT,"                }\n");
-    if (chv2->sidlength) {
-      PR_fprintf(PR_STDOUT,"           session-id = { ");
-      for (p=0;p<GET_SHORT((chv2->sidlength));p+=2) {
-	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
-      }
-    }
-    q += p;
-    PR_fprintf(PR_STDOUT,"}\n");
-    if (chv2->rndlength) {
-      PR_fprintf(PR_STDOUT,"           challenge = { ");
-      for (p=0;p<GET_SHORT((chv2->rndlength));p+=2) {
-	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
-      }
-      PR_fprintf(PR_STDOUT,"}\n");
-    }
-    PR_fprintf(PR_STDOUT,"}\n");
-    break;
-    /* end of V2 CLientHello Parsing */
-
-  case 2:  /* Client Master Key  */
-    {
-    const char *cs_str=NULL;
-    PRUint32 cs_int=0;
-    ClientMasterKeyV2 *cmkv2;
-    cmkv2 = (ClientMasterKeyV2 *)chv2;
-    isV2Session = 1;
-
-    PR_fprintf(PR_STDOUT," [ssl2]  ClientMasterKeyV2 { \n");
-
-    cs_int = GET_24(&cmkv2->cipherkind[0]);
-    cs_str = V2CipherString(cs_int);
-    PR_fprintf(PR_STDOUT,"         cipher-spec-chosen = (0x%06x) %s\n",
-	       cs_int, cs_str);
-
-    PR_fprintf(PR_STDOUT,"         clear-portion = %d bits\n",
-	       8*(PRUint32)(GET_SHORT((cmkv2->clearkey))));
-
-    PR_fprintf(PR_STDOUT,"      }\n");
-    clientstream.isEncrypted = 1;
-    serverstream.isEncrypted = 1;
-    }
-    break;
-
-
-  case 3:
-    PR_fprintf(PR_STDOUT," [ssl2]  Client Finished V2 {...}\n");
-    isV2Session = 1;
-    break;
-
-
-  case 4:  /* V2 Server Hello */
-    isV2Session = 1;
-
-    PR_fprintf(PR_STDOUT," [ssl2]  ServerHelloV2 {\n");
-    PR_fprintf(PR_STDOUT,"           sid hit = {0x%02x}\n",
-	       (PRUintn)shv2->sidhit);
-    PR_fprintf(PR_STDOUT,"           version = {0x%02x, 0x%02x}\n",
-	       (PRUint32)shv2->version[0],(PRUint32)shv2->version[1]);
-    PR_fprintf(PR_STDOUT,"           cipher-specs-length = %d (0x%02x)\n",
-	       (PRUint32)(GET_SHORT((shv2->cslength))),
-	       (PRUint32)(GET_SHORT((shv2->cslength))));
-    PR_fprintf(PR_STDOUT,"           sid-length = %d (0x%02x)\n",
-	       (PRUint32)(GET_SHORT((shv2->cidlength))),
-	       (PRUint32)(GET_SHORT((shv2->cidlength))));
-
-    pos = (unsigned char *)shv2;
-    pos += 2;   /* skip length header */
-    pos += 11;  /* position pointer to Certificate data area */
-    q = GET_SHORT(&shv2->certlength);
-    if (q >recordLen) {
-      goto eosh;
-    }
-    pos += q; 			/* skip certificate */
-
-    PR_fprintf(PR_STDOUT,"           cipher-suites = { ");
-    len = GET_SHORT((shv2->cslength));
-    for (p = 0; p < len; p += 3) {
-      const char *cs_str=NULL;
-      PRUint32 cs_int=0;
-      cs_int = GET_24((pos+p));
-      cs_str = V2CipherString(cs_int);
-      PR_fprintf(PR_STDOUT,"\n              ");
-      PR_fprintf(PR_STDOUT,"(0x%06x) %s", cs_int, cs_str);
-    }
-    pos += len;
-    PR_fprintf(PR_STDOUT,"   }\n");	/* End of cipher suites */
-    len = (PRUint32)GET_SHORT((shv2->cidlength));
-    if (len) {
-      PR_fprintf(PR_STDOUT,"           connection-id = { ");
-      for (p = 0; p < len; p += 2) {
-	PR_fprintf(PR_STDOUT,"0x%04x ", (PRUint32)(GET_SHORT((pos + p))));
-      }
-      PR_fprintf(PR_STDOUT,"   }\n");	/* End of connection id */
-    }
-eosh:
-    PR_fprintf(PR_STDOUT,"\n              }\n"); /* end of ServerHelloV2 */
-    if (shv2->sidhit) {
-      clientstream.isEncrypted = 1;
-      serverstream.isEncrypted = 1;
-    }
-    break;
-
-  case 5:
-    PR_fprintf(PR_STDOUT," [ssl2]  Server Verify V2 {...}\n");
-    isV2Session = 1;
-    break;
-
-  case 6:
-    PR_fprintf(PR_STDOUT," [ssl2]  Server Finished V2 {...}\n");
-    isV2Session = 1;
-    break;
-
-  case 7:
-    PR_fprintf(PR_STDOUT," [ssl2]  Request Certificate V2 {...}\n");
-    isV2Session = 1;
-    break;
-
-  case 8:
-    PR_fprintf(PR_STDOUT," [ssl2]  Client Certificate V2 {...}\n");
-    isV2Session = 1;
-    break;
-
-  default:
-    PR_fprintf(PR_STDOUT," [ssl2]  UnknownType 0x%02x {...}\n",
-	  (PRUint32)chv2->type);
-    break;
-  }
-}
-
-
-
-unsigned int print_hello_extension(unsigned char *  hsdata,
-				   unsigned int     length,
-				   unsigned int     pos)
-{
-  /* pretty print extensions, if any */
-  if (pos < length) {
-    int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
-    PR_fprintf(PR_STDOUT,
-	       "            extensions[%d] = {\n", exListLen);
-    while (exListLen > 0 && pos < length) {
-      int exLen;
-      int exType = GET_SHORT((hsdata+pos)); pos += 2;
-      exLen = GET_SHORT((hsdata+pos)); pos += 2;
-      /* dump the extension */
-      PR_fprintf(PR_STDOUT,
-		 "              extension type %s, length [%d]",
-		 helloExtensionNameString(exType), exLen);
-      if (exLen > 0) {
-	  PR_fprintf(PR_STDOUT, " = {\n");
-	  print_hex(exLen, hsdata + pos);
-	  PR_fprintf(PR_STDOUT, "              }\n");
-      } else {
-	  PR_fprintf(PR_STDOUT, "\n");
-      }
-      pos += exLen;
-      exListLen -= 2 + exLen;
-    }
-    PR_fprintf(PR_STDOUT,"            }\n");
-  }
-  return pos;
-}
-
-
-void print_ssl3_handshake(unsigned char *recordBuf, 
-                          unsigned int   recordLen,
-                          SSLRecord *    sr,
-			  DataBufferList *s)
-{
-  struct sslhandshake sslh; 
-  unsigned char *     hsdata;  
-  int                 offset=0;
-
-  PR_fprintf(PR_STDOUT,"   handshake {\n");
-
-  if (s->msgBufOffset && s->msgBuf) {
-    /* append recordBuf to msgBuf, then use msgBuf */
-    if (s->msgBufOffset + recordLen > s->msgBufSize) {
-      int    newSize = s->msgBufOffset + recordLen;
-      char * newBuf = PORT_Realloc(s->msgBuf, newSize);
-      if (!newBuf) {
-	PR_ASSERT(newBuf);
-	showErr( "Realloc failed");
-        exit(10);
-      }
-      s->msgBuf = newBuf;
-      s->msgBufSize = newSize;
-    }
-    memcpy(s->msgBuf + s->msgBufOffset, recordBuf, recordLen);
-    s->msgBufOffset += recordLen;
-    recordLen = s->msgBufOffset;
-    recordBuf = s->msgBuf;
-  }
-  while (offset + 4 + s->hMACsize <= recordLen) {
-    sslh.type = recordBuf[offset]; 
-    sslh.length = GET_24(recordBuf+offset+1);
-    if (offset + 4 + sslh.length + s->hMACsize > recordLen)
-      break;
-    /* finally have a complete message */
-    if (sslhexparse) 
-      print_hex(4,recordBuf+offset);
-
-    hsdata = &recordBuf[offset+4];
-
-    PR_fprintf(PR_STDOUT,"      type = %d (",sslh.type);
-    switch(sslh.type) {
-    case 0:  PR_FPUTS("hello_request)\n"               ); break;
-    case 1:  PR_FPUTS("client_hello)\n"                ); break;
-    case 2:  PR_FPUTS("server_hello)\n"                ); break;
-    case 4:  PR_FPUTS("new_session_ticket)\n"          ); break;
-    case 11: PR_FPUTS("certificate)\n"                 ); break;
-    case 12: PR_FPUTS("server_key_exchange)\n"         ); break;
-    case 13: PR_FPUTS("certificate_request)\n"         ); break;
-    case 14: PR_FPUTS("server_hello_done)\n"           ); break;
-    case 15: PR_FPUTS("certificate_verify)\n"          ); break;
-    case 16: PR_FPUTS("client_key_exchange)\n"         ); break;
-    case 20: PR_FPUTS("finished)\n"                    ); break;
-    default: PR_FPUTS("unknown)\n"                     ); break;
-    }
-
-    PR_fprintf(PR_STDOUT,"      length = %d (0x%06x)\n",sslh.length,sslh.length);
-    switch (sslh.type) {
-
-    case 0: /* hello_request */ /* not much to show here. */ break;
-
-    case 1: /* client hello */
-      switch (sr->ver_maj)  {
-      case 3:  /* ssl version 3 */
-	{
-	  unsigned int pos;
-	  int w;
-
-	  PR_fprintf(PR_STDOUT,"         ClientHelloV3 {\n");
-	  PR_fprintf(PR_STDOUT,"            client_version = {%d, %d}\n",
-		     (PRUint8)hsdata[0],(PRUint8)hsdata[1]);
-	  PR_fprintf(PR_STDOUT,"            random = {...}\n");
-	  if (sslhexparse) print_hex(32,&hsdata[2]);
-
-	  /* pretty print Session ID */
-	  {
-	    int sidlength = (int)hsdata[2+32];
-	    PR_fprintf(PR_STDOUT,"            session ID = {\n");
-	    PR_fprintf(PR_STDOUT,"                length = %d\n",sidlength);
-	    PR_fprintf(PR_STDOUT,"                contents = {...}\n");
-	    if (sslhexparse) print_hex(sidlength,&hsdata[2+32+1]);
-	    PR_fprintf(PR_STDOUT,"            }\n");
-	    pos = 2+32+1+sidlength;
-	  }
-
-	  /* pretty print cipher suites */
-	  {
-	    int csuitelength = GET_SHORT((hsdata+pos));
-	    PR_fprintf(PR_STDOUT,"            cipher_suites[%d] = { \n",
-		       csuitelength/2);
-	    if (csuitelength % 2) {
-	      PR_fprintf(PR_STDOUT,
-		 "*error in protocol - csuitelength shouldn't be odd*\n");
-	    }
-	    for (w=0; w<csuitelength; w+=2) {
-	      const char *cs_str=NULL;
-	      PRUint32 cs_int=0;
-	      cs_int = GET_SHORT((hsdata+pos+2+w));
-	      cs_str = V2CipherString(cs_int);
-	      PR_fprintf(PR_STDOUT,
-		"                (0x%04x) %s\n", cs_int, cs_str);
-	    }
-	    pos += 2 + csuitelength;
-	    PR_fprintf(PR_STDOUT,"            }\n");
-	  }
-
-	  /* pretty print compression methods */
-	  {
-	    int complength = hsdata[pos];
-	    PR_fprintf(PR_STDOUT,"            compression[%d] = {",
-	               complength);
-	    for (w=0; w < complength; w++) {
-	      PR_fprintf(PR_STDOUT, " %02x", hsdata[pos+1+w]);
-	    }
-	    pos += 1 + complength;
-	    PR_fprintf(PR_STDOUT," }\n");
-	  }
-
-	  /* pretty print extensions, if any */
-	  pos = print_hello_extension(hsdata, sslh.length, pos);
-
-	  PR_fprintf(PR_STDOUT,"         }\n");
-	} /* end of ssl version 3 */
-	break;
-      default:
-	PR_fprintf(PR_STDOUT,"         UNDEFINED VERSION %d.%d {...}\n",
-	                     sr->ver_maj, sr->ver_min );
-	if (sslhexparse) print_hex(sslh.length, hsdata);
-	break;
-      } /* end of switch sr->ver_maj */
-      break;
-
-    case 2: /* server hello */
-      {
-	unsigned int sidlength, pos;
-
-	PR_fprintf(PR_STDOUT,"         ServerHello {\n");
-
-	PR_fprintf(PR_STDOUT,"            server_version = {%d, %d}\n",
-		   (PRUint8)hsdata[0],(PRUint8)hsdata[1]);
-	PR_fprintf(PR_STDOUT,"            random = {...}\n");
-	if (sslhexparse) print_hex(32,&hsdata[2]);
-	PR_fprintf(PR_STDOUT,"            session ID = {\n");
-	sidlength = (int)hsdata[2+32];
-	PR_fprintf(PR_STDOUT,"                length = %d\n",sidlength);
-	PR_fprintf(PR_STDOUT,"                contents = {...}\n");
-	if (sslhexparse) print_hex(sidlength,&hsdata[2+32+1]);
-	PR_fprintf(PR_STDOUT,"            }\n");
-	pos = 2+32+1+sidlength;
-
-	/* pretty print chosen cipher suite */
-	{
-	  PRUint32 cs_int    = GET_SHORT((hsdata+pos));
-	  const char *cs_str = V2CipherString(cs_int);
-	  PR_fprintf(PR_STDOUT,"            cipher_suite = (0x%04x) %s\n",
-		     cs_int, cs_str);
-	  currentcipher = cs_int;
-	  pos += 2;
-	}
-	PR_fprintf(PR_STDOUT,  "            compression method = %02x\n", 
-		   hsdata[pos++]);
-
-	/* pretty print extensions, if any */
-	pos = print_hello_extension(hsdata, sslh.length, pos);
-
-	PR_fprintf(PR_STDOUT,"         }\n");
-      }
-      break;
-
-    case 4: /* new session ticket */
-      {
-	PRUint32 lifetimehint;
-	PRUint16 ticketlength;
-	char lifetime[32];
-	lifetimehint = GET_32(hsdata);
-	if (lifetimehint) {
-	  PRExplodedTime et;
-	  PRTime t = lifetimehint;
-	  t *= PR_USEC_PER_SEC;
-	  PR_ExplodeTime(t, PR_GMTParameters, &et);
-	  /* use HTTP Cookie header's date format */
-	  PR_FormatTimeUSEnglish(lifetime, sizeof lifetime,
-				 "%a, %d-%b-%Y %H:%M:%S GMT", &et);
-	} else {
-	  /* 0 means the lifetime of the ticket is unspecified */
-	  strcpy(lifetime, "unspecified");
-	}
-	ticketlength = GET_SHORT((hsdata+4));
-	PR_fprintf(PR_STDOUT,"         NewSessionTicket {\n");
-	PR_fprintf(PR_STDOUT,"            ticket_lifetime_hint = %s\n",
-		   lifetime);
-	PR_fprintf(PR_STDOUT,"            ticket = {\n");
-	PR_fprintf(PR_STDOUT,"                length = %d\n",ticketlength);
-	PR_fprintf(PR_STDOUT,"                contents = {...}\n");
-	if (sslhexparse) print_hex(ticketlength,&hsdata[4+2]);
-	PR_fprintf(PR_STDOUT,"            }\n");
-	PR_fprintf(PR_STDOUT,"         }\n");
-      }
-      break;
-
-    case 11: /* certificate */
-      {
-	PRFileDesc *cfd;
-	int         pos;
-	int         certslength;
-	int         certlength;
-	int         certbytesread	= 0;
-	static int  certFileNumber;
-	char        certFileName[20];
-
-	PR_fprintf(PR_STDOUT,"         CertificateChain {\n");
-	certslength = GET_24(hsdata);
-	PR_fprintf(PR_STDOUT,"            chainlength = %d (0x%04x)\n",
-		certslength,certslength);
-	pos = 3;
-	while (certbytesread < certslength) {
-	  certlength = GET_24((hsdata+pos));
-	  pos += 3;
-	  PR_fprintf(PR_STDOUT,"            Certificate {\n");
-	  PR_fprintf(PR_STDOUT,"               size = %d (0x%04x)\n",
-		certlength,certlength);
-	  certbytesread += certlength+3;
-	  if (certbytesread <= certslength) {
-	    PR_snprintf(certFileName, sizeof certFileName, "cert.%03d",
-			++certFileNumber);
-	    cfd = PR_Open(certFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, 
-			  0664);
-	    if (!cfd) {
-	      PR_fprintf(PR_STDOUT,
-			 "               data = { couldn't save file '%s' }\n",
-			 certFileName);
-	    } else {
-	      PR_Write(cfd, (hsdata+pos), certlength);
-	      PR_fprintf(PR_STDOUT,
-			 "               data = { saved in file '%s' }\n",
-			 certFileName);
-	      PR_Close(cfd);
-	    }
-	  }
-
-	  PR_fprintf(PR_STDOUT,"            }\n");
-	  pos           += certlength;
-	}
-	PR_fprintf(PR_STDOUT,"         }\n");
-      }
-      break;
-
-    case 12: /* server_key_exchange */                    
-      if (sslhexparse) print_hex(sslh.length, hsdata);
-      break;
-
-    case 13: /* certificate request */
-      { 
-	unsigned int pos = 0;
-	int w, reqLength;
-
-	PR_fprintf(PR_STDOUT,"         CertificateRequest {\n");
-
-	/* pretty print requested certificate types */
-	reqLength = hsdata[pos];
-	PR_fprintf(PR_STDOUT,"            certificate types[%d] = {",
-		   reqLength);
-	for (w=0; w < reqLength; w++) {
-	  PR_fprintf(PR_STDOUT, " %02x", hsdata[pos+1+w]);
-	}
-	pos += 1 + reqLength;
-	PR_fprintf(PR_STDOUT," }\n");
-
-	/* pretty print CA names, if any */
-	if (pos < sslh.length) {
-	  int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
-	  PR_fprintf(PR_STDOUT,
-		     "            certificate_authorities[%d] = {\n", 
-		     exListLen);
-	  while (exListLen > 0 && pos < sslh.length) {
-	    char *  ca_name;
-	    SECItem it;
-	    int     dnLen = GET_SHORT((hsdata+pos)); pos += 2;
-
-	    /* dump the CA name */
-	    it.type = siBuffer;
-	    it.data = hsdata + pos;
-	    it.len  = dnLen;
-	    ca_name = CERT_DerNameToAscii(&it);
-	    if (ca_name) {
-	      PR_fprintf(PR_STDOUT,"   %s\n", ca_name);
-	      PORT_Free(ca_name);
-	    } else {
-	      PR_fprintf(PR_STDOUT,
-			 "              distinguished name [%d]", dnLen);
-	      if (dnLen > 0 && sslhexparse) {
-		  PR_fprintf(PR_STDOUT, " = {\n");
-		  print_hex(dnLen, hsdata + pos);
-		  PR_fprintf(PR_STDOUT, "              }\n");
-	      } else {
-		  PR_fprintf(PR_STDOUT, "\n");
-	      }
-            }
-	    pos += dnLen;
-	    exListLen -= 2 + dnLen;
-	  }
-	  PR_fprintf(PR_STDOUT,"            }\n");
-	}
-
-	PR_fprintf(PR_STDOUT,"         }\n");
-      }
-      break;
-
-    case 14: /* server_hello_done */ /* not much to show here. */ break;
-
-    case 15: /* certificate_verify */	           
-      if (sslhexparse) print_hex(sslh.length, hsdata);
-      break;
-
-    case 16: /* client key exchange */
-      {
-	PR_fprintf(PR_STDOUT,"         ClientKeyExchange {\n");
-	PR_fprintf(PR_STDOUT,"            message = {...}\n");
-	PR_fprintf(PR_STDOUT,"         }\n");
-      }
-      break;
-
-    case 20: /* finished */			 
-      PR_fprintf(PR_STDOUT,"         Finished {\n");
-      PR_fprintf(PR_STDOUT,"            verify_data = {...}\n");
-      if (sslhexparse) print_hex(sslh.length, hsdata);
-      PR_fprintf(PR_STDOUT,"         }\n");
-
-      if (!isNULLmac(currentcipher) && !s->hMACsize) {
-          /* To calculate the size of MAC, we subtract the number
-           * of known bytes of message from the number of remaining
-           * bytes in the record. */
-          s->hMACsize = recordLen - (sslh.length + 4);
-      }
-      break;
-
-    default:
-      {
-	PR_fprintf(PR_STDOUT,"         UNKNOWN MESSAGE TYPE %d [%d] {\n",
-	                     sslh.type, sslh.length);
-	if (sslhexparse) print_hex(sslh.length, hsdata);
-	PR_fprintf(PR_STDOUT,"         }\n");
-
-      }
-    }  /* end of switch sslh.type */
-    offset += sslh.length + 4; 
-  } /* while */
-  if (offset + s->hMACsize < recordLen) { /* stuff left over */
-    int newMsgLen = recordLen - (offset + s->hMACsize);
-    if (!s->msgBuf) {
-      s->msgBuf = PORT_Alloc(newMsgLen);
-      if (!s->msgBuf) {
-	PR_ASSERT(s->msgBuf);
-	showErr( "Malloc failed");
-        exit(11);
-      }
-      s->msgBufSize = newMsgLen;
-      memcpy(s->msgBuf, recordBuf + offset, newMsgLen);
-    } else if (newMsgLen > s->msgBufSize) {
-      char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
-      if (!newBuf) {
-	PR_ASSERT(newBuf);
-	showErr( "Realloc failed");
-        exit(12);
-      }
-      s->msgBuf = newBuf;
-      s->msgBufSize = newMsgLen;
-    } else if (offset || s->msgBuf != recordBuf) {
-      memmove(s->msgBuf, recordBuf + offset, newMsgLen);
-    }
-    s->msgBufOffset = newMsgLen;
-    PR_fprintf(PR_STDOUT,"     [incomplete handshake message]\n");
-  } else {
-    s->msgBufOffset = 0;
-  }
-  PR_fprintf(PR_STDOUT,"   }\n");
-}
-
-
-void print_ssl(DataBufferList *s, int length, unsigned char *buffer)
-{
-  /* --------------------------------------------------------  */
-  /* first, create a new buffer object for this piece of data. */
-
-  DataBuffer *db;
-  int i,l;
-
-  if (s->size == 0 && length > 0 && buffer[0] >= 32 && buffer[0] < 128) {
-    /* Not an SSL record, treat entire buffer as plaintext */
-    PR_Write(PR_STDOUT,buffer,length);
-    return;
-  }
-
-
-  check_integrity(s);
-
-  i = 0;
-  l = length;
-
-  db = PR_NEW(struct _DataBuffer);
-
-  db->buffer = (unsigned char*)PORT_Alloc(length);
-  db->length = length;
-  db->offset = 0;
-  memcpy(db->buffer, buffer, length);
-  db->next = NULL;
-
-  /* now, add it to the stream */
-
-  if (s->last != NULL) s->last->next = db;
-  s->last = db;
-  s->size += length;
-  if (s->first == NULL) s->first = db;
-
-  check_integrity(s);
-
-  /*------------------------------------------------------- */
-  /* now we look at the stream to see if we have enough data to
-     decode  */
-
-  while (s->size > 0 ) {
-    unsigned char *recordBuf = NULL;
-
-    SSLRecord sr;
-    unsigned recordLen;
-    unsigned recordsize;
-
-    check_integrity(s);
-
-    if ( s->first == NULL) {
-      PR_fprintf(PR_STDOUT,"ERROR: s->first is null\n");
-      exit(9);
-    }
-
-    /* in the case of an SSL 2 client-hello  */
-    /* will have the high-bit set, whereas an SSL 3 client-hello will not  */
-    /* SSL2 can also send records that begin with the high bit clear.
-     * This code will incorrectly handle them. XXX
-     */
-    if (isV2Session || s->first->buffer[s->first->offset] & 0x80) {
-      /* it's an SSL 2 packet */
-      unsigned char lenbuf[3];
-
-      /* first, we check if there's enough data for it to be an SSL2-type
-       * record.  What a pain.*/
-      if (s->size < sizeof lenbuf) {
-	partial_packet(length, s->size, sizeof lenbuf);
-	return;
-      }
-
-      /* read the first two bytes off the stream. */
-      read_stream_bytes(lenbuf, s, sizeof(lenbuf));
-      recordLen = ((unsigned int)(lenbuf[0] & 0x7f) << 8) + lenbuf[1] + 
-                 ((lenbuf[0] & 0x80) ? 2 : 3);
-      PR_fprintf(PR_STDOUT, "recordLen = %u bytes\n", recordLen);
-
-      /* put 'em back on the head of the stream. */
-      db = PR_NEW(struct _DataBuffer);
-
-      db->length = sizeof lenbuf;
-      db->buffer = (unsigned char*) PORT_Alloc(db->length);
-      db->offset = 0;
-      memcpy(db->buffer, lenbuf, sizeof lenbuf);
-
-      db->next = s->first;
-      s->first = db;
-      if (s->last == NULL) 
-	s->last = db;
-      s->size += db->length;
-
-      /* if there wasn't enough, go back for more. */
-      if (s->size < recordLen) {
-	check_integrity(s);
-	partial_packet(length, s->size, recordLen);
-	return;
-      }
-      partial_packet(length, s->size, recordLen);
-
-      /* read in the whole record. */
-      recordBuf = PORT_Alloc(recordLen);
-      read_stream_bytes(recordBuf, s, recordLen);
-
-      print_sslv2(s, recordBuf, recordLen);
-      PR_FREEIF(recordBuf);
-      check_integrity(s);
-
-      continue;
-    }
-
-    /***********************************************************/
-    /* It's SSL v3 */
-    /***********************************************************/
-    check_integrity(s);
-
-    if (s->size < sizeof sr) {
-      partial_packet(length, s->size, sizeof(SSLRecord));
-      return;
-    }
-
-    read_stream_bytes((unsigned char *)&sr, s, sizeof sr);
-
-    /* we have read the stream bytes. Look at the length of
-       the ssl record. If we don't have enough data to satisfy this
-       request, then put the bytes we just took back at the head
-       of the queue */
-    recordsize = GET_SHORT(sr.length);
-
-    if (recordsize > s->size) {
-      db = PR_NEW(struct _DataBuffer);
-
-      db->length = sizeof sr;
-      db->buffer = (unsigned char*) PORT_Alloc(db->length);
-      db->offset = 0;
-      memcpy(db->buffer, &sr, sizeof sr);
-      db->next = s->first;
-
-      /* now, add it back on to the head of the stream */
-
-      s->first = db;
-      if (s->last == NULL) 
-        s->last = db;
-      s->size += db->length;
-
-      check_integrity(s);
-      partial_packet(length, s->size, recordsize);
-      return;
-    }
-    partial_packet(length, s->size, recordsize);
-
-
-    PR_fprintf(PR_STDOUT,"SSLRecord { [%s]\n", get_time_string() );
-    if (sslhexparse) {
-      print_hex(5,(unsigned char*)&sr);
-    }
-
-    check_integrity(s);
-
-    PR_fprintf(PR_STDOUT,"   type    = %d (",sr.type);
-    switch(sr.type) {
-    case 20 :
-      PR_fprintf(PR_STDOUT,"change_cipher_spec)\n");
-      break;
-    case 21 :
-      PR_fprintf(PR_STDOUT,"alert)\n");
-      break;
-    case 22 :
-      PR_fprintf(PR_STDOUT,"handshake)\n");
-      break;
-    case 23 :
-      PR_fprintf(PR_STDOUT,"application_data)\n");
-      break;
-    default:
-      PR_fprintf(PR_STDOUT,"unknown)\n");
-      break;
-    }
-    PR_fprintf(PR_STDOUT,"   version = { %d,%d }\n",
-	       (PRUint32)sr.ver_maj,(PRUint32)sr.ver_min);
-    PR_fprintf(PR_STDOUT,"   length  = %d (0x%x)\n",
-    	(PRUint32)GET_SHORT(sr.length), (PRUint32)GET_SHORT(sr.length));
-
-
-    recordLen = recordsize;
-    PR_ASSERT(s->size >= recordLen);
-    if (s->size >= recordLen) {
-      recordBuf = (unsigned char*) PORT_Alloc(recordLen);
-      read_stream_bytes(recordBuf, s, recordLen);
-
-      if (s->isEncrypted) {
-	PR_fprintf(PR_STDOUT,"            < encrypted >\n");
-      } else { /* not encrypted */
-
-      switch(sr.type) {
-      case 20 : /* change_cipher_spec */
-	if (sslhexparse) print_hex(recordLen - s->hMACsize,recordBuf);
-         /* mark to say we can only dump hex form now on
-          * if it is not one on a null cipher */
-	s->isEncrypted = isNULLcipher(currentcipher) ? 0 : 1; 
-	break;
-
-      case 21 : /* alert */
-	switch(recordBuf[0]) {
-	case 1: PR_fprintf(PR_STDOUT, "   warning: "); break;
-	case 2: PR_fprintf(PR_STDOUT, "   fatal: "); break;
-	default: PR_fprintf(PR_STDOUT, "   unknown level %d: ", recordBuf[0]); break;
-	}
-
-	switch(recordBuf[1]) {
-	case 0:   PR_FPUTS("close_notify\n"                    ); break;
-	case 10:  PR_FPUTS("unexpected_message\n"              ); break;
-	case 20:  PR_FPUTS("bad_record_mac\n"                  ); break;
-	case 21:  PR_FPUTS("decryption_failed\n"               ); break;
-	case 22:  PR_FPUTS("record_overflow\n"                 ); break;
-	case 30:  PR_FPUTS("decompression_failure\n"           ); break;
-	case 40:  PR_FPUTS("handshake_failure\n"               ); break;
-	case 41:  PR_FPUTS("no_certificate\n"                  ); break;
-	case 42:  PR_FPUTS("bad_certificate\n"                 ); break;
-	case 43:  PR_FPUTS("unsupported_certificate\n"         ); break;
-	case 44:  PR_FPUTS("certificate_revoked\n"             ); break;
-	case 45:  PR_FPUTS("certificate_expired\n"             ); break;
-	case 46:  PR_FPUTS("certificate_unknown\n"             ); break;
-	case 47:  PR_FPUTS("illegal_parameter\n"               ); break;
-	case 48:  PR_FPUTS("unknown_ca\n"                      ); break;
-	case 49:  PR_FPUTS("access_denied\n"                   ); break;
-	case 50:  PR_FPUTS("decode_error\n"                    ); break;
-	case 51:  PR_FPUTS("decrypt_error\n"                   ); break;
-	case 60:  PR_FPUTS("export_restriction\n"              ); break;
-	case 70:  PR_FPUTS("protocol_version\n"                ); break;
-	case 71:  PR_FPUTS("insufficient_security\n"           ); break;
-	case 80:  PR_FPUTS("internal_error\n"                  ); break;
-	case 90:  PR_FPUTS("user_canceled\n"                   ); break;
-	case 100: PR_FPUTS("no_renegotiation\n"                ); break;
-	case 110: PR_FPUTS("unsupported_extension\n"           ); break;
-	case 111: PR_FPUTS("certificate_unobtainable\n"        ); break;
-	case 112: PR_FPUTS("unrecognized_name\n"               ); break;
-	case 113: PR_FPUTS("bad_certificate_status_response\n" ); break;
-	case 114: PR_FPUTS("bad_certificate_hash_value\n"      ); break;
-
-	default: PR_fprintf(PR_STDOUT, "unknown alert %d\n", recordBuf[1]); 
-	         break;
-	}
-
-	if (sslhexparse) print_hex(recordLen - s->hMACsize,recordBuf);
-	break;
-
-      case 22 : /* handshake */ 	
-        print_ssl3_handshake( recordBuf, recordLen - s->hMACsize, &sr, s );
-	break;
-
-      case 23 : /* application data */
-	 print_hex(recordLen - s->hMACsize,recordBuf);
-         break;
-
-      default:
-	print_hex(recordLen - s->hMACsize,recordBuf);
-	break;
-      }
-      if (s->hMACsize) {
-	  PR_fprintf(PR_STDOUT,"      MAC = {...}\n");
-	  if (sslhexparse) {
-	      unsigned char *offset = recordBuf + (recordLen - s->hMACsize);
-	      print_hex(s->hMACsize, offset);
-	  }
-      }
-     } /* not encrypted */
-    }
-    PR_fprintf(PR_STDOUT,"}\n");
-    PR_FREEIF(recordBuf);
-    check_integrity(s);
-  }
-}
-
-void print_hex(int amt, unsigned char *buf) 
-{
-  int i,j,k;
-  char t[20];
-  static char string[5000];
-
-
-  for(i=0;i<amt;i++) {
-    t[1] =0;
-
-    if (i%16 ==0) {  /* if we are at the beginning of a line */
-      PR_fprintf(PR_STDOUT,"%4x:",i); /* print the line number  */
-      strcpy(string,"");
-    }
-
-    if (i%4 == 0) {
-      PR_fprintf(PR_STDOUT," ");
-    }
-
-    j = buf[i];
-
-    t[0] = (j >= 0x20 && j < 0x80) ? j : '.';
-
-    if (fancy)  {
-      switch (t[0]) {
-      case '<':
-        strcpy(t,"&lt;");
-        break;
-      case '>':
-        strcpy(t,"&gt;");
-        break;
-      case '&':
-        strcpy(t,"&amp;");
-        break;
-      }
-    }
-    strcat(string,t);
-
-    PR_fprintf(PR_STDOUT,"%02x ",(PRUint8) buf[i]);
-
-    /* if we've reached the end of the line - add the string */
-    if (i%16 == 15) PR_fprintf(PR_STDOUT," | %s\n",string);
-  }
-  /* we reached the end of the buffer,*/
-  /* do we have buffer left over? */
-  j = i%16;
-  if (j > 0) {
-    for (k=0;k<(16-j);k++) {
-        /* print additional space after every four bytes */
-        if ((k + j)%4 == 0) {
-            PR_fprintf(PR_STDOUT," ");
-        }
-        PR_fprintf(PR_STDOUT,"   ");
-    }
-    PR_fprintf(PR_STDOUT," | %s\n",string);
-  }
-}
-
-void Usage(void) 
-{
-  PR_fprintf(PR_STDERR, "SSLTAP (C) 1997, 1998 Netscape Communications Corporation.\n");
-  PR_fprintf(PR_STDERR, "Usage: ssltap [-vhfsxl] [-p port] hostname:port\n");
-  PR_fprintf(PR_STDERR, "   -v      [prints version string]\n");
-  PR_fprintf(PR_STDERR, "   -h      [outputs hex instead of ASCII]\n");
-  PR_fprintf(PR_STDERR, "   -f      [turn on Fancy HTML coloring]\n");
-  PR_fprintf(PR_STDERR, "   -s      [turn on SSL decoding]\n");
-  PR_fprintf(PR_STDERR, "   -x      [turn on extra SSL hex dumps]\n");
-  PR_fprintf(PR_STDERR, "   -p port [specify rendezvous port (default 1924)]\n");
-  PR_fprintf(PR_STDERR, "   -l      [loop - continue to wait for more connections]\n");
-
-
-}
-
-void
-showErr(const char * msg) 
-{
-  PRErrorCode  err       = PR_GetError();
-  const char * errString;
-
-  if (err == PR_UNKNOWN_ERROR)
-    err = PR_CONNECT_RESET_ERROR;	/* bug in NSPR. */
-  errString = SECU_Strerror(err);
-
-  if (!errString)
-    errString = "(no text available)";
-  PR_fprintf(PR_STDERR, "%s: Error %d: %s: %s", progName, err, errString, msg);
-}
-
-int main(int argc,  char *argv[])
-{
-  char *hostname=NULL;
-  PRUint16 rendport=DEFPORT,port;
-  PRHostEnt hp;
-  PRStatus r;
-  PRNetAddr na_client,na_server,na_rend;
-  PRFileDesc *s_server,*s_client,*s_rend; /*rendezvous */
-  char netdbbuf[PR_NETDB_BUF_SIZE];
-  int c_count=0;
-  PLOptState *optstate;
-  PLOptStatus status;
-  SECStatus   rv;
-
-  progName = argv[0];
-  optstate = PL_CreateOptState(argc,argv,"fvxhslp:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-    switch (optstate->option) {
-    case 'f':
-      fancy++;
-      break;
-    case 'h':
-      hexparse++;
-      break;
-    case 'v':
-      PR_fprintf(PR_STDOUT,"Version: %s\n",VERSIONSTRING);
-      break;
-    case 's':
-      sslparse++;
-      break;
-    case 'x':
-      sslhexparse++;
-      break;
-    case 'l':
-      looparound++;
-      break;
-    case 'p':
-      rendport = atoi(optstate->value);
-      break;
-    case '\0':
-      hostname = PL_strdup(optstate->value);
-    }
-  }
-  if (status == PL_OPT_BAD)
-    Usage();
-
-  if (fancy) {
-    if (!hexparse && !sslparse) {
-      PR_fprintf(PR_STDERR,
-"Note: use of -f without -s or -h not recommended, \n"
-"as the output looks a little strange. It may be useful, however\n");
-    }
-  }
-
-  if(! hostname ) Usage(), exit(2);
-
-  {
-    char *colon = (char *)strchr(hostname, ':');
-    if (!colon) {
-      PR_fprintf(PR_STDERR,
-      "You must specify the host AND port you wish to connect to\n");
-      Usage(), exit(3);
-    }
-    port = atoi(&colon[1]);
-    *colon = '\0';
-
-    if (port == 0) {
-	PR_fprintf(PR_STDERR, "Port must be a nonzero number.\n");
-	exit(4);
-      }
-  }
-
-  /* find the 'server' IP address so we don't have to look it up later */
-
-  if (fancy) {
-      PR_fprintf(PR_STDOUT,"<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>\n");
-      PR_fprintf(PR_STDOUT,"<BODY><PRE>\n");
-    }
-  PR_fprintf(PR_STDERR,"Looking up \"%s\"...\n", hostname);
-  r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp);
-  if (r) {
-    showErr("Host Name lookup failed\n");
-    exit(5);
-  }
-
-  PR_EnumerateHostEnt(0,&hp,0,&na_server);
-  PR_InitializeNetAddr(PR_IpAddrNull,port,&na_server);
-  /* set up the port which the client will connect to */
-
-  r = PR_InitializeNetAddr(PR_IpAddrAny,rendport,&na_rend);
-  if (r == PR_FAILURE) {
-    PR_fprintf(PR_STDERR,
-    "PR_InitializeNetAddr(,%d,) failed with error %d\n",PR_GetError());
-    exit(0);
-  }
-
-  rv = NSS_NoDB_Init("");
-  if (rv != SECSuccess) {
-    PR_fprintf(PR_STDERR,
-    "NSS_NoDB_Init() failed with error %d\n",PR_GetError());
-    exit(5);
-  }
-
-  s_rend = PR_NewTCPSocket();
-  if (!s_rend) {
-    showErr("Couldn't create socket\n");
-    exit(6);
-  }
-
-  if (PR_Bind(s_rend, &na_rend )) {
-    PR_fprintf(PR_STDERR,"Couldn't bind to port %d (error %d)\n",rendport, PR_GetError());
-    exit(-1);
-  }
-
-  if ( PR_Listen(s_rend, 5)) {
-    showErr("Couldn't listen\n");
-    exit(-1);
-  }
-
-  PR_fprintf(PR_STDERR,"Proxy socket ready and listening\n");
-  do {	/* accept one connection and process it. */
-      PRPollDesc pds[2];
-
-      s_client = PR_Accept(s_rend,&na_client,PR_SecondsToInterval(3600));
-      if (s_client == NULL) {
-	showErr("accept timed out\n");
-	exit(7);
-      }
-
-      s_server = PR_NewTCPSocket();
-      if (s_server == NULL) {
-	showErr("couldn't open new socket to connect to server \n");
-	exit(8);
-      }
-
-      r = PR_Connect(s_server,&na_server,PR_SecondsToInterval(5));
-
-      if ( r == PR_FAILURE )
-        {
-	  showErr("Couldn't connect\n");
-	  return -1;
-        }
-
-      if (looparound) {
-	if (fancy)  PR_fprintf(PR_STDOUT,"<p><HR><H2>");
-	PR_fprintf(PR_STDOUT,"Connection #%d [%s]\n", c_count+1,
-	                     get_time_string());
-	if (fancy)  PR_fprintf(PR_STDOUT,"</H2>");
-	}
-
-
-      PR_fprintf(PR_STDOUT,"Connected to %s:%d\n", hostname, port);
-
-#define PD_C 0
-#define PD_S 1
-
-      pds[PD_C].fd = s_client;
-      pds[PD_S].fd = s_server;
-      pds[PD_C].in_flags = PR_POLL_READ;
-      pds[PD_S].in_flags = PR_POLL_READ;
-
-      /* make sure the new connections don't start out encrypted. */
-      clientstream.isEncrypted = 0;
-      serverstream.isEncrypted = 0;
-      isV2Session = 0;
-
-      while( (pds[PD_C].in_flags & PR_POLL_READ) != 0 ||
-             (pds[PD_S].in_flags & PR_POLL_READ) != 0 )
-        {  /* Handle all messages on the connection */
-	  PRInt32 amt;
-	  PRInt32 wrote;
-	  unsigned char buffer[ TAPBUFSIZ ];
-
-	  amt = PR_Poll(pds,2,PR_INTERVAL_NO_TIMEOUT);
-	  if (amt <= 0) {
-	    if (amt)
-		showErr( "PR_Poll failed.\n");
-	    else
-		showErr( "PR_Poll timed out.\n");
-	    break;
-	  }
-
-	  if (pds[PD_C].out_flags & PR_POLL_EXCEPT) {
-	    showErr( "Exception on client-side socket.\n");
-	    break;
-	  }
-
-	  if (pds[PD_S].out_flags & PR_POLL_EXCEPT) {
-	    showErr( "Exception on server-side socket.\n");
-	    break;
-	  }
-
-
-/* read data, copy it to stdout, and write to other socket */
-
-	  if ((pds[PD_C].in_flags  & PR_POLL_READ) != 0 &&
-	      (pds[PD_C].out_flags & PR_POLL_READ) != 0 ) {
-
-	    amt = PR_Read(s_client, buffer, sizeof(buffer));
-
-	    if ( amt < 0)  {
-	      showErr( "Client socket read failed.\n");
-	      break;
-	    }
-
-	    if( amt == 0 ) {
-	      PR_fprintf(PR_STDOUT, "Read EOF on Client socket. [%s]\n",
-	                            get_time_string() );
-	      pds[PD_C].in_flags &= ~PR_POLL_READ;
-	      PR_Shutdown(s_server, PR_SHUTDOWN_SEND);
-	      continue;
-	    }
-
-	    PR_fprintf(PR_STDOUT,"--> [\n");
-	    if (fancy) PR_fprintf(PR_STDOUT,"<font color=blue>");
-
-	    if (hexparse)  print_hex(amt, buffer);
-	    if (sslparse)  print_ssl(&clientstream,amt,buffer);
-	    if (!hexparse && !sslparse)  PR_Write(PR_STDOUT,buffer,amt);
-	    if (fancy) PR_fprintf(PR_STDOUT,"</font>");
-	    PR_fprintf(PR_STDOUT,"]\n");
-
-	    wrote = PR_Write(s_server, buffer, amt);
-	    if (wrote != amt )  {
-	      if (wrote < 0) {
-	        showErr("Write to server socket failed.\n");
-		break;
-	      } else {
-		PR_fprintf(PR_STDERR, "Short write to server socket!\n");
-	      }
-	    }
-	  }  /* end of read from client socket. */
-
-/* read data, copy it to stdout, and write to other socket */
-	  if ((pds[PD_S].in_flags  & PR_POLL_READ) != 0 &&
-	      (pds[PD_S].out_flags & PR_POLL_READ) != 0 ) {
-
-	    amt = PR_Read(s_server, buffer, sizeof(buffer));
-
-	    if ( amt < 0)  {
-	      showErr( "error on server-side socket.\n");
-	      break;
-	    }
-
-	    if( amt == 0 ) {
-	      PR_fprintf(PR_STDOUT, "Read EOF on Server socket. [%s]\n",
-	                            get_time_string() );
-	      pds[PD_S].in_flags &= ~PR_POLL_READ;
-	      PR_Shutdown(s_client, PR_SHUTDOWN_SEND);
-	      continue;
-	    } 
-
-	    PR_fprintf(PR_STDOUT,"<-- [\n");
-	    if (fancy) PR_fprintf(PR_STDOUT,"<font color=red>");
-	    if (hexparse)  print_hex(amt, (unsigned char *)buffer);
-	    if (sslparse)  print_ssl(&serverstream,amt,(unsigned char *)buffer);
-	    if (!hexparse && !sslparse)  PR_Write(PR_STDOUT,buffer,amt);
-	    if (fancy) PR_fprintf(PR_STDOUT,"</font>");
-	    PR_fprintf(PR_STDOUT,"]\n");
-
-
-	    wrote = PR_Write(s_client, buffer, amt);
-	    if (wrote != amt )  {
-	      if (wrote < 0) {
-	        showErr("Write to client socket failed.\n");
-		break;
-	      } else {
-		PR_fprintf(PR_STDERR, "Short write to client socket!\n");
-	      }
-	    }
-
-	  } /* end of read from server socket. */
-
-/* Loop, handle next message. */
-
-        }	/* handle messages during a connection loop */
-      PR_Close(s_client);
-      PR_Close(s_server);
-      flush_stream(&clientstream);
-      flush_stream(&serverstream);
-      /* Connection is closed, so reset the current cipher */
-      currentcipher = 0;
-      c_count++;
-      PR_fprintf(PR_STDERR,"Connection %d Complete [%s]\n", c_count,
-                            get_time_string() );
-    }  while (looparound); /* accept connection and process it. */
-    PR_Close(s_rend);
-    NSS_Shutdown();
-    return 0;
-}
diff --git a/security/nss/cmd/strsclnt/Makefile b/security/nss/cmd/strsclnt/Makefile
deleted file mode 100644
index 9ee2a8f00..000000000
--- a/security/nss/cmd/strsclnt/Makefile
+++ /dev/null
@@ -1,79 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/strsclnt/manifest.mn b/security/nss/cmd/strsclnt/manifest.mn
deleted file mode 100644
index 8f284ce45..000000000
--- a/security/nss/cmd/strsclnt/manifest.mn
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = strsclnt.c
-
-# the MODULE above is always implicitly REQUIREd
-REQUIRES = seccmd dbm 
-
-PROGRAM = strsclnt
-# PROGRAM = ./$(OBJDIR)/strsclnt.exe
-
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
deleted file mode 100644
index 10c64bd3a..000000000
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ /dev/null
@@ -1,1540 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-#include <stdlib.h>
-#if !defined(_WIN32_WCE)
-#include <errno.h>
-#include <fcntl.h>
-#endif
-#include <stdarg.h>
-
-#include "plgetopt.h"
-
-#include "nspr.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "sslproto.h"
-#include "nss.h"
-#include "ssl.h"
-
-#ifndef PORT_Sprintf
-#define PORT_Sprintf sprintf
-#endif
-
-#ifndef PORT_Strstr
-#define PORT_Strstr strstr
-#endif
-
-#ifndef PORT_Malloc
-#define PORT_Malloc PR_Malloc
-#endif
-
-#define RD_BUF_SIZE (60 * 1024)
-
-/* Include these cipher suite arrays to re-use tstclnt's 
- * cipher selection code.
- */
-
-int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,                    /* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,           /* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,                /* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,       /* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,                 /* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,           /* F */
-    0
-};
-
-int ssl3CipherSuites[] = {
-    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
-    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA     * b */
-    SSL_RSA_WITH_RC4_128_MD5,                   /* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,              /* d */
-    SSL_RSA_WITH_DES_CBC_SHA,                   /* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,             /* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,         /* g */
-    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA        * h */
-    SSL_RSA_WITH_NULL_MD5,                      /* i */
-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,         /* j */
-    SSL_RSA_FIPS_WITH_DES_CBC_SHA,              /* k */
-    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 	/* l */
-    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,		/* m */
-    SSL_RSA_WITH_RC4_128_SHA,                   /* n */
-    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
-    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
-    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
-    0
-};
-
-#define NO_FULLHS_PERCENTAGE -1
-
-/* This global string is so that client main can see 
- * which ciphers to use. 
- */
-
-static const char *cipherString;
-
-static PRInt32 certsTested;
-static int MakeCertOK;
-static int NoReuse;
-static int fullhs = NO_FULLHS_PERCENTAGE; /* percentage of full handshakes to
-                                          ** perform */
-static PRInt32 globalconid = 0; /* atomically set */
-static int total_connections;  /* total number of connections to perform */
-static int total_connections_rounded_down_to_hundreds;
-static int total_connections_modulo_100;
-
-static PRBool NoDelay;
-static PRBool QuitOnTimeout = PR_FALSE;
-static PRBool ThrottleUp = PR_FALSE;
-
-static PRLock    * threadLock; /* protects the global variables below */
-static PRTime lastConnectFailure;
-static PRTime lastConnectSuccess;
-static PRTime lastThrottleUp;
-static PRInt32 remaining_connections;  /* number of connections left */
-static int active_threads = 8; /* number of threads currently trying to
-                               ** connect */
-static PRInt32 numUsed;
-/* end of variables protected by threadLock */
-
-static SSL3Statistics * ssl3stats;
-
-static int failed_already = 0;
-static PRBool disableSSL2     = PR_FALSE;
-static PRBool disableSSL3     = PR_FALSE;
-static PRBool disableTLS      = PR_FALSE;
-static PRBool bypassPKCS11    = PR_FALSE;
-static PRBool disableLocking  = PR_FALSE;
-static PRBool ignoreErrors    = PR_FALSE;
-static PRBool enableSessionTickets = PR_FALSE;
-
-PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
-
-char * progName;
-
-int	stopping;
-int	verbose;
-SECItem	bigBuf;
-
-#define PRINTF  if (verbose)  printf
-#define FPRINTF if (verbose) fprintf
-
-static void
-Usage(const char *progName)
-{
-    fprintf(stderr, 
-    	"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
- 	"          [-23BDNTovqs] [-f filename] [-N | -P percentage]\n"
-	"          [-w dbpasswd] [-C cipher(s)] [-t threads] hostname\n"
-        "          [-W pwfile]\n"
-	" where -v means verbose\n"
-        "       -o flag is interpreted as follows:\n"
-        "          1 -o   means override the result of server certificate validation.\n"
-        "          2 -o's mean skip server certificate validation altogether.\n"
-	"       -D means no TCP delays\n"
-	"       -q means quit when server gone (timeout rather than retry forever)\n"
-	"       -s means disable SSL socket locking\n"
-	"       -N means no session reuse\n"
-	"       -P means do a specified percentage of full handshakes (0-100)\n"
-        "       -2 means disable SSL2\n"
-        "       -3 means disable SSL3\n"
-        "       -T means disable TLS\n"
-        "       -U means enable throttling up threads\n"
-	"       -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
-	"       -u enable TLS Session Ticket extension\n",
-	progName);
-    exit(1);
-}
-
-
-static void
-errWarn(char * funcString)
-{
-    PRErrorCode  perr      = PR_GetError();
-    const char * errString = SECU_Strerror(perr);
-
-    fprintf(stderr, "strsclnt: %s returned error %d:\n%s\n",
-            funcString, perr, errString);
-}
-
-static void
-errExit(char * funcString)
-{
-    errWarn(funcString);
-    exit(1);
-}
-
-/**************************************************************************
-** 
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    /* disable all the SSL3 cipher suites */
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
-	    	   suite, i);
-	    errWarn("SSL_CipherPrefSetDefault");
-	    exit(2);
-	}
-    }
-}
-
-/* This invokes the "default" AuthCert handler in libssl.
-** The only reason to use this one is that it prints out info as it goes. 
-*/
-static SECStatus
-mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
-		     PRBool isServer)
-{
-    SECStatus rv;
-    CERTCertificate *    peerCert;
-
-    if (MakeCertOK>=2) {
-        return SECSuccess;
-    }
-    peerCert = SSL_PeerCertificate(fd);
-
-    PRINTF("strsclnt: Subject: %s\nstrsclnt: Issuer : %s\n", 
-           peerCert->subjectName, peerCert->issuerName); 
-    /* invoke the "default" AuthCert handler. */
-    rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
-
-    PR_AtomicIncrement(&certsTested);
-    if (rv == SECSuccess) {
-	fputs("strsclnt: -- SSL: Server Certificate Validated.\n", stderr);
-    }
-    CERT_DestroyCertificate(peerCert);
-    /* error, if any, will be displayed by the Bad Cert Handler. */
-    return rv;  
-}
-
-static SECStatus
-myBadCertHandler( void *arg, PRFileDesc *fd)
-{
-    int err = PR_GetError();
-    if (!MakeCertOK)
-	fprintf(stderr, 
-	    "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", 
-            err, SECU_Strerror(err));
-    return (MakeCertOK ? SECSuccess : SECFailure);
-}
-
-void 
-printSecurityInfo(PRFileDesc *fd)
-{
-    CERTCertificate * cert = NULL;
-    SSL3Statistics * ssl3stats = SSL_GetStatistics();
-    SECStatus result;
-    SSLChannelInfo    channel;
-    SSLCipherSuiteInfo suite;
-
-    static int only_once;
-
-    if (only_once && verbose < 2)
-    	return;
-    only_once = 1;
-
-    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
-    if (result == SECSuccess && 
-        channel.length == sizeof channel && 
-	channel.cipherSuite) {
-	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
-					&suite, sizeof suite);
-	if (result == SECSuccess) {
-	    FPRINTF(stderr, 
-	    "strsclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
-	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
-	       suite.effectiveKeyBits, suite.symCipherName, 
-	       suite.macBits, suite.macAlgorithmName);
-	    FPRINTF(stderr, 
-	    "strsclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
-	       channel.authKeyBits, suite.authAlgorithmName,
-	       channel.keaKeyBits,  suite.keaTypeName);
-    	}
-    }
-
-    cert = SSL_LocalCertificate(fd);
-    if (!cert)
-	cert = SSL_PeerCertificate(fd);
-
-    if (verbose && cert) {
-	char * ip = CERT_NameToAscii(&cert->issuer);
-	char * sp = CERT_NameToAscii(&cert->subject);
-        if (sp) {
-	    fprintf(stderr, "strsclnt: subject DN: %s\n", sp);
-	    PORT_Free(sp);
-	}
-        if (ip) {
-	    fprintf(stderr, "strsclnt: issuer  DN: %s\n", ip);
-	    PORT_Free(ip);
-	}
-    }
-    if (cert) {
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-    }
-    fprintf(stderr,
-    	"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
-	"          %ld stateless resumes\n",
-    	ssl3stats->hsh_sid_cache_hits, 
-	ssl3stats->hsh_sid_cache_misses,
-	ssl3stats->hsh_sid_cache_not_ok,
-	ssl3stats->hsh_sid_stateless_resumes);
-
-}
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-
-#define MAX_THREADS 128
-
-typedef int startFn(void *a, void *b, int c);
-
-
-static PRInt32     numConnected;
-static int         max_threads;    /* peak threads allowed */
-
-typedef struct perThreadStr {
-    void *	a;
-    void *	b;
-    int         tid;
-    int         rv;
-    startFn  *  startFunc;
-    PRThread *  prThread;
-    PRBool	inUse;
-} perThread;
-
-perThread threads[MAX_THREADS];
-
-void
-thread_wrapper(void * arg)
-{
-    perThread * slot = (perThread *)arg;
-    PRBool done = PR_FALSE;
-
-    do {
-        PRBool doop = PR_FALSE;
-        PRBool dosleep = PR_FALSE;
-        PRTime now = PR_Now();
-
-        PR_Lock(threadLock);
-        if (! (slot->tid < active_threads)) {
-            /* this thread isn't supposed to be running */
-            if (!ThrottleUp) {
-                /* we'll never need this thread again, so abort it */
-                done = PR_TRUE;
-            } else if (remaining_connections > 0) {
-                /* we may still need this thread, so just sleep for 1s */
-                dosleep = PR_TRUE;
-                /* the conditions to trigger a throttle up are :
-                ** 1. last PR_Connect failure must have happened more than
-                **    10s ago
-                ** 2. last throttling up must have happened more than 0.5s ago
-                ** 3. there must be a more recent PR_Connect success than
-                **    failure
-                */
-                if ( (now - lastConnectFailure > 10 * PR_USEC_PER_SEC) &&
-                    ( (!lastThrottleUp) || ( (now - lastThrottleUp) >=
-                                             (PR_USEC_PER_SEC/2)) ) &&
-                    (lastConnectSuccess > lastConnectFailure) ) {
-                    /* try throttling up by one thread */
-                    active_threads = PR_MIN(max_threads, active_threads+1);
-                    fprintf(stderr,"active_threads set up to %d\n",
-                            active_threads);
-                    lastThrottleUp = PR_MAX(now, lastThrottleUp);
-                }
-            } else {
-                /* no more connections left, we are done */
-                done = PR_TRUE;
-            }
-        } else {
-            /* this thread should run */
-            if (--remaining_connections >= 0) { /* protected by threadLock */
-                doop = PR_TRUE;
-            } else {
-                done = PR_TRUE;
-            }
-        }
-        PR_Unlock(threadLock);
-        if (doop) {
-            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
-            PRINTF("strsclnt: Thread in slot %d returned %d\n", 
-                   slot->tid, slot->rv);
-        }
-        if (dosleep) {
-            PR_Sleep(PR_SecondsToInterval(1));
-        }
-    } while (!done && (!failed_already || ignoreErrors));
-}
-
-SECStatus
-launch_thread(
-    startFn *	startFunc,
-    void *	a,
-    void *	b,
-    int         tid)
-{
-    PRUint32 i;
-    perThread * slot;
-
-    PR_Lock(threadLock);
-
-    PORT_Assert(numUsed < MAX_THREADS);
-    if (! (numUsed < MAX_THREADS)) {
-        PR_Unlock(threadLock);
-        return SECFailure;
-    }
-
-    i = numUsed++;
-    slot = &threads[i];
-    slot->a = a;
-    slot->b = b;
-    slot->tid = tid;
-
-    slot->startFunc = startFunc;
-
-    slot->prThread      = PR_CreateThread(PR_USER_THREAD,
-                                      thread_wrapper, slot,
-				      PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
-				      PR_JOINABLE_THREAD, 0);
-    if (slot->prThread == NULL) {
-	PR_Unlock(threadLock);
-	printf("strsclnt: Failed to launch thread!\n");
-	return SECFailure;
-    } 
-
-    slot->inUse   = 1;
-    PR_Unlock(threadLock);
-    PRINTF("strsclnt: Launched thread in slot %d \n", i);
-
-    return SECSuccess;
-}
-
-/* join all the threads */
-int 
-reap_threads(void)
-{
-    int         i;
-
-    for (i = 0; i < MAX_THREADS; ++i) {
-        if (threads[i].prThread) {
-            PR_JoinThread(threads[i].prThread);
-            threads[i].prThread = NULL;
-        }
-    }
-    return 0;
-}
-
-void
-destroy_thread_data(void)
-{
-    PORT_Memset(threads, 0, sizeof threads);
-
-    if (threadLock) {
-    	PR_DestroyLock(threadLock);
-	threadLock = NULL;
-    }
-}
-
-void
-init_thread_data(void)
-{
-    threadLock = PR_NewLock();
-}
-
-/**************************************************************************
-** End   thread management routines.
-**************************************************************************/
-
-PRBool useModelSocket = PR_TRUE;
-
-static const char stopCmd[] = { "GET /stop " };
-static const char outHeader[] = {
-    "HTTP/1.0 200 OK\r\n"
-    "Server: Netscape-Enterprise/2.0a\r\n"
-    "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
-    "Content-type: text/plain\r\n"
-    "\r\n"
-};
-
-struct lockedVarsStr {
-    PRLock *	lock;
-    int		count;
-    int		waiters;
-    PRCondVar *	condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void 
-lockedVars_Init( lockedVars * lv)
-{
-    lv->count   = 0;
-    lv->waiters = 0;
-    lv->lock    = PR_NewLock();
-    lv->condVar = PR_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
-    PR_DestroyCondVar(lv->condVar);
-    lv->condVar = NULL;
-
-    PR_DestroyLock(lv->lock);
-    lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
-    PR_Lock(lv->lock);
-    while (lv->count > 0) {
-    	PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
-    }
-    PR_Unlock(lv->lock);
-}
-
-int	/* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
-    int rv;
-
-    PR_Lock(lv->lock);
-    rv = lv->count += addend;
-    if (rv <= 0) {
-	PR_NotifyCondVar(lv->condVar);
-    }
-    PR_Unlock(lv->lock);
-    return rv;
-}
-
-int
-do_writes(
-    void *       a,
-    void *       b,
-    int          c)
-{
-    PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
-    lockedVars *	lv 		= (lockedVars *)b;
-    int			sent  		= 0;
-    int 		count		= 0;
-
-    while (sent < bigBuf.len) {
-
-	count = PR_Send(ssl_sock, bigBuf.data + sent, bigBuf.len - sent, 
-	                0, maxInterval);
-	if (count < 0) {
-	    errWarn("PR_Send bigBuf");
-	    break;
-	}
-	FPRINTF(stderr, "strsclnt: PR_Send wrote %d bytes from bigBuf\n", 
-		count );
-	sent += count;
-    }
-    if (count >= 0) {	/* last write didn't fail. */
-    	PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND);
-    }
-
-    /* notify the reader that we're done. */
-    lockedVars_AddToCount(lv, -1);
-    return (sent < bigBuf.len) ? SECFailure : SECSuccess;
-}
-
-int 
-handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
-{
-    SECStatus          result;
-    int                firstTime = 1;
-    int                countRead = 0;
-    lockedVars         lv;
-    char               *buf;
-
-
-    lockedVars_Init(&lv);
-    lockedVars_AddToCount(&lv, 1);
-
-    /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, &lv, connection);
-
-    if (result != SECSuccess) 
-    	goto cleanup;
-
-    buf = PR_Malloc(RD_BUF_SIZE);
-
-    if (buf) {
-	do {
-	    /* do reads here. */
-	    PRInt32 count;
-
-	    count = PR_Recv(ssl_sock, buf, RD_BUF_SIZE, 0, maxInterval);
-	    if (count < 0) {
-		errWarn("PR_Recv");
-		break;
-	    }
-	    countRead += count;
-	    FPRINTF(stderr, 
-		    "strsclnt: connection %d read %d bytes (%d total).\n", 
-		    connection, count, countRead );
-	    if (firstTime) {
-		firstTime = 0;
-		printSecurityInfo(ssl_sock);
-	    }
-	} while (lockedVars_AddToCount(&lv, 0) > 0);
-	PR_Free(buf);
-	buf = 0;
-    }
-
-    /* Wait for writer to finish */
-    lockedVars_WaitForDone(&lv);
-    lockedVars_Destroy(&lv);
-
-    FPRINTF(stderr, 
-    "strsclnt: connection %d read %d bytes total. -----------------------\n", 
-    	    connection, countRead);
-
-cleanup:
-    /* Caller closes the socket. */
-
-    return SECSuccess;
-}
-
-const char request[] = {"GET /abc HTTP/1.0\r\n\r\n" };
-
-SECStatus
-handle_connection( PRFileDesc *ssl_sock, int tid)
-{
-    int	    countRead = 0;
-    PRInt32 rv;
-    char    *buf;
-
-    buf = PR_Malloc(RD_BUF_SIZE);
-    if (!buf)
-	return SECFailure;
-
-    /* compose the http request here. */
-
-    rv = PR_Send(ssl_sock, request, strlen(request), 0, maxInterval);
-    if (rv <= 0) {
-	errWarn("PR_Send");
-	PR_Free(buf);
-	buf = 0;
-        failed_already = 1;
-	return SECFailure;
-    }
-    printSecurityInfo(ssl_sock);
-
-    /* read until EOF */
-    while (1) {
-	rv = PR_Recv(ssl_sock, buf, RD_BUF_SIZE, 0, maxInterval);
-	if (rv == 0) {
-	    break;	/* EOF */
-	}
-	if (rv < 0) {
-	    errWarn("PR_Recv");
-	    failed_already = 1;
-	    break;
-	}
-
-	countRead += rv;
-	FPRINTF(stderr,
-                "strsclnt: connection on thread %d read %d bytes (%d total).\n",
-		tid, rv, countRead );
-    }
-    PR_Free(buf);
-    buf = 0;
-
-    /* Caller closes the socket. */
-
-    FPRINTF(stderr, 
-    "strsclnt: connection on thread %d read %d bytes total. ---------\n", 
-    	    tid, countRead);
-
-    return SECSuccess;	/* success */
-}
-
-#define USE_SOCK_PEER_ID 1
-
-#ifdef USE_SOCK_PEER_ID
-
-PRInt32 lastFullHandshakePeerID;
-
-void
-myHandshakeCallback(PRFileDesc *socket, void *arg) 
-{
-    PR_AtomicSet(&lastFullHandshakePeerID, (PRInt32) arg);
-}
-
-#endif
-
-/* one copy of this function is launched in a separate thread for each
-** connection to be made.
-*/
-int
-do_connects(
-    void *	a,
-    void *	b,
-    int         tid)
-{
-    PRNetAddr  *        addr		= (PRNetAddr *)  a;
-    PRFileDesc *        model_sock	= (PRFileDesc *) b;
-    PRFileDesc *        ssl_sock	= 0;
-    PRFileDesc *        tcp_sock	= 0;
-    PRStatus	        prStatus;
-    PRUint32            sleepInterval	= 50; /* milliseconds */
-    SECStatus   	result;
-    int                 rv 		= SECSuccess;
-    PRSocketOptionData  opt;
-
-retry:
-
-    tcp_sock = PR_OpenTCPSocket(addr->raw.family);
-    if (tcp_sock == NULL) {
-	errExit("PR_OpenTCPSocket");
-    }
-
-    opt.option             = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_FALSE;
-    prStatus = PR_SetSocketOption(tcp_sock, &opt);
-    if (prStatus != PR_SUCCESS) {
-	errWarn("PR_SetSocketOption(PR_SockOpt_Nonblocking, PR_FALSE)");
-    	PR_Close(tcp_sock);
-	return SECSuccess;
-    } 
-
-    if (NoDelay) {
-	opt.option         = PR_SockOpt_NoDelay;
-	opt.value.no_delay = PR_TRUE;
-	prStatus = PR_SetSocketOption(tcp_sock, &opt);
-	if (prStatus != PR_SUCCESS) {
-	    errWarn("PR_SetSocketOption(PR_SockOpt_NoDelay, PR_TRUE)");
-	    PR_Close(tcp_sock);
-	    return SECSuccess;
-	} 
-    }
-
-    prStatus = PR_Connect(tcp_sock, addr, PR_INTERVAL_NO_TIMEOUT);
-    if (prStatus != PR_SUCCESS) {
-        PRErrorCode err = PR_GetError(); /* save error code */
-        if (ThrottleUp) {
-            PRTime now = PR_Now();
-            PR_Lock(threadLock);
-            lastConnectFailure = PR_MAX(now, lastConnectFailure);
-            PR_Unlock(threadLock);
-        }
-        if ((err == PR_CONNECT_REFUSED_ERROR) || 
-	    (err == PR_CONNECT_RESET_ERROR)      ) {
-	    int connections = numConnected;
-
-	    PR_Close(tcp_sock);
-            PR_Lock(threadLock);
-            if (connections > 2 && active_threads >= connections) {
-                active_threads = connections - 1;
-                fprintf(stderr,"active_threads set down to %d\n",
-                        active_threads);
-            }
-            PR_Unlock(threadLock);
-
-            if (QuitOnTimeout && sleepInterval > 40000) {
-                fprintf(stderr,
-	            "strsclnt: Client timed out waiting for connection to server.\n");
-                exit(1);
-            }
-	    PR_Sleep(PR_MillisecondsToInterval(sleepInterval));
-	    sleepInterval <<= 1;
-	    goto retry;
-	}
-	errWarn("PR_Connect");
-	rv = SECFailure;
-	goto done;
-    } else {
-        if (ThrottleUp) {
-            PRTime now = PR_Now();
-            PR_Lock(threadLock);
-            lastConnectSuccess = PR_MAX(now, lastConnectSuccess);
-            PR_Unlock(threadLock);
-        }
-    }
-
-    ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
-    /* XXX if this import fails, close tcp_sock and return. */
-    if (!ssl_sock) {
-    	PR_Close(tcp_sock);
-	return SECSuccess;
-    }
-    if (fullhs != NO_FULLHS_PERCENTAGE) {
-#ifdef USE_SOCK_PEER_ID
-        char sockPeerIDString[512];
-        static PRInt32 sockPeerID = 0; /* atomically incremented */
-        PRInt32 thisPeerID;
-#endif
-        PRInt32 savid = PR_AtomicIncrement(&globalconid);
-        PRInt32 conid = 1 + (savid - 1) % 100;
-        /* don't change peer ID on the very first handshake, which is always
-           a full, so the session gets stored into the client cache */
-        if ( (savid != 1) &&
-            ( ( (savid <= total_connections_rounded_down_to_hundreds) &&
-                (conid <= fullhs) ) ||
-              (conid*100 <= total_connections_modulo_100*fullhs ) ) ) 
-#ifdef USE_SOCK_PEER_ID
-        {
-            /* force a full handshake by changing the socket peer ID */
-            thisPeerID = PR_AtomicIncrement(&sockPeerID);
-        } else {
-            /* reuse previous sockPeerID for restart handhsake */
-            thisPeerID = lastFullHandshakePeerID;
-        }
-        PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d",
-                    thisPeerID);
-        SSL_SetSockPeerID(ssl_sock, sockPeerIDString);
-        SSL_HandshakeCallback(ssl_sock, myHandshakeCallback, (void*)thisPeerID);
-#else
-            /* force a full handshake by setting the no cache option */
-            SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1);
-#endif
-    }
-    rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0);
-    if (rv != SECSuccess) {
-	errWarn("SSL_ResetHandshake");
-	goto done;
-    }
-
-    PR_AtomicIncrement(&numConnected);
-
-    if (bigBuf.data != NULL) {
-	result = handle_fdx_connection( ssl_sock, tid);
-    } else {
-	result = handle_connection( ssl_sock, tid);
-    }
-
-    PR_AtomicDecrement(&numConnected);
-
-done:
-    if (ssl_sock) {
-	PR_Close(ssl_sock);
-    } else if (tcp_sock) {
-	PR_Close(tcp_sock);
-    }
-    return SECSuccess;
-}
-
-
-typedef struct {
-    PRLock* lock;
-    char* nickname;
-    CERTCertificate* cert;
-    SECKEYPrivateKey* key;
-    void* wincx;
-} cert_and_key;
-
-PRBool FindCertAndKey(cert_and_key* Cert_And_Key)
-{
-    if ( (NULL == Cert_And_Key->nickname) || (0 == strcmp(Cert_And_Key->nickname,"none"))) {
-        return PR_TRUE;
-    }
-    Cert_And_Key->cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
-                            Cert_And_Key->nickname, certUsageSSLClient,
-                            PR_FALSE, Cert_And_Key->wincx);
-    if (Cert_And_Key->cert) {
-        Cert_And_Key->key = PK11_FindKeyByAnyCert(Cert_And_Key->cert, Cert_And_Key->wincx);
-    }
-    if (Cert_And_Key->cert && Cert_And_Key->key) {
-        return PR_TRUE;
-    } else {
-        return PR_FALSE;
-    }
-}
-
-PRBool LoggedIn(CERTCertificate* cert, SECKEYPrivateKey* key)
-{
-    if ( (cert->slot) && (key->pkcs11Slot) &&
-         (PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) &&
-         (PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL)) ) {
-        return PR_TRUE;
-    }
- 
-    return PR_FALSE;
-}
-
-SECStatus 
-StressClient_GetClientAuthData(void * arg,
-                      PRFileDesc * socket,
-		      struct CERTDistNamesStr * caNames,
-		      struct CERTCertificateStr ** pRetCert,
-		      struct SECKEYPrivateKeyStr **pRetKey)
-{
-    cert_and_key* Cert_And_Key = (cert_and_key*) arg;
-
-    if (!pRetCert || !pRetKey) {
-        /* bad pointers, can't return a cert or key */
-        return SECFailure;
-    }
-
-    *pRetCert = NULL;
-    *pRetKey = NULL;
-
-    if (Cert_And_Key && Cert_And_Key->nickname) {
-        while (PR_TRUE) {
-            if (Cert_And_Key && Cert_And_Key->lock) {
-                int timeout = 0;
-                PR_Lock(Cert_And_Key->lock);
-
-                if (Cert_And_Key->cert) {
-                    *pRetCert = CERT_DupCertificate(Cert_And_Key->cert);
-                }
-
-                if (Cert_And_Key->key) {
-                    *pRetKey = SECKEY_CopyPrivateKey(Cert_And_Key->key);
-                }
-                PR_Unlock(Cert_And_Key->lock);
-                if (!*pRetCert || !*pRetKey) {
-                    /* one or both of them failed to copy. Either the source was NULL, or there was
-                    ** an out of memory condition. Free any allocated copy and fail */
-                    if (*pRetCert) {
-                        CERT_DestroyCertificate(*pRetCert);
-                        *pRetCert = NULL;
-                    }
-                    if (*pRetKey) {
-                        SECKEY_DestroyPrivateKey(*pRetKey);
-                        *pRetKey = NULL;
-                    }
-                    break;
-                }
-                /* now check if those objects are valid */
-                if ( PR_FALSE == LoggedIn(*pRetCert, *pRetKey) ) {
-                    /* token is no longer logged in, it was removed */
-
-                    /* first, delete and clear our invalid local objects */
-                    CERT_DestroyCertificate(*pRetCert);
-                    SECKEY_DestroyPrivateKey(*pRetKey);
-                    *pRetCert = NULL;
-                    *pRetKey = NULL;
-
-                    PR_Lock(Cert_And_Key->lock);
-                    /* check if another thread already logged back in */
-                    if (PR_TRUE == LoggedIn(Cert_And_Key->cert, Cert_And_Key->key)) {
-                        /* yes : try again */
-                        PR_Unlock(Cert_And_Key->lock);
-                        continue;
-                    }
-                    /* this is the thread to retry */
-                    CERT_DestroyCertificate(Cert_And_Key->cert);
-                    SECKEY_DestroyPrivateKey(Cert_And_Key->key);
-                    Cert_And_Key->cert = NULL;
-                    Cert_And_Key->key = NULL;
-
-
-                    /* now look up the cert and key again */
-                    while (PR_FALSE == FindCertAndKey(Cert_And_Key) ) {
-                        PR_Sleep(PR_SecondsToInterval(1));
-                        timeout++;
-                        if (timeout>=60) {
-                            printf("\nToken pulled and not reinserted early enough : aborting.\n");
-                            exit(1);
-                        }
-                    }
-                    PR_Unlock(Cert_And_Key->lock);
-                    continue;
-                    /* try again to reduce code size */
-                }
-                return SECSuccess;
-            }
-        }
-        *pRetCert = NULL;
-        *pRetKey = NULL;
-        return SECFailure;
-    } else {
-        /* no cert configured, automatically find the right cert. */
-        CERTCertificate *  cert = NULL;
-        SECKEYPrivateKey * privkey = NULL;
-        CERTCertNicknames * names;
-        int                 i;
-        void *             proto_win = NULL;
-        SECStatus          rv         = SECFailure;
-
-        if (Cert_And_Key) {
-            proto_win = Cert_And_Key->wincx;
-        }
-
-        names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
-                                      SEC_CERT_NICKNAMES_USER, proto_win);
-        if (names != NULL) {
-            for (i = 0; i < names->numnicknames; i++) {
-                cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
-                            names->nicknames[i], certUsageSSLClient,
-                            PR_FALSE, proto_win);	
-                if ( !cert )
-                    continue;
-                /* Only check unexpired certs */
-                if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != 
-                                             secCertTimeValid ) {
-                    CERT_DestroyCertificate(cert);
-                    continue;
-                }
-                rv = NSS_CmpCertChainWCANames(cert, caNames);
-                if ( rv == SECSuccess ) {
-                    privkey = PK11_FindKeyByAnyCert(cert, proto_win);
-                    if ( privkey )
-                        break;
-                }
-                rv = SECFailure;
-                CERT_DestroyCertificate(cert);
-            }
-            CERT_FreeNicknames(names);
-        }
-        if (rv == SECSuccess) {
-            *pRetCert = cert;
-            *pRetKey  = privkey;
-        }
-        return rv;
-    }
-}
-
-int 
-hexchar_to_int(int c) 
-{
-    if (((c) >= '0') && ((c) <= '9'))
-	return (c) - '0'; 
-    if (((c) >= 'a') && ((c) <= 'f'))
-	return (c) - 'a' + 10;
-    if (((c) >= 'A') && ((c) <= 'F'))
-	return (c) - 'A' + 10; 
-    failed_already = 1;
-    return -1;
-}
-
-void
-client_main(
-    unsigned short      port, 
-    int                 connections,
-    cert_and_key* Cert_And_Key,
-    const char *	hostName)
-{
-    PRFileDesc *model_sock	= NULL;
-    int         i;
-    int         rv;
-    PRStatus    status;
-    PRNetAddr   addr;
-
-    status = PR_StringToNetAddr(hostName, &addr);
-    if (status == PR_SUCCESS) {
-    	addr.inet.port = PR_htons(port);
-    } else {
-	/* Lookup host */
-	PRAddrInfo *addrInfo;
-	void       *enumPtr   = NULL;
-
-	addrInfo = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, 
-	                                PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
-	if (!addrInfo) {
-	    SECU_PrintError(progName, "error looking up host");
-	    return;
-	}
-	do {
-	    enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, port, &addr);
-	} while (enumPtr != NULL &&
-		 addr.raw.family != PR_AF_INET &&
-		 addr.raw.family != PR_AF_INET6);
-	PR_FreeAddrInfo(addrInfo);
-	if (enumPtr == NULL) {
-	    SECU_PrintError(progName, "error looking up host address");
-	    return;
-	}
-    }
-
-    /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
-    NSS_SetDomesticPolicy();
-
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
-    if (cipherString) {
-        int ndx;
-
-        /* disable all the ciphers, then enable the ones we want. */
-        disableAllSSLCiphers();
-
-        while (0 != (ndx = *cipherString)) {
-	    const char * startCipher = cipherString++;
-            int  cipher = 0;
-	    SECStatus rv;
-
-	    if (ndx == ':') {
-		cipher  = hexchar_to_int(*cipherString++);
-		cipher <<= 4;
-		cipher |= hexchar_to_int(*cipherString++);
-		cipher <<= 4;
-		cipher |= hexchar_to_int(*cipherString++);
-		cipher <<= 4;
-		cipher |= hexchar_to_int(*cipherString++);
-		if (cipher <= 0) {
-		    fprintf(stderr, "strsclnt: Invalid cipher value: %-5.5s\n",
-		                    startCipher);
-		    failed_already = 1;
-		    return;
-		}
-	    } else {
-		if (isalpha(ndx)) {
-		    const int *cptr;
-
-		    cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		    for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-			/* do nothing */;
-		}
-	    	if (cipher <= 0) {
-		    fprintf(stderr, "strsclnt: Invalid cipher letter: %c\n", 
-		                    *startCipher);
-		    failed_already = 1;
-		    return;
-		}
-	    }
-	    rv = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-	    if (rv != SECSuccess) {
-		fprintf(stderr, 
-			"strsclnt: SSL_CipherPrefSetDefault(0x%04x) failed\n",
-			cipher);
-		failed_already = 1;
-		return;
-	    }
-        }
-    }
-
-    /* configure model SSL socket. */
-
-    model_sock = PR_OpenTCPSocket(addr.raw.family);
-    if (model_sock == NULL) {
-	errExit("PR_OpenTCPSocket for model socket");
-    }
-
-    model_sock = SSL_ImportFD(NULL, model_sock);
-    if (model_sock == NULL) {
-	errExit("SSL_ImportFD");
-    }
-
-    /* do SSL configuration. */
-
-    rv = SSL_OptionSet(model_sock, SSL_SECURITY,
-        !(disableSSL2 && disableSSL3 && disableTLS));
-    if (rv < 0) {
-	errExit("SSL_OptionSet SSL_SECURITY");
-    }
-
-    /* disabling SSL2 compatible hellos also disables SSL2 */
-    rv = SSL_OptionSet(model_sock, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
-    if (rv != SECSuccess) {
-	errExit("error enabling SSLv2 compatible hellos ");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
-    if (rv != SECSuccess) {
-	errExit("error enabling SSLv3 ");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_TLS, !disableTLS);
-    if (rv != SECSuccess) {
-	errExit("error enabling TLS ");
-    }
-
-    if (bigBuf.data) { /* doing FDX */
-	rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
-	if (rv < 0) {
-	    errExit("SSL_OptionSet SSL_ENABLE_FDX");
-	}
-    }
-
-    if (NoReuse) {
-	rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
-	if (rv < 0) {
-	    errExit("SSL_OptionSet SSL_NO_CACHE");
-	}
-    }
-
-    if (bypassPKCS11) {
-	rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
-	if (rv < 0) {
-	    errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
-	}
-    }
-
-    if (disableLocking) {
-        rv = SSL_OptionSet(model_sock, SSL_NO_LOCKS, 1);
-	if (rv < 0) {
-	    errExit("SSL_OptionSet SSL_NO_LOCKS");
-	}
-    }
-
-    if (enableSessionTickets) {
-	rv = SSL_OptionSet(model_sock, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
-	if (rv != SECSuccess)
-	    errExit("SSL_OptionSet SSL_ENABLE_SESSION_TICKETS");
-    }
-
-    SSL_SetURL(model_sock, hostName);
-
-    SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, 
-			(void *)CERT_GetDefaultCertDB());
-    SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
-
-    SSL_GetClientAuthDataHook(model_sock, StressClient_GetClientAuthData, (void*)Cert_And_Key);
-
-    /* I'm not going to set the HandshakeCallback function. */
-
-    /* end of ssl configuration. */
-
-    init_thread_data();
-
-    remaining_connections = total_connections = connections;
-    total_connections_modulo_100 = total_connections % 100;
-    total_connections_rounded_down_to_hundreds =
-        total_connections - total_connections_modulo_100;
-
-    if (!NoReuse) {
-        remaining_connections = 1;
-	rv = launch_thread(do_connects, &addr, model_sock, 0);
-	/* wait for the first connection to terminate, then launch the rest. */
-	reap_threads();
-        remaining_connections = total_connections - 1 ;
-    }
-    if (remaining_connections > 0) {
-        active_threads  = PR_MIN(active_threads, remaining_connections);
-	/* Start up the threads */
-	for (i=0;i<active_threads;i++) {
-	    rv = launch_thread(do_connects, &addr, model_sock, i);
-	}
-	reap_threads();
-    }
-    destroy_thread_data();
-
-    PR_Close(model_sock);
-}
-
-SECStatus
-readBigFile(const char * fileName)
-{
-    PRFileInfo  info;
-    PRStatus	status;
-    SECStatus	rv	= SECFailure;
-    int		count;
-    int		hdrLen;
-    PRFileDesc *local_file_fd = NULL;
-
-    status = PR_GetFileInfo(fileName, &info);
-
-    if (status == PR_SUCCESS &&
-	info.type == PR_FILE_FILE &&
-	info.size > 0 &&
-	NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
-
-	hdrLen      = PORT_Strlen(outHeader);
-	bigBuf.len  = hdrLen + info.size;
-	bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
-	if (!bigBuf.data) {
-	    errWarn("PORT_Malloc");
-	    goto done;
-	}
-
-	PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
-
-	count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
-	if (count != info.size) {
-	    errWarn("PR_Read local file");
-	    goto done;
-	}
-	rv = SECSuccess;
-done:
-	PR_Close(local_file_fd);
-    }
-    return rv;
-}
-
-int
-main(int argc, char **argv)
-{
-    const char *         dir         = ".";
-    const char *         fileName    = NULL;
-    char *               hostName    = NULL;
-    char *               nickName    = NULL;
-    char *               tmp         = NULL;
-    int                  connections = 1;
-    int                  exitVal;
-    int                  tmpInt;
-    unsigned short       port        = 443;
-    SECStatus            rv;
-    PLOptState *         optstate;
-    PLOptStatus          status;
-    cert_and_key Cert_And_Key;
-    secuPWData  pwdata          = { PW_NONE, 0 };
-
-    /* Call the NSPR initialization routines */
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    tmp      = strrchr(argv[0], '/');
-    tmp      = tmp ? tmp + 1 : argv[0];
-    progName = strrchr(tmp, '\\');
-    progName = progName ? progName + 1 : tmp;
- 
-
-    optstate = PL_CreateOptState(argc, argv, "23BC:DNP:TUW:c:d:f:in:op:qst:uvw:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch(optstate->option) {
-
-	case '2': disableSSL2 = PR_TRUE; break;
-
-	case '3': disableSSL3 = PR_TRUE; break;
-
-	case 'B': bypassPKCS11 = PR_TRUE; break;
-
-	case 'C': cipherString = optstate->value; break;
-
-	case 'D': NoDelay = PR_TRUE; break;
-
-	case 'N': NoReuse = 1; break;
-        
-	case 'P': fullhs = PORT_Atoi(optstate->value); break;
-
-	case 'T': disableTLS = PR_TRUE; break;
-            
-	case 'U': ThrottleUp = PR_TRUE; break;
-
-	case 'c': connections = PORT_Atoi(optstate->value); break;
-
-	case 'd': dir = optstate->value; break;
-
-	case 'f': fileName = optstate->value; break;
-
-	case 'i': ignoreErrors = PR_TRUE; break;
-
-        case 'n': nickName = PL_strdup(optstate->value); break;
-
-	case 'o': MakeCertOK++; break;
-
-	case 'p': port = PORT_Atoi(optstate->value); break;
-
-	case 'q': QuitOnTimeout = PR_TRUE; break;
-
-	case 's': disableLocking = PR_TRUE; break;
-
-	case 't':
-	    tmpInt = PORT_Atoi(optstate->value);
-	    if (tmpInt > 0 && tmpInt < MAX_THREADS) 
-	        max_threads = active_threads = tmpInt;
-	    break;
-
-	case 'u': enableSessionTickets = PR_TRUE; break;
-
-	case 'v': verbose++; break;
-
-        case 'w':
-            pwdata.source = PW_PLAINTEXT;
-            pwdata.data = PL_strdup(optstate->value);
-            break;
-
-        case 'W':
-            pwdata.source = PW_FROMFILE;
-            pwdata.data = PL_strdup(optstate->value);
-            break;
-
-	case 0:   /* positional parameter */
-	    if (hostName) {
-		Usage(progName);
-	    }
-	    hostName = PL_strdup(optstate->value);
-	    break;
-
-	default:
-	case '?':
-	    Usage(progName);
-	    break;
-
-	}
-    }
-    PL_DestroyOptState(optstate);
-
-    if (!hostName || status == PL_OPT_BAD)
-    	Usage(progName);
-
-    if (fullhs!= NO_FULLHS_PERCENTAGE && (fullhs < 0 || fullhs>100 || NoReuse) )
-        Usage(progName);
-
-    if (port == 0)
-	Usage(progName);
-
-    if (fileName)
-    	readBigFile(fileName);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
-    if (tmp && tmp[0]) {
-        int sec = PORT_Atoi(tmp);
-	if (sec > 0) {
-	    maxInterval = PR_SecondsToInterval(sec);
-    	}
-    }
-
-    /* Call the NSS initialization routines */
-    rv = NSS_Initialize(dir, "", "", SECMOD_DB, NSS_INIT_READONLY);
-    if (rv != SECSuccess) {
-    	fputs("NSS_Init failed.\n", stderr);
-	exit(1);
-    }
-    ssl3stats = SSL_GetStatistics();
-    Cert_And_Key.lock = PR_NewLock();
-    Cert_And_Key.nickname = nickName;
-    Cert_And_Key.wincx = &pwdata;
-    Cert_And_Key.cert = NULL;
-    Cert_And_Key.key = NULL;
-
-    if (PR_FALSE == FindCertAndKey(&Cert_And_Key)) {
-
-	if (Cert_And_Key.cert == NULL) {
-	    fprintf(stderr, "strsclnt: Can't find certificate %s\n", Cert_And_Key.nickname);
-	    exit(1);
-	}
-
-	if (Cert_And_Key.key == NULL) {
-	    fprintf(stderr, "strsclnt: Can't find Private Key for cert %s\n", 
-		    Cert_And_Key.nickname);
-	    exit(1);
-	}
-
-    }
-
-    client_main(port, connections, &Cert_And_Key, hostName);
-
-    /* clean up */
-    if (Cert_And_Key.cert) {
-	CERT_DestroyCertificate(Cert_And_Key.cert);
-    }
-    if (Cert_And_Key.key) {
-	SECKEY_DestroyPrivateKey(Cert_And_Key.key);
-    }
-
-    PR_DestroyLock(Cert_And_Key.lock);
-
-    if (pwdata.data) {
-        PL_strfree(pwdata.data);
-    }
-    if (Cert_And_Key.nickname) {
-        PL_strfree(Cert_And_Key.nickname);
-    }
-
-    PL_strfree(hostName);
-
-    /* some final stats. */
-    if (ssl3stats->hsh_sid_cache_hits +
-	ssl3stats->hsh_sid_cache_misses +
-	ssl3stats->hsh_sid_cache_not_ok +
-	ssl3stats->hsh_sid_stateless_resumes == 0) {
-	/* presumably we were testing SSL2. */
-	printf("strsclnt: SSL2 - %d server certificates tested.\n",
-               certsTested);
-    } else {
-	printf(
-	"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
-	"          %ld stateless resumes\n",
-	    ssl3stats->hsh_sid_cache_hits, 
-	    ssl3stats->hsh_sid_cache_misses,
-	    ssl3stats->hsh_sid_cache_not_ok,
-	    ssl3stats->hsh_sid_stateless_resumes);
-    }
-
-    if (!NoReuse) {
-	if (enableSessionTickets)
-	    exitVal = (ssl3stats->hsh_sid_stateless_resumes == 0);
-	else
-	    exitVal = (ssl3stats->hsh_sid_cache_misses > 1) ||
-		      (ssl3stats->hsh_sid_stateless_resumes != 0);
-	if (!exitVal)
-	    exitVal = (ssl3stats->hsh_sid_cache_not_ok != 0) ||
-		      (certsTested > 1);
-    } else {
-	printf("strsclnt: NoReuse - %d server certificates tested.\n",
-               certsTested);
-        if (ssl3stats->hsh_sid_cache_hits +
-            ssl3stats->hsh_sid_cache_misses +
-            ssl3stats->hsh_sid_cache_not_ok +
-            ssl3stats->hsh_sid_stateless_resumes > 0) {
-            exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
-                (ssl3stats->hsh_sid_stateless_resumes != 0) ||
-                (certsTested != connections);
-        } else {                /* ssl2 connections */
-            exitVal = (certsTested != connections);
-        }
-    }
-
-    exitVal = ( exitVal || failed_already );
-    SSL_ClearSessionCache();
-    if (NSS_Shutdown() != SECSuccess) {
-        printf("strsclnt: NSS_Shutdown() failed.\n");
-        exit(1);
-    }
-
-    PR_Cleanup();
-    return exitVal;
-}
-
diff --git a/security/nss/cmd/symkeyutil/Makefile b/security/nss/cmd/symkeyutil/Makefile
deleted file mode 100644
index fe7991878..000000000
--- a/security/nss/cmd/symkeyutil/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
- 
diff --git a/security/nss/cmd/symkeyutil/manifest.mn b/security/nss/cmd/symkeyutil/manifest.mn
deleted file mode 100644
index 3755edcdd..000000000
--- a/security/nss/cmd/symkeyutil/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-DEFINES += -DNSPR20
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-CSRCS = symkeyutil.c 
-#CSRCS = symkeytest.c 
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = dbm seccmd
-
-PROGRAM = symkeyutil
-#PROGRAM = symkeytest
-
-#USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/symkeyutil/symkey.man b/security/nss/cmd/symkeyutil/symkey.man
deleted file mode 100644
index 4cf7b19f6..000000000
--- a/security/nss/cmd/symkeyutil/symkey.man
+++ /dev/null
@@ -1,182 +0,0 @@
-
-NAME
-    symkeyutil - manage fixed keys in the database
-
-SYNOPSIS
-    symkeyutil -H
-    symkeyutil -L [std_opts] [-r]
-    symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]
-    symkeyutil -D <[-n name | -i id | -j id_file> [std_opts]
-    symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]
-    symkeyutil -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]
-    symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]
-    symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]
-    symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts]
-      std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]
-      wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>
-
-DESCRIPTION
-
-    NSS can store fixed keys as well as asymetric keys in the database. The
-    symkeyutil command can be used to manage these keys. 
-
-    As with certutil, symkeyutil takes two types of arguments, commands and
-    options. Most commands fall into one of two catagories: commands which
-    create keys and commands which extract or destroy keys. 
-
-    Exceptions to these catagories are listed first:
-
-    -H    takes no additional options. It lists a more detailed help message.
-    -L    takes the standard set of options. It lists all the keys in a the 
-          specified token (NSS Internal DB Token is the default).  Only the 
-          -L option accepts the all option for tokens to list all the fixed 
-          keys.
-
-    Key Creation commands:
-    For these commands, the key type (-t) option is always required. 
-    In addition, the -s option may be required for certain key types.
-    The standard set of options may be specified.
-
-    -K   Create a new key using the token key gen function.
-    -I   Import a new key from the raw data specified in the data file,
-         specified with the -k options (required). This command may fail on 
-         some tokens that don't support direct import of key material. 
-    -U   Unwrap a new key from an encrypted data file specified with the -k
-         option. The -w, -x, or -y option specifies the unwrapping key.
-         The unwrapping algorithm is selected based on the type of the 
-         unwrapping key.
-
-    Key extraction/destruction options:
-    For these keys, one and only of of the -n, -i, or -j options must be 
-    specified. If more than one key matches the -n option, the 'first' key
-    matching will be used.  The standard set of options may be specified.
-
-    -D   Delete the key specified by the -n, -i, or -j options.
-    -E   Export the key specified by the -n, -i, or -j options and store the
-         contents to a file specified by the -k file (required). 
-         This command will seldom work on any token since most keys are 
-         protected from export.
-    -W   Wrap the key specified by the -n, -i, or -j options and store the
-         encrypted contents to a file specified by the -k file (required). 
-         The -w, -x, or -y option specifies the key used to wrap the 
-         target key. 
-    -M   Move the key specified by the -n, -i, or -j options to the token
-         specified by the -g option (required). The new key will have the
-         same attributes as the source key.
-
-OPTIONS
-
-    Standard options are those options that may be used by any command, and
-    whose meaning is the same for all commands.
-
-    -h token         Specify the token which the command will operate on. 
-                     If -h is not specified the internal token is presumed. In
-                     addition the special value 'all' may be used to specify 
-                     that all tokens should be used. This is only valid for 
-                     the '-L' command.
-    -d certdir       Specify the location of the NSS databases. The default
-                     value is platform dependent.
-    -P dbprefix      Specify the prefix for the NSS database. The default value
-                     is NULL.
-    -p password      Specify the password for the token. On the command line. 
-                     The -p and -f options are mutually exclusive. If 
-                     neither option is specified, the password would be 
-                     prompted from the user.
-    -f passwordFile  Specify a file that contains the password for the token.
-                     This option is mutually exclusive to the -p option.
-
-    In addition to the standard options are the following command specific 
-    options are.
-
-    -r               Opens the NSS databases Read/Write. By default the -L,
-                     -E, and -W commands open the database read only. Other
-                     commands automatically opens the databases Read/Write and
-                     igore this option if it is specified.
-
-    -n name          Specifies the nickname for the key.
-
-                     For the -K, -I, or -U options, name is the name for 
-                     the new key.  If -n is not specified, no name is 
-                     assumed. There is not check for duplicate names.
-
-                     For the -D, -E, -W, or -M, the name specifies the key to
-                     operate on. In this case one andy only one of the -n, -i
-                     or -j options should be specifed. It is possible that
-                     the -n options specifies and ambiguous key. In that case
-                     the 'first' valid key is used.
-
-                     For the -M option, the nickname for the new key is copied
-                     from it's original key, even if the original key is
-                     specified using -i or -j.
-
-    -i key id
-    -j key id file   These options are equivalent and mutually exclusive. 
-                     They specify the key id for the file. The -i option
-                     specifies the key id on the command line using a hex 
-                     string. The -j specifies a file to read the raw key
-                     id from.
-
-                     For the -K, -I, or -U options, key id is the key id for 
-                     the new key.  If -i or -j is not specified, no key id 
-                     is assumed.  Some tokens may generate their own unique 
-                     id for the key in this case (but it is not guarrenteed).
-
-                     For the -D, -E, -W, or -M, the key id specifies the key to
-                     operate on. In this case one andy only one of the -n, -i
-                     or -j options should be specifed. 
-
-   -t type           Specifies the key Type for the new key. This option is
-                     required for the -K, -I, and -U commands. Valid values
-                     are:
-			generic, rc2, rc4, des, des2, des3, cast, cast3,
-                        cast5, cast128, rc5, idea, skipjack, baton, juniper,
-                        cdmf, aes, camellia
-
-                     Not all tokens support all key types. The generic key
-                     type is usually used in MACing and key derivation 
-                     algorithms. Neither generic nor rc4 keys may be used
-                     to wrap other keys. Fixed rc4 keys are dangerous since
-                     multiple use of the same stream cipher key to encrypted
-                     different data can compromise all data encrypted with
-                     that key.
-
-   -s size           Specifies the key size. For most situations the key size
-                     is already known and need not be specified. For some 
-                     algorithms, however, it is necessary to specify the key
-                     size when generation or unwrapping the key.
-
-   -k key file       Specifies the name of a file that contains key data to
-                     import or unwrap (-I or -U), or the location to store
-                     key data or encrypted key data (-E or -W).
-
-   -g target token   Specifies the target token when moving a key (-M). This
-                     option is required for the -M command. It is invalid for
-                     all other commands.
-
-
-
-   -w wrap name
-   -x wrap key id
-   -y wrap key id file Specifies the wrapping key used int the -U and -W
-                      command. Exactly one of these must be specified for the
-                      -U or -W commands. Same semantics as the -n, -i, and -j
-                      options above.
-
-BUGS
-
-   There is no way display the key id of a key.
-
-   The -p and -f options only specifies one password. Multiple passwords may
-   be needed for the -L -h all command and the -M command.
-
-   Perhaps RC4 should not be supported as a key type. Use of these keys as
-   fixed keys is exceedingly dangerous.
-
-   The handling of multiple keys with the same nickname should be more 
-   deterministic than 'the first one'
-
-   There is no way to specify, or display the operation flags of a key. The
-   operation flags are not copied with the -M option as they should be.
-
-   There is no way to change the attributes of a key (nickname, id, operation
-   flags).
diff --git a/security/nss/cmd/symkeyutil/symkeyutil.c b/security/nss/cmd/symkeyutil/symkeyutil.c
deleted file mode 100644
index 100834318..000000000
--- a/security/nss/cmd/symkeyutil/symkeyutil.c
+++ /dev/null
@@ -1,1135 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** symkeyutil.c
-**
-** utility for managing symetric keys in the database or the token
-**
-*/
-
-/*
- * Wish List for this utility:
- *  1) Display and Set the CKA_ operation flags for the key.
- *  2) Modify existing keys
- *  3) Copy keys
- *  4) Read CKA_ID and display for keys.
- *  5) Option to store CKA_ID in a file on key creation.
- *  6) Encrypt, Decrypt, Hash, and Mac with generated keys.
- *  7) Use asymetric keys to wrap and unwrap keys.
- *  8) Derive.
- *  9) PBE keys.
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "secutil.h"
-
-#include "nspr.h"
-
-#include "pk11func.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "nss.h"
-
-typedef struct _KeyTypes {
-    CK_KEY_TYPE	keyType;
-    CK_MECHANISM_TYPE mechType;
-    CK_MECHANISM_TYPE wrapMech;
-    char *label;
-} KeyTypes;
-
-static KeyTypes keyArray[] = {
-#ifdef RECOGNIZE_ASYMETRIC_TYPES
-    { CKK_RSA, CKM_RSA_PKCS, CKM_RSA_PKCS, "rsa" },
-    { CKK_DSA, CKM_DSA, CKM_INVALID_MECHANISM, "dsa" },
-    { CKK_DH, CKM_DH_PKCS_DERIVE, CKM_INVALID_MECHANISM, "dh" },
-    { CKK_EC, CKM_ECDSA, CKM_INVALID_MECHANISM, "ec" },
-    { CKK_X9_42_DH, CKM_X9_42_DH_DERIVE, CKM_INVALID_MECHANISM, "x9.42dh" },
-    { CKK_KEA, CKM_KEA_KEY_DERIVE, CKM_INVALID_MECHANISM, "kea" },
-#endif
-    { CKK_GENERIC_SECRET, CKM_SHA_1_HMAC, CKM_INVALID_MECHANISM, "generic" },
-    { CKK_RC2, CKM_RC2_CBC, CKM_RC2_ECB,"rc2" },
-    /* don't define a wrap mech for RC-4 since it's note really safe */
-    { CKK_RC4, CKM_RC4, CKM_INVALID_MECHANISM, "rc4" }, 
-    { CKK_DES, CKM_DES_CBC, CKM_DES_ECB,"des" },
-    { CKK_DES2, CKM_DES2_KEY_GEN, CKM_DES3_ECB, "des2" },
-    { CKK_DES3, CKM_DES3_KEY_GEN, CKM_DES3_ECB, "des3" },
-    { CKK_CAST, CKM_CAST_CBC, CKM_CAST_ECB, "cast" },
-    { CKK_CAST3, CKM_CAST3_CBC, CKM_CAST3_ECB, "cast3" },
-    { CKK_CAST5, CKM_CAST5_CBC, CKM_CAST5_ECB, "cast5" },
-    { CKK_CAST128, CKM_CAST128_CBC, CKM_CAST128_ECB, "cast128" },
-    { CKK_RC5, CKM_RC5_CBC, CKM_RC5_ECB, "rc5" },
-    { CKK_IDEA, CKM_IDEA_CBC, CKM_IDEA_ECB, "idea" },
-    { CKK_SKIPJACK, CKM_SKIPJACK_CBC64, CKM_SKIPJACK_WRAP, "skipjack" },
-    { CKK_BATON, CKM_BATON_CBC128, CKM_BATON_WRAP, "baton" },
-    { CKK_JUNIPER, CKM_JUNIPER_CBC128, CKM_JUNIPER_WRAP, "juniper" },
-    { CKK_CDMF, CKM_CDMF_CBC, CKM_CDMF_ECB, "cdmf" },
-    { CKK_AES, CKM_AES_CBC, CKM_AES_ECB, "aes" },
-    { CKK_CAMELLIA, CKM_CAMELLIA_CBC, CKM_CAMELLIA_ECB, "camellia" },
-};
-
-static int keyArraySize = sizeof(keyArray)/sizeof(keyArray[0]);
-
-int
-GetLen(PRFileDesc* fd)
-{
-    PRFileInfo info;
-
-    if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {
-        return -1;
-    }
-
-    return info.size;
-}
-
-int
-ReadBuf(char *inFile, SECItem *item)
-{
-    int len;
-    int ret;
-    PRFileDesc* fd = PR_Open(inFile, PR_RDONLY, 0);
-    if (NULL == fd) {
-        SECU_PrintError("symkeyutil", "PR_Open failed");
-	return -1;
-    }
-
-    len = GetLen(fd);
-    if (len < 0) {
-	SECU_PrintError("symkeyutil", "PR_GetOpenFileInfo failed");
-	return -1;
-    }
-    item->data = (unsigned char *)PORT_Alloc(len);
-    if (item->data == NULL) {
-	fprintf(stderr,"Failed to allocate %d to read file %s\n",len,inFile);
-	return -1;
-    }
-
-    ret = PR_Read(fd,item->data,item->len);
-    if (ret < 0) {
-	SECU_PrintError("symkeyutil", "PR_Read failed");
-	PORT_Free(item->data);
-	item->data = NULL;
-	return -1;
-    }
-    PR_Close(fd);
-    item->len = len;
-    return 0;
-}
-
-int
-WriteBuf(char *inFile, SECItem *item)
-{
-    int ret;
-    PRFileDesc* fd = PR_Open(inFile, PR_WRONLY|PR_CREATE_FILE, 0x200);
-    if (NULL == fd) {
-        SECU_PrintError("symkeyutil", "PR_Open failed");
-	return -1;
-    }
-
-    ret = PR_Write(fd,item->data,item->len);
-    if (ret < 0) {
-	SECU_PrintError("symkeyutil", "PR_Write failed");
-	return -1;
-    }
-    PR_Close(fd);
-    return 0;
-}
-
-CK_KEY_TYPE
-GetKeyTypeFromString(const char *keyString)
-{
-    int i;
-    for (i=0; i < keyArraySize; i++) {
-	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {
-	    return keyArray[i].keyType;
-	}
-    }
-    return (CK_KEY_TYPE)-1;
-}
-
-CK_MECHANISM_TYPE
-GetKeyMechFromString(const char *keyString)
-{
-    int i;
-    for (i=0; i < keyArraySize; i++) {
-	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {
-	    return keyArray[i].mechType;
-	}
-    }
-    return (CK_MECHANISM_TYPE)-1;
-}
-
-const char *
-GetStringFromKeyType(CK_KEY_TYPE type)
-{
-    int i;
-    for (i=0; i < keyArraySize; i++) {
-	if (keyArray[i].keyType == type) {
-	    return keyArray[i].label;
-	}
-    }
-    return "unmatched";
-}
-
-CK_MECHANISM_TYPE
-GetWrapFromKeyType(CK_KEY_TYPE type)
-{
-    int i;
-    for (i=0; i < keyArraySize; i++) {
-	if (keyArray[i].keyType == type) {
-	    return keyArray[i].wrapMech;
-	}
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-CK_MECHANISM_TYPE
-GetWrapMechanism(PK11SymKey *symKey)
-{
-    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
-
-    return GetWrapFromKeyType(type);
-}
-
-int
-GetDigit(char c)
-{
-    if (c == 0) {
-	return -1;
-    }
-    if (c <= '9' && c >= '0') {
-	return c - '0';
-    }
-    if (c <= 'f' && c >= 'a') {
-	return c - 'a' + 0xa;
-    }
-    if (c <= 'F' && c >= 'A') {
-	return c - 'A' + 0xa;
-    }
-    return -1;
-}
-
-char
-ToDigit(unsigned char c)
-{
-    c = c & 0xf;
-    if (c <= 9) {
-	return (char) (c+'0');
-    }
-    return (char) (c+'a'-0xa);
-}
-
-char *
-BufToHex(SECItem *outbuf)
-{
-    int len = outbuf->len * 2 +1;
-    char *string, *ptr;
-    unsigned int i;
-
-    string = PORT_Alloc(len);
-
-    ptr = string;
-    for (i=0; i < outbuf->len; i++) {
-	*ptr++ = ToDigit(outbuf->data[i] >> 4);
-	*ptr++ = ToDigit(outbuf->data[i] & 0xf);
-    }
-    *ptr = 0;
-    return string;
-}
-
-
-int
-HexToBuf(char *inString, SECItem *outbuf)
-{
-    int len = strlen(inString);
-    int outlen = len+1/2;
-    int trueLen = 0;
-
-    outbuf->data = PORT_Alloc(outlen);
-    if (outbuf->data) {
-	return -1;
-    }
-
-    while (*inString) {
-	int digit1, digit2;
-	digit1 = GetDigit(*inString++);
-	digit2 = GetDigit(*inString++);
-	if ((digit1 == -1) || (digit2 == -1)) {
-	    PORT_Free(outbuf->data);
-	    outbuf->data = NULL;
-	    return -1;
-	}
-	outbuf->data[trueLen++] = digit1 << 4 | digit2;
-    }
-    outbuf->len = trueLen;
-    return 0;
-}
-
-void
-printBuf(unsigned char *data, int len)
-{
-    int i;
-
-    for (i=0; i < len; i++) {
-	printf("%02x",data[i]);
-    }
-}
-
-void
-PrintKey(PK11SymKey *symKey)
-{
-    char *name = PK11_GetSymKeyNickname(symKey);
-    int len = PK11_GetKeyLength(symKey);
-    int strength = PK11_GetKeyStrength(symKey, NULL);
-    SECItem *value = NULL;
-    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);
-    (void) PK11_ExtractKeyValue(symKey);
-
-    value = PK11_GetKeyData(symKey);
-
-    printf("%-20s %3d   %4d   %10s  ", name ? name: " ", len, strength, 
-				GetStringFromKeyType(type));
-    if (value && value->data) {
-	printBuf(value->data, value->len);
-    } else {
-	printf("<restricted>");
-    }
-    printf("\n");
-}
-
-SECStatus
-ListKeys(PK11SlotInfo *slot, int *printLabel, void *pwd) {
-    PK11SymKey *keyList;
-    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);
-    if (rv != SECSuccess) {
-        return rv;;
-    }
-
-    keyList = PK11_ListFixedKeysInSlot(slot, NULL, pwd);
-    if (keyList) {
-	if (*printLabel) {
-            printf("     Name            Len Strength     Type    Data\n");
-	    *printLabel = 0;
-	}
-	printf("%s:\n",PK11_GetTokenName(slot));
-    }
-    while (keyList) {
-        PK11SymKey *freeKey = keyList;
-        PrintKey(keyList);
-        keyList = PK11_GetNextSymKey(keyList);
-        PK11_FreeSymKey(freeKey);
-    }
-    return SECSuccess;
-}
-
-PK11SymKey *
-FindKey(PK11SlotInfo *slot, char *name, SECItem *id, void *pwd)
-{
-    PK11SymKey *key = NULL;
-    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);
-
-    if (rv != SECSuccess) {
-	return NULL;
-    }
-
-
-    if (id->data) {
-	key = PK11_FindFixedKey(slot,CKM_INVALID_MECHANISM, id, pwd);
-    }
-    if (name && !key) {
-	key = PK11_ListFixedKeysInSlot(slot,name, pwd);
-    }
-
-    if (key) {
-	printf("Found a key\n");
-	PrintKey(key);
-    }
-    return key;
-}
-
-PRBool
-IsKeyList(PK11SymKey *symKey)
-{
-   return (PRBool) (PK11_GetNextSymKey(symKey) != NULL);
-}
-
-void
-FreeKeyList(PK11SymKey *symKey)
-{
-   PK11SymKey *next,*current;
-
-   for (current = symKey; current; current = next) {
-	next = PK11_GetNextSymKey(current);
-	PK11_FreeSymKey(current);
-   }
-   return;
-}
-	   
-static void 
-Usage(char *progName)
-{
-#define FPS fprintf(stderr, 
-    FPS "Type %s -H for more detailed descriptions\n", progName);
-    FPS "Usage:");
-    FPS "\t%s -L [std_opts] [-r]\n", progName);
-    FPS "\t%s -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]\n", progName);
-    FPS "\t%s -D <[-n name | -i id | -j id_file> [std_opts]\n", progName);
-    FPS "\t%s -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]\n", progName);
-    FPS "\t%s -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]\n", progName);
-    FPS "\t%s -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]\n", progName);
-    FPS "\t%s -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]\n", progName);
-    FPS "\t%s -M <-n name | -i id | -j id_file> -g target_token [std_opts]\n", progName);
-    FPS "\t\t std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]\n");
-    FPS "\t\t wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>\n");
-    exit(1);
-}
-
-static void LongUsage(char *progName)
-{
-    int i;
-    FPS "%-15s List all the keys.\n", "-L");
-    FPS "%-15s Generate a new key.\n", "-K");
-    FPS "%-20s Specify the nickname of the new key\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the new key\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the new key\n",
-	"   -j key id file");
-    FPS "%-20s Specify the keyType of the new key\n",
-	"   -t type");
-    FPS "%-20s", "  valid types: ");
-    for (i=0; i < keyArraySize ; i++) {
-	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
-    }
-    FPS "%-20s Specify the size of the new key in bytes (required by some types)\n",
-	"   -s size");
-    FPS "%-15s Delete a key.\n", "-D");
-    FPS "%-20s Specify the nickname of the key to delete\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the key to delete\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the key to delete\n",
-	"   -j key id file");
-    FPS "%-15s Import a new key from a data file.\n", "-I");
-    FPS "%-20s Specify the data file to read the key from.\n",
-	"   -k key file");
-    FPS "%-20s Specify the nickname of the new key\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the new key\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the new key\n",
-	"   -j key id file");
-    FPS "%-20s Specify the keyType of the new key\n",
-	"   -t type");
-    FPS "%-20s", "  valid types: ");
-    for (i=0; i < keyArraySize ; i++) {
-	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
-    }
-    FPS "%-15s Export a key to a data file.\n", "-E");
-    FPS "%-20s Specify the data file to write the key to.\n",
-	"   -k key file");
-    FPS "%-20s Specify the nickname of the key to export\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the key to export\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the key to export\n",
-	"   -j key id file");
-    FPS "%-15s Move a key to a new token.\n", "-M");
-    FPS "%-20s Specify the nickname of the key to move\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the key to move\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the key to move\n",
-	"   -j key id file");
-    FPS "%-20s Specify the token to move the key to\n",
-	"   -g target token");
-    FPS "%-15s Unwrap a new key from a data file.\n", "-U");
-    FPS "%-20s Specify the data file to read the encrypted key from.\n",
-	"   -k key file");
-    FPS "%-20s Specify the nickname of the new key\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the new key\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the new key\n",
-	"   -j key id file");
-    FPS "%-20s Specify the keyType of the new key\n",
-	"   -t type");
-    FPS "%-20s", "  valid types: ");
-    for (i=0; i < keyArraySize ; i++) {
-	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');
-    }
-    FPS "%-20s Specify the nickname of the wrapping key\n",
-	"   -w wrap name");
-    FPS "%-20s Specify the id in hex of the wrapping key\n",
-	"   -x wrap key id");
-    FPS "%-20s Specify a file to read the id of the wrapping key\n",
-	"   -y wrap key id file");
-    FPS "%-15s Wrap a new key to a data file. [not yet implemented]\n", "-W");
-    FPS "%-20s Specify the data file to write the encrypted key to.\n",
-	"   -k key file");
-    FPS "%-20s Specify the nickname of the key to wrap\n",
-	"   -n name");
-    FPS "%-20s Specify the id in hex of the key to wrap\n",
-	"   -i key id");
-    FPS "%-20s Specify a file to read the id of the key to wrap\n",
-	"   -j key id file");
-    FPS "%-20s Specify the nickname of the wrapping key\n",
-	"   -w wrap name");
-    FPS "%-20s Specify the id in hex of the wrapping key\n",
-	"   -x wrap key id");
-    FPS "%-20s Specify a file to read the id of the wrapping key\n",
-	"   -y wrap key id file");
-    FPS "%-15s Options valid for all commands\n", "std_opts");
-    FPS "%-20s The directory where the NSS db's reside\n",
-	"   -d certdir");
-    FPS "%-20s Prefix for the NSS db's\n",
-	"   -P db prefix");
-    FPS "%-20s Specify password on the command line\n",
-	"   -p password");
-    FPS "%-20s Specify password file on the command line\n",
-	"   -f password file");
-    FPS "%-20s Specify token to act on\n",
-	"   -h token");
-    exit(1);
-#undef FPS
-}
-
-/*  Certutil commands  */
-enum {
-    cmd_CreateNewKey = 0,
-    cmd_DeleteKey,
-    cmd_ImportKey,
-    cmd_ExportKey,
-    cmd_WrapKey,
-    cmd_UnwrapKey,
-    cmd_MoveKey,
-    cmd_ListKeys,
-    cmd_PrintHelp
-};
-
-/*  Certutil options */
-enum {
-    opt_CertDir = 0,
-    opt_PasswordFile,
-    opt_TargetToken,
-    opt_TokenName,
-    opt_KeyID,
-    opt_KeyIDFile,
-    opt_KeyType,
-    opt_Nickname,
-    opt_KeyFile,
-    opt_Password,
-    opt_dbPrefix,
-    opt_RW,
-    opt_KeySize,
-    opt_WrapKeyName,
-    opt_WrapKeyID,
-    opt_WrapKeyIDFile,
-    opt_NoiseFile
-};
-
-static secuCommandFlag symKeyUtil_commands[] =
-{
-	{ /* cmd_CreateNewKey        */  'K', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_DeleteKey           */  'D', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ImportKey           */  'I', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ExportKey           */  'E', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_WrapKey             */  'W', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_UnwrapKey           */  'U', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_MoveKey             */  'M', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_ListKeys            */  'L', PR_FALSE, 0, PR_FALSE },
-	{ /* cmd_PrintHelp           */  'H', PR_FALSE, 0, PR_FALSE },
-};
-
-static secuCommandFlag symKeyUtil_options[] =
-{
-	{ /* opt_CertDir             */  'd', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_PasswordFile        */  'f', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_TargetToken         */  'g', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_TokenName           */  'h', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyID               */  'i', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyIDFile           */  'j', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyType             */  't', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Nickname            */  'n', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_KeyFile             */  'k', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_Password            */  'p', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_dbPrefix            */  'P', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_RW                  */  'r', PR_FALSE, 0, PR_FALSE },
-	{ /* opt_KeySize             */  's', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_WrapKeyName         */  'w', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_WrapKeyID           */  'x', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_WrapKeyIDFile       */  'y', PR_TRUE,  0, PR_FALSE },
-	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },
-};
-
-int 
-main(int argc, char **argv)
-{
-    PK11SlotInfo *slot = NULL;
-    char *      slotname        = "internal";
-    char *      certPrefix      = "";
-    CK_MECHANISM_TYPE keyType   = CKM_SHA_1_HMAC;
-    int         keySize		= 0;
-    char *      name            = NULL;
-    char *      wrapName        = NULL;
-    secuPWData  pwdata          = { PW_NONE, 0 };
-    PRBool 	readOnly	= PR_FALSE;
-    SECItem	key;
-    SECItem	keyID;
-    SECItem	wrapKeyID;
-    int commandsEntered = 0;
-    int commandToRun = 0;
-    char *progName;
-    int i;
-    SECStatus rv = SECFailure;
-
-    secuCommand symKeyUtil;
-    symKeyUtil.numCommands=sizeof(symKeyUtil_commands)/sizeof(secuCommandFlag);
-    symKeyUtil.numOptions=sizeof(symKeyUtil_options)/sizeof(secuCommandFlag);
-    symKeyUtil.commands = symKeyUtil_commands;
-    symKeyUtil.options = symKeyUtil_options;
-
-    key.data = NULL; key.len = 0;
-    keyID.data = NULL; keyID.len = 0;
-    wrapKeyID.data = NULL; wrapKeyID.len = 0;
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    rv = SECU_ParseCommandLine(argc, argv, progName, &symKeyUtil);
-
-    if (rv != SECSuccess)
-	Usage(progName);
-
-    rv = SECFailure;
-
-    /* -H print help */
-    if (symKeyUtil.commands[cmd_PrintHelp].activated)
-	LongUsage(progName);
-
-    /* -f password file, -p password */
-    if (symKeyUtil.options[opt_PasswordFile].arg) {
-	pwdata.source = PW_FROMFILE;
-	pwdata.data = symKeyUtil.options[opt_PasswordFile].arg;
-    } else if (symKeyUtil.options[opt_Password].arg) {
-	pwdata.source = PW_PLAINTEXT;
-	pwdata.data = symKeyUtil.options[opt_Password].arg;
-    } 
-
-    /* -d directory */
-    if (symKeyUtil.options[opt_CertDir].activated)
-	SECU_ConfigDirectory(symKeyUtil.options[opt_CertDir].arg);
-
-    /* -s key size */
-    if (symKeyUtil.options[opt_KeySize].activated) {
-	keySize = PORT_Atoi(symKeyUtil.options[opt_KeySize].arg);
-    }
-
-    /*  -h specify token name  */
-    if (symKeyUtil.options[opt_TokenName].activated) {
-	if (PL_strcmp(symKeyUtil.options[opt_TokenName].arg, "all") == 0)
-	    slotname = NULL;
-	else
-	    slotname = PL_strdup(symKeyUtil.options[opt_TokenName].arg);
-    }
-
-    /* -t key type */
-    if  (symKeyUtil.options[opt_KeyType].activated) {
-	keyType = GetKeyMechFromString(symKeyUtil.options[opt_KeyType].arg);
-	if (keyType == (CK_MECHANISM_TYPE)-1) {
-	    PR_fprintf(PR_STDERR, 
-	          "%s unknown key type (%s).\n",
-	           progName, symKeyUtil.options[opt_KeyType].arg);
-	    return 255;
-	}
-    }
-
-    /* -k for import and unwrap, it specifies an input file to read from,
-     * for export and wrap it specifies an output file to write to */
-    if (symKeyUtil.options[opt_KeyFile].activated) {
-        if (symKeyUtil.commands[cmd_ImportKey].activated ||
-		symKeyUtil.commands[cmd_UnwrapKey].activated ) {
-	    int ret = ReadBuf(symKeyUtil.options[opt_KeyFile].arg, &key);
-	    if (ret < 0) {
-	        PR_fprintf(PR_STDERR, 
-	          "%s Couldn't read key file (%s).\n",
-	           progName, symKeyUtil.options[opt_KeyFile].arg);
-		return 255;
-	    }
-	}
-    }
-
-    /* -i specify the key ID */
-    if (symKeyUtil.options[opt_KeyID].activated) {
-	int ret = HexToBuf(symKeyUtil.options[opt_KeyID].arg, &keyID);
-	if (ret < 0) {
-	    PR_fprintf(PR_STDERR, 
-	          "%s invalid key ID (%s).\n",
-	           progName, symKeyUtil.options[opt_KeyID].arg);
-	    return 255;
-	}
-    }
-
-    /* -i & -j are mutually exclusive */
-    if ((symKeyUtil.options[opt_KeyID].activated) &&
-		 (symKeyUtil.options[opt_KeyIDFile].activated)) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -i and -j options are mutually exclusive.\n", progName);
-	return 255;
-    }
-
-    /* -x specify the Wrap key ID */
-    if (symKeyUtil.options[opt_WrapKeyID].activated) {
-	int ret = HexToBuf(symKeyUtil.options[opt_WrapKeyID].arg, &wrapKeyID);
-	if (ret < 0) {
-	    PR_fprintf(PR_STDERR, 
-	          "%s invalid key ID (%s).\n",
-	           progName, symKeyUtil.options[opt_WrapKeyID].arg);
-	    return 255;
-	}
-    }
-
-    /* -x & -y are mutually exclusive */
-    if ((symKeyUtil.options[opt_KeyID].activated) &&
-		 (symKeyUtil.options[opt_KeyIDFile].activated)) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -i and -j options are mutually exclusive.\n", progName);
-	return 255;
-    }
-	
-
-    /* -y specify the key ID */
-    if (symKeyUtil.options[opt_WrapKeyIDFile].activated) {
-	int ret = ReadBuf(symKeyUtil.options[opt_WrapKeyIDFile].arg,
-								 &wrapKeyID);
-	if (ret < 0) {
-	    PR_fprintf(PR_STDERR, 
-	          "%s Couldn't read key ID file (%s).\n",
-	           progName, symKeyUtil.options[opt_WrapKeyIDFile].arg);
-	    return 255;
-	}
-    }
-
-    /*  -P certdb name prefix */
-    if (symKeyUtil.options[opt_dbPrefix].activated)
-	certPrefix = strdup(symKeyUtil.options[opt_dbPrefix].arg);
-
-    /*  Check number of commands entered.  */
-    commandsEntered = 0;
-    for (i=0; i< symKeyUtil.numCommands; i++) {
-	if (symKeyUtil.commands[i].activated) {
-	    commandToRun = symKeyUtil.commands[i].flag;
-	    commandsEntered++;
-	}
-	if (commandsEntered > 1)
-	    break;
-    }
-    if (commandsEntered > 1) {
-	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);
-	PR_fprintf(PR_STDERR, "You entered: ");
-	for (i=0; i< symKeyUtil.numCommands; i++) {
-	    if (symKeyUtil.commands[i].activated)
-		PR_fprintf(PR_STDERR, " -%c", symKeyUtil.commands[i].flag);
-	}
-	PR_fprintf(PR_STDERR, "\n");
-	return 255;
-    }
-    if (commandsEntered == 0) {
-	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
-	Usage(progName);
-    }
-
-    if (symKeyUtil.commands[cmd_ListKeys].activated ||
-         symKeyUtil.commands[cmd_PrintHelp].activated ||
-         symKeyUtil.commands[cmd_ExportKey].activated ||
-         symKeyUtil.commands[cmd_WrapKey].activated) {
-	readOnly = !symKeyUtil.options[opt_RW].activated;
-    }
-
-    if ((symKeyUtil.commands[cmd_ImportKey].activated ||
-         symKeyUtil.commands[cmd_ExportKey].activated ||
-         symKeyUtil.commands[cmd_WrapKey].activated ||
-         symKeyUtil.commands[cmd_UnwrapKey].activated ) &&
-        !symKeyUtil.options[opt_KeyFile].activated) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -%c: keyfile is required for this command (-k).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  -E, -D, -W, and all require -n, -i, or -j to identify the key  */
-    if ((symKeyUtil.commands[cmd_ExportKey].activated ||
-         symKeyUtil.commands[cmd_DeleteKey].activated ||
-         symKeyUtil.commands[cmd_WrapKey].activated) &&
-        !(symKeyUtil.options[opt_Nickname].activated ||
-	  symKeyUtil.options[opt_KeyID].activated ||
-	  symKeyUtil.options[opt_KeyIDFile].activated)) {
-	PR_fprintf(PR_STDERR, 
-	  "%s -%c: nickname or id is required for this command (-n, -i, -j).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  -W, -U, and all  -w, -x, or -y to identify the wrapping key  */
-    if (( symKeyUtil.commands[cmd_WrapKey].activated ||
-         symKeyUtil.commands[cmd_UnwrapKey].activated) &&
-        !(symKeyUtil.options[opt_WrapKeyName].activated ||
-	  symKeyUtil.options[opt_WrapKeyID].activated ||
-	  symKeyUtil.options[opt_WrapKeyIDFile].activated)) {
-	PR_fprintf(PR_STDERR, 
-	  "%s -%c: wrap key is required for this command (-w, -x, or -y).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /* -M needs the target slot  (-g) */
-    if (symKeyUtil.commands[cmd_MoveKey].activated  &&
-			!symKeyUtil.options[opt_TargetToken].activated) {
-	PR_fprintf(PR_STDERR, 
-	          "%s -%c: target token is required for this command (-g).\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    /*  Using slotname == NULL for listing keys and certs on all slots, 
-     *  but only that. */
-    if (!(symKeyUtil.commands[cmd_ListKeys].activated) && slotname == NULL) {
-	PR_fprintf(PR_STDERR,
-	           "%s -%c: cannot use \"-h all\" for this command.\n",
-	           progName, commandToRun);
-	return 255;
-    }
-
-    name = SECU_GetOptionArg(&symKeyUtil, opt_Nickname);
-    wrapName = SECU_GetOptionArg(&symKeyUtil, opt_WrapKeyName);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /*  Initialize NSPR and NSS.  */
-    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-    rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,
-                        "secmod.db", readOnly ? NSS_INIT_READONLY: 0);
-    if (rv != SECSuccess) {
-	SECU_PrintPRandOSError(progName);
-	goto shutdown;
-    }
-    rv = SECFailure;
-
-    if (PL_strcmp(slotname, "internal") == 0)
-	slot = PK11_GetInternalKeySlot();
-    else if (slotname != NULL)
-	slot = PK11_FindSlotByName(slotname);
-
-    /* generating a new key */
-    if (symKeyUtil.commands[cmd_CreateNewKey].activated)  {
-	PK11SymKey *symKey;
-
-	symKey = PK11_TokenKeyGen(slot, keyType, NULL, keySize, 
-							NULL, PR_TRUE, &pwdata);
-	if (!symKey) {
-	    PR_fprintf(PR_STDERR, "%s: Token Key Gen Failed\n", progName);
-	    goto shutdown;
-	}
-	if (symKeyUtil.options[opt_Nickname].activated) {
-	    rv = PK11_SetSymKeyNickname(symKey, name);
-	    if (rv != SECSuccess) {
-		PK11_DeleteTokenSymKey(symKey);
-		PK11_FreeSymKey(symKey);
-	        PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",
-								 progName);
-		goto shutdown;
-	    }
-	}
-	rv = SECSuccess;
-	PrintKey(symKey);
-	PK11_FreeSymKey(symKey);
-    }
-    if (symKeyUtil.commands[cmd_DeleteKey].activated) {
-	PK11SymKey *symKey = FindKey(slot,name,&keyID,&pwdata);
-
-	if (!symKey) {
-	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    goto shutdown;
-	}
-
-	rv = PK11_DeleteTokenSymKey(symKey);
-	FreeKeyList(symKey);
-	if (rv != SECSuccess) {
-	    PR_fprintf(PR_STDERR, "%s: Couldn't Delete Key \n", progName);
-	    goto shutdown;
-	}
-    }
-    if (symKeyUtil.commands[cmd_UnwrapKey].activated) {
-	PK11SymKey *wrapKey = FindKey(slot,wrapName,&wrapKeyID,&pwdata);
-	PK11SymKey *symKey;
- 	CK_MECHANISM_TYPE mechanism;
-
-	if (!wrapKey) {
-	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
-							: PORT_Strdup(wrapName);
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    goto shutdown;
-	}
-	mechanism = GetWrapMechanism(wrapKey);
-	if (mechanism == CKM_INVALID_MECHANISM) {
-	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
-							: PORT_Strdup(wrapName);
-	    PR_fprintf(PR_STDERR, "%s: %s on %s is an invalid wrapping key\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    PK11_FreeSymKey(wrapKey);
-	    goto shutdown;
-	}
-
-	symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrapKey, mechanism, NULL,
-			&key, keyType, CKA_ENCRYPT, keySize, 0, PR_TRUE);
-	PK11_FreeSymKey(wrapKey);
-	if (!symKey) {
-	    PR_fprintf(PR_STDERR, "%s: Unwrap Key Failed\n", progName);
-	    goto shutdown;
-	}
-
-	if (symKeyUtil.options[opt_Nickname].activated) {
-	    rv = PK11_SetSymKeyNickname(symKey, name);
-	    if (rv != SECSuccess) {
-	        PR_fprintf(PR_STDERR, "%s: Couldn't set name on key\n", 
-								progName);
-		PK11_DeleteTokenSymKey(symKey);
-		PK11_FreeSymKey(symKey);
-		goto shutdown;
-	    }
-	}
-	rv = SECSuccess;
-	PrintKey(symKey);
-	PK11_FreeSymKey(symKey);
-    }
-
-#define MAX_KEY_SIZE 4098
-    if (symKeyUtil.commands[cmd_WrapKey].activated) {
-	PK11SymKey *symKey = FindKey(slot, name, &keyID, &pwdata);
-	PK11SymKey *wrapKey;
-	CK_MECHANISM_TYPE mechanism;
-	SECItem data;
-	unsigned char buf[MAX_KEY_SIZE];
-	int ret;
-
-	if (!symKey) {
-	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    goto shutdown;
-	}
-
-	wrapKey = FindKey(slot, wrapName, &wrapKeyID, &pwdata);
-	if (!wrapKey) {
-	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
-							: PORT_Strdup(wrapName);
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    PK11_FreeSymKey(symKey);
-	    goto shutdown;
-	}
-
-	mechanism = GetWrapMechanism(wrapKey);
-	if (mechanism == CKM_INVALID_MECHANISM) {
-	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 
-							: PORT_Strdup(wrapName);
-	    PR_fprintf(PR_STDERR, "%s: %s on %s is an invalid wrapping key\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    PK11_FreeSymKey(symKey);
-	    PK11_FreeSymKey(wrapKey);
-	    goto shutdown;
-	}
-
-	data.data = buf;
-	data.len = sizeof(buf);
-	rv = PK11_WrapSymKey(mechanism, NULL,  wrapKey, symKey, &data);
-	PK11_FreeSymKey(symKey);
-	PK11_FreeSymKey(wrapKey);
-	if (rv != SECSuccess) {
-	    PR_fprintf(PR_STDERR, "%s: Couldn't wrap key\n",progName);
-	    goto shutdown;
-	}
-
-	/* WriteBuf outputs it's own error using SECU_PrintError */
-	ret = WriteBuf(symKeyUtil.options[opt_KeyFile].arg, &data);
-	if (ret < 0) {
-	    goto shutdown;
-	}
-    }
-
-    if (symKeyUtil.commands[cmd_ImportKey].activated) {
-	PK11SymKey *symKey = PK11_ImportSymKey(slot, keyType,
-			 PK11_OriginUnwrap, CKA_ENCRYPT, &key,&pwdata);
-	if (!symKey) {
-	    PR_fprintf(PR_STDERR, "%s: Import Key Failed\n", progName);
-	    goto shutdown;
-	}
-	if (symKeyUtil.options[opt_Nickname].activated) {
-	    rv = PK11_SetSymKeyNickname(symKey, name);
-	    if (rv != SECSuccess) {
-	        PR_fprintf(PR_STDERR, "%s: Couldn't set name on key\n", 
-								progName);
-		PK11_DeleteTokenSymKey(symKey);
-		PK11_FreeSymKey(symKey);
-		goto shutdown;
-	    }
-	}
-	rv = SECSuccess;
-	PrintKey(symKey);
-	PK11_FreeSymKey(symKey);
-    }
-
-    /*  List certs (-L)  */
-    if (symKeyUtil.commands[cmd_ListKeys].activated) {
-	int printLabel = 1;
-	if (slot) {
-	    rv = ListKeys(slot,&printLabel,&pwdata);
-	} else {
-	    /* loop over all the slots */
-	    PK11SlotList *slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
-					PR_FALSE, PR_FALSE, &pwdata);
-	    if (slotList == NULL) {
-	        PR_fprintf(PR_STDERR, "%s: No tokens found\n",progName);
-	    } else {
-                PK11SlotListElement *se;
-                for (se = PK11_GetFirstSafe(slotList); se; 
-                                    se=PK11_GetNextSafe(slotList,se, PR_FALSE)) {
-                    rv = ListKeys(se->slot,&printLabel,&pwdata);
-                    if (rv !=SECSuccess) {
-                        break;
-                    }
-                }
-                if (se) {
-                    SECStatus rv2 = PK11_FreeSlotListElement(slotList, se);
-                    PORT_Assert(SECSuccess == rv2);
-                }
-                PK11_FreeSlotList(slotList);
-            }
-	}
-    }
-
-    /*  Move key (-M)  */
-    if (symKeyUtil.commands[cmd_MoveKey].activated) {
-	PK11SlotInfo *target;
-	char *targetName = symKeyUtil.options[opt_TargetToken].arg;
-	PK11SymKey *newKey;
-	PK11SymKey *symKey = FindKey(slot,name,&keyID,&pwdata);
-	char *keyName = PK11_GetSymKeyNickname(symKey);
-
-	if (!symKey) {
-	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
-			progName, keyName, PK11_GetTokenName(slot));
-	    PORT_Free(keyName);
-	    goto shutdown;
-	}
-	target = PK11_FindSlotByName(targetName);
-	if (!target) {
-	    PR_fprintf(PR_STDERR, "%s: Couldn't find slot %s\n",
-			progName, targetName);
-	    goto shutdown;
-	}
-	rv = PK11_Authenticate(target, PR_FALSE, &pwdata);
-	if (rv != SECSuccess) {
-	    PR_fprintf(PR_STDERR, "%s: Failed to log into %s\n",
-			progName, targetName);
-	    goto shutdown;
-	}
-	rv = SECFailure;
-	newKey = PK11_MoveSymKey(target, CKA_ENCRYPT, 0, PR_TRUE, symKey);
-	if (!newKey) {
-	    PR_fprintf(PR_STDERR, "%s: Couldn't move the key \n",progName);
-	    goto shutdown;
-	}
-	if (keyName) {
-	    rv = PK11_SetSymKeyNickname(newKey, keyName);
-	    if (rv != SECSuccess) {
-		PK11_DeleteTokenSymKey(newKey);
-		PK11_FreeSymKey(newKey);
-	        PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",
-								 progName);
-		goto shutdown;
-	    }
-	}
-	PK11_FreeSymKey(newKey);
-	rv = SECSuccess;
-    }
-
-shutdown:
-    if (rv != SECSuccess) {
-	PR_fprintf(PR_STDERR, "%s: %s\n", progName,
-					SECU_Strerror(PORT_GetError()));
-    }
-
-    if (key.data) {
-	PORT_Free(key.data);
-    }
-
-    if (keyID.data) {
-	PORT_Free(keyID.data);
-    }
-
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    if (rv == SECSuccess) {
-	return 0;
-    } else {
-	return 255;
-    }
-}
-
-
-
diff --git a/security/nss/cmd/tests/Makefile b/security/nss/cmd/tests/Makefile
deleted file mode 100644
index f4e0038c0..000000000
--- a/security/nss/cmd/tests/Makefile
+++ /dev/null
@@ -1,77 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-include ../platrules.mk
diff --git a/security/nss/cmd/tests/conflict.c b/security/nss/cmd/tests/conflict.c
deleted file mode 100644
index 7dc95b57a..000000000
--- a/security/nss/cmd/tests/conflict.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2008
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * This test verifies that NSS public headers don't conflict with common
- * identifier names.
- */
-
-#include "nssilckt.h"
-
-/*
- * Bug 455424: nssilckt.h used to define the enumeration constant 'Lock',
- * which conflicts with C++ code that defines a Lock class.  This is a
- * reduced test case in C for that name conflict.
- */
-typedef struct {
-    int dummy;
-} Lock;
-
-Lock lock;
-
-int main()
-{
-    return 0;
-}
diff --git a/security/nss/cmd/tests/manifest.mn b/security/nss/cmd/tests/manifest.mn
deleted file mode 100644
index 1418d08f3..000000000
--- a/security/nss/cmd/tests/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-CSRCS = \
-	conflict.c \
-	nonspr10.c \
-	remtest.c \
-	$(NULL)
-
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm
-
-PROGRAMS = $(CSRCS:.c=)
-
-TARGETS = $(PROGRAMS)
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/tests/nonspr10.c b/security/nss/cmd/tests/nonspr10.c
deleted file mode 100644
index a610bce54..000000000
--- a/security/nss/cmd/tests/nonspr10.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2008
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * This test verifies that NSS public headers can be compiled with no
- * NSPR 1.0 support.
- */
-
-#define NO_NSPR_10_SUPPORT 1
-
-#include "base64.h"
-#include "blapit.h"
-#include "cert.h"
-#include "certdb.h"
-#include "certt.h"
-#include "ciferfam.h"
-#include "cmmf.h"
-#include "cmmft.h"
-#include "cms.h"
-#include "cmsreclist.h"
-#include "cmst.h"
-#include "crmf.h"
-#include "crmft.h"
-#include "cryptohi.h"
-#include "cryptoht.h"
-#include "ecl-exp.h"
-#include "hasht.h"
-#include "key.h"
-#include "keyhi.h"
-#include "keyt.h"
-#include "keythi.h"
-#include "nss.h"
-#include "nssb64.h"
-#include "nssb64t.h"
-#include "nssbase.h"
-#include "nssbaset.h"
-#include "nssckbi.h"
-#include "nssilckt.h"
-#include "nssilock.h"
-#include "nsslocks.h"
-#include "nssrwlk.h"
-#include "nssrwlkt.h"
-#include "ocsp.h"
-#include "ocspt.h"
-#include "p12.h"
-#include "p12plcy.h"
-#include "p12t.h"
-#include "pk11func.h"
-#include "pk11pqg.h"
-#include "pk11priv.h"
-#include "pk11pub.h"
-#include "pk11sdr.h"
-#include "pkcs11.h"
-#include "pkcs11t.h"
-#include "pkcs12.h"
-#include "pkcs12t.h"
-#include "pkcs7t.h"
-#include "portreg.h"
-#include "preenc.h"
-#include "secasn1.h"
-#include "secasn1t.h"
-#include "seccomon.h"
-#include "secder.h"
-#include "secdert.h"
-#include "secdig.h"
-#include "secdigt.h"
-#include "secerr.h"
-#include "sechash.h"
-#include "secitem.h"
-#include "secmime.h"
-#include "secmod.h"
-#include "secmodt.h"
-#include "secoid.h"
-#include "secoidt.h"
-#include "secpkcs5.h"
-#include "secpkcs7.h"
-#include "secport.h"
-#include "shsign.h"
-#include "smime.h"
-#include "ssl.h"
-#include "sslerr.h"
-#include "sslproto.h"
-#include "sslt.h"
-
-int main()
-{
-    return 0;
-}
diff --git a/security/nss/cmd/tests/remtest.c b/security/nss/cmd/tests/remtest.c
deleted file mode 100644
index c49c7e4f1..000000000
--- a/security/nss/cmd/tests/remtest.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-**
-** Sample client side test program that uses SSL and NSS
-**
-*/
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#else
-#include "ctype.h"	/* for isalpha() */
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-#include "pk11func.h"
-#include "plgetopt.h"
-
-void
-Usage(char *progName) 
-{
-    fprintf(stderr,"usage: %s [-d profiledir] -t tokenName [-r]\n", progName);
-    exit(1);
-}
-
-int main(int argc, char **argv)
-{
-    char *             certDir  =  NULL;
-    PLOptState *optstate;
-    PLOptStatus optstatus;
-    SECStatus rv;
-    char * tokenName = NULL;
-    PRBool cont=PR_TRUE;
-    PK11TokenEvent event = PK11TokenPresentEvent;
-    PK11TokenStatus status;
-    char *progName;
-    PK11SlotInfo *slot;
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "rd:t:");
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-
-	  case 'd':
-	    certDir = strdup(optstate->value);
-	    certDir = SECU_ConfigDirectory(certDir);
-	    break;
-	  case 't':
-	    tokenName = strdup(optstate->value);
-	    break;
-	  case 'r':
-	    event = PK11TokenRemovedOrChangedEvent;
-	    break;
-	}
-    }
-    if (optstatus == PL_OPT_BAD)
-	Usage(progName);
-
-    if (tokenName == NULL) {
-	Usage(progName);
-    }
-
-    if (!certDir) {
-	certDir = SECU_DefaultSSLDir();	/* Look in $SSL_DIR */
-	certDir = SECU_ConfigDirectory(certDir); /* call even if it's NULL */
-    }
-
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /* open the cert DB, the key DB, and the secmod DB. */
-    rv = NSS_Init(certDir);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "unable to open cert database");
-	return 1;
-    }
-
-    printf("Looking up tokenNamed: <%s>\n",tokenName);
-    slot = PK11_FindSlotByName(tokenName);
-    if (slot == NULL) {
-	SECU_PrintError(progName, "unable to find token");
-	return 1;
-    }
-
-    do {
-	status = 
-	   PK11_WaitForTokenEvent(slot,event,PR_INTERVAL_NO_TIMEOUT, 0, 0);
-
-	switch (status) {
-	case PK11TokenNotRemovable:
-	    cont = PR_FALSE;
-	    printf("%s Token Not Removable\n",tokenName);
-	    break;
-	case PK11TokenChanged:
-	    event = PK11TokenRemovedOrChangedEvent;
-	    printf("%s Token Changed\n", tokenName);
-	    break;
-	case PK11TokenRemoved:
-	    event = PK11TokenPresentEvent;
-	    printf("%s Token Removed\n", tokenName);
-	    break;
-	case PK11TokenPresent:
-	    event = PK11TokenRemovedOrChangedEvent;
-	    printf("%s Token Present\n", tokenName);
-	    break;
-	}
-    } while (cont);
-
-    PK11_FreeSlot(slot);
-
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-    PR_Cleanup();
-    return 0;
-}
diff --git a/security/nss/cmd/tstclnt/Makefile b/security/nss/cmd/tstclnt/Makefile
deleted file mode 100644
index 297114522..000000000
--- a/security/nss/cmd/tstclnt/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#include ../platlibs.mk
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/tstclnt/manifest.mn b/security/nss/cmd/tstclnt/manifest.mn
deleted file mode 100644
index fa3f5fe16..000000000
--- a/security/nss/cmd/tstclnt/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-# DIRS = 
-
-CSRCS	= tstclnt.c  
-
-PROGRAM	= tstclnt
-
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
deleted file mode 100644
index 06c154108..000000000
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ /dev/null
@@ -1,1065 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-**
-** Sample client side test program that uses SSL and NSS
-**
-*/
-
-#include "secutil.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#else
-#include <ctype.h>	/* for isalpha() */
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-#include "ssl.h"
-#include "sslproto.h"
-#include "pk11func.h"
-#include "plgetopt.h"
-#include "plstr.h"
-
-#if defined(WIN32)
-#include <fcntl.h>
-#include <io.h>
-#endif
-
-#define PRINTF  if (verbose)  printf
-#define FPRINTF if (verbose) fprintf
-
-#define MAX_WAIT_FOR_SERVER 600
-#define WAIT_INTERVAL       100
-
-PRIntervalTime maxInterval    = PR_INTERVAL_NO_TIMEOUT;
-
-int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,			/* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,		/* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,		/* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,	/* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
-    0
-};
-
-int ssl3CipherSuites[] = {
-    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
-    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
-    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
-    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
-    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
-    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
-    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
-    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
-    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
-    0
-};
-
-unsigned long __cmp_umuls;
-PRBool verbose;
-int renegotiate = 0;
-
-static char *progName;
-
-secuPWData  pwdata          = { PW_NONE, 0 };
-
-void printSecurityInfo(PRFileDesc *fd)
-{
-    CERTCertificate * cert;
-    SSL3Statistics * ssl3stats = SSL_GetStatistics();
-    SECStatus result;
-    SSLChannelInfo    channel;
-    SSLCipherSuiteInfo suite;
-
-    result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
-    if (result == SECSuccess && 
-        channel.length == sizeof channel && 
-	channel.cipherSuite) {
-	result = SSL_GetCipherSuiteInfo(channel.cipherSuite, 
-					&suite, sizeof suite);
-	if (result == SECSuccess) {
-	    FPRINTF(stderr, 
-	    "tstclnt: SSL version %d.%d using %d-bit %s with %d-bit %s MAC\n",
-	       channel.protocolVersion >> 8, channel.protocolVersion & 0xff,
-	       suite.effectiveKeyBits, suite.symCipherName, 
-	       suite.macBits, suite.macAlgorithmName);
-	    FPRINTF(stderr, 
-	    "tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n",
-	       channel.authKeyBits, suite.authAlgorithmName,
-	       channel.keaKeyBits,  suite.keaTypeName);
-    	}
-    }
-    cert = SSL_RevealCert(fd);
-    if (cert) {
-	char * ip = CERT_NameToAscii(&cert->issuer);
-	char * sp = CERT_NameToAscii(&cert->subject);
-        if (sp) {
-	    fprintf(stderr, "subject DN: %s\n", sp);
-	    PORT_Free(sp);
-	}
-        if (ip) {
-	    fprintf(stderr, "issuer  DN: %s\n", ip);
-	    PORT_Free(ip);
-	}
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-    }
-    fprintf(stderr,
-    	"%ld cache hits; %ld cache misses, %ld cache not reusable\n"
-	"%ld stateless resumes\n",
-    	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
-	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
-}
-
-void
-handshakeCallback(PRFileDesc *fd, void *client_data)
-{
-    printSecurityInfo(fd);
-    if (renegotiate > 0) {
-	renegotiate--;
-	SSL_ReHandshake(fd, PR_FALSE);
-    }
-}
-
-static void Usage(const char *progName)
-{
-    fprintf(stderr, 
-"Usage:  %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvxr] \n"
-"                   [-c ciphers] [-w passwd] [-W pwfile] [-q]\n", progName);
-    fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
-    fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
-    fprintf(stderr, 
-            "%-20s Directory with cert database (default is ~/.netscape)\n",
-	    "-d certdir");
-    fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", 
-                    "-n nickname");
-    fprintf(stderr, 
-            "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
-    fprintf(stderr, "%-20s Disable SSL v2.\n", "-2");
-    fprintf(stderr, "%-20s Disable SSL v3.\n", "-3");
-    fprintf(stderr, "%-20s Disable TLS (SSL v3.1).\n", "-T");
-    fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
-    fprintf(stderr, "%-20s Client speaks first. \n", "-f");
-    fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
-    fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
-    fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
-    fprintf(stderr, "%-20s Use export policy.\n", "-x");
-    fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
-    fprintf(stderr, "%-20s Renegotiate with session resumption.\n", "-r");
-    fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
-    fprintf(stderr, "%-20s Letter(s) chosen from the following list\n", 
-                    "-c ciphers");
-    fprintf(stderr, 
-"A    SSL2 RC4 128 WITH MD5\n"
-"B    SSL2 RC4 128 EXPORT40 WITH MD5\n"
-"C    SSL2 RC2 128 CBC WITH MD5\n"
-"D    SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
-"E    SSL2 DES 64 CBC WITH MD5\n"
-"F    SSL2 DES 192 EDE3 CBC WITH MD5\n"
-"\n"
-"c    SSL3 RSA WITH RC4 128 MD5\n"
-"d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
-"e    SSL3 RSA WITH DES CBC SHA\n"
-"f    SSL3 RSA EXPORT WITH RC4 40 MD5\n"
-"g    SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
-"i    SSL3 RSA WITH NULL MD5\n"
-"j    SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
-"k    SSL3 RSA FIPS WITH DES CBC SHA\n"
-"l    SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
-"m    SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
-"n    SSL3 RSA WITH RC4 128 SHA\n"
-"o    SSL3 DHE DSS WITH RC4 128 SHA\n"
-"p    SSL3 DHE RSA WITH 3DES EDE CBC SHA\n"
-"q    SSL3 DHE DSS WITH 3DES EDE CBC SHA\n"
-"r    SSL3 DHE RSA WITH DES CBC SHA\n"
-"s    SSL3 DHE DSS WITH DES CBC SHA\n"
-"t    SSL3 DHE DSS WITH AES 128 CBC SHA\n"
-"u    SSL3 DHE RSA WITH AES 128 CBC SHA\n"
-"v    SSL3 RSA WITH AES 128 CBC SHA\n"
-"w    SSL3 DHE DSS WITH AES 256 CBC SHA\n"
-"x    SSL3 DHE RSA WITH AES 256 CBC SHA\n"
-"y    SSL3 RSA WITH AES 256 CBC SHA\n"
-"z    SSL3 RSA WITH NULL SHA\n"
-"\n"
-":WXYZ  Use cipher with hex code { 0xWX , 0xYZ } in TLS\n"
-	);
-    exit(1);
-}
-
-void
-milliPause(PRUint32 milli)
-{
-    PRIntervalTime ticks = PR_MillisecondsToInterval(milli);
-    PR_Sleep(ticks);
-}
-
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    /* disable all the SSL3 cipher suites */
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    PRErrorCode err = PR_GetError();
-	    fprintf(stderr,
-	            "SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n",
-	    	   suite, i, SECU_Strerror(err));
-	    exit(2);
-	}
-    }
-}
-
-/*
- * Callback is called when incoming certificate is not valid.
- * Returns SECSuccess to accept the cert anyway, SECFailure to reject.
- */
-static SECStatus 
-ownBadCertHandler(void * arg, PRFileDesc * socket)
-{
-    PRErrorCode err = PR_GetError();
-    /* can log invalid cert here */
-    fprintf(stderr, "Bad server certificate: %d, %s\n", err, 
-            SECU_Strerror(err));
-    return SECSuccess;	/* override, say it's OK. */
-}
-
-SECStatus
-own_GetClientAuthData(void *                       arg,
-                      PRFileDesc *                 socket,
-                      struct CERTDistNamesStr *    caNames,
-                      struct CERTCertificateStr ** pRetCert,
-                      struct SECKEYPrivateKeyStr **pRetKey)
-{
-    if (verbose > 1) {
-	SECStatus rv;
-        fprintf(stderr, "Server requested Client Authentication\n");
-	if (caNames && caNames->nnames > 0) {
-	    PLArenaPool *arena = caNames->arena;
-	    if (!arena)
-		arena = PORT_NewArena(2048);
-	    if (arena) {
-		int i;
-		for (i = 0; i < caNames->nnames; ++i) {
-		    char *nameString;
-		    CERTName dn;
-		    rv = SEC_QuickDERDecodeItem(arena, 
-					    &dn,
-					    SEC_ASN1_GET(CERT_NameTemplate), 
-					    caNames->names + i);
-		    if (rv != SECSuccess)
-			continue;
-		    nameString = CERT_NameToAscii(&dn);
-		    if (!nameString)
-			continue;
-		    fprintf(stderr, "CA[%d]: %s\n", i + 1, nameString);
-		    PORT_Free(nameString);
-		}
-		if (!caNames->arena) {
-		    PORT_FreeArena(arena, PR_FALSE);
-		}
-	    }
-	}
-	rv = NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
-	if (rv == SECSuccess && *pRetCert) {
-	    char *nameString = CERT_NameToAscii(&((*pRetCert)->subject));
-	    if (nameString) {
-		fprintf(stderr, "sent cert: %s\n", nameString);
-		PORT_Free(nameString);
-	    }
-	} else {
-	    fprintf(stderr, "send no cert\n");
-	}
-	return rv;
-    }
-    return NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
-}
-
-#if defined(WIN32) || defined(OS2)
-void
-thread_main(void * arg)
-{
-    PRFileDesc * ps     = (PRFileDesc *)arg;
-    PRFileDesc * std_in = PR_GetSpecialFD(PR_StandardInput);
-    int wc, rc;
-    char buf[256];
-
-#ifdef WIN32
-    {
-	/* Put stdin into O_BINARY mode 
-	** or else incoming \r\n's will become \n's.
-	*/
-	int smrv = _setmode(_fileno(stdin), _O_BINARY);
-	if (smrv == -1) {
-	    fprintf(stderr,
-	    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
-	            progName);
-	    /* plow ahead anyway */
-	}
-    }
-#endif
-
-    do {
-	rc = PR_Read(std_in, buf, sizeof buf);
-	if (rc <= 0)
-	    break;
-	wc = PR_Send(ps, buf, rc, 0, maxInterval);
-    } while (wc == rc);
-    PR_Close(ps);
-}
-
-#endif
-
-static void
-printHostNameAndAddr(const char * host, const PRNetAddr * addr)
-{
-    PRUint16 port = PR_NetAddrInetPort(addr);
-    char addrBuf[80];
-    PRStatus st = PR_NetAddrToString(addr, addrBuf, sizeof addrBuf);
-
-    if (st == PR_SUCCESS) {
-	port = PR_ntohs(port);
-	FPRINTF(stderr, "%s: connecting to %s:%hu (address=%s)\n",
-	       progName, host, port, addrBuf);
-    }
-}
-
-/*
- *  Prints output according to skipProtoHeader flag. If skipProtoHeader
- *  is not set, prints without any changes, otherwise looking
- *  for \n\r\n(empty line sequence: HTTP header separator) and
- *  prints everything after it.
- */
-static void
-separateReqHeader(const PRFileDesc* outFd, const char* buf, const int nb,
-                  PRBool *wrStarted, int *ptrnMatched) {
-
-    /* it is sufficient to look for only "\n\r\n". Hopping that
-     * HTTP response format satisfies the standard */
-    char *ptrnStr = "\n\r\n";
-    char *resPtr;
-
-    if (nb == 0) {
-        return;
-    }
-
-    if (*ptrnMatched > 0) {
-        /* Get here only if previous separateReqHeader call found
-         * only a fragment of "\n\r\n" in previous buffer. */
-        PORT_Assert(*ptrnMatched < 3);
-
-        /* the size of fragment of "\n\r\n" what we want to find in this
-         * buffer is equal to *ptrnMatched */
-        if (*ptrnMatched <= nb) {
-            /* move the pointer to the beginning of the fragment */
-            int strSize = *ptrnMatched;
-            char *tmpPtrn = ptrnStr + (3 - strSize);
-            if (PL_strncmp(buf, tmpPtrn, strSize) == 0) {
-                /* print the rest of the buffer(without the fragment) */
-                PR_Write((void*)outFd, buf + strSize, nb - strSize);
-                *wrStarted = PR_TRUE;
-                return;
-            }
-        } else {
-            /* we are here only when nb == 1 && *ptrnMatched == 2 */
-            if (*buf == '\r') {
-                *ptrnMatched = 1;
-            } else {
-                *ptrnMatched = 0;
-            }
-            return;
-        }
-    }
-    resPtr = PL_strnstr(buf, ptrnStr, nb);
-    if (resPtr != NULL) {
-        /* if "\n\r\n" was found in the buffer, calculate offset
-         * and print the rest of the buffer */
-        int newBn = nb - (resPtr - buf + 3); /* 3 is the length of "\n\r\n" */
-
-        PR_Write((void*)outFd, resPtr + 3, newBn);
-        *wrStarted = PR_TRUE;
-        return;
-    } else {
-        /* try to find a fragment of "\n\r\n" at the end of the buffer.
-         * if found, set *ptrnMatched to the number of chars left to find
-         * in the next buffer.*/
-        int i;
-        for(i = 1 ;i < 3;i++) {
-            char *bufPrt;
-            int strSize = 3 - i;
-            
-            if (strSize > nb) {
-                continue;
-            }
-            bufPrt = (char*)(buf + nb - strSize);
-            
-            if (PL_strncmp(bufPrt, ptrnStr, strSize) == 0) {
-                *ptrnMatched = i;
-                return;
-            }
-        }
-    }
-}
-
-#define SSOCK_FD 0
-#define STDIN_FD 1
-
-#define HEXCHAR_TO_INT(c, i) \
-    if (((c) >= '0') && ((c) <= '9')) { \
-	i = (c) - '0'; \
-    } else if (((c) >= 'a') && ((c) <= 'f')) { \
-	i = (c) - 'a' + 10; \
-    } else if (((c) >= 'A') && ((c) <= 'F')) { \
-	i = (c) - 'A' + 10; \
-    } else { \
-	Usage(progName); \
-    }
-
-int main(int argc, char **argv)
-{
-    PRFileDesc *       s;
-    PRFileDesc *       std_out;
-    CERTCertDBHandle * handle;
-    char *             host	=  NULL;
-    char *             certDir  =  NULL;
-    char *             nickname =  NULL;
-    char *             cipherString = NULL;
-    char *             tmp;
-    int                multiplier = 0;
-    SECStatus          rv;
-    PRStatus           status;
-    PRInt32            filesReady;
-    int                npds;
-    int                override = 0;
-    int                disableSSL2 = 0;
-    int                disableSSL3 = 0;
-    int                disableTLS  = 0;
-    int                bypassPKCS11 = 0;
-    int                disableLocking = 0;
-    int                useExportPolicy = 0;
-    int                enableSessionTickets = 0;
-    PRSocketOptionData opt;
-    PRNetAddr          addr;
-    PRPollDesc         pollset[2];
-    PRBool             pingServerFirst = PR_FALSE;
-    PRBool             clientSpeaksFirst = PR_FALSE;
-    PRBool             wrStarted = PR_FALSE;
-    PRBool             skipProtoHeader = PR_FALSE;
-    int                headerSeparatorPtrnId = 0;
-    int                error = 0;
-    PRUint16           portno = 443;
-    PLOptState *optstate;
-    PLOptStatus optstatus;
-    PRStatus prStatus;
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
-    if (tmp && tmp[0]) {
-       int sec = PORT_Atoi(tmp);
-       if (sec > 0) {
-           maxInterval = PR_SecondsToInterval(sec);
-       }
-    }
-
-    optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:xW:");
-    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case '?':
-	  default : Usage(progName); 			break;
-
-          case '2': disableSSL2 = 1; 			break;
-
-          case '3': disableSSL3 = 1; 			break;
-
-          case 'B': bypassPKCS11 = 1; 			break;
-
-          case 'T': disableTLS  = 1; 			break;
-
-          case 'S': skipProtoHeader = PR_TRUE;                 break;
-
-          case 'c': cipherString = PORT_Strdup(optstate->value); break;
-
-          case 'h': host = PORT_Strdup(optstate->value);	break;
-
-          case 'f':  clientSpeaksFirst = PR_TRUE;       break;
-
-          case 'd': certDir = PORT_Strdup(optstate->value);   break;
-
-	  case 'm':
-	    multiplier = atoi(optstate->value);
-	    if (multiplier < 0)
-	    	multiplier = 0;
-	    break;
-
-	  case 'n': nickname = PORT_Strdup(optstate->value);	break;
-
-	  case 'o': override = 1; 			break;
-
-	  case 'p': portno = (PRUint16)atoi(optstate->value);	break;
-
-	  case 'q': pingServerFirst = PR_TRUE;          break;
-
-	  case 's': disableLocking = 1;                 break;
-
-	  case 'u': enableSessionTickets = PR_TRUE;	break;
-
-	  case 'v': verbose++;	 			break;
-
-	  case 'r': renegotiate = atoi(optstate->value);	break;
-
-          case 'w':
-                pwdata.source = PW_PLAINTEXT;
-		pwdata.data = PORT_Strdup(optstate->value);
-		break;
-
-          case 'W':
-                pwdata.source = PW_FROMFILE;
-                pwdata.data = PORT_Strdup(optstate->value);
-                break;
-
-	  case 'x': useExportPolicy = 1; 		break;
-	}
-    }
-
-    PL_DestroyOptState(optstate);
-
-    if (optstatus == PL_OPT_BAD)
-	Usage(progName);
-
-    if (!host || !portno) 
-    	Usage(progName);
-
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /* open the cert DB, the key DB, and the secmod DB. */
-    if (!certDir) {
-	certDir = SECU_DefaultSSLDir();	/* Look in $SSL_DIR */
-	certDir = SECU_ConfigDirectory(certDir);
-    } else {
-	char *certDirTmp = certDir;
-	certDir = SECU_ConfigDirectory(certDirTmp);
-	PORT_Free(certDirTmp);
-    }
-    rv = NSS_Init(certDir);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "unable to open cert database");
-#if 0
-    rv = CERT_OpenVolatileCertDB(handle);
-	CERT_SetDefaultCertDB(handle);
-#else
-	return 1;
-#endif
-    }
-    handle = CERT_GetDefaultCertDB();
-
-    /* set the policy bits true for all the cipher suites. */
-    if (useExportPolicy)
-	NSS_SetExportPolicy();
-    else
-	NSS_SetDomesticPolicy();
-
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
-    if (cipherString) {
-	/* disable all the ciphers, then enable the ones we want. */
-	disableAllSSLCiphers();
-    }
-
-    status = PR_StringToNetAddr(host, &addr);
-    if (status == PR_SUCCESS) {
-    	addr.inet.port = PR_htons(portno);
-    } else {
-	/* Lookup host */
-	PRAddrInfo *addrInfo;
-	void       *enumPtr   = NULL;
-
-	addrInfo = PR_GetAddrInfoByName(host, PR_AF_UNSPEC, 
-	                                PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
-	if (!addrInfo) {
-	    SECU_PrintError(progName, "error looking up host");
-	    return 1;
-	}
-	do {
-	    enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, portno, &addr);
-	} while (enumPtr != NULL &&
-		 addr.raw.family != PR_AF_INET &&
-		 addr.raw.family != PR_AF_INET6);
-	PR_FreeAddrInfo(addrInfo);
-	if (enumPtr == NULL) {
-	    SECU_PrintError(progName, "error looking up host address");
-	    return 1;
-	}
-    }
-
-    printHostNameAndAddr(host, &addr);
-
-    if (pingServerFirst) {
-	int iter = 0;
-	PRErrorCode err;
-	do {
-	    s = PR_OpenTCPSocket(addr.raw.family);
-	    if (s == NULL) {
-		SECU_PrintError(progName, "Failed to create a TCP socket");
-	    }
-	    opt.option             = PR_SockOpt_Nonblocking;
-	    opt.value.non_blocking = PR_FALSE;
-	    prStatus = PR_SetSocketOption(s, &opt);
-	    if (prStatus != PR_SUCCESS) {
-		PR_Close(s);
-		SECU_PrintError(progName, 
-		                "Failed to set blocking socket option");
-		return 1;
-	    }
-	    prStatus = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
-	    if (prStatus == PR_SUCCESS) {
-    		PR_Shutdown(s, PR_SHUTDOWN_BOTH);
-    		PR_Close(s);
-               if (NSS_Shutdown() != SECSuccess) {
-                   exit(1);
-               }
-    		PR_Cleanup();
-		return 0;
-	    }
-	    err = PR_GetError();
-	    if ((err != PR_CONNECT_REFUSED_ERROR) && 
-	        (err != PR_CONNECT_RESET_ERROR)) {
-		SECU_PrintError(progName, "TCP Connection failed");
-		return 1;
-	    }
-	    PR_Close(s);
-	    PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL));
-	} while (++iter < MAX_WAIT_FOR_SERVER);
-	SECU_PrintError(progName, 
-                     "Client timed out while waiting for connection to server");
-	return 1;
-    }
-
-    /* Create socket */
-    s = PR_OpenTCPSocket(addr.raw.family);
-    if (s == NULL) {
-	SECU_PrintError(progName, "error creating socket");
-	return 1;
-    }
-
-    opt.option = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_TRUE;
-    PR_SetSocketOption(s, &opt);
-    /*PR_SetSocketOption(PR_GetSpecialFD(PR_StandardInput), &opt);*/
-
-    s = SSL_ImportFD(NULL, s);
-    if (s == NULL) {
-	SECU_PrintError(progName, "error importing socket");
-	return 1;
-    }
-
-    rv = SSL_OptionSet(s, SSL_SECURITY, 1);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "error enabling socket");
-	return 1;
-    }
-
-    rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling client handshake");
-	return 1;
-    }
-
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
-    if (cipherString) {
-    	char *cstringSaved = cipherString;
-    	int ndx;
-
-	while (0 != (ndx = *cipherString++)) {
-	    int  cipher;
-
-	    if (ndx == ':') {
-		int ctmp;
-
-		cipher = 0;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 12);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 8);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= (ctmp << 4);
-		cipherString++;
-		HEXCHAR_TO_INT(*cipherString, ctmp)
-		cipher |= ctmp;
-		cipherString++;
-	    } else {
-		const int *cptr;
-
-		if (! isalpha(ndx))
-		    Usage(progName);
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-		    /* do nothing */;
-	    }
-	    if (cipher > 0) {
-		SECStatus status;
-		status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
-		if (status != SECSuccess) 
-		    SECU_PrintError(progName, "SSL_CipherPrefSet()");
-	    } else {
-		Usage(progName);
-	    }
-	}
-	PORT_Free(cstringSaved);
-    }
-
-    rv = SSL_OptionSet(s, SSL_ENABLE_SSL2, !disableSSL2);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling SSLv2 ");
-	return 1;
-    }
-
-    rv = SSL_OptionSet(s, SSL_ENABLE_SSL3, !disableSSL3);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling SSLv3 ");
-	return 1;
-    }
-
-    rv = SSL_OptionSet(s, SSL_ENABLE_TLS, !disableTLS);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling TLS ");
-	return 1;
-    }
-
-    /* disable ssl2 and ssl2-compatible client hellos. */
-    rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error disabling v2 compatibility");
-	return 1;
-    }
-
-    /* enable PKCS11 bypass */
-    rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling PKCS11 bypass");
-	return 1;
-    }
-
-    /* disable SSL socket locking */
-    rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error disabling SSL socket locking");
-	return 1;
-    }
-
-    /* enable Session Ticket extension. */
-    rv = SSL_OptionSet(s, SSL_ENABLE_SESSION_TICKETS, enableSessionTickets);
-    if (rv != SECSuccess) {
-	SECU_PrintError(progName, "error enabling Session Ticket extension");
-	return 1;
-    }
-
-    SSL_SetPKCS11PinArg(s, &pwdata);
-
-    SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
-    if (override) {
-	SSL_BadCertHook(s, ownBadCertHandler, NULL);
-    }
-    SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
-    SSL_HandshakeCallback(s, handshakeCallback, NULL);
-    SSL_SetURL(s, host);
-
-    /* Try to connect to the server */
-    status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
-    if (status != PR_SUCCESS) {
-	if (PR_GetError() == PR_IN_PROGRESS_ERROR) {
-	    if (verbose)
-		SECU_PrintError(progName, "connect");
-	    milliPause(50 * multiplier);
-	    pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
-	    pollset[SSOCK_FD].out_flags = 0;
-	    pollset[SSOCK_FD].fd = s;
-	    while(1) {
-		FPRINTF(stderr, 
-		        "%s: about to call PR_Poll for connect completion!\n", 
-			progName);
-		filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
-		if (filesReady < 0) {
-		    SECU_PrintError(progName, "unable to connect (poll)");
-		    return 1;
-		}
-		FPRINTF(stderr,
-		        "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
-			progName, pollset[SSOCK_FD].out_flags);
-		if (filesReady == 0) {	/* shouldn't happen! */
-		    FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
-		    return 1;
-		}
-		/* Must milliPause between PR_Poll and PR_GetConnectStatus,
-		 * Or else winsock gets mighty confused.
-		 * Sleep(0);
-		 */
-		milliPause(1);
-		status = PR_GetConnectStatus(pollset);
-		if (status == PR_SUCCESS) {
-		    break;
-		}
-		if (PR_GetError() != PR_IN_PROGRESS_ERROR) {
-		    SECU_PrintError(progName, "unable to connect (poll)");
-		    return 1;
-		}
-		SECU_PrintError(progName, "poll");
-		milliPause(50 * multiplier);
-	    }
-	} else {
-	    SECU_PrintError(progName, "unable to connect");
-	    return 1;
-	}
-    }
-
-    pollset[SSOCK_FD].fd        = s;
-    pollset[SSOCK_FD].in_flags  = PR_POLL_EXCEPT |
-                                  (clientSpeaksFirst ? 0 : PR_POLL_READ);
-    pollset[STDIN_FD].fd        = PR_GetSpecialFD(PR_StandardInput);
-    pollset[STDIN_FD].in_flags  = PR_POLL_READ;
-    npds                 = 2;
-    std_out              = PR_GetSpecialFD(PR_StandardOutput);
-
-#if defined(WIN32) || defined(OS2)
-    /* PR_Poll cannot be used with stdin on Windows or OS/2.  (sigh). 
-    ** But use of PR_Poll and non-blocking sockets is a major feature
-    ** of this program.  So, we simulate a pollable stdin with a 
-    ** TCP socket pair and a  thread that reads stdin and writes to 
-    ** that socket pair.
-    */
-  {
-    PRFileDesc * fds[2];
-    PRThread *   thread;
-
-    int nspr_rv = PR_NewTCPSocketPair(fds);
-    if (nspr_rv != PR_SUCCESS) {
-        SECU_PrintError(progName, "PR_NewTCPSocketPair failed");
-	error = 1;
-	goto done;
-    }
-    pollset[STDIN_FD].fd = fds[1];
-
-    thread = PR_CreateThread(PR_USER_THREAD, thread_main, fds[0], 
-                             PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, 
-                             PR_UNJOINABLE_THREAD, 0);
-    if (!thread) {
-        SECU_PrintError(progName, "PR_CreateThread failed");
-	error = 1;
-	goto done;
-    }
-  }
-#endif
-
-    /*
-    ** Select on stdin and on the socket. Write data from stdin to
-    ** socket, read data from socket and write to stdout.
-    */
-    FPRINTF(stderr, "%s: ready...\n", progName);
-
-    while (pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) {
-	char buf[4000];	/* buffer for stdin */
-	int nb;		/* num bytes read from stdin. */
-
-	pollset[SSOCK_FD].out_flags = 0;
-	pollset[STDIN_FD].out_flags = 0;
-
-	FPRINTF(stderr, "%s: about to call PR_Poll !\n", progName);
-	filesReady = PR_Poll(pollset, npds, PR_INTERVAL_NO_TIMEOUT);
-	if (filesReady < 0) {
-	    SECU_PrintError(progName, "select failed");
-	    error = 1;
-	    goto done;
-	}
-	if (filesReady == 0) {	/* shouldn't happen! */
-	    FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
-	    return 1;
-	}
-	FPRINTF(stderr, "%s: PR_Poll returned!\n", progName);
-	if (pollset[STDIN_FD].in_flags) {
-	    FPRINTF(stderr,
-		    "%s: PR_Poll returned 0x%02x for stdin out_flags.\n",
-		    progName, pollset[STDIN_FD].out_flags);
-	}
-	if (pollset[SSOCK_FD].in_flags) {
-	    FPRINTF(stderr, 
-	            "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
-		    progName, pollset[SSOCK_FD].out_flags);
-	}
-	if (pollset[STDIN_FD].out_flags & PR_POLL_READ) {
-	    /* Read from stdin and write to socket */
-	    nb = PR_Read(pollset[STDIN_FD].fd, buf, sizeof(buf));
-	    FPRINTF(stderr, "%s: stdin read %d bytes\n", progName, nb);
-	    if (nb < 0) {
-		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
-		    SECU_PrintError(progName, "read from stdin failed");
-	            error = 1;
-		    break;
-		}
-	    } else if (nb == 0) {
-		/* EOF on stdin, stop polling stdin for read. */
-		pollset[STDIN_FD].in_flags = 0;
-	    } else {
-		char * bufp = buf;
-		FPRINTF(stderr, "%s: Writing %d bytes to server\n", 
-		        progName, nb);
-		do {
-		    PRInt32 cc = PR_Send(s, bufp, nb, 0, maxInterval);
-		    if (cc < 0) {
-		    	PRErrorCode err = PR_GetError();
-			if (err != PR_WOULD_BLOCK_ERROR) {
-			    SECU_PrintError(progName, 
-			                    "write to SSL socket failed");
-			    error = 254;
-			    goto done;
-			}
-			cc = 0;
-		    }
-		    bufp += cc;
-		    nb   -= cc;
-		    if (nb <= 0) 
-		    	break;
-		    pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
-		    pollset[SSOCK_FD].out_flags = 0;
-		    FPRINTF(stderr,
-		            "%s: about to call PR_Poll on writable socket !\n", 
-			    progName);
-		    cc = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
-		    FPRINTF(stderr,
-		            "%s: PR_Poll returned with writable socket !\n", 
-			    progName);
-		} while (1);
-		pollset[SSOCK_FD].in_flags  = PR_POLL_READ;
-	    }
-	}
-
-	if (pollset[SSOCK_FD].in_flags) {
-	    FPRINTF(stderr, 
-	            "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
-		    progName, pollset[SSOCK_FD].out_flags);
-	}
-	if (   (pollset[SSOCK_FD].out_flags & PR_POLL_READ) 
-	    || (pollset[SSOCK_FD].out_flags & PR_POLL_ERR)  
-#ifdef PR_POLL_HUP
-	    || (pollset[SSOCK_FD].out_flags & PR_POLL_HUP)
-#endif
-	    ) {
-	    /* Read from socket and write to stdout */
-	    nb = PR_Recv(pollset[SSOCK_FD].fd, buf, sizeof buf, 0, maxInterval);
-	    FPRINTF(stderr, "%s: Read from server %d bytes\n", progName, nb);
-	    if (nb < 0) {
-		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
-		    SECU_PrintError(progName, "read from socket failed");
-		    error = 1;
-		    goto done;
-	    	}
-	    } else if (nb == 0) {
-		/* EOF from socket... stop polling socket for read */
-		pollset[SSOCK_FD].in_flags = 0;
-	    } else {
-		if (skipProtoHeader != PR_TRUE || wrStarted == PR_TRUE) {
-		    PR_Write(std_out, buf, nb);
-		} else {
-		    separateReqHeader(std_out, buf, nb, &wrStarted,
-		                      &headerSeparatorPtrnId);
-		}
-		if (verbose)
-		    fputs("\n\n", stderr);
-	    }
-	}
-	milliPause(50 * multiplier);
-    }
-
-  done:
-    if (nickname) {
-        PORT_Free(nickname);
-    }
-    if (pwdata.data) {
-        PORT_Free(pwdata.data);
-    }
-    PORT_Free(host);
-
-    PR_Close(s);
-    SSL_ClearSessionCache();
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
-
-    FPRINTF(stderr, "tstclnt: exiting with return code %d\n", error);
-    PR_Cleanup();
-    return error;
-}
diff --git a/security/nss/cmd/vfychain/Makefile b/security/nss/cmd/vfychain/Makefile
deleted file mode 100644
index 297114522..000000000
--- a/security/nss/cmd/vfychain/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#include ../platlibs.mk
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/vfychain/manifest.mn b/security/nss/cmd/vfychain/manifest.mn
deleted file mode 100644
index 981d55bb8..000000000
--- a/security/nss/cmd/vfychain/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd 
-
-# DIRS = 
-
-CSRCS	= vfychain.c  
-DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
-
-PROGRAM	= vfychain
-
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
deleted file mode 100644
index fb60bad0f..000000000
--- a/security/nss/cmd/vfychain/vfychain.c
+++ /dev/null
@@ -1,794 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- *  Read in a cert chain from one or more files, and verify the chain for
- *  some usage.
- *                                                                          *
- *  This code was modified from other code also kept in the NSS directory.
- ****************************************************************************/ 
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "seccomon.h"
-#include "secutil.h"
-#include "secmod.h"
-#include "secitem.h"
-#include "cert.h"
-#include "ocsp.h"
-
-
-/* #include <stdlib.h> */
-/* #include <errno.h> */
-/* #include <fcntl.h> */
-/* #include <stdarg.h> */
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prio.h"
-#include "nss.h"
-
-/* #include "vfyutil.h" */
-
-#define RD_BUF_SIZE (60 * 1024)
-
-int verbose;
-
-secuPWData  pwdata          = { PW_NONE, 0 };
-
-static void
-Usage(const char *progName)
-{
-    fprintf(stderr, 
-	"Usage: %s [options] [revocation options] certfile "
-            "[[options] certfile] ...\n"
-	"\tWhere options are:\n"
-	"\t-a\t\t Following certfile is base64 encoded\n"
-	"\t-b YYMMDDHHMMZ\t Validate date (default: now)\n"
-	"\t-d directory\t Database directory\n"
-	"\t-i number of consecutive verifications\n"
-	"\t-f \t\t Enable cert fetching from AIA URL\n"
-	"\t-o oid\t\t Set policy OID for cert validation(Format OID.1.2.3)\n"
-	"\t-p \t\t Use PKIX Library to validate certificate by calling:\n"
-	"\t\t\t   * CERT_VerifyCertificate if specified once,\n"
-	"\t\t\t   * CERT_PKIXVerifyCert if specified twice and more.\n"
-	"\t-r\t\t Following certfile is raw binary DER (default)\n"
-        "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
-	"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
-	"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
-	"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
-	"\t-v\t\t Verbose mode. Prints root cert subject(double the\n"
-	"\t\t\t argument for whole root cert info)\n"
-	"\t-w password\t Database password.\n"
-	"\t-W pwfile\t Password file.\n\n"
-        "\tRevocation options for PKIX API(invoked with -pp options) is a\n"
-        "\tcollection of the following flags:\n"
-        "\t\t[-g type [-h flags] [-m type [-s flags]] ...] ...\n"
-        "\tWhere:\n"
-        "\t-g test type\t Sets status checking test type. Possible values\n"
-        "\t\t\tare \"leaf\" or \"chain\"\n"
-        "\t-h test flags\t Sets revocation flags for the test type it\n"
-        "\t\t\tfollows. Possible flags: \"testLocalInfoFirst\" and\n"
-        "\t\t\t\"requireFreshInfo\".\n"
-        "\t-m method type\t Sets method type for the test type it follows.\n"
-        "\t\t\tPossible types are \"crl\" and \"ocsp\".\n"
-        "\t-s method flags\t Sets revocation flags for the method it follows.\n"
-        "\t\t\tPossible types are \"doNotUse\", \"forbidFetching\",\n"
-        "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failIfNoInfo\".\n",
-        progName);
-    exit(1);
-}
-
-/**************************************************************************
-** 
-** Error and information routines.
-**
-**************************************************************************/
-
-void
-errWarn(char *function)
-{
-    PRErrorCode  errorNumber = PR_GetError();
-    const char * errorString = SECU_Strerror(errorNumber);
-
-    fprintf(stderr, "Error in function %s: %d\n - %s\n",
-		    function, errorNumber, errorString);
-}
-
-void
-exitErr(char *function)
-{
-    errWarn(function);
-    /* Exit gracefully. */
-    /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
-    (void) NSS_Shutdown();
-    PR_Cleanup();
-    exit(1);
-}
-
-typedef struct certMemStr {
-    struct certMemStr * next;
-    CERTCertificate * cert;
-} certMem;
-
-certMem * theCerts;
-CERTCertList *trustedCertList;
-
-void
-rememberCert(CERTCertificate * cert, PRBool trusted)
-{
-    if (trusted) {
-        if (!trustedCertList) {
-            trustedCertList = CERT_NewCertList();
-        }
-        CERT_AddCertToListTail(trustedCertList, cert);
-    } else {
-        certMem * newCertMem = PORT_ZNew(certMem);
-        if (newCertMem) {
-            newCertMem->next = theCerts;
-            newCertMem->cert = cert;
-            theCerts = newCertMem;
-        }
-    }
-}
-
-void
-forgetCerts(void)
-{
-    certMem * oldCertMem;
-    while (theCerts) {
-	oldCertMem = theCerts;
-    	theCerts = theCerts->next;
-	CERT_DestroyCertificate(oldCertMem->cert);
-	PORT_Free(oldCertMem);
-    }
-    if (trustedCertList) {
-        CERT_DestroyCertList(trustedCertList);
-    }
-}
-
-
-CERTCertificate *
-getCert(const char *name, PRBool isAscii, const char * progName)
-{
-    CERTCertificate * cert;
-    CERTCertDBHandle *defaultDB;
-    PRFileDesc*     fd;
-    SECStatus       rv;
-    SECItem         item        = {0, NULL, 0};
-
-    defaultDB = CERT_GetDefaultCertDB();
-
-    /* First, let's try to find the cert in existing DB. */
-    cert = CERT_FindCertByNicknameOrEmailAddr(defaultDB, name);
-    if (cert) {
-        return cert;
-    }
-
-    /* Don't have a cert with name "name" in the DB. Try to
-     * open a file with such name and get the cert from there.*/
-    fd = PR_Open(name, PR_RDONLY, 0777); 
-    if (!fd) {
-	PRIntn err = PR_GetError();
-    	fprintf(stderr, "open of %s failed, %d = %s\n", 
-	        name, err, SECU_Strerror(err));
-	return cert;
-    }
-
-    rv = SECU_ReadDERFromFile(&item, fd, isAscii);
-    PR_Close(fd);
-    if (rv != SECSuccess) {
-	fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
-	return cert;
-    }
-
-    if (!item.len) { /* file was empty */
-	fprintf(stderr, "cert file %s was empty.\n", name);
-	return cert;
-    }
-
-    cert = CERT_NewTempCertificate(defaultDB, &item, 
-                                   NULL     /* nickname */, 
-                                   PR_FALSE /* isPerm */, 
-				   PR_TRUE  /* copyDER */);
-    if (!cert) {
-	PRIntn err = PR_GetError();
-	fprintf(stderr, "couldn't import %s, %d = %s\n",
-	        name, err, SECU_Strerror(err));
-    }
-    PORT_Free(item.data);
-    return cert;
-}
-
-
-#define REVCONFIG_TEST_UNDEFINED      0
-#define REVCONFIG_TEST_LEAF           1
-#define REVCONFIG_TEST_CHAIN          2
-#define REVCONFIG_METHOD_CRL          1
-#define REVCONFIG_METHOD_OCSP         2
-
-#define REVCONFIG_TEST_LEAF_STR       "leaf"
-#define REVCONFIG_TEST_CHAIN_STR      "chain"
-#define REVCONFIG_METHOD_CRL_STR      "crl"
-#define REVCONFIG_METHOD_OCSP_STR     "ocsp"
-
-#define REVCONFIG_TEST_TESTLOCALINFOFIRST_STR     "testLocalInfoFirst"
-#define REVCONFIG_TEST_REQUIREFRESHINFO_STR       "requireFreshInfo"
-#define REVCONFIG_METHOD_DONOTUSEMETHOD_STR       "doNotUse"
-#define REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR "forbidFetching"
-#define REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR     "ignoreDefaultSrc"
-#define REVCONFIG_METHOD_REQUIREINFO_STR          "requireInfo"
-#define REVCONFIG_METHOD_FAILIFNOINFO_STR         "failIfNoInfo" 
-
-#define REV_METHOD_INDEX_MAX  4
-
-typedef struct RevMethodsStruct {
-    uint testType;
-    char *testTypeStr;
-    uint testFlags;
-    char *testFlagsStr;
-    uint methodType;
-    char *methodTypeStr;
-    uint methodFlags;
-    char *methodFlagsStr;
-} RevMethods;
-
-RevMethods revMethodsData[REV_METHOD_INDEX_MAX];
-
-SECStatus
-parseRevMethodsAndFlags()
-{
-    int i;
-    uint testType = 0;
-
-    for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
-        /* testType */
-        if (revMethodsData[i].testTypeStr) {
-            char *typeStr = revMethodsData[i].testTypeStr;
-
-            testType = 0;
-            if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_LEAF_STR)) {
-                testType = REVCONFIG_TEST_LEAF;
-            } else if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_CHAIN_STR)) {
-                testType = REVCONFIG_TEST_CHAIN;
-            }
-        }
-        if (!testType) {
-            return SECFailure;
-        }
-        revMethodsData[i].testType = testType;
-        /* testFlags */
-        if (revMethodsData[i].testFlagsStr) {
-            char *flagStr = revMethodsData[i].testFlagsStr;
-            uint testFlags = 0;
-
-            if (PORT_Strstr(flagStr, REVCONFIG_TEST_TESTLOCALINFOFIRST_STR)) {
-                testFlags |= CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-            } 
-            if (PORT_Strstr(flagStr, REVCONFIG_TEST_REQUIREFRESHINFO_STR)) {
-                testFlags |= CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
-            }
-            revMethodsData[i].testFlags = testFlags;
-        }
-        /* method type */
-        if (revMethodsData[i].methodTypeStr) {
-            char *methodStr = revMethodsData[i].methodTypeStr;
-            uint methodType = 0;
-            
-            if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_CRL_STR)) {
-                methodType = REVCONFIG_METHOD_CRL;
-            } else if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_OCSP_STR)) {
-                methodType = REVCONFIG_METHOD_OCSP;
-            }
-            if (!methodType) {
-                return SECFailure;
-            }
-            revMethodsData[i].methodType = methodType;
-        }
-        if (!revMethodsData[i].methodType) {
-            revMethodsData[i].testType = REVCONFIG_TEST_UNDEFINED;
-            continue;
-        }
-        /* method flags */
-        if (revMethodsData[i].methodFlagsStr) {
-            char *flagStr = revMethodsData[i].methodFlagsStr;
-            uint methodFlags = 0;
-
-            if (!PORT_Strstr(flagStr, REVCONFIG_METHOD_DONOTUSEMETHOD_STR)) {
-                methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD;
-            } 
-            if (PORT_Strstr(flagStr,
-                            REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR)) {
-                methodFlags |= CERT_REV_M_FORBID_NETWORK_FETCHING;
-            }
-            if (PORT_Strstr(flagStr, REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR)) {
-                methodFlags |= CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
-            }
-            if (PORT_Strstr(flagStr, REVCONFIG_METHOD_REQUIREINFO_STR)) {
-                methodFlags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
-            }
-            if (PORT_Strstr(flagStr, REVCONFIG_METHOD_FAILIFNOINFO_STR)) {
-                methodFlags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO;
-            }
-            revMethodsData[i].methodFlags = methodFlags;
-        } else {
-            revMethodsData[i].methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD;
-        }
-    }
-    return SECSuccess;
-}
-
-SECStatus
-configureRevocationParams(CERTRevocationFlags *flags)
-{
-   int i;
-   uint testType = REVCONFIG_TEST_UNDEFINED;
-   static CERTRevocationTests *revTests = NULL;
-   PRUint64 *revFlags;
-
-   for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
-       if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) {
-           continue;
-       }
-       if (revMethodsData[i].testType != testType) {
-           testType = revMethodsData[i].testType;
-           if (testType == REVCONFIG_TEST_CHAIN) {
-               revTests = &flags->chainTests;
-           } else {
-               revTests = &flags->leafTests;
-           }
-           revTests->number_of_preferred_methods = 0;
-           revTests->preferred_methods = 0;
-           revFlags = revTests->cert_rev_flags_per_method;
-       }
-       /* Set the number of the methods independently to the max number of
-        * methods. If method flags are not set it will be ignored due to
-        * default DO_NOT_USE flag. */
-       revTests->number_of_defined_methods = cert_revocation_method_count;
-       revTests->cert_rev_method_independent_flags |=
-           revMethodsData[i].testFlags;
-       if (revMethodsData[i].methodType == REVCONFIG_METHOD_CRL) {
-           revFlags[cert_revocation_method_crl] =
-               revMethodsData[i].methodFlags;
-       } else if (revMethodsData[i].methodType == REVCONFIG_METHOD_OCSP) {
-           revFlags[cert_revocation_method_ocsp] =
-               revMethodsData[i].methodFlags;
-       }
-   }
-   return SECSuccess;
-}
-
-void
-freeRevocationMethodData()
-{
-    int i = 0;
-    for(;i < REV_METHOD_INDEX_MAX;i++) {
-        if (revMethodsData[i].testTypeStr) {
-            PORT_Free(revMethodsData[i].testTypeStr);
-        }
-        if (revMethodsData[i].testFlagsStr) {
-            PORT_Free(revMethodsData[i].testFlagsStr);
-        }
-        if (revMethodsData[i].methodTypeStr) {
-            PORT_Free(revMethodsData[i].methodTypeStr);
-        }
-        if (revMethodsData[i].methodFlagsStr) {
-            PORT_Free(revMethodsData[i].methodFlagsStr);
-        }
-    }
-}
-
-PRBool
-isOCSPEnabled()
-{
-    int i;
-
-    for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
-        if (revMethodsData[i].methodType == REVCONFIG_METHOD_OCSP) {
-            return PR_TRUE;
-        }
-    }
-    return PR_FALSE;
-}
-
-int
-main(int argc, char *argv[], char *envp[])
-{
-    char *               certDir      = NULL;
-    char *               progName     = NULL;
-    char *               oidStr       = NULL;
-    CERTCertificate *    cert;
-    CERTCertificate *    firstCert    = NULL;
-    CERTCertificate *    issuerCert   = NULL;
-    CERTCertDBHandle *   defaultDB    = NULL;
-    PRBool               isAscii      = PR_FALSE;
-    PRBool               trusted      = PR_FALSE;
-    SECStatus            secStatus;
-    SECCertificateUsage  certUsage    = certificateUsageSSLServer;
-    PLOptState *         optstate;
-    PRTime               time         = 0;
-    PLOptStatus          status;
-    int                  usePkix      = 0;
-    int                  rv           = 1;
-    int                  usage;
-    CERTVerifyLog        log;
-    CERTCertList        *builtChain = NULL;
-    PRBool               certFetching = PR_FALSE;
-    int                  revDataIndex = 0;
-    PRBool               ocsp_fetchingFailureIsAFailure = PR_TRUE;
-    PRBool               useDefaultRevFlags = PR_TRUE;
-    int                  vfyCounts = 1;
-
-    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-    progName = PL_strdup(argv[0]);
-
-    optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch(optstate->option) {
-	case  0  : /* positional parameter */  goto breakout;
-	case 'a' : isAscii  = PR_TRUE;                        break;
-	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
-	           if (secStatus != SECSuccess) Usage(progName); break;
-	case 'd' : certDir  = PL_strdup(optstate->value);     break;
-	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
-	case 'f' : certFetching = PR_TRUE;                    break;
-	case 'g' : 
-                   if (revMethodsData[revDataIndex].testTypeStr ||
-                       revMethodsData[revDataIndex].methodTypeStr) {
-                       revDataIndex += 1;
-                       if (revDataIndex == REV_METHOD_INDEX_MAX) {
-                           fprintf(stderr, "Invalid revocation configuration"
-                                   "specified.\n");
-                           secStatus = SECFailure;
-                           break;
-                       }
-                   }
-                   useDefaultRevFlags = PR_FALSE;
-                   revMethodsData[revDataIndex].
-                       testTypeStr = PL_strdup(optstate->value); break;
-	case 'h' : 
-                   revMethodsData[revDataIndex].
-                       testFlagsStr = PL_strdup(optstate->value);break;
-        case 'i' : vfyCounts = PORT_Atoi(optstate->value);       break;
-                   break;
-	case 'm' : 
-                   if (revMethodsData[revDataIndex].methodTypeStr) {
-                       revDataIndex += 1;
-                       if (revDataIndex == REV_METHOD_INDEX_MAX) {
-                           fprintf(stderr, "Invalid revocation configuration"
-                                   "specified.\n");
-                           secStatus = SECFailure;
-                           break;
-                       }
-                   }
-                   useDefaultRevFlags = PR_FALSE;
-                   revMethodsData[revDataIndex].
-                       methodTypeStr = PL_strdup(optstate->value); break;
-	case 'o' : oidStr = PL_strdup(optstate->value);       break;
-	case 'p' : usePkix += 1;                              break;
-	case 'r' : isAscii  = PR_FALSE;                       break;
-	case 's' : 
-                   revMethodsData[revDataIndex].
-                       methodFlagsStr = PL_strdup(optstate->value); break;
-	case 't' : trusted  = PR_TRUE;                        break;
-	case 'u' : usage    = PORT_Atoi(optstate->value);
-	           if (usage < 0 || usage > 62) Usage(progName);
-		   certUsage = ((SECCertificateUsage)1) << usage; 
-		   if (certUsage > certificateUsageHighest) Usage(progName);
-		   break;
-        case 'w':
-                  pwdata.source = PW_PLAINTEXT;
-                  pwdata.data = PORT_Strdup(optstate->value);
-                  break;
-
-        case 'W':
-                  pwdata.source = PW_FROMFILE;
-                  pwdata.data = PORT_Strdup(optstate->value);
-                  break;
-	case 'v' : verbose++;                                 break;
-	default  : Usage(progName);                           break;
-	}
-    }
-breakout:
-    if (status != PL_OPT_OK)
-	Usage(progName);
-
-    if (usePkix < 2) {
-        if (oidStr) {
-            fprintf(stderr, "Policy oid(-o) can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
-            Usage(progName);
-        }
-        if (trusted) {
-            fprintf(stderr, "Cert trust flag can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
-            Usage(progName);
-        }
-    }
-
-    if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
-        fprintf(stderr, "Invalid revocation configuration specified.\n");
-        goto punt;
-    }
-
-    /* Set our password function callback. */
-    PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-    /* Initialize the NSS libraries. */
-    if (certDir) {
-	secStatus = NSS_Init(certDir);
-    } else {
-	secStatus = NSS_NoDB_Init(NULL);
-
-	/* load the builtins */
-	SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
-    }
-    if (secStatus != SECSuccess) {
-	exitErr("NSS_Init");
-    }
-    SECU_RegisterDynamicOids();
-    if (isOCSPEnabled()) {
-        CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-        CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-        if (!ocsp_fetchingFailureIsAFailure) {
-            CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
-        }
-    }
-
-    while (status == PL_OPT_OK) {
-	switch(optstate->option) {
-	default  : Usage(progName);                           break;
-	case 'a' : isAscii  = PR_TRUE;                        break;
-	case 'r' : isAscii  = PR_FALSE;                       break;
-	case 't' : trusted  = PR_TRUE;                       break;
-	case  0  : /* positional parameter */
-            if (usePkix < 2 && trusted) {
-                fprintf(stderr, "Cert trust flag can be used only with"
-                        " CERT_PKIXVerifyChain(-pp) function.\n");
-                Usage(progName);
-            }
-	    cert = getCert(optstate->value, isAscii, progName);
-	    if (!cert) 
-	        goto punt;
-	    rememberCert(cert, trusted);
-	    if (!firstCert)
-	        firstCert = cert;
-            trusted = PR_FALSE;
-	}
-        status = PL_GetNextOpt(optstate);
-    }
-    PL_DestroyOptState(optstate);
-    if (status == PL_OPT_BAD || !firstCert)
-	Usage(progName);
-
-    /* Initialize log structure */
-    log.arena = PORT_NewArena(512);
-    log.head = log.tail = NULL;
-    log.count = 0;
-
-    do {
-        if (usePkix < 2) {
-            /* NOW, verify the cert chain. */
-            if (usePkix) {
-                /* Use old API with libpkix validation lib */
-                CERT_SetUsePKIXForValidation(PR_TRUE);
-            }
-            if (!time)
-                time = PR_Now();
-
-            defaultDB = CERT_GetDefaultCertDB();
-            secStatus = CERT_VerifyCertificate(defaultDB, firstCert, 
-                                               PR_TRUE /* check sig */,
-                                               certUsage, 
-                                               time,
-                                               &pwdata, /* wincx  */
-                                               &log, /* error log */
-                                           NULL);/* returned usages */
-        } else do {
-                static CERTValOutParam cvout[4];
-                static CERTValInParam cvin[6];
-                SECOidTag oidTag;
-                int inParamIndex = 0;
-                static PRUint64 revFlagsLeaf[2];
-                static PRUint64 revFlagsChain[2];
-                static CERTRevocationFlags rev;
-                
-                if (oidStr) {
-                    PRArenaPool *arena;
-                    SECOidData od;
-                    memset(&od, 0, sizeof od);
-                    od.offset = SEC_OID_UNKNOWN;
-                    od.desc = "User Defined Policy OID";
-                    od.mechanism = CKM_INVALID_MECHANISM;
-                    od.supportedExtension = INVALID_CERT_EXTENSION;
-
-                    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                    if ( !arena ) {
-                        fprintf(stderr, "out of memory");
-                        goto punt;
-                    }
-                    
-                    secStatus = SEC_StringToOID(arena, &od.oid, oidStr, 0);
-                    if (secStatus != SECSuccess) {
-                        PORT_FreeArena(arena, PR_FALSE);
-                        fprintf(stderr, "Can not encode oid: %s(%s)\n", oidStr,
-                                SECU_Strerror(PORT_GetError()));
-                        break;
-                    }
-                    
-                    oidTag = SECOID_AddEntry(&od);
-                    PORT_FreeArena(arena, PR_FALSE);
-                    if (oidTag == SEC_OID_UNKNOWN) {
-                        fprintf(stderr, "Can not add new oid to the dynamic "
-                                "table: %s\n", oidStr);
-                        secStatus = SECFailure;
-                        break;
-                    }
-                    
-                    cvin[inParamIndex].type = cert_pi_policyOID;
-                    cvin[inParamIndex].value.arraySize = 1;
-                    cvin[inParamIndex].value.array.oids = &oidTag;
-                    
-                    inParamIndex++;
-                }
-                
-                if (trustedCertList) {
-                    cvin[inParamIndex].type = cert_pi_trustAnchors;
-                    cvin[inParamIndex].value.pointer.chain = trustedCertList;
-                    
-                    inParamIndex++;
-                }
-                
-                cvin[inParamIndex].type = cert_pi_useAIACertFetch;
-                cvin[inParamIndex].value.scalar.b = certFetching;
-                inParamIndex++;
-                
-                rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
-                rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
-                secStatus = configureRevocationParams(&rev);
-                if (secStatus) {
-                    fprintf(stderr, "Can not config revocation parameters ");
-                    break;
-                }
-                
-                cvin[inParamIndex].type = cert_pi_revocationFlags;
-                cvin[inParamIndex].value.pointer.revocation = &rev;
-                inParamIndex++;
-                
-                if (time) {
-                    cvin[inParamIndex].type = cert_pi_date;
-                    cvin[inParamIndex].value.scalar.time = time;
-                    inParamIndex++;
-                }
-                
-                cvin[inParamIndex].type = cert_pi_end;
-                
-                cvout[0].type = cert_po_trustAnchor;
-                cvout[0].value.pointer.cert = NULL;
-                cvout[1].type = cert_po_certList;
-                cvout[1].value.pointer.chain = NULL;
-                
-                /* setting pointer to CERTVerifyLog. Initialized structure
-                 * will be used CERT_PKIXVerifyCert */
-                cvout[2].type = cert_po_errorLog;
-                cvout[2].value.pointer.log = &log;
-                
-                cvout[3].type = cert_po_end;
-                
-                secStatus = CERT_PKIXVerifyCert(firstCert, certUsage,
-                                                cvin, cvout, &pwdata);
-                if (secStatus != SECSuccess) {
-                    break;
-                }
-                issuerCert = cvout[0].value.pointer.cert;
-                builtChain = cvout[1].value.pointer.chain;
-            } while (0);
-        
-        /* Display validation results */
-        if (secStatus != SECSuccess || log.count > 0) {
-            CERTVerifyLogNode *node = NULL;
-            PRIntn err = PR_GetError();
-            fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err));
-            
-            SECU_displayVerifyLog(stderr, &log, verbose); 
-            /* Have cert refs in the log only in case of failure.
-             * Destroy them. */
-            for (node = log.head; node; node = node->next) {
-                if (node->cert)
-                    CERT_DestroyCertificate(node->cert);
-            }
-            rv = 1;
-        } else {
-            fprintf(stderr, "Chain is good!\n");
-            if (issuerCert) {
-                if (verbose > 1) {
-                    rv = SEC_PrintCertificateAndTrust(issuerCert, "Root Certificate",
-                                                      NULL);
-                    if (rv != SECSuccess) {
-                        SECU_PrintError(progName, "problem printing certificate");
-                    }
-                } else if (verbose > 0) {
-                    SECU_PrintName(stdout, &issuerCert->subject, "Root "
-                                   "Certificate Subject:", 0);
-                }
-                CERT_DestroyCertificate(issuerCert);
-            }
-            if (builtChain) {
-                CERTCertListNode *node;
-                int count = 0;
-                char buff[256];
-                
-                if (verbose) { 
-                    for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain);
-                        node = CERT_LIST_NEXT(node), count++ ) {
-                        sprintf(buff, "Certificate %d Subject", count + 1);
-                        SECU_PrintName(stdout, &node->cert->subject, buff, 0);
-                    }
-                }
-                CERT_DestroyCertList(builtChain);
-            }
-            rv = 0;
-        }
-    } while (--vfyCounts > 0);
-
-    /* Need to destroy CERTVerifyLog arena at the end */
-    PORT_FreeArena(log.arena, PR_FALSE);
-
-punt:
-    forgetCerts();
-    if (NSS_Shutdown() != SECSuccess) {
-	SECU_PrintError(progName, "NSS_Shutdown");
-	rv = 1;
-    }
-    PORT_Free(progName);
-    PORT_Free(certDir);
-    PORT_Free(oidStr);
-    freeRevocationMethodData();
-    if (pwdata.data) {
-        PORT_Free(pwdata.data);
-    }
-    PR_Cleanup();
-    return rv;
-}
diff --git a/security/nss/cmd/vfyserv/Makefile b/security/nss/cmd/vfyserv/Makefile
deleted file mode 100644
index 297114522..000000000
--- a/security/nss/cmd/vfyserv/Makefile
+++ /dev/null
@@ -1,78 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-#include ../platlibs.mk
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/vfyserv/manifest.mn b/security/nss/cmd/vfyserv/manifest.mn
deleted file mode 100644
index eb9c5bd32..000000000
--- a/security/nss/cmd/vfyserv/manifest.mn
+++ /dev/null
@@ -1,55 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-# The MODULE is always implicitly required.
-# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm 
-
-# DIRS = 
-
-CSRCS	= vfyserv.c  vfyutil.c
-DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
-
-PROGRAM	= vfyserv
-
diff --git a/security/nss/cmd/vfyserv/vfyserv.c b/security/nss/cmd/vfyserv/vfyserv.c
deleted file mode 100644
index 84ee69eef..000000000
--- a/security/nss/cmd/vfyserv/vfyserv.c
+++ /dev/null
@@ -1,594 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- *  SSL client program that tests  a server for proper operation of SSL2,   *
- *  SSL3, and TLS. Test propder certificate installation.                   *
- *                                                                          *
- *  This code was modified from the SSLSample code also kept in the NSS     *
- *  directory.                                                              *
- ****************************************************************************/ 
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "secitem.h"
-
-
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-#include "secutil.h"
-#include "ocsp.h"
-
-#include "vfyserv.h"
-
-#define RD_BUF_SIZE (60 * 1024)
-
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-GlobalThreadMgr threadMGR;
-char *certNickname = NULL;
-char *hostName = NULL;
-secuPWData  pwdata          = { PW_NONE, 0 };
-unsigned short port = 0;
-PRBool dumpChain;
-
-static void
-Usage(const char *progName)
-{
-    PRFileDesc *pr_stderr;
-
-    pr_stderr = PR_STDERR;
-
-    PR_fprintf(pr_stderr, "Usage:\n"
-               "   %s  [-c ] [-o] [-p port] [-d dbdir] [-w password] [-f pwfile]\n"
-               "   \t\t[-C cipher(s)]  [-l <url> -t <nickname> ] hostname",
-               progName);
-    PR_fprintf (pr_stderr, "\nWhere:\n");
-    PR_fprintf (pr_stderr,
-                "  %-13s dump server cert chain into files\n",
-                "-c");
-    PR_fprintf (pr_stderr,
-                "  %-13s perform server cert OCSP check\n",
-                "-o");
-    PR_fprintf (pr_stderr,
-                "  %-13s server port to be used\n",
-                "-p");
-    PR_fprintf (pr_stderr,
-                "  %-13s use security databases in \"dbdir\"\n",
-                "-d dbdir");
-    PR_fprintf (pr_stderr,
-                "  %-13s key database password\n",
-                "-w password");
-    PR_fprintf (pr_stderr,
-                "  %-13s token password file\n",
-                "-f pwfile");
-    PR_fprintf (pr_stderr,
-                "  %-13s communication cipher list\n",
-                "-C cipher(s)");
-    PR_fprintf (pr_stderr,
-                "  %-13s OCSP responder location. This location is used to\n"
-                "  %-13s check  status  of a server  certificate.  If  not \n"
-                "  %-13s specified, location  will  be taken  from the AIA\n"
-                "  %-13s server certificate extension.\n",
-                "-l url", "", "", "");
-    PR_fprintf (pr_stderr,
-                "  %-13s OCSP Trusted Responder Cert nickname\n\n",
-                "-t nickname");
-
-	exit(1);
-}
-
-PRFileDesc *
-setupSSLSocket(PRNetAddr *addr)
-{
-	PRFileDesc         *tcpSocket;
-	PRFileDesc         *sslSocket;
-	PRSocketOptionData	socketOption;
-	PRStatus            prStatus;
-	SECStatus           secStatus;
-
-
-	tcpSocket = PR_NewTCPSocket();
-	if (tcpSocket == NULL) {
-		errWarn("PR_NewTCPSocket");
-	}
-
-	/* Make the socket blocking. */
-	socketOption.option	            = PR_SockOpt_Nonblocking;
-	socketOption.value.non_blocking = PR_FALSE;
-
-	prStatus = PR_SetSocketOption(tcpSocket, &socketOption);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_SetSocketOption");
-		goto loser;
-	} 
-
-
-	/* Import the socket into the SSL layer. */
-	sslSocket = SSL_ImportFD(NULL, tcpSocket);
-	if (!sslSocket) {
-		errWarn("SSL_ImportFD");
-		goto loser;
-	}
-
-	/* Set configuration options. */
-	secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_SECURITY");
-		goto loser;
-	}
-
-	secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
-		goto loser;
-	}
-
-	/* Set SSL callback routines. */
-	secStatus = SSL_GetClientAuthDataHook(sslSocket,
-	                          (SSLGetClientAuthData)myGetClientAuthData,
-	                          (void *)certNickname);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_GetClientAuthDataHook");
-		goto loser;
-	}
-
-	secStatus = SSL_AuthCertificateHook(sslSocket,
-	                                   (SSLAuthCertificate)myAuthCertificate,
-                                       (void *)CERT_GetDefaultCertDB());
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_AuthCertificateHook");
-		goto loser;
-	}
-
-	secStatus = SSL_BadCertHook(sslSocket, 
-	                           (SSLBadCertHandler)myBadCertHandler, NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_BadCertHook");
-		goto loser;
-	}
-
-	secStatus = SSL_HandshakeCallback(sslSocket, 
-	                                  myHandshakeCallback,
-	                                  NULL);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_HandshakeCallback");
-		goto loser;
-	}
-
-	return sslSocket;
-
-loser:
-
-	PR_Close(tcpSocket);
-	return NULL;
-}
-
-
-const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
-
-SECStatus
-handle_connection(PRFileDesc *sslSocket, int connection)
-{
-	int	countRead = 0;
-	PRInt32  numBytes;
-	char    *readBuffer;
-
-	readBuffer = PORT_Alloc(RD_BUF_SIZE);
-	if (!readBuffer) {
-		exitErr("PORT_Alloc");
-	}
-
-	/* compose the http request here. */
-
-	numBytes = PR_Write(sslSocket, requestString, strlen(requestString));
-	if (numBytes <= 0) {
-		errWarn("PR_Write");
-		PR_Free(readBuffer);
-		readBuffer = NULL;
-		return SECFailure;
-	}
-
-	/* read until EOF */
-	while (PR_TRUE) {
-		numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE);
-		if (numBytes == 0) {
-			break;	/* EOF */
-		}
-		if (numBytes < 0) {
-			errWarn("PR_Read");
-			break;
-		}
-		countRead += numBytes;
-	}
-
-	printSecurityInfo(stderr, sslSocket);
-	
-	PR_Free(readBuffer);
-	readBuffer = NULL;
-
-	/* Caller closes the socket. */
-
-	fprintf(stderr, 
-	        "***** Connection %d read %d bytes total.\n", 
-	        connection, countRead);
-
-	return SECSuccess;	/* success */
-}
-
-#define BYTE(n,i) (((i)>>((n)*8))&0xff)
-
-/* one copy of this function is launched in a separate thread for each
-** connection to be made.
-*/
-SECStatus
-do_connects(void *a, int connection)
-{
-	PRNetAddr  *addr = (PRNetAddr *)a;
-	PRFileDesc *sslSocket;
-	PRHostEnt   hostEntry;
-	char        buffer[PR_NETDB_BUF_SIZE];
-	PRStatus    prStatus;
-	PRIntn      hostenum;
-	PRInt32    ip;
-	SECStatus   secStatus;
-
-	/* Set up SSL secure socket. */
-	sslSocket = setupSSLSocket(addr);
-	if (sslSocket == NULL) {
-		errWarn("setupSSLSocket");
-		return SECFailure;
-	}
-
-	secStatus = SSL_SetPKCS11PinArg(sslSocket, &pwdata);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetPKCS11PinArg");
-		return secStatus;
-	}
-
-	secStatus = SSL_SetURL(sslSocket, hostName);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_SetURL");
-		return secStatus;
-	}
-
-	/* Prepare and setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_GetHostByName");
-		return SECFailure;
-	}
-
-	hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
-	if (hostenum == -1) {
-		errWarn("PR_EnumerateHostEnt");
-		return SECFailure;
-	}
-
- 	ip = PR_ntohl(addr->inet.ip);
-	fprintf(stderr,
-	 	"Connecting to host %s (addr %d.%d.%d.%d) on port %d\n",
-			hostName, BYTE(3,ip), BYTE(2,ip), BYTE(1,ip), 
-			BYTE(0,ip), PR_ntohs(addr->inet.port)); 
-
-	prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
-	if (prStatus != PR_SUCCESS) {
-		errWarn("PR_Connect");
-		return SECFailure;
-	}
-
-	/* Established SSL connection, ready to send data. */
-#if 0
-	secStatus = SSL_ForceHandshake(sslSocket);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ForceHandshake");
-		return secStatus;
-	}
-#endif
-
-	secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
-	if (secStatus != SECSuccess) {
-		errWarn("SSL_ResetHandshake");
-		prStatus = PR_Close(sslSocket);
-		if (prStatus != PR_SUCCESS) {
-			errWarn("PR_Close");
-		}
-		return secStatus;
-	}
-
-	secStatus = handle_connection(sslSocket, connection);
-	if (secStatus != SECSuccess) {
-		/* error already printed out in handle_connection */
-		/* errWarn("handle_connection"); */
-		prStatus = PR_Close(sslSocket);
-		if (prStatus != PR_SUCCESS) {
-			errWarn("PR_Close");
-		}
-		return secStatus;
-	}
-
-	PR_Close(sslSocket);
-	return SECSuccess;
-}
-
-void
-client_main(unsigned short      port, 
-            int	                connections, 
-            const char *        hostName)
-{
-	int			i;
-	SECStatus	secStatus;
-	PRStatus    prStatus;
-	PRInt32     rv;
-	PRNetAddr	addr;
-	PRHostEnt   hostEntry;
-	char        buffer[PR_NETDB_BUF_SIZE];
-
-	/* Setup network connection. */
-	prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
-	if (prStatus != PR_SUCCESS) {
-		exitErr("PR_GetHostByName");
-	}
-
-	rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr);
-	if (rv < 0) {
-		exitErr("PR_EnumerateHostEnt");
-	}
-
-	secStatus = launch_thread(&threadMGR, do_connects, &addr, 1);
-	if (secStatus != SECSuccess) {
-		exitErr("launch_thread");
-	}
-
-	if (connections > 1) {
-		/* wait for the first connection to terminate, then launch the rest. */
-		reap_threads(&threadMGR);
-		/* Start up the connections */
-		for (i = 2; i <= connections; ++i) {
-			secStatus = launch_thread(&threadMGR, do_connects, &addr, i);
-			if (secStatus != SECSuccess) {
-				errWarn("launch_thread");
-			}
-		}
-	}
-
-	reap_threads(&threadMGR);
-	destroy_thread_data(&threadMGR);
-}
-
-#define HEXCHAR_TO_INT(c, i) \
-    if (((c) >= '0') && ((c) <= '9')) { \
-	i = (c) - '0'; \
-    } else if (((c) >= 'a') && ((c) <= 'f')) { \
-	i = (c) - 'a' + 10; \
-    } else if (((c) >= 'A') && ((c) <= 'F')) { \
-	i = (c) - 'A' + 10; \
-    } else { \
-	Usage(progName); \
-    }
-
-int
-main(int argc, char **argv)
-{
-	char *               certDir = NULL;
-	char *               progName     = NULL;
-	int                  connections  = 1;
-	char *               cipherString = NULL;
-	char *               respUrl = NULL;
-	char *               respCertName = NULL;
-	SECStatus            secStatus;
-	PLOptState *         optstate;
-	PLOptStatus          status;
-	PRBool               doOcspCheck = PR_FALSE;
-
-	/* Call the NSPR initialization routines */
-	PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
-	progName = PORT_Strdup(argv[0]);
-
-	hostName = NULL;
-	optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
-	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-		switch(optstate->option) {
-		case 'C' : cipherString = PL_strdup(optstate->value); break;
- 		case 'c' : dumpChain = PR_TRUE;                       break;
-		case 'd' : certDir = PL_strdup(optstate->value);      break;
-		case 'l' : respUrl = PL_strdup(optstate->value);      break;
-		case 'p' : port = PORT_Atoi(optstate->value);         break;
-		case 'o' : doOcspCheck = PR_TRUE;                     break;
-		case 't' : respCertName = PL_strdup(optstate->value); break;
-                case 'w':
-                           pwdata.source = PW_PLAINTEXT;
-                           pwdata.data = PORT_Strdup(optstate->value);
-                           break;
-
-                case 'f':
-                           pwdata.source = PW_FROMFILE;
-                           pwdata.data = PORT_Strdup(optstate->value);
-                           break;
-		case '\0': hostName = PL_strdup(optstate->value);     break;
-		default  : Usage(progName);
-		}
-	}
-
-	if (port == 0) {
-		port = 443;
-	}
-
-	if (port == 0 || hostName == NULL)
-		Usage(progName);
-
-        if (doOcspCheck &&
-            ((respCertName != NULL && respUrl == NULL) ||
-             (respUrl != NULL && respCertName == NULL))) {
-	    SECU_PrintError (progName, "options -l <url> and -t "
-	                     "<responder> must be used together");
-	    Usage(progName);
-        }
-    
-	PK11_SetPasswordFunc(SECU_GetModulePassword);
-
-	/* Initialize the NSS libraries. */
-	if (certDir) {
-	    secStatus = NSS_Init(certDir);
-	} else {
-	    secStatus = NSS_NoDB_Init(NULL);
-
-	    /* load the builtins */
-	    SECMOD_AddNewModule("Builtins",
-				DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
-	}
-	if (secStatus != SECSuccess) {
-		exitErr("NSS_Init");
-	}
-	SECU_RegisterDynamicOids();
-
-	if (doOcspCheck == PR_TRUE) {
-            SECStatus rv;
-            CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-            if (handle == NULL) {
-                SECU_PrintError (progName, "problem getting certdb handle");
-                goto cleanup;
-            }
-            
-            rv = CERT_EnableOCSPChecking (handle);
-            if (rv != SECSuccess) {
-                SECU_PrintError (progName, "error enabling OCSP checking");
-                goto cleanup;
-            }
-
-            if (respUrl != NULL) {
-                rv = CERT_SetOCSPDefaultResponder (handle, respUrl,
-                                                   respCertName);
-                if (rv != SECSuccess) {
-                    SECU_PrintError (progName,
-                                     "error setting default responder");
-                    goto cleanup;
-                }
-                
-                rv = CERT_EnableOCSPDefaultResponder (handle);
-                if (rv != SECSuccess) {
-                    SECU_PrintError (progName,
-                                     "error enabling default responder");
-                    goto cleanup;
-                }
-            }
-	}
-
-	/* All cipher suites except RSA_NULL_MD5 are enabled by 
-	 * Domestic Policy. */
-	NSS_SetDomesticPolicy();
-	SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-
-	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
-	if (cipherString) {
-	    int ndx;
-
-	    /* disable all the ciphers, then enable the ones we want. */
-	    disableAllSSLCiphers();
-
-	    while (0 != (ndx = *cipherString++)) {
-		int  cipher;
-
-		if (ndx == ':') {
-		    int ctmp;
-
-		    cipher = 0;
-		    HEXCHAR_TO_INT(*cipherString, ctmp)
-		    cipher |= (ctmp << 12);
-		    cipherString++;
-		    HEXCHAR_TO_INT(*cipherString, ctmp)
-		    cipher |= (ctmp << 8);
-		    cipherString++;
-		    HEXCHAR_TO_INT(*cipherString, ctmp)
-		    cipher |= (ctmp << 4);
-		    cipherString++;
-		    HEXCHAR_TO_INT(*cipherString, ctmp)
-		    cipher |= ctmp;
-		    cipherString++;
-		} else {
-		    const int *cptr;
-		    if (! isalpha(ndx))
-			Usage(progName);
-		    cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		    for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
-			/* do nothing */;
-		}
-		if (cipher > 0) {
-		    SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-		} else {
-		    Usage(progName);
-		}
-	    }
-	}
-
-	client_main(port, connections, hostName);
-
-cleanup:
-        if (doOcspCheck) {
-            CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-            CERT_DisableOCSPDefaultResponder(handle);        
-            CERT_DisableOCSPChecking (handle);
-        }
-
-        if (NSS_Shutdown() != SECSuccess) {
-            exit(1);
-        }
-
-	PR_Cleanup();
-	PORT_Free(progName);
-	return 0;
-}
-
diff --git a/security/nss/cmd/vfyserv/vfyserv.h b/security/nss/cmd/vfyserv/vfyserv.h
deleted file mode 100644
index 9d172cfda..000000000
--- a/security/nss/cmd/vfyserv/vfyserv.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef SSLSAMPLE_H
-#define SSLSAMPLE_H
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-/*
-#include "sslerror.h"
-*/
-
-#define BUFFER_SIZE 10240
-
-/* Declare SSL cipher suites. */
-
-extern int cipherSuites[];
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-/* Data buffer read from a socket. */
-typedef struct DataBufferStr {
-	char data[BUFFER_SIZE];
-	int  index;
-	int  remaining;
-	int  dataStart;
-	int  dataEnd;
-} DataBuffer;
-
-/* SSL callback routines. */
-
-char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg);
-
-SECStatus myAuthCertificate(void *arg, PRFileDesc *socket,
-                            PRBool checksig, PRBool isServer);
-
-SECStatus myBadCertHandler(void *arg, PRFileDesc *socket);
-
-void myHandshakeCallback(PRFileDesc *socket, void *arg);
-
-SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
-                              struct CERTDistNamesStr *caNames,
-                              struct CERTCertificateStr **pRetCert,
-                              struct SECKEYPrivateKeyStr **pRetKey);
-
-/* Disable all v2/v3 SSL ciphers. */
-
-void disableAllSSLCiphers(void);
-
-
-/* Error and information utilities. */
-
-void errWarn(char *function);
-
-void exitErr(char *function);
-
-void printSecurityInfo(FILE *outfile, PRFileDesc *fd);
-
-/* Some simple thread management routines. */
-
-#define MAX_THREADS 32
-
-typedef SECStatus startFn(void *a, int b);
-
-typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
-
-typedef struct perThreadStr {
-	PRFileDesc *a;
-	int         b;
-	int         rv;
-	startFn    *startFunc;
-	PRThread   *prThread;
-	PRBool      inUse;
-	runState    running;
-} perThread;
-
-typedef struct GlobalThreadMgrStr {
-	PRLock	  *threadLock;
-	PRCondVar *threadStartQ;
-	PRCondVar *threadEndQ;
-	perThread  threads[MAX_THREADS];
-	int        index;
-	int        numUsed;
-	int        numRunning;
-} GlobalThreadMgr;
-
-void thread_wrapper(void * arg);
-
-SECStatus launch_thread(GlobalThreadMgr *threadMGR, 
-                        startFn *startFunc, void *a, int b);
-
-SECStatus reap_threads(GlobalThreadMgr *threadMGR);
-
-void destroy_thread_data(GlobalThreadMgr *threadMGR);
-
-/* Management of locked variables. */
-
-struct lockedVarsStr {
-	PRLock *    lock;
-	int         count;
-	int         waiters;
-	PRCondVar * condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void lockedVars_Init(lockedVars *lv);
-
-void lockedVars_Destroy(lockedVars *lv);
-
-void lockedVars_WaitForDone(lockedVars *lv);
-
-int lockedVars_AddToCount(lockedVars *lv, int addend);
-
-/* Buffer stuff. */
-
-static const char stopCmd[] = { "GET /stop " };
-static const char defaultHeader[] = {
-	"HTTP/1.0 200 OK\r\n"
-	"Server: SSL sample server\r\n"
-	"Content-type: text/plain\r\n"
-	"\r\n"
-};
-
-#endif
diff --git a/security/nss/cmd/vfyserv/vfyutil.c b/security/nss/cmd/vfyserv/vfyutil.c
deleted file mode 100644
index 101152d6b..000000000
--- a/security/nss/cmd/vfyserv/vfyutil.c
+++ /dev/null
@@ -1,665 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "vfyserv.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "nspr.h"
-#include "secutil.h"
-
-
-extern PRBool dumpChain;
-extern void dumpCertChain(CERTCertificate *, SECCertUsage);
-
-/* Declare SSL cipher suites. */
-
-int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,              /* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,     /* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,          /* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,           /* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     /* F */
-    0
-};
-
-int ssl3CipherSuites[] = {
-    -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
-    -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
-    -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
-    SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
-    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
-    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
-    TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
-    TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
-    TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
-    0
-};
-
-/**************************************************************************
-** 
-** SSL callback routines.
-**
-**************************************************************************/
-
-/* Function: char * myPasswd()
- * 
- * Purpose: This function is our custom password handler that is called by
- * SSL when retreiving private certs and keys from the database. Returns a
- * pointer to a string that with a password for the database. Password pointer
- * should point to dynamically allocated memory that will be freed later.
- */
-char *
-myPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
-{
-    char * passwd = NULL;
-
-    if ( (!retry) && arg ) {
-	passwd = PORT_Strdup((char *)arg);
-    }
-    return passwd;
-}
-
-/* Function: SECStatus myAuthCertificate()
- *
- * Purpose: This function is our custom certificate authentication handler.
- * 
- * Note: This implementation is essentially the same as the default 
- *       SSL_AuthCertificate().
- */
-SECStatus 
-myAuthCertificate(void *arg, PRFileDesc *socket, 
-                  PRBool checksig, PRBool isServer) 
-{
-
-    SECCertificateUsage certUsage;
-    CERTCertificate *   cert;
-    void *              pinArg;
-    char *              hostName;
-    SECStatus           secStatus;
-
-    if (!arg || !socket) {
-	errWarn("myAuthCertificate");
-	return SECFailure;
-    }
-
-    /* Define how the cert is being used based upon the isServer flag. */
-
-    certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
-
-    cert = SSL_PeerCertificate(socket);
-	
-    pinArg = SSL_RevealPinArg(socket);
-    
-    if (dumpChain == PR_TRUE) {
-        dumpCertChain(cert, certUsage);
-    }
-
-    secStatus = CERT_VerifyCertificateNow((CERTCertDBHandle *)arg,
-				   cert,
-				   checksig,
-				   certUsage,
-				   pinArg,
-                                   NULL);
-
-    /* If this is a server, we're finished. */
-    if (isServer || secStatus != SECSuccess) {
-	SECU_printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, 
-			  checksig, certUsage, pinArg, PR_FALSE);
-	CERT_DestroyCertificate(cert);
-	return secStatus;
-    }
-
-    /* Certificate is OK.  Since this is the client side of an SSL
-     * connection, we need to verify that the name field in the cert
-     * matches the desired hostname.  This is our defense against
-     * man-in-the-middle attacks.
-     */
-
-    /* SSL_RevealURL returns a hostName, not an URL. */
-    hostName = SSL_RevealURL(socket);
-
-    if (hostName && hostName[0]) {
-	secStatus = CERT_VerifyCertName(cert, hostName);
-    } else {
-	PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
-	secStatus = SECFailure;
-    }
-
-    if (hostName)
-	PR_Free(hostName);
-
-    CERT_DestroyCertificate(cert);
-    return secStatus;
-}
-
-/* Function: SECStatus myBadCertHandler()
- *
- * Purpose: This callback is called when the incoming certificate is not
- * valid. We define a certain set of parameters that still cause the
- * certificate to be "valid" for this session, and return SECSuccess to cause
- * the server to continue processing the request when any of these conditions
- * are met. Otherwise, SECFailure is return and the server rejects the 
- * request.
- */
-SECStatus 
-myBadCertHandler(void *arg, PRFileDesc *socket) 
-{
-
-    SECStatus	secStatus = SECFailure;
-    PRErrorCode	err;
-
-    /* log invalid cert here */
-
-    if (!arg) {
-	return secStatus;
-    }
-
-    *(PRErrorCode *)arg = err = PORT_GetError();
-
-    /* If any of the cases in the switch are met, then we will proceed   */
-    /* with the processing of the request anyway. Otherwise, the default */	
-    /* case will be reached and we will reject the request.              */
-
-    switch (err) {
-    case SEC_ERROR_INVALID_AVA:
-    case SEC_ERROR_INVALID_TIME:
-    case SEC_ERROR_BAD_SIGNATURE:
-    case SEC_ERROR_EXPIRED_CERTIFICATE:
-    case SEC_ERROR_UNKNOWN_ISSUER:
-    case SEC_ERROR_UNTRUSTED_CERT:
-    case SEC_ERROR_CERT_VALID:
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-    case SEC_ERROR_CRL_EXPIRED:
-    case SEC_ERROR_CRL_BAD_SIGNATURE:
-    case SEC_ERROR_EXTENSION_VALUE_INVALID:
-    case SEC_ERROR_CA_CERT_INVALID:
-    case SEC_ERROR_CERT_USAGES_INVALID:
-    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
-	secStatus = SECSuccess;
-	break;
-    default:
-	secStatus = SECFailure;
-	break;
-    }
-
-    fprintf(stderr, "Bad certificate: %d, %s\n", err, SECU_Strerror(err));
-
-    return secStatus;
-}
-
-/* Function: SECStatus ownGetClientAuthData()
- *
- * Purpose: This callback is used by SSL to pull client certificate 
- * information upon server request.
- */
-SECStatus 
-myGetClientAuthData(void *arg,
-                    PRFileDesc *socket,
-                    struct CERTDistNamesStr *caNames,
-                    struct CERTCertificateStr **pRetCert,
-                    struct SECKEYPrivateKeyStr **pRetKey) 
-{
-
-    CERTCertificate *  cert;
-    SECKEYPrivateKey * privKey;
-    char *             chosenNickName = (char *)arg;
-    void *             proto_win      = NULL;
-    SECStatus          secStatus      = SECFailure;
-
-    proto_win = SSL_RevealPinArg(socket);
-
-    if (chosenNickName) {
-	cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
-	if (cert) {
-	    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-	    if (privKey) {
-		secStatus = SECSuccess;
-	    } else {
-		CERT_DestroyCertificate(cert);
-	    }
-	}
-    } else { /* no nickname given, automatically find the right cert */
-	CERTCertNicknames *names;
-	int                i;
-
-	names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), 
-				      SEC_CERT_NICKNAMES_USER, proto_win);
-
-	if (names != NULL) {
-	    for(i = 0; i < names->numnicknames; i++ ) {
-
-		cert = PK11_FindCertFromNickname(names->nicknames[i], 
-						 proto_win);
-		if (!cert) {
-		    continue;
-		}
-
-		/* Only check unexpired certs */
-		if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
-		      != secCertTimeValid ) {
-		    CERT_DestroyCertificate(cert);
-		    continue;
-		}
-
-		secStatus = NSS_CmpCertChainWCANames(cert, caNames);
-		if (secStatus == SECSuccess) {
-		    privKey = PK11_FindKeyByAnyCert(cert, proto_win);
-		    if (privKey) {
-			break;
-		    }
-		    secStatus = SECFailure;
-		}
-		CERT_DestroyCertificate(cert);
-	    } /* for loop */
-	    CERT_FreeNicknames(names);
-	}
-    }
-
-    if (secStatus == SECSuccess) {
-	*pRetCert = cert;
-	*pRetKey  = privKey;
-    }
-
-    return secStatus;
-}
-
-/* Function: void myHandshakeCallback()
- *
- * Purpose: Called by SSL to inform application that the handshake is
- * complete. This function is mostly used on the server side of an SSL
- * connection, although it is provided for a client as well.
- * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake 
- * is used to initiate a handshake.
- *
- * A typical scenario would be:
- *
- * 1. Server accepts an SSL connection from the client without client auth.
- * 2. Client sends a request.
- * 3. Server determines that to service request it needs to authenticate the
- * client and initiates another handshake requesting client auth.
- * 4. While handshake is in progress, server can do other work or spin waiting
- * for the handshake to complete.
- * 5. Server is notified that handshake has been successfully completed by
- * the custom handshake callback function and it can service the client's
- * request.
- *
- * Note: This function is not implemented in this sample, as we are using
- * blocking sockets.
- */
-void
-myHandshakeCallback(PRFileDesc *socket, void *arg) 
-{
-    fprintf(stderr,"Handshake Complete: SERVER CONFIGURED CORRECTLY\n");
-}
-
-
-/**************************************************************************
-** 
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-void
-disableAllSSLCiphers(void)
-{
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
-    SECStatus       rv;
-
-    /* disable all the SSL3 cipher suites */
-    while (--i >= 0) {
-	PRUint16 suite = cipherSuites[i];
-        rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
-	if (rv != SECSuccess) {
-	    fprintf(stderr,
-		"SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
-	    	   suite, i);
-	    errWarn("SSL_CipherPrefSetDefault");
-	    exit(2);
-	}
-    }
-}
-
-/**************************************************************************
-** 
-** Error and information routines.
-**
-**************************************************************************/
-
-void
-errWarn(char *function)
-{
-    PRErrorCode  errorNumber = PR_GetError();
-    const char * errorString = SECU_Strerror(errorNumber);
-
-    fprintf(stderr, "Error in function %s: %d\n - %s\n",
-		    function, errorNumber, errorString);
-}
-
-void
-exitErr(char *function)
-{
-    errWarn(function);
-    /* Exit gracefully. */
-    /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/
-    (void) NSS_Shutdown();
-    PR_Cleanup();
-    exit(1);
-}
-
-void 
-printSecurityInfo(FILE *outfile, PRFileDesc *fd)
-{
-    char * cp;	/* bulk cipher name */
-    char * ip;	/* cert issuer DN */
-    char * sp;	/* cert subject DN */
-    int    op;	/* High, Low, Off */
-    int    kp0;	/* total key bits */
-    int    kp1;	/* secret key bits */
-    int    result;
-    SSL3Statistics * ssl3stats = SSL_GetStatistics();
-
-    if (!outfile) {
-	outfile = stdout;
-    }
-
-    result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
-    if (result != SECSuccess)
-	return;
-    fprintf(outfile,
-     "   bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
-     "   subject DN:\n %s\n"
-     "   issuer  DN:\n %s\n", cp, kp1, kp0, op, sp, ip);
-    PR_Free(cp);
-    PR_Free(ip);
-    PR_Free(sp);
-
-    fprintf(outfile,
-      "   %ld cache hits; %ld cache misses, %ld cache not reusable\n",
-	    ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
-    ssl3stats->hch_sid_cache_not_ok);
-
-}
-
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-
-void
-thread_wrapper(void * arg)
-{
-    GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg;
-    perThread *slot = &threadMGR->threads[threadMGR->index];
-
-    /* wait for parent to finish launching us before proceeding. */
-    PR_Lock(threadMGR->threadLock);
-    PR_Unlock(threadMGR->threadLock);
-
-    slot->rv = (* slot->startFunc)(slot->a, slot->b);
-
-    PR_Lock(threadMGR->threadLock);
-    slot->running = rs_zombie;
-
-    /* notify the thread exit handler. */
-    PR_NotifyCondVar(threadMGR->threadEndQ);
-
-    PR_Unlock(threadMGR->threadLock);
-}
-
-SECStatus
-launch_thread(GlobalThreadMgr *threadMGR,
-              startFn         *startFunc,
-              void            *a,
-              int              b)
-{
-    perThread *slot;
-    int        i;
-
-    if (!threadMGR->threadStartQ) {
-	threadMGR->threadLock   = PR_NewLock();
-	threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock);
-	threadMGR->threadEndQ   = PR_NewCondVar(threadMGR->threadLock);
-    }
-    PR_Lock(threadMGR->threadLock);
-    while (threadMGR->numRunning >= MAX_THREADS) {
-	PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT);
-    }
-    for (i = 0; i < threadMGR->numUsed; ++i) {
-	slot = &threadMGR->threads[i];
-	if (slot->running == rs_idle) 
-	    break;
-    }
-    if (i >= threadMGR->numUsed) {
-	if (i >= MAX_THREADS) {
-	    /* something's really wrong here. */
-	    PORT_Assert(i < MAX_THREADS);
-	    PR_Unlock(threadMGR->threadLock);
-	    return SECFailure;
-	}
-	++(threadMGR->numUsed);
-	PORT_Assert(threadMGR->numUsed == i + 1);
-	slot = &threadMGR->threads[i];
-    }
-
-    slot->a = a;
-    slot->b = b;
-    slot->startFunc = startFunc;
-
-    threadMGR->index = i;
-
-    slot->prThread = PR_CreateThread(PR_USER_THREAD,
-				     thread_wrapper, threadMGR,
-				     PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
-				     PR_JOINABLE_THREAD, 0);
-
-    if (slot->prThread == NULL) {
-	PR_Unlock(threadMGR->threadLock);
-	printf("Failed to launch thread!\n");
-	return SECFailure;
-    } 
-
-    slot->inUse   = 1;
-    slot->running = 1;
-    ++(threadMGR->numRunning);
-    PR_Unlock(threadMGR->threadLock);
-
-    return SECSuccess;
-}
-
-SECStatus 
-reap_threads(GlobalThreadMgr *threadMGR)
-{
-    perThread * slot;
-    int			i;
-
-    if (!threadMGR->threadLock)
-	return SECSuccess;
-    PR_Lock(threadMGR->threadLock);
-    while (threadMGR->numRunning > 0) {
-	PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
-	for (i = 0; i < threadMGR->numUsed; ++i) {
-	    slot = &threadMGR->threads[i];
-	    if (slot->running == rs_zombie)  {
-		/* Handle cleanup of thread here. */
-
-		/* Now make sure the thread has ended OK. */
-		PR_JoinThread(slot->prThread);
-		slot->running = rs_idle;
-		--threadMGR->numRunning;
-
-		/* notify the thread launcher. */
-		PR_NotifyCondVar(threadMGR->threadStartQ);
-	    }
-	}
-    }
-
-    /* Safety Sam sez: make sure count is right. */
-    for (i = 0; i < threadMGR->numUsed; ++i) {
-	slot = &threadMGR->threads[i];
-	if (slot->running != rs_idle)  {
-	    fprintf(stderr, "Thread in slot %d is in state %d!\n", 
-			     i, slot->running);
-	}
-    }
-    PR_Unlock(threadMGR->threadLock);
-    return SECSuccess;
-}
-
-void
-destroy_thread_data(GlobalThreadMgr *threadMGR)
-{
-    PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads));
-
-    if (threadMGR->threadEndQ) {
-	PR_DestroyCondVar(threadMGR->threadEndQ);
-	threadMGR->threadEndQ = NULL;
-    }
-    if (threadMGR->threadStartQ) {
-	PR_DestroyCondVar(threadMGR->threadStartQ);
-	threadMGR->threadStartQ = NULL;
-    }
-    if (threadMGR->threadLock) {
-	PR_DestroyLock(threadMGR->threadLock);
-	threadMGR->threadLock = NULL;
-    }
-}
-
-/**************************************************************************
-** End	 thread management routines.
-**************************************************************************/
-
-void 
-lockedVars_Init( lockedVars * lv)
-{
-    lv->count	= 0;
-    lv->waiters = 0;
-    lv->lock	= PR_NewLock();
-    lv->condVar = PR_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
-    PR_DestroyCondVar(lv->condVar);
-    lv->condVar = NULL;
-
-    PR_DestroyLock(lv->lock);
-    lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
-    PR_Lock(lv->lock);
-    while (lv->count > 0) {
-	PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
-    }
-    PR_Unlock(lv->lock);
-}
-
-int	/* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
-    int rv;
-
-    PR_Lock(lv->lock);
-    rv = lv->count += addend;
-    if (rv <= 0) {
-	PR_NotifyCondVar(lv->condVar);
-    }
-    PR_Unlock(lv->lock);
-    return rv;
-}
-
-
-/*
- * Dump cert chain in to cert.* files. This function is will
- * create collisions while dumping cert chains if called from
- * multiple treads. But it should not be a problem since we
- * consider vfyserv to be single threaded(see bug 353477).
- */
-
-void
-dumpCertChain(CERTCertificate *cert, SECCertUsage usage)
-{
-    CERTCertificateList *certList;
-    int count = 0;
-
-    certList = CERT_CertChainFromCert(cert, usage, PR_TRUE);
-    if (certList == NULL) {
-        errWarn("CERT_CertChainFromCert");
-        return;
-    }
-
-    for(count = 0; count < (unsigned int)certList->len; count++) {
-        char certFileName[16];
-        PRFileDesc *cfd;
-
-        PR_snprintf(certFileName, sizeof certFileName, "cert.%03d",
-                    count);
-        cfd = PR_Open(certFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, 
-                      0664);
-        if (!cfd) {
-            PR_fprintf(PR_STDOUT,
-                       "Error: couldn't save cert der in file '%s'\n",
-                       certFileName);
-        } else {
-            PR_Write(cfd,  certList->certs[count].data,  certList->certs[count].len);
-            PR_Close(cfd);
-            PR_fprintf(PR_STDOUT, "Cert file %s was created.\n", certFileName);
-        }
-    }
-    CERT_DestroyCertificateList(certList);
-}
diff --git a/security/nss/cmd/zlib/Makefile b/security/nss/cmd/zlib/Makefile
deleted file mode 100644
index 52596b760..000000000
--- a/security/nss/cmd/zlib/Makefile
+++ /dev/null
@@ -1,88 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
-test: $(PROGRAMS)
-	@cd $(OBJDIR); \
-	echo hello world | ./minigzip | ./minigzip -d || \
-	  echo '		*** minigzip test FAILED ***' ; \
-	if ./example; then \
-	  echo '		*** zlib test OK ***'; \
-	else \
-	  echo '		*** zlib test FAILED ***'; \
-	fi
diff --git a/security/nss/cmd/zlib/README b/security/nss/cmd/zlib/README
deleted file mode 100644
index 758cc5002..000000000
--- a/security/nss/cmd/zlib/README
+++ /dev/null
@@ -1,125 +0,0 @@
-ZLIB DATA COMPRESSION LIBRARY
-
-zlib 1.2.3 is a general purpose data compression library.  All the code is
-thread safe.  The data format used by the zlib library is described by RFCs
-(Request for Comments) 1950 to 1952 in the files
-http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format)
-and rfc1952.txt (gzip format). These documents are also available in other
-formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html
-
-All functions of the compression library are documented in the file zlib.h
-(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example
-of the library is given in the file example.c which also tests that the library
-is working correctly. Another example is given in the file minigzip.c. The
-compression library itself is composed of all source files except example.c and
-minigzip.c.
-
-To compile all files and run the test program, follow the instructions given at
-the top of Makefile. In short "make test; make install" should work for most
-machines. For Unix: "./configure; make test; make install". For MSDOS, use one
-of the special makefiles such as Makefile.msc. For VMS, use make_vms.com.
-
-Questions about zlib should be sent to <zlib@gzip.org>, or to Gilles Vollant
-<info@winimage.com> for the Windows DLL version. The zlib home page is
-http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem,
-please check this site to verify that you have the latest version of zlib;
-otherwise get the latest version and check whether the problem still exists or
-not.
-
-PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html before asking
-for help.
-
-Mark Nelson <markn@ieee.org> wrote an article about zlib for the Jan. 1997
-issue of  Dr. Dobb's Journal; a copy of the article is available in
-http://dogma.net/markn/articles/zlibtool/zlibtool.htm
-
-The changes made in version 1.2.3 are documented in the file ChangeLog.
-
-Unsupported third party contributions are provided in directory "contrib".
-
-A Java implementation of zlib is available in the Java Development Kit
-http://java.sun.com/j2se/1.4.2/docs/api/java/util/zip/package-summary.html
-See the zlib home page http://www.zlib.org for details.
-
-A Perl interface to zlib written by Paul Marquess <pmqs@cpan.org> is in the
-CPAN (Comprehensive Perl Archive Network) sites
-http://www.cpan.org/modules/by-module/Compress/
-
-A Python interface to zlib written by A.M. Kuchling <amk@amk.ca> is
-available in Python 1.5 and later versions, see
-http://www.python.org/doc/lib/module-zlib.html
-
-A zlib binding for TCL written by Andreas Kupries <a.kupries@westend.com> is
-availlable at http://www.oche.de/~akupries/soft/trf/trf_zip.html
-
-An experimental package to read and write files in .zip format, written on top
-of zlib by Gilles Vollant <info@winimage.com>, is available in the
-contrib/minizip directory of zlib.
-
-
-Notes for some targets:
-
-- For Windows DLL versions, please see win32/DLL_FAQ.txt
-
-- For 64-bit Irix, deflate.c must be compiled without any optimization. With
-  -O, one libpng test fails. The test works in 32 bit mode (with the -n32
-  compiler flag). The compiler bug has been reported to SGI.
-
-- zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1 it works
-  when compiled with cc.
-
-- On Digital Unix 4.0D (formely OSF/1) on AlphaServer, the cc option -std1 is
-  necessary to get gzprintf working correctly. This is done by configure.
-
-- zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with
-  other compilers. Use "make test" to check your compiler.
-
-- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers.
-
-- For PalmOs, see http://palmzlib.sourceforge.net/
-
-- When building a shared, i.e. dynamic library on Mac OS X, the library must be
-  installed before testing (do "make install" before "make test"), since the
-  library location is specified in the library.
-
-
-Acknowledgments:
-
-  The deflate format used by zlib was defined by Phil Katz. The deflate
-  and zlib specifications were written by L. Peter Deutsch. Thanks to all the
-  people who reported problems and suggested various improvements in zlib;
-  they are too numerous to cite here.
-
-Copyright notice:
-
- (C) 1995-2004 Jean-loup Gailly and Mark Adler
-
-  This software is provided 'as-is', without any express or implied
-  warranty.  In no event will the authors be held liable for any damages
-  arising from the use of this software.
-
-  Permission is granted to anyone to use this software for any purpose,
-  including commercial applications, and to alter it and redistribute it
-  freely, subject to the following restrictions:
-
-  1. The origin of this software must not be misrepresented; you must not
-     claim that you wrote the original software. If you use this software
-     in a product, an acknowledgment in the product documentation would be
-     appreciated but is not required.
-  2. Altered source versions must be plainly marked as such, and must not be
-     misrepresented as being the original software.
-  3. This notice may not be removed or altered from any source distribution.
-
-  Jean-loup Gailly        Mark Adler
-  jloup@gzip.org          madler@alumni.caltech.edu
-
-If you use the zlib library in a product, we would appreciate *not*
-receiving lengthy legal documents to sign. The sources are provided
-for free but without warranty of any kind.  The library has been
-entirely written by Jean-loup Gailly and Mark Adler; it does not
-include third-party code.
-
-If you redistribute modified sources, we would appreciate that you include
-in the file ChangeLog history information documenting your changes. Please
-read the FAQ for more information on the distribution of modified source
-versions.
diff --git a/security/nss/cmd/zlib/adler32.c b/security/nss/cmd/zlib/adler32.c
deleted file mode 100644
index 007ba2627..000000000
--- a/security/nss/cmd/zlib/adler32.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* adler32.c -- compute the Adler-32 checksum of a data stream
- * Copyright (C) 1995-2004 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#define ZLIB_INTERNAL
-#include "zlib.h"
-
-#define BASE 65521UL    /* largest prime smaller than 65536 */
-#define NMAX 5552
-/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */
-
-#define DO1(buf,i)  {adler += (buf)[i]; sum2 += adler;}
-#define DO2(buf,i)  DO1(buf,i); DO1(buf,i+1);
-#define DO4(buf,i)  DO2(buf,i); DO2(buf,i+2);
-#define DO8(buf,i)  DO4(buf,i); DO4(buf,i+4);
-#define DO16(buf)   DO8(buf,0); DO8(buf,8);
-
-/* use NO_DIVIDE if your processor does not do division in hardware */
-#ifdef NO_DIVIDE
-#  define MOD(a) \
-    do { \
-        if (a >= (BASE << 16)) a -= (BASE << 16); \
-        if (a >= (BASE << 15)) a -= (BASE << 15); \
-        if (a >= (BASE << 14)) a -= (BASE << 14); \
-        if (a >= (BASE << 13)) a -= (BASE << 13); \
-        if (a >= (BASE << 12)) a -= (BASE << 12); \
-        if (a >= (BASE << 11)) a -= (BASE << 11); \
-        if (a >= (BASE << 10)) a -= (BASE << 10); \
-        if (a >= (BASE << 9)) a -= (BASE << 9); \
-        if (a >= (BASE << 8)) a -= (BASE << 8); \
-        if (a >= (BASE << 7)) a -= (BASE << 7); \
-        if (a >= (BASE << 6)) a -= (BASE << 6); \
-        if (a >= (BASE << 5)) a -= (BASE << 5); \
-        if (a >= (BASE << 4)) a -= (BASE << 4); \
-        if (a >= (BASE << 3)) a -= (BASE << 3); \
-        if (a >= (BASE << 2)) a -= (BASE << 2); \
-        if (a >= (BASE << 1)) a -= (BASE << 1); \
-        if (a >= BASE) a -= BASE; \
-    } while (0)
-#  define MOD4(a) \
-    do { \
-        if (a >= (BASE << 4)) a -= (BASE << 4); \
-        if (a >= (BASE << 3)) a -= (BASE << 3); \
-        if (a >= (BASE << 2)) a -= (BASE << 2); \
-        if (a >= (BASE << 1)) a -= (BASE << 1); \
-        if (a >= BASE) a -= BASE; \
-    } while (0)
-#else
-#  define MOD(a) a %= BASE
-#  define MOD4(a) a %= BASE
-#endif
-
-/* ========================================================================= */
-uLong ZEXPORT adler32(adler, buf, len)
-    uLong adler;
-    const Bytef *buf;
-    uInt len;
-{
-    unsigned long sum2;
-    unsigned n;
-
-    /* split Adler-32 into component sums */
-    sum2 = (adler >> 16) & 0xffff;
-    adler &= 0xffff;
-
-    /* in case user likes doing a byte at a time, keep it fast */
-    if (len == 1) {
-        adler += buf[0];
-        if (adler >= BASE)
-            adler -= BASE;
-        sum2 += adler;
-        if (sum2 >= BASE)
-            sum2 -= BASE;
-        return adler | (sum2 << 16);
-    }
-
-    /* initial Adler-32 value (deferred check for len == 1 speed) */
-    if (buf == Z_NULL)
-        return 1L;
-
-    /* in case short lengths are provided, keep it somewhat fast */
-    if (len < 16) {
-        while (len--) {
-            adler += *buf++;
-            sum2 += adler;
-        }
-        if (adler >= BASE)
-            adler -= BASE;
-        MOD4(sum2);             /* only added so many BASE's */
-        return adler | (sum2 << 16);
-    }
-
-    /* do length NMAX blocks -- requires just one modulo operation */
-    while (len >= NMAX) {
-        len -= NMAX;
-        n = NMAX / 16;          /* NMAX is divisible by 16 */
-        do {
-            DO16(buf);          /* 16 sums unrolled */
-            buf += 16;
-        } while (--n);
-        MOD(adler);
-        MOD(sum2);
-    }
-
-    /* do remaining bytes (less than NMAX, still just one modulo) */
-    if (len) {                  /* avoid modulos if none remaining */
-        while (len >= 16) {
-            len -= 16;
-            DO16(buf);
-            buf += 16;
-        }
-        while (len--) {
-            adler += *buf++;
-            sum2 += adler;
-        }
-        MOD(adler);
-        MOD(sum2);
-    }
-
-    /* return recombined sums */
-    return adler | (sum2 << 16);
-}
-
-/* ========================================================================= */
-uLong ZEXPORT adler32_combine(adler1, adler2, len2)
-    uLong adler1;
-    uLong adler2;
-    z_off_t len2;
-{
-    unsigned long sum1;
-    unsigned long sum2;
-    unsigned rem;
-
-    /* the derivation of this formula is left as an exercise for the reader */
-    rem = (unsigned)(len2 % BASE);
-    sum1 = adler1 & 0xffff;
-    sum2 = rem * sum1;
-    MOD(sum2);
-    sum1 += (adler2 & 0xffff) + BASE - 1;
-    sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;
-    if (sum1 > BASE) sum1 -= BASE;
-    if (sum1 > BASE) sum1 -= BASE;
-    if (sum2 > (BASE << 1)) sum2 -= (BASE << 1);
-    if (sum2 > BASE) sum2 -= BASE;
-    return sum1 | (sum2 << 16);
-}
diff --git a/security/nss/cmd/zlib/compress.c b/security/nss/cmd/zlib/compress.c
deleted file mode 100644
index df04f0148..000000000
--- a/security/nss/cmd/zlib/compress.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/* compress.c -- compress a memory buffer
- * Copyright (C) 1995-2003 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#define ZLIB_INTERNAL
-#include "zlib.h"
-
-/* ===========================================================================
-     Compresses the source buffer into the destination buffer. The level
-   parameter has the same meaning as in deflateInit.  sourceLen is the byte
-   length of the source buffer. Upon entry, destLen is the total size of the
-   destination buffer, which must be at least 0.1% larger than sourceLen plus
-   12 bytes. Upon exit, destLen is the actual size of the compressed buffer.
-
-     compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_BUF_ERROR if there was not enough room in the output buffer,
-   Z_STREAM_ERROR if the level parameter is invalid.
-*/
-int ZEXPORT compress2 (dest, destLen, source, sourceLen, level)
-    Bytef *dest;
-    uLongf *destLen;
-    const Bytef *source;
-    uLong sourceLen;
-    int level;
-{
-    z_stream stream;
-    int err;
-
-    stream.next_in = (Bytef*)source;
-    stream.avail_in = (uInt)sourceLen;
-#ifdef MAXSEG_64K
-    /* Check for source > 64K on 16-bit machine: */
-    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
-#endif
-    stream.next_out = dest;
-    stream.avail_out = (uInt)*destLen;
-    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
-
-    stream.zalloc = (alloc_func)0;
-    stream.zfree = (free_func)0;
-    stream.opaque = (voidpf)0;
-
-    err = deflateInit(&stream, level);
-    if (err != Z_OK) return err;
-
-    err = deflate(&stream, Z_FINISH);
-    if (err != Z_STREAM_END) {
-        deflateEnd(&stream);
-        return err == Z_OK ? Z_BUF_ERROR : err;
-    }
-    *destLen = stream.total_out;
-
-    err = deflateEnd(&stream);
-    return err;
-}
-
-/* ===========================================================================
- */
-int ZEXPORT compress (dest, destLen, source, sourceLen)
-    Bytef *dest;
-    uLongf *destLen;
-    const Bytef *source;
-    uLong sourceLen;
-{
-    return compress2(dest, destLen, source, sourceLen, Z_DEFAULT_COMPRESSION);
-}
-
-/* ===========================================================================
-     If the default memLevel or windowBits for deflateInit() is changed, then
-   this function needs to be updated.
- */
-uLong ZEXPORT compressBound (sourceLen)
-    uLong sourceLen;
-{
-    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + 11;
-}
diff --git a/security/nss/cmd/zlib/config.mk b/security/nss/cmd/zlib/config.mk
deleted file mode 100644
index 5471310e2..000000000
--- a/security/nss/cmd/zlib/config.mk
+++ /dev/null
@@ -1,48 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY) $(PROGRAMS)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
-EXTRA_LIBS     = $(LIBRARY)
diff --git a/security/nss/cmd/zlib/crc32.c b/security/nss/cmd/zlib/crc32.c
deleted file mode 100644
index f658a9ef5..000000000
--- a/security/nss/cmd/zlib/crc32.c
+++ /dev/null
@@ -1,423 +0,0 @@
-/* crc32.c -- compute the CRC-32 of a data stream
- * Copyright (C) 1995-2005 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- *
- * Thanks to Rodney Brown <rbrown64@csc.com.au> for his contribution of faster
- * CRC methods: exclusive-oring 32 bits of data at a time, and pre-computing
- * tables for updating the shift register in one step with three exclusive-ors
- * instead of four steps with four exclusive-ors.  This results in about a
- * factor of two increase in speed on a Power PC G4 (PPC7455) using gcc -O3.
- */
-
-/* @(#) $Id$ */
-
-/*
-  Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore
-  protection on the static variables used to control the first-use generation
-  of the crc tables.  Therefore, if you #define DYNAMIC_CRC_TABLE, you should
-  first call get_crc_table() to initialize the tables before allowing more than
-  one thread to use crc32().
- */
-
-#ifdef MAKECRCH
-#  include <stdio.h>
-#  ifndef DYNAMIC_CRC_TABLE
-#    define DYNAMIC_CRC_TABLE
-#  endif /* !DYNAMIC_CRC_TABLE */
-#endif /* MAKECRCH */
-
-#include "zutil.h"      /* for STDC and FAR definitions */
-
-#define local static
-
-/* Find a four-byte integer type for crc32_little() and crc32_big(). */
-#ifndef NOBYFOUR
-#  ifdef STDC           /* need ANSI C limits.h to determine sizes */
-#    include <limits.h>
-#    define BYFOUR
-#    if (UINT_MAX == 0xffffffffUL)
-       typedef unsigned int u4;
-#    else
-#      if (ULONG_MAX == 0xffffffffUL)
-         typedef unsigned long u4;
-#      else
-#        if (USHRT_MAX == 0xffffffffUL)
-           typedef unsigned short u4;
-#        else
-#          undef BYFOUR     /* can't find a four-byte integer type! */
-#        endif
-#      endif
-#    endif
-#  endif /* STDC */
-#endif /* !NOBYFOUR */
-
-/* Definitions for doing the crc four data bytes at a time. */
-#ifdef BYFOUR
-#  define REV(w) (((w)>>24)+(((w)>>8)&0xff00)+ \
-                (((w)&0xff00)<<8)+(((w)&0xff)<<24))
-   local unsigned long crc32_little OF((unsigned long,
-                        const unsigned char FAR *, unsigned));
-   local unsigned long crc32_big OF((unsigned long,
-                        const unsigned char FAR *, unsigned));
-#  define TBLS 8
-#else
-#  define TBLS 1
-#endif /* BYFOUR */
-
-/* Local functions for crc concatenation */
-local unsigned long gf2_matrix_times OF((unsigned long *mat,
-                                         unsigned long vec));
-local void gf2_matrix_square OF((unsigned long *square, unsigned long *mat));
-
-#ifdef DYNAMIC_CRC_TABLE
-
-local volatile int crc_table_empty = 1;
-local unsigned long FAR crc_table[TBLS][256];
-local void make_crc_table OF((void));
-#ifdef MAKECRCH
-   local void write_table OF((FILE *, const unsigned long FAR *));
-#endif /* MAKECRCH */
-/*
-  Generate tables for a byte-wise 32-bit CRC calculation on the polynomial:
-  x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.
-
-  Polynomials over GF(2) are represented in binary, one bit per coefficient,
-  with the lowest powers in the most significant bit.  Then adding polynomials
-  is just exclusive-or, and multiplying a polynomial by x is a right shift by
-  one.  If we call the above polynomial p, and represent a byte as the
-  polynomial q, also with the lowest power in the most significant bit (so the
-  byte 0xb1 is the polynomial x^7+x^3+x+1), then the CRC is (q*x^32) mod p,
-  where a mod b means the remainder after dividing a by b.
-
-  This calculation is done using the shift-register method of multiplying and
-  taking the remainder.  The register is initialized to zero, and for each
-  incoming bit, x^32 is added mod p to the register if the bit is a one (where
-  x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by
-  x (which is shifting right by one and adding x^32 mod p if the bit shifted
-  out is a one).  We start with the highest power (least significant bit) of
-  q and repeat for all eight bits of q.
-
-  The first table is simply the CRC of all possible eight bit values.  This is
-  all the information needed to generate CRCs on data a byte at a time for all
-  combinations of CRC register values and incoming bytes.  The remaining tables
-  allow for word-at-a-time CRC calculation for both big-endian and little-
-  endian machines, where a word is four bytes.
-*/
-local void make_crc_table()
-{
-    unsigned long c;
-    int n, k;
-    unsigned long poly;                 /* polynomial exclusive-or pattern */
-    /* terms of polynomial defining this crc (except x^32): */
-    static volatile int first = 1;      /* flag to limit concurrent making */
-    static const unsigned char p[] = {0,1,2,4,5,7,8,10,11,12,16,22,23,26};
-
-    /* See if another task is already doing this (not thread-safe, but better
-       than nothing -- significantly reduces duration of vulnerability in
-       case the advice about DYNAMIC_CRC_TABLE is ignored) */
-    if (first) {
-        first = 0;
-
-        /* make exclusive-or pattern from polynomial (0xedb88320UL) */
-        poly = 0UL;
-        for (n = 0; n < sizeof(p)/sizeof(unsigned char); n++)
-            poly |= 1UL << (31 - p[n]);
-
-        /* generate a crc for every 8-bit value */
-        for (n = 0; n < 256; n++) {
-            c = (unsigned long)n;
-            for (k = 0; k < 8; k++)
-                c = c & 1 ? poly ^ (c >> 1) : c >> 1;
-            crc_table[0][n] = c;
-        }
-
-#ifdef BYFOUR
-        /* generate crc for each value followed by one, two, and three zeros,
-           and then the byte reversal of those as well as the first table */
-        for (n = 0; n < 256; n++) {
-            c = crc_table[0][n];
-            crc_table[4][n] = REV(c);
-            for (k = 1; k < 4; k++) {
-                c = crc_table[0][c & 0xff] ^ (c >> 8);
-                crc_table[k][n] = c;
-                crc_table[k + 4][n] = REV(c);
-            }
-        }
-#endif /* BYFOUR */
-
-        crc_table_empty = 0;
-    }
-    else {      /* not first */
-        /* wait for the other guy to finish (not efficient, but rare) */
-        while (crc_table_empty)
-            ;
-    }
-
-#ifdef MAKECRCH
-    /* write out CRC tables to crc32.h */
-    {
-        FILE *out;
-
-        out = fopen("crc32.h", "w");
-        if (out == NULL) return;
-        fprintf(out, "/* crc32.h -- tables for rapid CRC calculation\n");
-        fprintf(out, " * Generated automatically by crc32.c\n */\n\n");
-        fprintf(out, "local const unsigned long FAR ");
-        fprintf(out, "crc_table[TBLS][256] =\n{\n  {\n");
-        write_table(out, crc_table[0]);
-#  ifdef BYFOUR
-        fprintf(out, "#ifdef BYFOUR\n");
-        for (k = 1; k < 8; k++) {
-            fprintf(out, "  },\n  {\n");
-            write_table(out, crc_table[k]);
-        }
-        fprintf(out, "#endif\n");
-#  endif /* BYFOUR */
-        fprintf(out, "  }\n};\n");
-        fclose(out);
-    }
-#endif /* MAKECRCH */
-}
-
-#ifdef MAKECRCH
-local void write_table(out, table)
-    FILE *out;
-    const unsigned long FAR *table;
-{
-    int n;
-
-    for (n = 0; n < 256; n++)
-        fprintf(out, "%s0x%08lxUL%s", n % 5 ? "" : "    ", table[n],
-                n == 255 ? "\n" : (n % 5 == 4 ? ",\n" : ", "));
-}
-#endif /* MAKECRCH */
-
-#else /* !DYNAMIC_CRC_TABLE */
-/* ========================================================================
- * Tables of CRC-32s of all single-byte values, made by make_crc_table().
- */
-#include "crc32.h"
-#endif /* DYNAMIC_CRC_TABLE */
-
-/* =========================================================================
- * This function can be used by asm versions of crc32()
- */
-const unsigned long FAR * ZEXPORT get_crc_table()
-{
-#ifdef DYNAMIC_CRC_TABLE
-    if (crc_table_empty)
-        make_crc_table();
-#endif /* DYNAMIC_CRC_TABLE */
-    return (const unsigned long FAR *)crc_table;
-}
-
-/* ========================================================================= */
-#define DO1 crc = crc_table[0][((int)crc ^ (*buf++)) & 0xff] ^ (crc >> 8)
-#define DO8 DO1; DO1; DO1; DO1; DO1; DO1; DO1; DO1
-
-/* ========================================================================= */
-unsigned long ZEXPORT crc32(crc, buf, len)
-    unsigned long crc;
-    const unsigned char FAR *buf;
-    unsigned len;
-{
-    if (buf == Z_NULL) return 0UL;
-
-#ifdef DYNAMIC_CRC_TABLE
-    if (crc_table_empty)
-        make_crc_table();
-#endif /* DYNAMIC_CRC_TABLE */
-
-#ifdef BYFOUR
-    if (sizeof(void *) == sizeof(ptrdiff_t)) {
-        u4 endian;
-
-        endian = 1;
-        if (*((unsigned char *)(&endian)))
-            return crc32_little(crc, buf, len);
-        else
-            return crc32_big(crc, buf, len);
-    }
-#endif /* BYFOUR */
-    crc = crc ^ 0xffffffffUL;
-    while (len >= 8) {
-        DO8;
-        len -= 8;
-    }
-    if (len) do {
-        DO1;
-    } while (--len);
-    return crc ^ 0xffffffffUL;
-}
-
-#ifdef BYFOUR
-
-/* ========================================================================= */
-#define DOLIT4 c ^= *buf4++; \
-        c = crc_table[3][c & 0xff] ^ crc_table[2][(c >> 8) & 0xff] ^ \
-            crc_table[1][(c >> 16) & 0xff] ^ crc_table[0][c >> 24]
-#define DOLIT32 DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4; DOLIT4
-
-/* ========================================================================= */
-local unsigned long crc32_little(crc, buf, len)
-    unsigned long crc;
-    const unsigned char FAR *buf;
-    unsigned len;
-{
-    register u4 c;
-    register const u4 FAR *buf4;
-
-    c = (u4)crc;
-    c = ~c;
-    while (len && ((ptrdiff_t)buf & 3)) {
-        c = crc_table[0][(c ^ *buf++) & 0xff] ^ (c >> 8);
-        len--;
-    }
-
-    buf4 = (const u4 FAR *)(const void FAR *)buf;
-    while (len >= 32) {
-        DOLIT32;
-        len -= 32;
-    }
-    while (len >= 4) {
-        DOLIT4;
-        len -= 4;
-    }
-    buf = (const unsigned char FAR *)buf4;
-
-    if (len) do {
-        c = crc_table[0][(c ^ *buf++) & 0xff] ^ (c >> 8);
-    } while (--len);
-    c = ~c;
-    return (unsigned long)c;
-}
-
-/* ========================================================================= */
-#define DOBIG4 c ^= *++buf4; \
-        c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
-            crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
-#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
-
-/* ========================================================================= */
-local unsigned long crc32_big(crc, buf, len)
-    unsigned long crc;
-    const unsigned char FAR *buf;
-    unsigned len;
-{
-    register u4 c;
-    register const u4 FAR *buf4;
-
-    c = REV((u4)crc);
-    c = ~c;
-    while (len && ((ptrdiff_t)buf & 3)) {
-        c = crc_table[4][(c >> 24) ^ *buf++] ^ (c << 8);
-        len--;
-    }
-
-    buf4 = (const u4 FAR *)(const void FAR *)buf;
-    buf4--;
-    while (len >= 32) {
-        DOBIG32;
-        len -= 32;
-    }
-    while (len >= 4) {
-        DOBIG4;
-        len -= 4;
-    }
-    buf4++;
-    buf = (const unsigned char FAR *)buf4;
-
-    if (len) do {
-        c = crc_table[4][(c >> 24) ^ *buf++] ^ (c << 8);
-    } while (--len);
-    c = ~c;
-    return (unsigned long)(REV(c));
-}
-
-#endif /* BYFOUR */
-
-#define GF2_DIM 32      /* dimension of GF(2) vectors (length of CRC) */
-
-/* ========================================================================= */
-local unsigned long gf2_matrix_times(mat, vec)
-    unsigned long *mat;
-    unsigned long vec;
-{
-    unsigned long sum;
-
-    sum = 0;
-    while (vec) {
-        if (vec & 1)
-            sum ^= *mat;
-        vec >>= 1;
-        mat++;
-    }
-    return sum;
-}
-
-/* ========================================================================= */
-local void gf2_matrix_square(square, mat)
-    unsigned long *square;
-    unsigned long *mat;
-{
-    int n;
-
-    for (n = 0; n < GF2_DIM; n++)
-        square[n] = gf2_matrix_times(mat, mat[n]);
-}
-
-/* ========================================================================= */
-uLong ZEXPORT crc32_combine(crc1, crc2, len2)
-    uLong crc1;
-    uLong crc2;
-    z_off_t len2;
-{
-    int n;
-    unsigned long row;
-    unsigned long even[GF2_DIM];    /* even-power-of-two zeros operator */
-    unsigned long odd[GF2_DIM];     /* odd-power-of-two zeros operator */
-
-    /* degenerate case */
-    if (len2 == 0)
-        return crc1;
-
-    /* put operator for one zero bit in odd */
-    odd[0] = 0xedb88320L;           /* CRC-32 polynomial */
-    row = 1;
-    for (n = 1; n < GF2_DIM; n++) {
-        odd[n] = row;
-        row <<= 1;
-    }
-
-    /* put operator for two zero bits in even */
-    gf2_matrix_square(even, odd);
-
-    /* put operator for four zero bits in odd */
-    gf2_matrix_square(odd, even);
-
-    /* apply len2 zeros to crc1 (first square will put the operator for one
-       zero byte, eight zero bits, in even) */
-    do {
-        /* apply zeros operator for this bit of len2 */
-        gf2_matrix_square(even, odd);
-        if (len2 & 1)
-            crc1 = gf2_matrix_times(even, crc1);
-        len2 >>= 1;
-
-        /* if no more bits set, then done */
-        if (len2 == 0)
-            break;
-
-        /* another iteration of the loop with odd and even swapped */
-        gf2_matrix_square(odd, even);
-        if (len2 & 1)
-            crc1 = gf2_matrix_times(odd, crc1);
-        len2 >>= 1;
-
-        /* if no more bits set, then done */
-    } while (len2 != 0);
-
-    /* return combined crc */
-    crc1 ^= crc2;
-    return crc1;
-}
diff --git a/security/nss/cmd/zlib/crc32.h b/security/nss/cmd/zlib/crc32.h
deleted file mode 100644
index 8053b6117..000000000
--- a/security/nss/cmd/zlib/crc32.h
+++ /dev/null
@@ -1,441 +0,0 @@
-/* crc32.h -- tables for rapid CRC calculation
- * Generated automatically by crc32.c
- */
-
-local const unsigned long FAR crc_table[TBLS][256] =
-{
-  {
-    0x00000000UL, 0x77073096UL, 0xee0e612cUL, 0x990951baUL, 0x076dc419UL,
-    0x706af48fUL, 0xe963a535UL, 0x9e6495a3UL, 0x0edb8832UL, 0x79dcb8a4UL,
-    0xe0d5e91eUL, 0x97d2d988UL, 0x09b64c2bUL, 0x7eb17cbdUL, 0xe7b82d07UL,
-    0x90bf1d91UL, 0x1db71064UL, 0x6ab020f2UL, 0xf3b97148UL, 0x84be41deUL,
-    0x1adad47dUL, 0x6ddde4ebUL, 0xf4d4b551UL, 0x83d385c7UL, 0x136c9856UL,
-    0x646ba8c0UL, 0xfd62f97aUL, 0x8a65c9ecUL, 0x14015c4fUL, 0x63066cd9UL,
-    0xfa0f3d63UL, 0x8d080df5UL, 0x3b6e20c8UL, 0x4c69105eUL, 0xd56041e4UL,
-    0xa2677172UL, 0x3c03e4d1UL, 0x4b04d447UL, 0xd20d85fdUL, 0xa50ab56bUL,
-    0x35b5a8faUL, 0x42b2986cUL, 0xdbbbc9d6UL, 0xacbcf940UL, 0x32d86ce3UL,
-    0x45df5c75UL, 0xdcd60dcfUL, 0xabd13d59UL, 0x26d930acUL, 0x51de003aUL,
-    0xc8d75180UL, 0xbfd06116UL, 0x21b4f4b5UL, 0x56b3c423UL, 0xcfba9599UL,
-    0xb8bda50fUL, 0x2802b89eUL, 0x5f058808UL, 0xc60cd9b2UL, 0xb10be924UL,
-    0x2f6f7c87UL, 0x58684c11UL, 0xc1611dabUL, 0xb6662d3dUL, 0x76dc4190UL,
-    0x01db7106UL, 0x98d220bcUL, 0xefd5102aUL, 0x71b18589UL, 0x06b6b51fUL,
-    0x9fbfe4a5UL, 0xe8b8d433UL, 0x7807c9a2UL, 0x0f00f934UL, 0x9609a88eUL,
-    0xe10e9818UL, 0x7f6a0dbbUL, 0x086d3d2dUL, 0x91646c97UL, 0xe6635c01UL,
-    0x6b6b51f4UL, 0x1c6c6162UL, 0x856530d8UL, 0xf262004eUL, 0x6c0695edUL,
-    0x1b01a57bUL, 0x8208f4c1UL, 0xf50fc457UL, 0x65b0d9c6UL, 0x12b7e950UL,
-    0x8bbeb8eaUL, 0xfcb9887cUL, 0x62dd1ddfUL, 0x15da2d49UL, 0x8cd37cf3UL,
-    0xfbd44c65UL, 0x4db26158UL, 0x3ab551ceUL, 0xa3bc0074UL, 0xd4bb30e2UL,
-    0x4adfa541UL, 0x3dd895d7UL, 0xa4d1c46dUL, 0xd3d6f4fbUL, 0x4369e96aUL,
-    0x346ed9fcUL, 0xad678846UL, 0xda60b8d0UL, 0x44042d73UL, 0x33031de5UL,
-    0xaa0a4c5fUL, 0xdd0d7cc9UL, 0x5005713cUL, 0x270241aaUL, 0xbe0b1010UL,
-    0xc90c2086UL, 0x5768b525UL, 0x206f85b3UL, 0xb966d409UL, 0xce61e49fUL,
-    0x5edef90eUL, 0x29d9c998UL, 0xb0d09822UL, 0xc7d7a8b4UL, 0x59b33d17UL,
-    0x2eb40d81UL, 0xb7bd5c3bUL, 0xc0ba6cadUL, 0xedb88320UL, 0x9abfb3b6UL,
-    0x03b6e20cUL, 0x74b1d29aUL, 0xead54739UL, 0x9dd277afUL, 0x04db2615UL,
-    0x73dc1683UL, 0xe3630b12UL, 0x94643b84UL, 0x0d6d6a3eUL, 0x7a6a5aa8UL,
-    0xe40ecf0bUL, 0x9309ff9dUL, 0x0a00ae27UL, 0x7d079eb1UL, 0xf00f9344UL,
-    0x8708a3d2UL, 0x1e01f268UL, 0x6906c2feUL, 0xf762575dUL, 0x806567cbUL,
-    0x196c3671UL, 0x6e6b06e7UL, 0xfed41b76UL, 0x89d32be0UL, 0x10da7a5aUL,
-    0x67dd4accUL, 0xf9b9df6fUL, 0x8ebeeff9UL, 0x17b7be43UL, 0x60b08ed5UL,
-    0xd6d6a3e8UL, 0xa1d1937eUL, 0x38d8c2c4UL, 0x4fdff252UL, 0xd1bb67f1UL,
-    0xa6bc5767UL, 0x3fb506ddUL, 0x48b2364bUL, 0xd80d2bdaUL, 0xaf0a1b4cUL,
-    0x36034af6UL, 0x41047a60UL, 0xdf60efc3UL, 0xa867df55UL, 0x316e8eefUL,
-    0x4669be79UL, 0xcb61b38cUL, 0xbc66831aUL, 0x256fd2a0UL, 0x5268e236UL,
-    0xcc0c7795UL, 0xbb0b4703UL, 0x220216b9UL, 0x5505262fUL, 0xc5ba3bbeUL,
-    0xb2bd0b28UL, 0x2bb45a92UL, 0x5cb36a04UL, 0xc2d7ffa7UL, 0xb5d0cf31UL,
-    0x2cd99e8bUL, 0x5bdeae1dUL, 0x9b64c2b0UL, 0xec63f226UL, 0x756aa39cUL,
-    0x026d930aUL, 0x9c0906a9UL, 0xeb0e363fUL, 0x72076785UL, 0x05005713UL,
-    0x95bf4a82UL, 0xe2b87a14UL, 0x7bb12baeUL, 0x0cb61b38UL, 0x92d28e9bUL,
-    0xe5d5be0dUL, 0x7cdcefb7UL, 0x0bdbdf21UL, 0x86d3d2d4UL, 0xf1d4e242UL,
-    0x68ddb3f8UL, 0x1fda836eUL, 0x81be16cdUL, 0xf6b9265bUL, 0x6fb077e1UL,
-    0x18b74777UL, 0x88085ae6UL, 0xff0f6a70UL, 0x66063bcaUL, 0x11010b5cUL,
-    0x8f659effUL, 0xf862ae69UL, 0x616bffd3UL, 0x166ccf45UL, 0xa00ae278UL,
-    0xd70dd2eeUL, 0x4e048354UL, 0x3903b3c2UL, 0xa7672661UL, 0xd06016f7UL,
-    0x4969474dUL, 0x3e6e77dbUL, 0xaed16a4aUL, 0xd9d65adcUL, 0x40df0b66UL,
-    0x37d83bf0UL, 0xa9bcae53UL, 0xdebb9ec5UL, 0x47b2cf7fUL, 0x30b5ffe9UL,
-    0xbdbdf21cUL, 0xcabac28aUL, 0x53b39330UL, 0x24b4a3a6UL, 0xbad03605UL,
-    0xcdd70693UL, 0x54de5729UL, 0x23d967bfUL, 0xb3667a2eUL, 0xc4614ab8UL,
-    0x5d681b02UL, 0x2a6f2b94UL, 0xb40bbe37UL, 0xc30c8ea1UL, 0x5a05df1bUL,
-    0x2d02ef8dUL
-#ifdef BYFOUR
-  },
-  {
-    0x00000000UL, 0x191b3141UL, 0x32366282UL, 0x2b2d53c3UL, 0x646cc504UL,
-    0x7d77f445UL, 0x565aa786UL, 0x4f4196c7UL, 0xc8d98a08UL, 0xd1c2bb49UL,
-    0xfaefe88aUL, 0xe3f4d9cbUL, 0xacb54f0cUL, 0xb5ae7e4dUL, 0x9e832d8eUL,
-    0x87981ccfUL, 0x4ac21251UL, 0x53d92310UL, 0x78f470d3UL, 0x61ef4192UL,
-    0x2eaed755UL, 0x37b5e614UL, 0x1c98b5d7UL, 0x05838496UL, 0x821b9859UL,
-    0x9b00a918UL, 0xb02dfadbUL, 0xa936cb9aUL, 0xe6775d5dUL, 0xff6c6c1cUL,
-    0xd4413fdfUL, 0xcd5a0e9eUL, 0x958424a2UL, 0x8c9f15e3UL, 0xa7b24620UL,
-    0xbea97761UL, 0xf1e8e1a6UL, 0xe8f3d0e7UL, 0xc3de8324UL, 0xdac5b265UL,
-    0x5d5daeaaUL, 0x44469febUL, 0x6f6bcc28UL, 0x7670fd69UL, 0x39316baeUL,
-    0x202a5aefUL, 0x0b07092cUL, 0x121c386dUL, 0xdf4636f3UL, 0xc65d07b2UL,
-    0xed705471UL, 0xf46b6530UL, 0xbb2af3f7UL, 0xa231c2b6UL, 0x891c9175UL,
-    0x9007a034UL, 0x179fbcfbUL, 0x0e848dbaUL, 0x25a9de79UL, 0x3cb2ef38UL,
-    0x73f379ffUL, 0x6ae848beUL, 0x41c51b7dUL, 0x58de2a3cUL, 0xf0794f05UL,
-    0xe9627e44UL, 0xc24f2d87UL, 0xdb541cc6UL, 0x94158a01UL, 0x8d0ebb40UL,
-    0xa623e883UL, 0xbf38d9c2UL, 0x38a0c50dUL, 0x21bbf44cUL, 0x0a96a78fUL,
-    0x138d96ceUL, 0x5ccc0009UL, 0x45d73148UL, 0x6efa628bUL, 0x77e153caUL,
-    0xbabb5d54UL, 0xa3a06c15UL, 0x888d3fd6UL, 0x91960e97UL, 0xded79850UL,
-    0xc7cca911UL, 0xece1fad2UL, 0xf5facb93UL, 0x7262d75cUL, 0x6b79e61dUL,
-    0x4054b5deUL, 0x594f849fUL, 0x160e1258UL, 0x0f152319UL, 0x243870daUL,
-    0x3d23419bUL, 0x65fd6ba7UL, 0x7ce65ae6UL, 0x57cb0925UL, 0x4ed03864UL,
-    0x0191aea3UL, 0x188a9fe2UL, 0x33a7cc21UL, 0x2abcfd60UL, 0xad24e1afUL,
-    0xb43fd0eeUL, 0x9f12832dUL, 0x8609b26cUL, 0xc94824abUL, 0xd05315eaUL,
-    0xfb7e4629UL, 0xe2657768UL, 0x2f3f79f6UL, 0x362448b7UL, 0x1d091b74UL,
-    0x04122a35UL, 0x4b53bcf2UL, 0x52488db3UL, 0x7965de70UL, 0x607eef31UL,
-    0xe7e6f3feUL, 0xfefdc2bfUL, 0xd5d0917cUL, 0xcccba03dUL, 0x838a36faUL,
-    0x9a9107bbUL, 0xb1bc5478UL, 0xa8a76539UL, 0x3b83984bUL, 0x2298a90aUL,
-    0x09b5fac9UL, 0x10aecb88UL, 0x5fef5d4fUL, 0x46f46c0eUL, 0x6dd93fcdUL,
-    0x74c20e8cUL, 0xf35a1243UL, 0xea412302UL, 0xc16c70c1UL, 0xd8774180UL,
-    0x9736d747UL, 0x8e2de606UL, 0xa500b5c5UL, 0xbc1b8484UL, 0x71418a1aUL,
-    0x685abb5bUL, 0x4377e898UL, 0x5a6cd9d9UL, 0x152d4f1eUL, 0x0c367e5fUL,
-    0x271b2d9cUL, 0x3e001cddUL, 0xb9980012UL, 0xa0833153UL, 0x8bae6290UL,
-    0x92b553d1UL, 0xddf4c516UL, 0xc4eff457UL, 0xefc2a794UL, 0xf6d996d5UL,
-    0xae07bce9UL, 0xb71c8da8UL, 0x9c31de6bUL, 0x852aef2aUL, 0xca6b79edUL,
-    0xd37048acUL, 0xf85d1b6fUL, 0xe1462a2eUL, 0x66de36e1UL, 0x7fc507a0UL,
-    0x54e85463UL, 0x4df36522UL, 0x02b2f3e5UL, 0x1ba9c2a4UL, 0x30849167UL,
-    0x299fa026UL, 0xe4c5aeb8UL, 0xfdde9ff9UL, 0xd6f3cc3aUL, 0xcfe8fd7bUL,
-    0x80a96bbcUL, 0x99b25afdUL, 0xb29f093eUL, 0xab84387fUL, 0x2c1c24b0UL,
-    0x350715f1UL, 0x1e2a4632UL, 0x07317773UL, 0x4870e1b4UL, 0x516bd0f5UL,
-    0x7a468336UL, 0x635db277UL, 0xcbfad74eUL, 0xd2e1e60fUL, 0xf9ccb5ccUL,
-    0xe0d7848dUL, 0xaf96124aUL, 0xb68d230bUL, 0x9da070c8UL, 0x84bb4189UL,
-    0x03235d46UL, 0x1a386c07UL, 0x31153fc4UL, 0x280e0e85UL, 0x674f9842UL,
-    0x7e54a903UL, 0x5579fac0UL, 0x4c62cb81UL, 0x8138c51fUL, 0x9823f45eUL,
-    0xb30ea79dUL, 0xaa1596dcUL, 0xe554001bUL, 0xfc4f315aUL, 0xd7626299UL,
-    0xce7953d8UL, 0x49e14f17UL, 0x50fa7e56UL, 0x7bd72d95UL, 0x62cc1cd4UL,
-    0x2d8d8a13UL, 0x3496bb52UL, 0x1fbbe891UL, 0x06a0d9d0UL, 0x5e7ef3ecUL,
-    0x4765c2adUL, 0x6c48916eUL, 0x7553a02fUL, 0x3a1236e8UL, 0x230907a9UL,
-    0x0824546aUL, 0x113f652bUL, 0x96a779e4UL, 0x8fbc48a5UL, 0xa4911b66UL,
-    0xbd8a2a27UL, 0xf2cbbce0UL, 0xebd08da1UL, 0xc0fdde62UL, 0xd9e6ef23UL,
-    0x14bce1bdUL, 0x0da7d0fcUL, 0x268a833fUL, 0x3f91b27eUL, 0x70d024b9UL,
-    0x69cb15f8UL, 0x42e6463bUL, 0x5bfd777aUL, 0xdc656bb5UL, 0xc57e5af4UL,
-    0xee530937UL, 0xf7483876UL, 0xb809aeb1UL, 0xa1129ff0UL, 0x8a3fcc33UL,
-    0x9324fd72UL
-  },
-  {
-    0x00000000UL, 0x01c26a37UL, 0x0384d46eUL, 0x0246be59UL, 0x0709a8dcUL,
-    0x06cbc2ebUL, 0x048d7cb2UL, 0x054f1685UL, 0x0e1351b8UL, 0x0fd13b8fUL,
-    0x0d9785d6UL, 0x0c55efe1UL, 0x091af964UL, 0x08d89353UL, 0x0a9e2d0aUL,
-    0x0b5c473dUL, 0x1c26a370UL, 0x1de4c947UL, 0x1fa2771eUL, 0x1e601d29UL,
-    0x1b2f0bacUL, 0x1aed619bUL, 0x18abdfc2UL, 0x1969b5f5UL, 0x1235f2c8UL,
-    0x13f798ffUL, 0x11b126a6UL, 0x10734c91UL, 0x153c5a14UL, 0x14fe3023UL,
-    0x16b88e7aUL, 0x177ae44dUL, 0x384d46e0UL, 0x398f2cd7UL, 0x3bc9928eUL,
-    0x3a0bf8b9UL, 0x3f44ee3cUL, 0x3e86840bUL, 0x3cc03a52UL, 0x3d025065UL,
-    0x365e1758UL, 0x379c7d6fUL, 0x35dac336UL, 0x3418a901UL, 0x3157bf84UL,
-    0x3095d5b3UL, 0x32d36beaUL, 0x331101ddUL, 0x246be590UL, 0x25a98fa7UL,
-    0x27ef31feUL, 0x262d5bc9UL, 0x23624d4cUL, 0x22a0277bUL, 0x20e69922UL,
-    0x2124f315UL, 0x2a78b428UL, 0x2bbade1fUL, 0x29fc6046UL, 0x283e0a71UL,
-    0x2d711cf4UL, 0x2cb376c3UL, 0x2ef5c89aUL, 0x2f37a2adUL, 0x709a8dc0UL,
-    0x7158e7f7UL, 0x731e59aeUL, 0x72dc3399UL, 0x7793251cUL, 0x76514f2bUL,
-    0x7417f172UL, 0x75d59b45UL, 0x7e89dc78UL, 0x7f4bb64fUL, 0x7d0d0816UL,
-    0x7ccf6221UL, 0x798074a4UL, 0x78421e93UL, 0x7a04a0caUL, 0x7bc6cafdUL,
-    0x6cbc2eb0UL, 0x6d7e4487UL, 0x6f38fadeUL, 0x6efa90e9UL, 0x6bb5866cUL,
-    0x6a77ec5bUL, 0x68315202UL, 0x69f33835UL, 0x62af7f08UL, 0x636d153fUL,
-    0x612bab66UL, 0x60e9c151UL, 0x65a6d7d4UL, 0x6464bde3UL, 0x662203baUL,
-    0x67e0698dUL, 0x48d7cb20UL, 0x4915a117UL, 0x4b531f4eUL, 0x4a917579UL,
-    0x4fde63fcUL, 0x4e1c09cbUL, 0x4c5ab792UL, 0x4d98dda5UL, 0x46c49a98UL,
-    0x4706f0afUL, 0x45404ef6UL, 0x448224c1UL, 0x41cd3244UL, 0x400f5873UL,
-    0x4249e62aUL, 0x438b8c1dUL, 0x54f16850UL, 0x55330267UL, 0x5775bc3eUL,
-    0x56b7d609UL, 0x53f8c08cUL, 0x523aaabbUL, 0x507c14e2UL, 0x51be7ed5UL,
-    0x5ae239e8UL, 0x5b2053dfUL, 0x5966ed86UL, 0x58a487b1UL, 0x5deb9134UL,
-    0x5c29fb03UL, 0x5e6f455aUL, 0x5fad2f6dUL, 0xe1351b80UL, 0xe0f771b7UL,
-    0xe2b1cfeeUL, 0xe373a5d9UL, 0xe63cb35cUL, 0xe7fed96bUL, 0xe5b86732UL,
-    0xe47a0d05UL, 0xef264a38UL, 0xeee4200fUL, 0xeca29e56UL, 0xed60f461UL,
-    0xe82fe2e4UL, 0xe9ed88d3UL, 0xebab368aUL, 0xea695cbdUL, 0xfd13b8f0UL,
-    0xfcd1d2c7UL, 0xfe976c9eUL, 0xff5506a9UL, 0xfa1a102cUL, 0xfbd87a1bUL,
-    0xf99ec442UL, 0xf85cae75UL, 0xf300e948UL, 0xf2c2837fUL, 0xf0843d26UL,
-    0xf1465711UL, 0xf4094194UL, 0xf5cb2ba3UL, 0xf78d95faUL, 0xf64fffcdUL,
-    0xd9785d60UL, 0xd8ba3757UL, 0xdafc890eUL, 0xdb3ee339UL, 0xde71f5bcUL,
-    0xdfb39f8bUL, 0xddf521d2UL, 0xdc374be5UL, 0xd76b0cd8UL, 0xd6a966efUL,
-    0xd4efd8b6UL, 0xd52db281UL, 0xd062a404UL, 0xd1a0ce33UL, 0xd3e6706aUL,
-    0xd2241a5dUL, 0xc55efe10UL, 0xc49c9427UL, 0xc6da2a7eUL, 0xc7184049UL,
-    0xc25756ccUL, 0xc3953cfbUL, 0xc1d382a2UL, 0xc011e895UL, 0xcb4dafa8UL,
-    0xca8fc59fUL, 0xc8c97bc6UL, 0xc90b11f1UL, 0xcc440774UL, 0xcd866d43UL,
-    0xcfc0d31aUL, 0xce02b92dUL, 0x91af9640UL, 0x906dfc77UL, 0x922b422eUL,
-    0x93e92819UL, 0x96a63e9cUL, 0x976454abUL, 0x9522eaf2UL, 0x94e080c5UL,
-    0x9fbcc7f8UL, 0x9e7eadcfUL, 0x9c381396UL, 0x9dfa79a1UL, 0x98b56f24UL,
-    0x99770513UL, 0x9b31bb4aUL, 0x9af3d17dUL, 0x8d893530UL, 0x8c4b5f07UL,
-    0x8e0de15eUL, 0x8fcf8b69UL, 0x8a809decUL, 0x8b42f7dbUL, 0x89044982UL,
-    0x88c623b5UL, 0x839a6488UL, 0x82580ebfUL, 0x801eb0e6UL, 0x81dcdad1UL,
-    0x8493cc54UL, 0x8551a663UL, 0x8717183aUL, 0x86d5720dUL, 0xa9e2d0a0UL,
-    0xa820ba97UL, 0xaa6604ceUL, 0xaba46ef9UL, 0xaeeb787cUL, 0xaf29124bUL,
-    0xad6fac12UL, 0xacadc625UL, 0xa7f18118UL, 0xa633eb2fUL, 0xa4755576UL,
-    0xa5b73f41UL, 0xa0f829c4UL, 0xa13a43f3UL, 0xa37cfdaaUL, 0xa2be979dUL,
-    0xb5c473d0UL, 0xb40619e7UL, 0xb640a7beUL, 0xb782cd89UL, 0xb2cddb0cUL,
-    0xb30fb13bUL, 0xb1490f62UL, 0xb08b6555UL, 0xbbd72268UL, 0xba15485fUL,
-    0xb853f606UL, 0xb9919c31UL, 0xbcde8ab4UL, 0xbd1ce083UL, 0xbf5a5edaUL,
-    0xbe9834edUL
-  },
-  {
-    0x00000000UL, 0xb8bc6765UL, 0xaa09c88bUL, 0x12b5afeeUL, 0x8f629757UL,
-    0x37def032UL, 0x256b5fdcUL, 0x9dd738b9UL, 0xc5b428efUL, 0x7d084f8aUL,
-    0x6fbde064UL, 0xd7018701UL, 0x4ad6bfb8UL, 0xf26ad8ddUL, 0xe0df7733UL,
-    0x58631056UL, 0x5019579fUL, 0xe8a530faUL, 0xfa109f14UL, 0x42acf871UL,
-    0xdf7bc0c8UL, 0x67c7a7adUL, 0x75720843UL, 0xcdce6f26UL, 0x95ad7f70UL,
-    0x2d111815UL, 0x3fa4b7fbUL, 0x8718d09eUL, 0x1acfe827UL, 0xa2738f42UL,
-    0xb0c620acUL, 0x087a47c9UL, 0xa032af3eUL, 0x188ec85bUL, 0x0a3b67b5UL,
-    0xb28700d0UL, 0x2f503869UL, 0x97ec5f0cUL, 0x8559f0e2UL, 0x3de59787UL,
-    0x658687d1UL, 0xdd3ae0b4UL, 0xcf8f4f5aUL, 0x7733283fUL, 0xeae41086UL,
-    0x525877e3UL, 0x40edd80dUL, 0xf851bf68UL, 0xf02bf8a1UL, 0x48979fc4UL,
-    0x5a22302aUL, 0xe29e574fUL, 0x7f496ff6UL, 0xc7f50893UL, 0xd540a77dUL,
-    0x6dfcc018UL, 0x359fd04eUL, 0x8d23b72bUL, 0x9f9618c5UL, 0x272a7fa0UL,
-    0xbafd4719UL, 0x0241207cUL, 0x10f48f92UL, 0xa848e8f7UL, 0x9b14583dUL,
-    0x23a83f58UL, 0x311d90b6UL, 0x89a1f7d3UL, 0x1476cf6aUL, 0xaccaa80fUL,
-    0xbe7f07e1UL, 0x06c36084UL, 0x5ea070d2UL, 0xe61c17b7UL, 0xf4a9b859UL,
-    0x4c15df3cUL, 0xd1c2e785UL, 0x697e80e0UL, 0x7bcb2f0eUL, 0xc377486bUL,
-    0xcb0d0fa2UL, 0x73b168c7UL, 0x6104c729UL, 0xd9b8a04cUL, 0x446f98f5UL,
-    0xfcd3ff90UL, 0xee66507eUL, 0x56da371bUL, 0x0eb9274dUL, 0xb6054028UL,
-    0xa4b0efc6UL, 0x1c0c88a3UL, 0x81dbb01aUL, 0x3967d77fUL, 0x2bd27891UL,
-    0x936e1ff4UL, 0x3b26f703UL, 0x839a9066UL, 0x912f3f88UL, 0x299358edUL,
-    0xb4446054UL, 0x0cf80731UL, 0x1e4da8dfUL, 0xa6f1cfbaUL, 0xfe92dfecUL,
-    0x462eb889UL, 0x549b1767UL, 0xec277002UL, 0x71f048bbUL, 0xc94c2fdeUL,
-    0xdbf98030UL, 0x6345e755UL, 0x6b3fa09cUL, 0xd383c7f9UL, 0xc1366817UL,
-    0x798a0f72UL, 0xe45d37cbUL, 0x5ce150aeUL, 0x4e54ff40UL, 0xf6e89825UL,
-    0xae8b8873UL, 0x1637ef16UL, 0x048240f8UL, 0xbc3e279dUL, 0x21e91f24UL,
-    0x99557841UL, 0x8be0d7afUL, 0x335cb0caUL, 0xed59b63bUL, 0x55e5d15eUL,
-    0x47507eb0UL, 0xffec19d5UL, 0x623b216cUL, 0xda874609UL, 0xc832e9e7UL,
-    0x708e8e82UL, 0x28ed9ed4UL, 0x9051f9b1UL, 0x82e4565fUL, 0x3a58313aUL,
-    0xa78f0983UL, 0x1f336ee6UL, 0x0d86c108UL, 0xb53aa66dUL, 0xbd40e1a4UL,
-    0x05fc86c1UL, 0x1749292fUL, 0xaff54e4aUL, 0x322276f3UL, 0x8a9e1196UL,
-    0x982bbe78UL, 0x2097d91dUL, 0x78f4c94bUL, 0xc048ae2eUL, 0xd2fd01c0UL,
-    0x6a4166a5UL, 0xf7965e1cUL, 0x4f2a3979UL, 0x5d9f9697UL, 0xe523f1f2UL,
-    0x4d6b1905UL, 0xf5d77e60UL, 0xe762d18eUL, 0x5fdeb6ebUL, 0xc2098e52UL,
-    0x7ab5e937UL, 0x680046d9UL, 0xd0bc21bcUL, 0x88df31eaUL, 0x3063568fUL,
-    0x22d6f961UL, 0x9a6a9e04UL, 0x07bda6bdUL, 0xbf01c1d8UL, 0xadb46e36UL,
-    0x15080953UL, 0x1d724e9aUL, 0xa5ce29ffUL, 0xb77b8611UL, 0x0fc7e174UL,
-    0x9210d9cdUL, 0x2aacbea8UL, 0x38191146UL, 0x80a57623UL, 0xd8c66675UL,
-    0x607a0110UL, 0x72cfaefeUL, 0xca73c99bUL, 0x57a4f122UL, 0xef189647UL,
-    0xfdad39a9UL, 0x45115eccUL, 0x764dee06UL, 0xcef18963UL, 0xdc44268dUL,
-    0x64f841e8UL, 0xf92f7951UL, 0x41931e34UL, 0x5326b1daUL, 0xeb9ad6bfUL,
-    0xb3f9c6e9UL, 0x0b45a18cUL, 0x19f00e62UL, 0xa14c6907UL, 0x3c9b51beUL,
-    0x842736dbUL, 0x96929935UL, 0x2e2efe50UL, 0x2654b999UL, 0x9ee8defcUL,
-    0x8c5d7112UL, 0x34e11677UL, 0xa9362eceUL, 0x118a49abUL, 0x033fe645UL,
-    0xbb838120UL, 0xe3e09176UL, 0x5b5cf613UL, 0x49e959fdUL, 0xf1553e98UL,
-    0x6c820621UL, 0xd43e6144UL, 0xc68bceaaUL, 0x7e37a9cfUL, 0xd67f4138UL,
-    0x6ec3265dUL, 0x7c7689b3UL, 0xc4caeed6UL, 0x591dd66fUL, 0xe1a1b10aUL,
-    0xf3141ee4UL, 0x4ba87981UL, 0x13cb69d7UL, 0xab770eb2UL, 0xb9c2a15cUL,
-    0x017ec639UL, 0x9ca9fe80UL, 0x241599e5UL, 0x36a0360bUL, 0x8e1c516eUL,
-    0x866616a7UL, 0x3eda71c2UL, 0x2c6fde2cUL, 0x94d3b949UL, 0x090481f0UL,
-    0xb1b8e695UL, 0xa30d497bUL, 0x1bb12e1eUL, 0x43d23e48UL, 0xfb6e592dUL,
-    0xe9dbf6c3UL, 0x516791a6UL, 0xccb0a91fUL, 0x740cce7aUL, 0x66b96194UL,
-    0xde0506f1UL
-  },
-  {
-    0x00000000UL, 0x96300777UL, 0x2c610eeeUL, 0xba510999UL, 0x19c46d07UL,
-    0x8ff46a70UL, 0x35a563e9UL, 0xa395649eUL, 0x3288db0eUL, 0xa4b8dc79UL,
-    0x1ee9d5e0UL, 0x88d9d297UL, 0x2b4cb609UL, 0xbd7cb17eUL, 0x072db8e7UL,
-    0x911dbf90UL, 0x6410b71dUL, 0xf220b06aUL, 0x4871b9f3UL, 0xde41be84UL,
-    0x7dd4da1aUL, 0xebe4dd6dUL, 0x51b5d4f4UL, 0xc785d383UL, 0x56986c13UL,
-    0xc0a86b64UL, 0x7af962fdUL, 0xecc9658aUL, 0x4f5c0114UL, 0xd96c0663UL,
-    0x633d0ffaUL, 0xf50d088dUL, 0xc8206e3bUL, 0x5e10694cUL, 0xe44160d5UL,
-    0x727167a2UL, 0xd1e4033cUL, 0x47d4044bUL, 0xfd850dd2UL, 0x6bb50aa5UL,
-    0xfaa8b535UL, 0x6c98b242UL, 0xd6c9bbdbUL, 0x40f9bcacUL, 0xe36cd832UL,
-    0x755cdf45UL, 0xcf0dd6dcUL, 0x593dd1abUL, 0xac30d926UL, 0x3a00de51UL,
-    0x8051d7c8UL, 0x1661d0bfUL, 0xb5f4b421UL, 0x23c4b356UL, 0x9995bacfUL,
-    0x0fa5bdb8UL, 0x9eb80228UL, 0x0888055fUL, 0xb2d90cc6UL, 0x24e90bb1UL,
-    0x877c6f2fUL, 0x114c6858UL, 0xab1d61c1UL, 0x3d2d66b6UL, 0x9041dc76UL,
-    0x0671db01UL, 0xbc20d298UL, 0x2a10d5efUL, 0x8985b171UL, 0x1fb5b606UL,
-    0xa5e4bf9fUL, 0x33d4b8e8UL, 0xa2c90778UL, 0x34f9000fUL, 0x8ea80996UL,
-    0x18980ee1UL, 0xbb0d6a7fUL, 0x2d3d6d08UL, 0x976c6491UL, 0x015c63e6UL,
-    0xf4516b6bUL, 0x62616c1cUL, 0xd8306585UL, 0x4e0062f2UL, 0xed95066cUL,
-    0x7ba5011bUL, 0xc1f40882UL, 0x57c40ff5UL, 0xc6d9b065UL, 0x50e9b712UL,
-    0xeab8be8bUL, 0x7c88b9fcUL, 0xdf1ddd62UL, 0x492dda15UL, 0xf37cd38cUL,
-    0x654cd4fbUL, 0x5861b24dUL, 0xce51b53aUL, 0x7400bca3UL, 0xe230bbd4UL,
-    0x41a5df4aUL, 0xd795d83dUL, 0x6dc4d1a4UL, 0xfbf4d6d3UL, 0x6ae96943UL,
-    0xfcd96e34UL, 0x468867adUL, 0xd0b860daUL, 0x732d0444UL, 0xe51d0333UL,
-    0x5f4c0aaaUL, 0xc97c0dddUL, 0x3c710550UL, 0xaa410227UL, 0x10100bbeUL,
-    0x86200cc9UL, 0x25b56857UL, 0xb3856f20UL, 0x09d466b9UL, 0x9fe461ceUL,
-    0x0ef9de5eUL, 0x98c9d929UL, 0x2298d0b0UL, 0xb4a8d7c7UL, 0x173db359UL,
-    0x810db42eUL, 0x3b5cbdb7UL, 0xad6cbac0UL, 0x2083b8edUL, 0xb6b3bf9aUL,
-    0x0ce2b603UL, 0x9ad2b174UL, 0x3947d5eaUL, 0xaf77d29dUL, 0x1526db04UL,
-    0x8316dc73UL, 0x120b63e3UL, 0x843b6494UL, 0x3e6a6d0dUL, 0xa85a6a7aUL,
-    0x0bcf0ee4UL, 0x9dff0993UL, 0x27ae000aUL, 0xb19e077dUL, 0x44930ff0UL,
-    0xd2a30887UL, 0x68f2011eUL, 0xfec20669UL, 0x5d5762f7UL, 0xcb676580UL,
-    0x71366c19UL, 0xe7066b6eUL, 0x761bd4feUL, 0xe02bd389UL, 0x5a7ada10UL,
-    0xcc4add67UL, 0x6fdfb9f9UL, 0xf9efbe8eUL, 0x43beb717UL, 0xd58eb060UL,
-    0xe8a3d6d6UL, 0x7e93d1a1UL, 0xc4c2d838UL, 0x52f2df4fUL, 0xf167bbd1UL,
-    0x6757bca6UL, 0xdd06b53fUL, 0x4b36b248UL, 0xda2b0dd8UL, 0x4c1b0aafUL,
-    0xf64a0336UL, 0x607a0441UL, 0xc3ef60dfUL, 0x55df67a8UL, 0xef8e6e31UL,
-    0x79be6946UL, 0x8cb361cbUL, 0x1a8366bcUL, 0xa0d26f25UL, 0x36e26852UL,
-    0x95770cccUL, 0x03470bbbUL, 0xb9160222UL, 0x2f260555UL, 0xbe3bbac5UL,
-    0x280bbdb2UL, 0x925ab42bUL, 0x046ab35cUL, 0xa7ffd7c2UL, 0x31cfd0b5UL,
-    0x8b9ed92cUL, 0x1daede5bUL, 0xb0c2649bUL, 0x26f263ecUL, 0x9ca36a75UL,
-    0x0a936d02UL, 0xa906099cUL, 0x3f360eebUL, 0x85670772UL, 0x13570005UL,
-    0x824abf95UL, 0x147ab8e2UL, 0xae2bb17bUL, 0x381bb60cUL, 0x9b8ed292UL,
-    0x0dbed5e5UL, 0xb7efdc7cUL, 0x21dfdb0bUL, 0xd4d2d386UL, 0x42e2d4f1UL,
-    0xf8b3dd68UL, 0x6e83da1fUL, 0xcd16be81UL, 0x5b26b9f6UL, 0xe177b06fUL,
-    0x7747b718UL, 0xe65a0888UL, 0x706a0fffUL, 0xca3b0666UL, 0x5c0b0111UL,
-    0xff9e658fUL, 0x69ae62f8UL, 0xd3ff6b61UL, 0x45cf6c16UL, 0x78e20aa0UL,
-    0xeed20dd7UL, 0x5483044eUL, 0xc2b30339UL, 0x612667a7UL, 0xf71660d0UL,
-    0x4d476949UL, 0xdb776e3eUL, 0x4a6ad1aeUL, 0xdc5ad6d9UL, 0x660bdf40UL,
-    0xf03bd837UL, 0x53aebca9UL, 0xc59ebbdeUL, 0x7fcfb247UL, 0xe9ffb530UL,
-    0x1cf2bdbdUL, 0x8ac2bacaUL, 0x3093b353UL, 0xa6a3b424UL, 0x0536d0baUL,
-    0x9306d7cdUL, 0x2957de54UL, 0xbf67d923UL, 0x2e7a66b3UL, 0xb84a61c4UL,
-    0x021b685dUL, 0x942b6f2aUL, 0x37be0bb4UL, 0xa18e0cc3UL, 0x1bdf055aUL,
-    0x8def022dUL
-  },
-  {
-    0x00000000UL, 0x41311b19UL, 0x82623632UL, 0xc3532d2bUL, 0x04c56c64UL,
-    0x45f4777dUL, 0x86a75a56UL, 0xc796414fUL, 0x088ad9c8UL, 0x49bbc2d1UL,
-    0x8ae8effaUL, 0xcbd9f4e3UL, 0x0c4fb5acUL, 0x4d7eaeb5UL, 0x8e2d839eUL,
-    0xcf1c9887UL, 0x5112c24aUL, 0x1023d953UL, 0xd370f478UL, 0x9241ef61UL,
-    0x55d7ae2eUL, 0x14e6b537UL, 0xd7b5981cUL, 0x96848305UL, 0x59981b82UL,
-    0x18a9009bUL, 0xdbfa2db0UL, 0x9acb36a9UL, 0x5d5d77e6UL, 0x1c6c6cffUL,
-    0xdf3f41d4UL, 0x9e0e5acdUL, 0xa2248495UL, 0xe3159f8cUL, 0x2046b2a7UL,
-    0x6177a9beUL, 0xa6e1e8f1UL, 0xe7d0f3e8UL, 0x2483dec3UL, 0x65b2c5daUL,
-    0xaaae5d5dUL, 0xeb9f4644UL, 0x28cc6b6fUL, 0x69fd7076UL, 0xae6b3139UL,
-    0xef5a2a20UL, 0x2c09070bUL, 0x6d381c12UL, 0xf33646dfUL, 0xb2075dc6UL,
-    0x715470edUL, 0x30656bf4UL, 0xf7f32abbUL, 0xb6c231a2UL, 0x75911c89UL,
-    0x34a00790UL, 0xfbbc9f17UL, 0xba8d840eUL, 0x79dea925UL, 0x38efb23cUL,
-    0xff79f373UL, 0xbe48e86aUL, 0x7d1bc541UL, 0x3c2ade58UL, 0x054f79f0UL,
-    0x447e62e9UL, 0x872d4fc2UL, 0xc61c54dbUL, 0x018a1594UL, 0x40bb0e8dUL,
-    0x83e823a6UL, 0xc2d938bfUL, 0x0dc5a038UL, 0x4cf4bb21UL, 0x8fa7960aUL,
-    0xce968d13UL, 0x0900cc5cUL, 0x4831d745UL, 0x8b62fa6eUL, 0xca53e177UL,
-    0x545dbbbaUL, 0x156ca0a3UL, 0xd63f8d88UL, 0x970e9691UL, 0x5098d7deUL,
-    0x11a9ccc7UL, 0xd2fae1ecUL, 0x93cbfaf5UL, 0x5cd76272UL, 0x1de6796bUL,
-    0xdeb55440UL, 0x9f844f59UL, 0x58120e16UL, 0x1923150fUL, 0xda703824UL,
-    0x9b41233dUL, 0xa76bfd65UL, 0xe65ae67cUL, 0x2509cb57UL, 0x6438d04eUL,
-    0xa3ae9101UL, 0xe29f8a18UL, 0x21cca733UL, 0x60fdbc2aUL, 0xafe124adUL,
-    0xeed03fb4UL, 0x2d83129fUL, 0x6cb20986UL, 0xab2448c9UL, 0xea1553d0UL,
-    0x29467efbUL, 0x687765e2UL, 0xf6793f2fUL, 0xb7482436UL, 0x741b091dUL,
-    0x352a1204UL, 0xf2bc534bUL, 0xb38d4852UL, 0x70de6579UL, 0x31ef7e60UL,
-    0xfef3e6e7UL, 0xbfc2fdfeUL, 0x7c91d0d5UL, 0x3da0cbccUL, 0xfa368a83UL,
-    0xbb07919aUL, 0x7854bcb1UL, 0x3965a7a8UL, 0x4b98833bUL, 0x0aa99822UL,
-    0xc9fab509UL, 0x88cbae10UL, 0x4f5def5fUL, 0x0e6cf446UL, 0xcd3fd96dUL,
-    0x8c0ec274UL, 0x43125af3UL, 0x022341eaUL, 0xc1706cc1UL, 0x804177d8UL,
-    0x47d73697UL, 0x06e62d8eUL, 0xc5b500a5UL, 0x84841bbcUL, 0x1a8a4171UL,
-    0x5bbb5a68UL, 0x98e87743UL, 0xd9d96c5aUL, 0x1e4f2d15UL, 0x5f7e360cUL,
-    0x9c2d1b27UL, 0xdd1c003eUL, 0x120098b9UL, 0x533183a0UL, 0x9062ae8bUL,
-    0xd153b592UL, 0x16c5f4ddUL, 0x57f4efc4UL, 0x94a7c2efUL, 0xd596d9f6UL,
-    0xe9bc07aeUL, 0xa88d1cb7UL, 0x6bde319cUL, 0x2aef2a85UL, 0xed796bcaUL,
-    0xac4870d3UL, 0x6f1b5df8UL, 0x2e2a46e1UL, 0xe136de66UL, 0xa007c57fUL,
-    0x6354e854UL, 0x2265f34dUL, 0xe5f3b202UL, 0xa4c2a91bUL, 0x67918430UL,
-    0x26a09f29UL, 0xb8aec5e4UL, 0xf99fdefdUL, 0x3accf3d6UL, 0x7bfde8cfUL,
-    0xbc6ba980UL, 0xfd5ab299UL, 0x3e099fb2UL, 0x7f3884abUL, 0xb0241c2cUL,
-    0xf1150735UL, 0x32462a1eUL, 0x73773107UL, 0xb4e17048UL, 0xf5d06b51UL,
-    0x3683467aUL, 0x77b25d63UL, 0x4ed7facbUL, 0x0fe6e1d2UL, 0xccb5ccf9UL,
-    0x8d84d7e0UL, 0x4a1296afUL, 0x0b238db6UL, 0xc870a09dUL, 0x8941bb84UL,
-    0x465d2303UL, 0x076c381aUL, 0xc43f1531UL, 0x850e0e28UL, 0x42984f67UL,
-    0x03a9547eUL, 0xc0fa7955UL, 0x81cb624cUL, 0x1fc53881UL, 0x5ef42398UL,
-    0x9da70eb3UL, 0xdc9615aaUL, 0x1b0054e5UL, 0x5a314ffcUL, 0x996262d7UL,
-    0xd85379ceUL, 0x174fe149UL, 0x567efa50UL, 0x952dd77bUL, 0xd41ccc62UL,
-    0x138a8d2dUL, 0x52bb9634UL, 0x91e8bb1fUL, 0xd0d9a006UL, 0xecf37e5eUL,
-    0xadc26547UL, 0x6e91486cUL, 0x2fa05375UL, 0xe836123aUL, 0xa9070923UL,
-    0x6a542408UL, 0x2b653f11UL, 0xe479a796UL, 0xa548bc8fUL, 0x661b91a4UL,
-    0x272a8abdUL, 0xe0bccbf2UL, 0xa18dd0ebUL, 0x62defdc0UL, 0x23efe6d9UL,
-    0xbde1bc14UL, 0xfcd0a70dUL, 0x3f838a26UL, 0x7eb2913fUL, 0xb924d070UL,
-    0xf815cb69UL, 0x3b46e642UL, 0x7a77fd5bUL, 0xb56b65dcUL, 0xf45a7ec5UL,
-    0x370953eeUL, 0x763848f7UL, 0xb1ae09b8UL, 0xf09f12a1UL, 0x33cc3f8aUL,
-    0x72fd2493UL
-  },
-  {
-    0x00000000UL, 0x376ac201UL, 0x6ed48403UL, 0x59be4602UL, 0xdca80907UL,
-    0xebc2cb06UL, 0xb27c8d04UL, 0x85164f05UL, 0xb851130eUL, 0x8f3bd10fUL,
-    0xd685970dUL, 0xe1ef550cUL, 0x64f91a09UL, 0x5393d808UL, 0x0a2d9e0aUL,
-    0x3d475c0bUL, 0x70a3261cUL, 0x47c9e41dUL, 0x1e77a21fUL, 0x291d601eUL,
-    0xac0b2f1bUL, 0x9b61ed1aUL, 0xc2dfab18UL, 0xf5b56919UL, 0xc8f23512UL,
-    0xff98f713UL, 0xa626b111UL, 0x914c7310UL, 0x145a3c15UL, 0x2330fe14UL,
-    0x7a8eb816UL, 0x4de47a17UL, 0xe0464d38UL, 0xd72c8f39UL, 0x8e92c93bUL,
-    0xb9f80b3aUL, 0x3cee443fUL, 0x0b84863eUL, 0x523ac03cUL, 0x6550023dUL,
-    0x58175e36UL, 0x6f7d9c37UL, 0x36c3da35UL, 0x01a91834UL, 0x84bf5731UL,
-    0xb3d59530UL, 0xea6bd332UL, 0xdd011133UL, 0x90e56b24UL, 0xa78fa925UL,
-    0xfe31ef27UL, 0xc95b2d26UL, 0x4c4d6223UL, 0x7b27a022UL, 0x2299e620UL,
-    0x15f32421UL, 0x28b4782aUL, 0x1fdeba2bUL, 0x4660fc29UL, 0x710a3e28UL,
-    0xf41c712dUL, 0xc376b32cUL, 0x9ac8f52eUL, 0xada2372fUL, 0xc08d9a70UL,
-    0xf7e75871UL, 0xae591e73UL, 0x9933dc72UL, 0x1c259377UL, 0x2b4f5176UL,
-    0x72f11774UL, 0x459bd575UL, 0x78dc897eUL, 0x4fb64b7fUL, 0x16080d7dUL,
-    0x2162cf7cUL, 0xa4748079UL, 0x931e4278UL, 0xcaa0047aUL, 0xfdcac67bUL,
-    0xb02ebc6cUL, 0x87447e6dUL, 0xdefa386fUL, 0xe990fa6eUL, 0x6c86b56bUL,
-    0x5bec776aUL, 0x02523168UL, 0x3538f369UL, 0x087faf62UL, 0x3f156d63UL,
-    0x66ab2b61UL, 0x51c1e960UL, 0xd4d7a665UL, 0xe3bd6464UL, 0xba032266UL,
-    0x8d69e067UL, 0x20cbd748UL, 0x17a11549UL, 0x4e1f534bUL, 0x7975914aUL,
-    0xfc63de4fUL, 0xcb091c4eUL, 0x92b75a4cUL, 0xa5dd984dUL, 0x989ac446UL,
-    0xaff00647UL, 0xf64e4045UL, 0xc1248244UL, 0x4432cd41UL, 0x73580f40UL,
-    0x2ae64942UL, 0x1d8c8b43UL, 0x5068f154UL, 0x67023355UL, 0x3ebc7557UL,
-    0x09d6b756UL, 0x8cc0f853UL, 0xbbaa3a52UL, 0xe2147c50UL, 0xd57ebe51UL,
-    0xe839e25aUL, 0xdf53205bUL, 0x86ed6659UL, 0xb187a458UL, 0x3491eb5dUL,
-    0x03fb295cUL, 0x5a456f5eUL, 0x6d2fad5fUL, 0x801b35e1UL, 0xb771f7e0UL,
-    0xeecfb1e2UL, 0xd9a573e3UL, 0x5cb33ce6UL, 0x6bd9fee7UL, 0x3267b8e5UL,
-    0x050d7ae4UL, 0x384a26efUL, 0x0f20e4eeUL, 0x569ea2ecUL, 0x61f460edUL,
-    0xe4e22fe8UL, 0xd388ede9UL, 0x8a36abebUL, 0xbd5c69eaUL, 0xf0b813fdUL,
-    0xc7d2d1fcUL, 0x9e6c97feUL, 0xa90655ffUL, 0x2c101afaUL, 0x1b7ad8fbUL,
-    0x42c49ef9UL, 0x75ae5cf8UL, 0x48e900f3UL, 0x7f83c2f2UL, 0x263d84f0UL,
-    0x115746f1UL, 0x944109f4UL, 0xa32bcbf5UL, 0xfa958df7UL, 0xcdff4ff6UL,
-    0x605d78d9UL, 0x5737bad8UL, 0x0e89fcdaUL, 0x39e33edbUL, 0xbcf571deUL,
-    0x8b9fb3dfUL, 0xd221f5ddUL, 0xe54b37dcUL, 0xd80c6bd7UL, 0xef66a9d6UL,
-    0xb6d8efd4UL, 0x81b22dd5UL, 0x04a462d0UL, 0x33cea0d1UL, 0x6a70e6d3UL,
-    0x5d1a24d2UL, 0x10fe5ec5UL, 0x27949cc4UL, 0x7e2adac6UL, 0x494018c7UL,
-    0xcc5657c2UL, 0xfb3c95c3UL, 0xa282d3c1UL, 0x95e811c0UL, 0xa8af4dcbUL,
-    0x9fc58fcaUL, 0xc67bc9c8UL, 0xf1110bc9UL, 0x740744ccUL, 0x436d86cdUL,
-    0x1ad3c0cfUL, 0x2db902ceUL, 0x4096af91UL, 0x77fc6d90UL, 0x2e422b92UL,
-    0x1928e993UL, 0x9c3ea696UL, 0xab546497UL, 0xf2ea2295UL, 0xc580e094UL,
-    0xf8c7bc9fUL, 0xcfad7e9eUL, 0x9613389cUL, 0xa179fa9dUL, 0x246fb598UL,
-    0x13057799UL, 0x4abb319bUL, 0x7dd1f39aUL, 0x3035898dUL, 0x075f4b8cUL,
-    0x5ee10d8eUL, 0x698bcf8fUL, 0xec9d808aUL, 0xdbf7428bUL, 0x82490489UL,
-    0xb523c688UL, 0x88649a83UL, 0xbf0e5882UL, 0xe6b01e80UL, 0xd1dadc81UL,
-    0x54cc9384UL, 0x63a65185UL, 0x3a181787UL, 0x0d72d586UL, 0xa0d0e2a9UL,
-    0x97ba20a8UL, 0xce0466aaUL, 0xf96ea4abUL, 0x7c78ebaeUL, 0x4b1229afUL,
-    0x12ac6fadUL, 0x25c6adacUL, 0x1881f1a7UL, 0x2feb33a6UL, 0x765575a4UL,
-    0x413fb7a5UL, 0xc429f8a0UL, 0xf3433aa1UL, 0xaafd7ca3UL, 0x9d97bea2UL,
-    0xd073c4b5UL, 0xe71906b4UL, 0xbea740b6UL, 0x89cd82b7UL, 0x0cdbcdb2UL,
-    0x3bb10fb3UL, 0x620f49b1UL, 0x55658bb0UL, 0x6822d7bbUL, 0x5f4815baUL,
-    0x06f653b8UL, 0x319c91b9UL, 0xb48adebcUL, 0x83e01cbdUL, 0xda5e5abfUL,
-    0xed3498beUL
-  },
-  {
-    0x00000000UL, 0x6567bcb8UL, 0x8bc809aaUL, 0xeeafb512UL, 0x5797628fUL,
-    0x32f0de37UL, 0xdc5f6b25UL, 0xb938d79dUL, 0xef28b4c5UL, 0x8a4f087dUL,
-    0x64e0bd6fUL, 0x018701d7UL, 0xb8bfd64aUL, 0xddd86af2UL, 0x3377dfe0UL,
-    0x56106358UL, 0x9f571950UL, 0xfa30a5e8UL, 0x149f10faUL, 0x71f8ac42UL,
-    0xc8c07bdfUL, 0xada7c767UL, 0x43087275UL, 0x266fcecdUL, 0x707fad95UL,
-    0x1518112dUL, 0xfbb7a43fUL, 0x9ed01887UL, 0x27e8cf1aUL, 0x428f73a2UL,
-    0xac20c6b0UL, 0xc9477a08UL, 0x3eaf32a0UL, 0x5bc88e18UL, 0xb5673b0aUL,
-    0xd00087b2UL, 0x6938502fUL, 0x0c5fec97UL, 0xe2f05985UL, 0x8797e53dUL,
-    0xd1878665UL, 0xb4e03addUL, 0x5a4f8fcfUL, 0x3f283377UL, 0x8610e4eaUL,
-    0xe3775852UL, 0x0dd8ed40UL, 0x68bf51f8UL, 0xa1f82bf0UL, 0xc49f9748UL,
-    0x2a30225aUL, 0x4f579ee2UL, 0xf66f497fUL, 0x9308f5c7UL, 0x7da740d5UL,
-    0x18c0fc6dUL, 0x4ed09f35UL, 0x2bb7238dUL, 0xc518969fUL, 0xa07f2a27UL,
-    0x1947fdbaUL, 0x7c204102UL, 0x928ff410UL, 0xf7e848a8UL, 0x3d58149bUL,
-    0x583fa823UL, 0xb6901d31UL, 0xd3f7a189UL, 0x6acf7614UL, 0x0fa8caacUL,
-    0xe1077fbeUL, 0x8460c306UL, 0xd270a05eUL, 0xb7171ce6UL, 0x59b8a9f4UL,
-    0x3cdf154cUL, 0x85e7c2d1UL, 0xe0807e69UL, 0x0e2fcb7bUL, 0x6b4877c3UL,
-    0xa20f0dcbUL, 0xc768b173UL, 0x29c70461UL, 0x4ca0b8d9UL, 0xf5986f44UL,
-    0x90ffd3fcUL, 0x7e5066eeUL, 0x1b37da56UL, 0x4d27b90eUL, 0x284005b6UL,
-    0xc6efb0a4UL, 0xa3880c1cUL, 0x1ab0db81UL, 0x7fd76739UL, 0x9178d22bUL,
-    0xf41f6e93UL, 0x03f7263bUL, 0x66909a83UL, 0x883f2f91UL, 0xed589329UL,
-    0x546044b4UL, 0x3107f80cUL, 0xdfa84d1eUL, 0xbacff1a6UL, 0xecdf92feUL,
-    0x89b82e46UL, 0x67179b54UL, 0x027027ecUL, 0xbb48f071UL, 0xde2f4cc9UL,
-    0x3080f9dbUL, 0x55e74563UL, 0x9ca03f6bUL, 0xf9c783d3UL, 0x176836c1UL,
-    0x720f8a79UL, 0xcb375de4UL, 0xae50e15cUL, 0x40ff544eUL, 0x2598e8f6UL,
-    0x73888baeUL, 0x16ef3716UL, 0xf8408204UL, 0x9d273ebcUL, 0x241fe921UL,
-    0x41785599UL, 0xafd7e08bUL, 0xcab05c33UL, 0x3bb659edUL, 0x5ed1e555UL,
-    0xb07e5047UL, 0xd519ecffUL, 0x6c213b62UL, 0x094687daUL, 0xe7e932c8UL,
-    0x828e8e70UL, 0xd49eed28UL, 0xb1f95190UL, 0x5f56e482UL, 0x3a31583aUL,
-    0x83098fa7UL, 0xe66e331fUL, 0x08c1860dUL, 0x6da63ab5UL, 0xa4e140bdUL,
-    0xc186fc05UL, 0x2f294917UL, 0x4a4ef5afUL, 0xf3762232UL, 0x96119e8aUL,
-    0x78be2b98UL, 0x1dd99720UL, 0x4bc9f478UL, 0x2eae48c0UL, 0xc001fdd2UL,
-    0xa566416aUL, 0x1c5e96f7UL, 0x79392a4fUL, 0x97969f5dUL, 0xf2f123e5UL,
-    0x05196b4dUL, 0x607ed7f5UL, 0x8ed162e7UL, 0xebb6de5fUL, 0x528e09c2UL,
-    0x37e9b57aUL, 0xd9460068UL, 0xbc21bcd0UL, 0xea31df88UL, 0x8f566330UL,
-    0x61f9d622UL, 0x049e6a9aUL, 0xbda6bd07UL, 0xd8c101bfUL, 0x366eb4adUL,
-    0x53090815UL, 0x9a4e721dUL, 0xff29cea5UL, 0x11867bb7UL, 0x74e1c70fUL,
-    0xcdd91092UL, 0xa8beac2aUL, 0x46111938UL, 0x2376a580UL, 0x7566c6d8UL,
-    0x10017a60UL, 0xfeaecf72UL, 0x9bc973caUL, 0x22f1a457UL, 0x479618efUL,
-    0xa939adfdUL, 0xcc5e1145UL, 0x06ee4d76UL, 0x6389f1ceUL, 0x8d2644dcUL,
-    0xe841f864UL, 0x51792ff9UL, 0x341e9341UL, 0xdab12653UL, 0xbfd69aebUL,
-    0xe9c6f9b3UL, 0x8ca1450bUL, 0x620ef019UL, 0x07694ca1UL, 0xbe519b3cUL,
-    0xdb362784UL, 0x35999296UL, 0x50fe2e2eUL, 0x99b95426UL, 0xfcdee89eUL,
-    0x12715d8cUL, 0x7716e134UL, 0xce2e36a9UL, 0xab498a11UL, 0x45e63f03UL,
-    0x208183bbUL, 0x7691e0e3UL, 0x13f65c5bUL, 0xfd59e949UL, 0x983e55f1UL,
-    0x2106826cUL, 0x44613ed4UL, 0xaace8bc6UL, 0xcfa9377eUL, 0x38417fd6UL,
-    0x5d26c36eUL, 0xb389767cUL, 0xd6eecac4UL, 0x6fd61d59UL, 0x0ab1a1e1UL,
-    0xe41e14f3UL, 0x8179a84bUL, 0xd769cb13UL, 0xb20e77abUL, 0x5ca1c2b9UL,
-    0x39c67e01UL, 0x80fea99cUL, 0xe5991524UL, 0x0b36a036UL, 0x6e511c8eUL,
-    0xa7166686UL, 0xc271da3eUL, 0x2cde6f2cUL, 0x49b9d394UL, 0xf0810409UL,
-    0x95e6b8b1UL, 0x7b490da3UL, 0x1e2eb11bUL, 0x483ed243UL, 0x2d596efbUL,
-    0xc3f6dbe9UL, 0xa6916751UL, 0x1fa9b0ccUL, 0x7ace0c74UL, 0x9461b966UL,
-    0xf10605deUL
-#endif
-  }
-};
diff --git a/security/nss/cmd/zlib/deflate.c b/security/nss/cmd/zlib/deflate.c
deleted file mode 100644
index 29ce1f64a..000000000
--- a/security/nss/cmd/zlib/deflate.c
+++ /dev/null
@@ -1,1736 +0,0 @@
-/* deflate.c -- compress data using the deflation algorithm
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- *  ALGORITHM
- *
- *      The "deflation" process depends on being able to identify portions
- *      of the input text which are identical to earlier input (within a
- *      sliding window trailing behind the input currently being processed).
- *
- *      The most straightforward technique turns out to be the fastest for
- *      most input files: try all possible matches and select the longest.
- *      The key feature of this algorithm is that insertions into the string
- *      dictionary are very simple and thus fast, and deletions are avoided
- *      completely. Insertions are performed at each input character, whereas
- *      string matches are performed only when the previous match ends. So it
- *      is preferable to spend more time in matches to allow very fast string
- *      insertions and avoid deletions. The matching algorithm for small
- *      strings is inspired from that of Rabin & Karp. A brute force approach
- *      is used to find longer strings when a small match has been found.
- *      A similar algorithm is used in comic (by Jan-Mark Wams) and freeze
- *      (by Leonid Broukhis).
- *         A previous version of this file used a more sophisticated algorithm
- *      (by Fiala and Greene) which is guaranteed to run in linear amortized
- *      time, but has a larger average cost, uses more memory and is patented.
- *      However the F&G algorithm may be faster for some highly redundant
- *      files if the parameter max_chain_length (described below) is too large.
- *
- *  ACKNOWLEDGEMENTS
- *
- *      The idea of lazy evaluation of matches is due to Jan-Mark Wams, and
- *      I found it in 'freeze' written by Leonid Broukhis.
- *      Thanks to many people for bug reports and testing.
- *
- *  REFERENCES
- *
- *      Deutsch, L.P.,"DEFLATE Compressed Data Format Specification".
- *      Available in http://www.ietf.org/rfc/rfc1951.txt
- *
- *      A description of the Rabin and Karp algorithm is given in the book
- *         "Algorithms" by R. Sedgewick, Addison-Wesley, p252.
- *
- *      Fiala,E.R., and Greene,D.H.
- *         Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595
- *
- */
-
-/* @(#) $Id$ */
-
-#include "deflate.h"
-
-const char deflate_copyright[] =
-   " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ";
-/*
-  If you use the zlib library in a product, an acknowledgment is welcome
-  in the documentation of your product. If for some reason you cannot
-  include such an acknowledgment, I would appreciate that you keep this
-  copyright string in the executable of your product.
- */
-
-/* ===========================================================================
- *  Function prototypes.
- */
-typedef enum {
-    need_more,      /* block not completed, need more input or more output */
-    block_done,     /* block flush performed */
-    finish_started, /* finish started, need only more output at next deflate */
-    finish_done     /* finish done, accept no more input or output */
-} block_state;
-
-typedef block_state (*compress_func) OF((deflate_state *s, int flush));
-/* Compression function. Returns the block state after the call. */
-
-local void fill_window    OF((deflate_state *s));
-local block_state deflate_stored OF((deflate_state *s, int flush));
-local block_state deflate_fast   OF((deflate_state *s, int flush));
-#ifndef FASTEST
-local block_state deflate_slow   OF((deflate_state *s, int flush));
-#endif
-local void lm_init        OF((deflate_state *s));
-local void putShortMSB    OF((deflate_state *s, uInt b));
-local void flush_pending  OF((z_streamp strm));
-local int read_buf        OF((z_streamp strm, Bytef *buf, unsigned size));
-#ifndef FASTEST
-#ifdef ASMV
-      void match_init OF((void)); /* asm code initialization */
-      uInt longest_match  OF((deflate_state *s, IPos cur_match));
-#else
-local uInt longest_match  OF((deflate_state *s, IPos cur_match));
-#endif
-#endif
-local uInt longest_match_fast OF((deflate_state *s, IPos cur_match));
-
-#ifdef DEBUG
-local  void check_match OF((deflate_state *s, IPos start, IPos match,
-                            int length));
-#endif
-
-/* ===========================================================================
- * Local data
- */
-
-#define NIL 0
-/* Tail of hash chains */
-
-#ifndef TOO_FAR
-#  define TOO_FAR 4096
-#endif
-/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
-
-#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
-/* Minimum amount of lookahead, except at the end of the input file.
- * See deflate.c for comments about the MIN_MATCH+1.
- */
-
-/* Values for max_lazy_match, good_match and max_chain_length, depending on
- * the desired pack level (0..9). The values given below have been tuned to
- * exclude worst case performance for pathological files. Better values may be
- * found for specific files.
- */
-typedef struct config_s {
-   ush good_length; /* reduce lazy search above this match length */
-   ush max_lazy;    /* do not perform lazy search above this match length */
-   ush nice_length; /* quit search above this match length */
-   ush max_chain;
-   compress_func func;
-} config;
-
-#ifdef FASTEST
-local const config configuration_table[2] = {
-/*      good lazy nice chain */
-/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
-/* 1 */ {4,    4,  8,    4, deflate_fast}}; /* max speed, no lazy matches */
-#else
-local const config configuration_table[10] = {
-/*      good lazy nice chain */
-/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
-/* 1 */ {4,    4,  8,    4, deflate_fast}, /* max speed, no lazy matches */
-/* 2 */ {4,    5, 16,    8, deflate_fast},
-/* 3 */ {4,    6, 32,   32, deflate_fast},
-
-/* 4 */ {4,    4, 16,   16, deflate_slow},  /* lazy matches */
-/* 5 */ {8,   16, 32,   32, deflate_slow},
-/* 6 */ {8,   16, 128, 128, deflate_slow},
-/* 7 */ {8,   32, 128, 256, deflate_slow},
-/* 8 */ {32, 128, 258, 1024, deflate_slow},
-/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* max compression */
-#endif
-
-/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4
- * For deflate_fast() (levels <= 3) good is ignored and lazy has a different
- * meaning.
- */
-
-#define EQUAL 0
-/* result of memcmp for equal strings */
-
-#ifndef NO_DUMMY_DECL
-struct static_tree_desc_s {int dummy;}; /* for buggy compilers */
-#endif
-
-/* ===========================================================================
- * Update a hash value with the given input byte
- * IN  assertion: all calls to to UPDATE_HASH are made with consecutive
- *    input characters, so that a running hash key can be computed from the
- *    previous key instead of complete recalculation each time.
- */
-#define UPDATE_HASH(s,h,c) (h = (((h)<<s->hash_shift) ^ (c)) & s->hash_mask)
-
-
-/* ===========================================================================
- * Insert string str in the dictionary and set match_head to the previous head
- * of the hash chain (the most recent string with same hash key). Return
- * the previous length of the hash chain.
- * If this file is compiled with -DFASTEST, the compression level is forced
- * to 1, and no hash chains are maintained.
- * IN  assertion: all calls to to INSERT_STRING are made with consecutive
- *    input characters and the first MIN_MATCH bytes of str are valid
- *    (except for the last MIN_MATCH-1 bytes of the input file).
- */
-#ifdef FASTEST
-#define INSERT_STRING(s, str, match_head) \
-   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
-    match_head = s->head[s->ins_h], \
-    s->head[s->ins_h] = (Pos)(str))
-#else
-#define INSERT_STRING(s, str, match_head) \
-   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
-    match_head = s->prev[(str) & s->w_mask] = s->head[s->ins_h], \
-    s->head[s->ins_h] = (Pos)(str))
-#endif
-
-/* ===========================================================================
- * Initialize the hash table (avoiding 64K overflow for 16 bit systems).
- * prev[] will be initialized on the fly.
- */
-#define CLEAR_HASH(s) \
-    s->head[s->hash_size-1] = NIL; \
-    zmemzero((Bytef *)s->head, (unsigned)(s->hash_size-1)*sizeof(*s->head));
-
-/* ========================================================================= */
-int ZEXPORT deflateInit_(strm, level, version, stream_size)
-    z_streamp strm;
-    int level;
-    const char *version;
-    int stream_size;
-{
-    return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,
-                         Z_DEFAULT_STRATEGY, version, stream_size);
-    /* To do: ignore strm->next_in if we use it as window */
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
-                  version, stream_size)
-    z_streamp strm;
-    int  level;
-    int  method;
-    int  windowBits;
-    int  memLevel;
-    int  strategy;
-    const char *version;
-    int stream_size;
-{
-    deflate_state *s;
-    int wrap = 1;
-    static const char my_version[] = ZLIB_VERSION;
-
-    ushf *overlay;
-    /* We overlay pending_buf and d_buf+l_buf. This works since the average
-     * output size for (length,distance) codes is <= 24 bits.
-     */
-
-    if (version == Z_NULL || version[0] != my_version[0] ||
-        stream_size != sizeof(z_stream)) {
-        return Z_VERSION_ERROR;
-    }
-    if (strm == Z_NULL) return Z_STREAM_ERROR;
-
-    strm->msg = Z_NULL;
-    if (strm->zalloc == (alloc_func)0) {
-        strm->zalloc = zcalloc;
-        strm->opaque = (voidpf)0;
-    }
-    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
-
-#ifdef FASTEST
-    if (level != 0) level = 1;
-#else
-    if (level == Z_DEFAULT_COMPRESSION) level = 6;
-#endif
-
-    if (windowBits < 0) { /* suppress zlib wrapper */
-        wrap = 0;
-        windowBits = -windowBits;
-    }
-#ifdef GZIP
-    else if (windowBits > 15) {
-        wrap = 2;       /* write gzip wrapper instead */
-        windowBits -= 16;
-    }
-#endif
-    if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
-        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
-        strategy < 0 || strategy > Z_FIXED) {
-        return Z_STREAM_ERROR;
-    }
-    if (windowBits == 8) windowBits = 9;  /* until 256-byte window bug fixed */
-    s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));
-    if (s == Z_NULL) return Z_MEM_ERROR;
-    strm->state = (struct internal_state FAR *)s;
-    s->strm = strm;
-
-    s->wrap = wrap;
-    s->gzhead = Z_NULL;
-    s->w_bits = windowBits;
-    s->w_size = 1 << s->w_bits;
-    s->w_mask = s->w_size - 1;
-
-    s->hash_bits = memLevel + 7;
-    s->hash_size = 1 << s->hash_bits;
-    s->hash_mask = s->hash_size - 1;
-    s->hash_shift =  ((s->hash_bits+MIN_MATCH-1)/MIN_MATCH);
-
-    s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));
-    s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
-    s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
-
-    s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
-
-    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
-    s->pending_buf = (uchf *) overlay;
-    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
-
-    if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
-        s->pending_buf == Z_NULL) {
-        s->status = FINISH_STATE;
-        strm->msg = (char*)ERR_MSG(Z_MEM_ERROR);
-        deflateEnd (strm);
-        return Z_MEM_ERROR;
-    }
-    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
-    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
-
-    s->level = level;
-    s->strategy = strategy;
-    s->method = (Byte)method;
-
-    return deflateReset(strm);
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength)
-    z_streamp strm;
-    const Bytef *dictionary;
-    uInt  dictLength;
-{
-    deflate_state *s;
-    uInt length = dictLength;
-    uInt n;
-    IPos hash_head = 0;
-
-    if (strm == Z_NULL || strm->state == Z_NULL || dictionary == Z_NULL ||
-        strm->state->wrap == 2 ||
-        (strm->state->wrap == 1 && strm->state->status != INIT_STATE))
-        return Z_STREAM_ERROR;
-
-    s = strm->state;
-    if (s->wrap)
-        strm->adler = adler32(strm->adler, dictionary, dictLength);
-
-    if (length < MIN_MATCH) return Z_OK;
-    if (length > MAX_DIST(s)) {
-        length = MAX_DIST(s);
-        dictionary += dictLength - length; /* use the tail of the dictionary */
-    }
-    zmemcpy(s->window, dictionary, length);
-    s->strstart = length;
-    s->block_start = (long)length;
-
-    /* Insert all strings in the hash table (except for the last two bytes).
-     * s->lookahead stays null, so s->ins_h will be recomputed at the next
-     * call of fill_window.
-     */
-    s->ins_h = s->window[0];
-    UPDATE_HASH(s, s->ins_h, s->window[1]);
-    for (n = 0; n <= length - MIN_MATCH; n++) {
-        INSERT_STRING(s, n, hash_head);
-    }
-    if (hash_head) hash_head = 0;  /* to make compiler happy */
-    return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateReset (strm)
-    z_streamp strm;
-{
-    deflate_state *s;
-
-    if (strm == Z_NULL || strm->state == Z_NULL ||
-        strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0) {
-        return Z_STREAM_ERROR;
-    }
-
-    strm->total_in = strm->total_out = 0;
-    strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */
-    strm->data_type = Z_UNKNOWN;
-
-    s = (deflate_state *)strm->state;
-    s->pending = 0;
-    s->pending_out = s->pending_buf;
-
-    if (s->wrap < 0) {
-        s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */
-    }
-    s->status = s->wrap ? INIT_STATE : BUSY_STATE;
-    strm->adler =
-#ifdef GZIP
-        s->wrap == 2 ? crc32(0L, Z_NULL, 0) :
-#endif
-        adler32(0L, Z_NULL, 0);
-    s->last_flush = Z_NO_FLUSH;
-
-    _tr_init(s);
-    lm_init(s);
-
-    return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateSetHeader (strm, head)
-    z_streamp strm;
-    gz_headerp head;
-{
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    if (strm->state->wrap != 2) return Z_STREAM_ERROR;
-    strm->state->gzhead = head;
-    return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflatePrime (strm, bits, value)
-    z_streamp strm;
-    int bits;
-    int value;
-{
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    strm->state->bi_valid = bits;
-    strm->state->bi_buf = (ush)(value & ((1 << bits) - 1));
-    return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateParams(strm, level, strategy)
-    z_streamp strm;
-    int level;
-    int strategy;
-{
-    deflate_state *s;
-    compress_func func;
-    int err = Z_OK;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    s = strm->state;
-
-#ifdef FASTEST
-    if (level != 0) level = 1;
-#else
-    if (level == Z_DEFAULT_COMPRESSION) level = 6;
-#endif
-    if (level < 0 || level > 9 || strategy < 0 || strategy > Z_FIXED) {
-        return Z_STREAM_ERROR;
-    }
-    func = configuration_table[s->level].func;
-
-    if (func != configuration_table[level].func && strm->total_in != 0) {
-        /* Flush the last buffer: */
-        err = deflate(strm, Z_PARTIAL_FLUSH);
-    }
-    if (s->level != level) {
-        s->level = level;
-        s->max_lazy_match   = configuration_table[level].max_lazy;
-        s->good_match       = configuration_table[level].good_length;
-        s->nice_match       = configuration_table[level].nice_length;
-        s->max_chain_length = configuration_table[level].max_chain;
-    }
-    s->strategy = strategy;
-    return err;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateTune(strm, good_length, max_lazy, nice_length, max_chain)
-    z_streamp strm;
-    int good_length;
-    int max_lazy;
-    int nice_length;
-    int max_chain;
-{
-    deflate_state *s;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    s = strm->state;
-    s->good_match = good_length;
-    s->max_lazy_match = max_lazy;
-    s->nice_match = nice_length;
-    s->max_chain_length = max_chain;
-    return Z_OK;
-}
-
-/* =========================================================================
- * For the default windowBits of 15 and memLevel of 8, this function returns
- * a close to exact, as well as small, upper bound on the compressed size.
- * They are coded as constants here for a reason--if the #define's are
- * changed, then this function needs to be changed as well.  The return
- * value for 15 and 8 only works for those exact settings.
- *
- * For any setting other than those defaults for windowBits and memLevel,
- * the value returned is a conservative worst case for the maximum expansion
- * resulting from using fixed blocks instead of stored blocks, which deflate
- * can emit on compressed data for some combinations of the parameters.
- *
- * This function could be more sophisticated to provide closer upper bounds
- * for every combination of windowBits and memLevel, as well as wrap.
- * But even the conservative upper bound of about 14% expansion does not
- * seem onerous for output buffer allocation.
- */
-uLong ZEXPORT deflateBound(strm, sourceLen)
-    z_streamp strm;
-    uLong sourceLen;
-{
-    deflate_state *s;
-    uLong destLen;
-
-    /* conservative upper bound */
-    destLen = sourceLen +
-              ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 11;
-
-    /* if can't get parameters, return conservative bound */
-    if (strm == Z_NULL || strm->state == Z_NULL)
-        return destLen;
-
-    /* if not default parameters, return conservative bound */
-    s = strm->state;
-    if (s->w_bits != 15 || s->hash_bits != 8 + 7)
-        return destLen;
-
-    /* default settings: return tight bound for that case */
-    return compressBound(sourceLen);
-}
-
-/* =========================================================================
- * Put a short in the pending buffer. The 16-bit value is put in MSB order.
- * IN assertion: the stream state is correct and there is enough room in
- * pending_buf.
- */
-local void putShortMSB (s, b)
-    deflate_state *s;
-    uInt b;
-{
-    put_byte(s, (Byte)(b >> 8));
-    put_byte(s, (Byte)(b & 0xff));
-}
-
-/* =========================================================================
- * Flush as much pending output as possible. All deflate() output goes
- * through this function so some applications may wish to modify it
- * to avoid allocating a large strm->next_out buffer and copying into it.
- * (See also read_buf()).
- */
-local void flush_pending(strm)
-    z_streamp strm;
-{
-    unsigned len = strm->state->pending;
-
-    if (len > strm->avail_out) len = strm->avail_out;
-    if (len == 0) return;
-
-    zmemcpy(strm->next_out, strm->state->pending_out, len);
-    strm->next_out  += len;
-    strm->state->pending_out  += len;
-    strm->total_out += len;
-    strm->avail_out  -= len;
-    strm->state->pending -= len;
-    if (strm->state->pending == 0) {
-        strm->state->pending_out = strm->state->pending_buf;
-    }
-}
-
-/* ========================================================================= */
-int ZEXPORT deflate (strm, flush)
-    z_streamp strm;
-    int flush;
-{
-    int old_flush; /* value of flush param for previous deflate call */
-    deflate_state *s;
-
-    if (strm == Z_NULL || strm->state == Z_NULL ||
-        flush > Z_FINISH || flush < 0) {
-        return Z_STREAM_ERROR;
-    }
-    s = strm->state;
-
-    if (strm->next_out == Z_NULL ||
-        (strm->next_in == Z_NULL && strm->avail_in != 0) ||
-        (s->status == FINISH_STATE && flush != Z_FINISH)) {
-        ERR_RETURN(strm, Z_STREAM_ERROR);
-    }
-    if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);
-
-    s->strm = strm; /* just in case */
-    old_flush = s->last_flush;
-    s->last_flush = flush;
-
-    /* Write the header */
-    if (s->status == INIT_STATE) {
-#ifdef GZIP
-        if (s->wrap == 2) {
-            strm->adler = crc32(0L, Z_NULL, 0);
-            put_byte(s, 31);
-            put_byte(s, 139);
-            put_byte(s, 8);
-            if (s->gzhead == NULL) {
-                put_byte(s, 0);
-                put_byte(s, 0);
-                put_byte(s, 0);
-                put_byte(s, 0);
-                put_byte(s, 0);
-                put_byte(s, s->level == 9 ? 2 :
-                            (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
-                             4 : 0));
-                put_byte(s, OS_CODE);
-                s->status = BUSY_STATE;
-            }
-            else {
-                put_byte(s, (s->gzhead->text ? 1 : 0) +
-                            (s->gzhead->hcrc ? 2 : 0) +
-                            (s->gzhead->extra == Z_NULL ? 0 : 4) +
-                            (s->gzhead->name == Z_NULL ? 0 : 8) +
-                            (s->gzhead->comment == Z_NULL ? 0 : 16)
-                        );
-                put_byte(s, (Byte)(s->gzhead->time & 0xff));
-                put_byte(s, (Byte)((s->gzhead->time >> 8) & 0xff));
-                put_byte(s, (Byte)((s->gzhead->time >> 16) & 0xff));
-                put_byte(s, (Byte)((s->gzhead->time >> 24) & 0xff));
-                put_byte(s, s->level == 9 ? 2 :
-                            (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
-                             4 : 0));
-                put_byte(s, s->gzhead->os & 0xff);
-                if (s->gzhead->extra != NULL) {
-                    put_byte(s, s->gzhead->extra_len & 0xff);
-                    put_byte(s, (s->gzhead->extra_len >> 8) & 0xff);
-                }
-                if (s->gzhead->hcrc)
-                    strm->adler = crc32(strm->adler, s->pending_buf,
-                                        s->pending);
-                s->gzindex = 0;
-                s->status = EXTRA_STATE;
-            }
-        }
-        else
-#endif
-        {
-            uInt header = (Z_DEFLATED + ((s->w_bits-8)<<4)) << 8;
-            uInt level_flags;
-
-            if (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2)
-                level_flags = 0;
-            else if (s->level < 6)
-                level_flags = 1;
-            else if (s->level == 6)
-                level_flags = 2;
-            else
-                level_flags = 3;
-            header |= (level_flags << 6);
-            if (s->strstart != 0) header |= PRESET_DICT;
-            header += 31 - (header % 31);
-
-            s->status = BUSY_STATE;
-            putShortMSB(s, header);
-
-            /* Save the adler32 of the preset dictionary: */
-            if (s->strstart != 0) {
-                putShortMSB(s, (uInt)(strm->adler >> 16));
-                putShortMSB(s, (uInt)(strm->adler & 0xffff));
-            }
-            strm->adler = adler32(0L, Z_NULL, 0);
-        }
-    }
-#ifdef GZIP
-    if (s->status == EXTRA_STATE) {
-        if (s->gzhead->extra != NULL) {
-            uInt beg = s->pending;  /* start of bytes to update crc */
-
-            while (s->gzindex < (s->gzhead->extra_len & 0xffff)) {
-                if (s->pending == s->pending_buf_size) {
-                    if (s->gzhead->hcrc && s->pending > beg)
-                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                            s->pending - beg);
-                    flush_pending(strm);
-                    beg = s->pending;
-                    if (s->pending == s->pending_buf_size)
-                        break;
-                }
-                put_byte(s, s->gzhead->extra[s->gzindex]);
-                s->gzindex++;
-            }
-            if (s->gzhead->hcrc && s->pending > beg)
-                strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                    s->pending - beg);
-            if (s->gzindex == s->gzhead->extra_len) {
-                s->gzindex = 0;
-                s->status = NAME_STATE;
-            }
-        }
-        else
-            s->status = NAME_STATE;
-    }
-    if (s->status == NAME_STATE) {
-        if (s->gzhead->name != NULL) {
-            uInt beg = s->pending;  /* start of bytes to update crc */
-            int val;
-
-            do {
-                if (s->pending == s->pending_buf_size) {
-                    if (s->gzhead->hcrc && s->pending > beg)
-                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                            s->pending - beg);
-                    flush_pending(strm);
-                    beg = s->pending;
-                    if (s->pending == s->pending_buf_size) {
-                        val = 1;
-                        break;
-                    }
-                }
-                val = s->gzhead->name[s->gzindex++];
-                put_byte(s, val);
-            } while (val != 0);
-            if (s->gzhead->hcrc && s->pending > beg)
-                strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                    s->pending - beg);
-            if (val == 0) {
-                s->gzindex = 0;
-                s->status = COMMENT_STATE;
-            }
-        }
-        else
-            s->status = COMMENT_STATE;
-    }
-    if (s->status == COMMENT_STATE) {
-        if (s->gzhead->comment != NULL) {
-            uInt beg = s->pending;  /* start of bytes to update crc */
-            int val;
-
-            do {
-                if (s->pending == s->pending_buf_size) {
-                    if (s->gzhead->hcrc && s->pending > beg)
-                        strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                            s->pending - beg);
-                    flush_pending(strm);
-                    beg = s->pending;
-                    if (s->pending == s->pending_buf_size) {
-                        val = 1;
-                        break;
-                    }
-                }
-                val = s->gzhead->comment[s->gzindex++];
-                put_byte(s, val);
-            } while (val != 0);
-            if (s->gzhead->hcrc && s->pending > beg)
-                strm->adler = crc32(strm->adler, s->pending_buf + beg,
-                                    s->pending - beg);
-            if (val == 0)
-                s->status = HCRC_STATE;
-        }
-        else
-            s->status = HCRC_STATE;
-    }
-    if (s->status == HCRC_STATE) {
-        if (s->gzhead->hcrc) {
-            if (s->pending + 2 > s->pending_buf_size)
-                flush_pending(strm);
-            if (s->pending + 2 <= s->pending_buf_size) {
-                put_byte(s, (Byte)(strm->adler & 0xff));
-                put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
-                strm->adler = crc32(0L, Z_NULL, 0);
-                s->status = BUSY_STATE;
-            }
-        }
-        else
-            s->status = BUSY_STATE;
-    }
-#endif
-
-    /* Flush as much pending output as possible */
-    if (s->pending != 0) {
-        flush_pending(strm);
-        if (strm->avail_out == 0) {
-            /* Since avail_out is 0, deflate will be called again with
-             * more output space, but possibly with both pending and
-             * avail_in equal to zero. There won't be anything to do,
-             * but this is not an error situation so make sure we
-             * return OK instead of BUF_ERROR at next call of deflate:
-             */
-            s->last_flush = -1;
-            return Z_OK;
-        }
-
-    /* Make sure there is something to do and avoid duplicate consecutive
-     * flushes. For repeated and useless calls with Z_FINISH, we keep
-     * returning Z_STREAM_END instead of Z_BUF_ERROR.
-     */
-    } else if (strm->avail_in == 0 && flush <= old_flush &&
-               flush != Z_FINISH) {
-        ERR_RETURN(strm, Z_BUF_ERROR);
-    }
-
-    /* User must not provide more input after the first FINISH: */
-    if (s->status == FINISH_STATE && strm->avail_in != 0) {
-        ERR_RETURN(strm, Z_BUF_ERROR);
-    }
-
-    /* Start a new block or continue the current one.
-     */
-    if (strm->avail_in != 0 || s->lookahead != 0 ||
-        (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
-        block_state bstate;
-
-        bstate = (*(configuration_table[s->level].func))(s, flush);
-
-        if (bstate == finish_started || bstate == finish_done) {
-            s->status = FINISH_STATE;
-        }
-        if (bstate == need_more || bstate == finish_started) {
-            if (strm->avail_out == 0) {
-                s->last_flush = -1; /* avoid BUF_ERROR next call, see above */
-            }
-            return Z_OK;
-            /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
-             * of deflate should use the same flush parameter to make sure
-             * that the flush is complete. So we don't have to output an
-             * empty block here, this will be done at next call. This also
-             * ensures that for a very small output buffer, we emit at most
-             * one empty block.
-             */
-        }
-        if (bstate == block_done) {
-            if (flush == Z_PARTIAL_FLUSH) {
-                _tr_align(s);
-            } else { /* FULL_FLUSH or SYNC_FLUSH */
-                _tr_stored_block(s, (char*)0, 0L, 0);
-                /* For a full flush, this empty block will be recognized
-                 * as a special marker by inflate_sync().
-                 */
-                if (flush == Z_FULL_FLUSH) {
-                    CLEAR_HASH(s);             /* forget history */
-                }
-            }
-            flush_pending(strm);
-            if (strm->avail_out == 0) {
-              s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */
-              return Z_OK;
-            }
-        }
-    }
-    Assert(strm->avail_out > 0, "bug2");
-
-    if (flush != Z_FINISH) return Z_OK;
-    if (s->wrap <= 0) return Z_STREAM_END;
-
-    /* Write the trailer */
-#ifdef GZIP
-    if (s->wrap == 2) {
-        put_byte(s, (Byte)(strm->adler & 0xff));
-        put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
-        put_byte(s, (Byte)((strm->adler >> 16) & 0xff));
-        put_byte(s, (Byte)((strm->adler >> 24) & 0xff));
-        put_byte(s, (Byte)(strm->total_in & 0xff));
-        put_byte(s, (Byte)((strm->total_in >> 8) & 0xff));
-        put_byte(s, (Byte)((strm->total_in >> 16) & 0xff));
-        put_byte(s, (Byte)((strm->total_in >> 24) & 0xff));
-    }
-    else
-#endif
-    {
-        putShortMSB(s, (uInt)(strm->adler >> 16));
-        putShortMSB(s, (uInt)(strm->adler & 0xffff));
-    }
-    flush_pending(strm);
-    /* If avail_out is zero, the application will call deflate again
-     * to flush the rest.
-     */
-    if (s->wrap > 0) s->wrap = -s->wrap; /* write the trailer only once! */
-    return s->pending != 0 ? Z_OK : Z_STREAM_END;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateEnd (strm)
-    z_streamp strm;
-{
-    int status;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-
-    status = strm->state->status;
-    if (status != INIT_STATE &&
-        status != EXTRA_STATE &&
-        status != NAME_STATE &&
-        status != COMMENT_STATE &&
-        status != HCRC_STATE &&
-        status != BUSY_STATE &&
-        status != FINISH_STATE) {
-      return Z_STREAM_ERROR;
-    }
-
-    /* Deallocate in reverse order of allocations: */
-    TRY_FREE(strm, strm->state->pending_buf);
-    TRY_FREE(strm, strm->state->head);
-    TRY_FREE(strm, strm->state->prev);
-    TRY_FREE(strm, strm->state->window);
-
-    ZFREE(strm, strm->state);
-    strm->state = Z_NULL;
-
-    return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
-}
-
-/* =========================================================================
- * Copy the source state to the destination state.
- * To simplify the source, this is not supported for 16-bit MSDOS (which
- * doesn't have enough memory anyway to duplicate compression states).
- */
-int ZEXPORT deflateCopy (dest, source)
-    z_streamp dest;
-    z_streamp source;
-{
-#ifdef MAXSEG_64K
-    return Z_STREAM_ERROR;
-#else
-    deflate_state *ds;
-    deflate_state *ss;
-    ushf *overlay;
-
-
-    if (source == Z_NULL || dest == Z_NULL || source->state == Z_NULL) {
-        return Z_STREAM_ERROR;
-    }
-
-    ss = source->state;
-
-    zmemcpy(dest, source, sizeof(z_stream));
-
-    ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));
-    if (ds == Z_NULL) return Z_MEM_ERROR;
-    dest->state = (struct internal_state FAR *) ds;
-    zmemcpy(ds, ss, sizeof(deflate_state));
-    ds->strm = dest;
-
-    ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
-    ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
-    ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
-    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
-    ds->pending_buf = (uchf *) overlay;
-
-    if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
-        ds->pending_buf == Z_NULL) {
-        deflateEnd (dest);
-        return Z_MEM_ERROR;
-    }
-    /* following zmemcpy do not work for 16-bit MSDOS */
-    zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
-    zmemcpy(ds->prev, ss->prev, ds->w_size * sizeof(Pos));
-    zmemcpy(ds->head, ss->head, ds->hash_size * sizeof(Pos));
-    zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
-
-    ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
-    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
-    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
-
-    ds->l_desc.dyn_tree = ds->dyn_ltree;
-    ds->d_desc.dyn_tree = ds->dyn_dtree;
-    ds->bl_desc.dyn_tree = ds->bl_tree;
-
-    return Z_OK;
-#endif /* MAXSEG_64K */
-}
-
-/* ===========================================================================
- * Read a new buffer from the current input stream, update the adler32
- * and total number of bytes read.  All deflate() input goes through
- * this function so some applications may wish to modify it to avoid
- * allocating a large strm->next_in buffer and copying from it.
- * (See also flush_pending()).
- */
-local int read_buf(strm, buf, size)
-    z_streamp strm;
-    Bytef *buf;
-    unsigned size;
-{
-    unsigned len = strm->avail_in;
-
-    if (len > size) len = size;
-    if (len == 0) return 0;
-
-    strm->avail_in  -= len;
-
-    if (strm->state->wrap == 1) {
-        strm->adler = adler32(strm->adler, strm->next_in, len);
-    }
-#ifdef GZIP
-    else if (strm->state->wrap == 2) {
-        strm->adler = crc32(strm->adler, strm->next_in, len);
-    }
-#endif
-    zmemcpy(buf, strm->next_in, len);
-    strm->next_in  += len;
-    strm->total_in += len;
-
-    return (int)len;
-}
-
-/* ===========================================================================
- * Initialize the "longest match" routines for a new zlib stream
- */
-local void lm_init (s)
-    deflate_state *s;
-{
-    s->window_size = (ulg)2L*s->w_size;
-
-    CLEAR_HASH(s);
-
-    /* Set the default configuration parameters:
-     */
-    s->max_lazy_match   = configuration_table[s->level].max_lazy;
-    s->good_match       = configuration_table[s->level].good_length;
-    s->nice_match       = configuration_table[s->level].nice_length;
-    s->max_chain_length = configuration_table[s->level].max_chain;
-
-    s->strstart = 0;
-    s->block_start = 0L;
-    s->lookahead = 0;
-    s->match_length = s->prev_length = MIN_MATCH-1;
-    s->match_available = 0;
-    s->ins_h = 0;
-#ifndef FASTEST
-#ifdef ASMV
-    match_init(); /* initialize the asm code */
-#endif
-#endif
-}
-
-#ifndef FASTEST
-/* ===========================================================================
- * Set match_start to the longest match starting at the given string and
- * return its length. Matches shorter or equal to prev_length are discarded,
- * in which case the result is equal to prev_length and match_start is
- * garbage.
- * IN assertions: cur_match is the head of the hash chain for the current
- *   string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1
- * OUT assertion: the match length is not greater than s->lookahead.
- */
-#ifndef ASMV
-/* For 80x86 and 680x0, an optimized version will be provided in match.asm or
- * match.S. The code will be functionally equivalent.
- */
-local uInt longest_match(s, cur_match)
-    deflate_state *s;
-    IPos cur_match;                             /* current match */
-{
-    unsigned chain_length = s->max_chain_length;/* max hash chain length */
-    register Bytef *scan = s->window + s->strstart; /* current string */
-    register Bytef *match;                       /* matched string */
-    register int len;                           /* length of current match */
-    int best_len = s->prev_length;              /* best match length so far */
-    int nice_match = s->nice_match;             /* stop if match long enough */
-    IPos limit = s->strstart > (IPos)MAX_DIST(s) ?
-        s->strstart - (IPos)MAX_DIST(s) : NIL;
-    /* Stop when cur_match becomes <= limit. To simplify the code,
-     * we prevent matches with the string of window index 0.
-     */
-    Posf *prev = s->prev;
-    uInt wmask = s->w_mask;
-
-#ifdef UNALIGNED_OK
-    /* Compare two bytes at a time. Note: this is not always beneficial.
-     * Try with and without -DUNALIGNED_OK to check.
-     */
-    register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;
-    register ush scan_start = *(ushf*)scan;
-    register ush scan_end   = *(ushf*)(scan+best_len-1);
-#else
-    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
-    register Byte scan_end1  = scan[best_len-1];
-    register Byte scan_end   = scan[best_len];
-#endif
-
-    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
-     * It is easy to get rid of this optimization if necessary.
-     */
-    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
-
-    /* Do not waste too much time if we already have a good match: */
-    if (s->prev_length >= s->good_match) {
-        chain_length >>= 2;
-    }
-    /* Do not look for matches beyond the end of the input. This is necessary
-     * to make deflate deterministic.
-     */
-    if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;
-
-    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
-
-    do {
-        Assert(cur_match < s->strstart, "no future");
-        match = s->window + cur_match;
-
-        /* Skip to next match if the match length cannot increase
-         * or if the match length is less than 2.  Note that the checks below
-         * for insufficient lookahead only occur occasionally for performance
-         * reasons.  Therefore uninitialized memory will be accessed, and
-         * conditional jumps will be made that depend on those values.
-         * However the length of the match is limited to the lookahead, so
-         * the output of deflate is not affected by the uninitialized values.
-         */
-#if (defined(UNALIGNED_OK) && MAX_MATCH == 258)
-        /* This code assumes sizeof(unsigned short) == 2. Do not use
-         * UNALIGNED_OK if your compiler uses a different size.
-         */
-        if (*(ushf*)(match+best_len-1) != scan_end ||
-            *(ushf*)match != scan_start) continue;
-
-        /* It is not necessary to compare scan[2] and match[2] since they are
-         * always equal when the other bytes match, given that the hash keys
-         * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at
-         * strstart+3, +5, ... up to strstart+257. We check for insufficient
-         * lookahead only every 4th comparison; the 128th check will be made
-         * at strstart+257. If MAX_MATCH-2 is not a multiple of 8, it is
-         * necessary to put more guard bytes at the end of the window, or
-         * to check more often for insufficient lookahead.
-         */
-        Assert(scan[2] == match[2], "scan[2]?");
-        scan++, match++;
-        do {
-        } while (*(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
-                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
-                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
-                 *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
-                 scan < strend);
-        /* The funny "do {}" generates better code on most compilers */
-
-        /* Here, scan <= window+strstart+257 */
-        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
-        if (*scan == *match) scan++;
-
-        len = (MAX_MATCH - 1) - (int)(strend-scan);
-        scan = strend - (MAX_MATCH-1);
-
-#else /* UNALIGNED_OK */
-
-        if (match[best_len]   != scan_end  ||
-            match[best_len-1] != scan_end1 ||
-            *match            != *scan     ||
-            *++match          != scan[1])      continue;
-
-        /* The check at best_len-1 can be removed because it will be made
-         * again later. (This heuristic is not always a win.)
-         * It is not necessary to compare scan[2] and match[2] since they
-         * are always equal when the other bytes match, given that
-         * the hash keys are equal and that HASH_BITS >= 8.
-         */
-        scan += 2, match++;
-        Assert(*scan == *match, "match[2]?");
-
-        /* We check for insufficient lookahead only every 8th comparison;
-         * the 256th check will be made at strstart+258.
-         */
-        do {
-        } while (*++scan == *++match && *++scan == *++match &&
-                 *++scan == *++match && *++scan == *++match &&
-                 *++scan == *++match && *++scan == *++match &&
-                 *++scan == *++match && *++scan == *++match &&
-                 scan < strend);
-
-        Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
-
-        len = MAX_MATCH - (int)(strend - scan);
-        scan = strend - MAX_MATCH;
-
-#endif /* UNALIGNED_OK */
-
-        if (len > best_len) {
-            s->match_start = cur_match;
-            best_len = len;
-            if (len >= nice_match) break;
-#ifdef UNALIGNED_OK
-            scan_end = *(ushf*)(scan+best_len-1);
-#else
-            scan_end1  = scan[best_len-1];
-            scan_end   = scan[best_len];
-#endif
-        }
-    } while ((cur_match = prev[cur_match & wmask]) > limit
-             && --chain_length != 0);
-
-    if ((uInt)best_len <= s->lookahead) return (uInt)best_len;
-    return s->lookahead;
-}
-#endif /* ASMV */
-#endif /* FASTEST */
-
-/* ---------------------------------------------------------------------------
- * Optimized version for level == 1 or strategy == Z_RLE only
- */
-local uInt longest_match_fast(s, cur_match)
-    deflate_state *s;
-    IPos cur_match;                             /* current match */
-{
-    register Bytef *scan = s->window + s->strstart; /* current string */
-    register Bytef *match;                       /* matched string */
-    register int len;                           /* length of current match */
-    register Bytef *strend = s->window + s->strstart + MAX_MATCH;
-
-    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
-     * It is easy to get rid of this optimization if necessary.
-     */
-    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
-
-    Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
-
-    Assert(cur_match < s->strstart, "no future");
-
-    match = s->window + cur_match;
-
-    /* Return failure if the match length is less than 2:
-     */
-    if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;
-
-    /* The check at best_len-1 can be removed because it will be made
-     * again later. (This heuristic is not always a win.)
-     * It is not necessary to compare scan[2] and match[2] since they
-     * are always equal when the other bytes match, given that
-     * the hash keys are equal and that HASH_BITS >= 8.
-     */
-    scan += 2, match += 2;
-    Assert(*scan == *match, "match[2]?");
-
-    /* We check for insufficient lookahead only every 8th comparison;
-     * the 256th check will be made at strstart+258.
-     */
-    do {
-    } while (*++scan == *++match && *++scan == *++match &&
-             *++scan == *++match && *++scan == *++match &&
-             *++scan == *++match && *++scan == *++match &&
-             *++scan == *++match && *++scan == *++match &&
-             scan < strend);
-
-    Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
-
-    len = MAX_MATCH - (int)(strend - scan);
-
-    if (len < MIN_MATCH) return MIN_MATCH - 1;
-
-    s->match_start = cur_match;
-    return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead;
-}
-
-#ifdef DEBUG
-/* ===========================================================================
- * Check that the match at match_start is indeed a match.
- */
-local void check_match(s, start, match, length)
-    deflate_state *s;
-    IPos start, match;
-    int length;
-{
-    /* check that the match is indeed a match */
-    if (zmemcmp(s->window + match,
-                s->window + start, length) != EQUAL) {
-        fprintf(stderr, " start %u, match %u, length %d\n",
-                start, match, length);
-        do {
-            fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
-        } while (--length != 0);
-        z_error("invalid match");
-    }
-    if (z_verbose > 1) {
-        fprintf(stderr,"\\[%d,%d]", start-match, length);
-        do { putc(s->window[start++], stderr); } while (--length != 0);
-    }
-}
-#else
-#  define check_match(s, start, match, length)
-#endif /* DEBUG */
-
-/* ===========================================================================
- * Fill the window when the lookahead becomes insufficient.
- * Updates strstart and lookahead.
- *
- * IN assertion: lookahead < MIN_LOOKAHEAD
- * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
- *    At least one byte has been read, or avail_in == 0; reads are
- *    performed for at least two bytes (required for the zip translate_eol
- *    option -- not supported here).
- */
-local void fill_window(s)
-    deflate_state *s;
-{
-    register unsigned n, m;
-    register Posf *p;
-    unsigned more;    /* Amount of free space at the end of the window. */
-    uInt wsize = s->w_size;
-
-    do {
-        more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);
-
-        /* Deal with !@#$% 64K limit: */
-        if (sizeof(int) <= 2) {
-            if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
-                more = wsize;
-
-            } else if (more == (unsigned)(-1)) {
-                /* Very unlikely, but possible on 16 bit machine if
-                 * strstart == 0 && lookahead == 1 (input done a byte at time)
-                 */
-                more--;
-            }
-        }
-
-        /* If the window is almost full and there is insufficient lookahead,
-         * move the upper half to the lower one to make room in the upper half.
-         */
-        if (s->strstart >= wsize+MAX_DIST(s)) {
-
-            zmemcpy(s->window, s->window+wsize, (unsigned)wsize);
-            s->match_start -= wsize;
-            s->strstart    -= wsize; /* we now have strstart >= MAX_DIST */
-            s->block_start -= (long) wsize;
-
-            /* Slide the hash table (could be avoided with 32 bit values
-               at the expense of memory usage). We slide even when level == 0
-               to keep the hash table consistent if we switch back to level > 0
-               later. (Using level 0 permanently is not an optimal usage of
-               zlib, so we don't care about this pathological case.)
-             */
-            /* %%% avoid this when Z_RLE */
-            n = s->hash_size;
-            p = &s->head[n];
-            do {
-                m = *--p;
-                *p = (Pos)(m >= wsize ? m-wsize : NIL);
-            } while (--n);
-
-            n = wsize;
-#ifndef FASTEST
-            p = &s->prev[n];
-            do {
-                m = *--p;
-                *p = (Pos)(m >= wsize ? m-wsize : NIL);
-                /* If n is not on any hash chain, prev[n] is garbage but
-                 * its value will never be used.
-                 */
-            } while (--n);
-#endif
-            more += wsize;
-        }
-        if (s->strm->avail_in == 0) return;
-
-        /* If there was no sliding:
-         *    strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
-         *    more == window_size - lookahead - strstart
-         * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
-         * => more >= window_size - 2*WSIZE + 2
-         * In the BIG_MEM or MMAP case (not yet supported),
-         *   window_size == input_size + MIN_LOOKAHEAD  &&
-         *   strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
-         * Otherwise, window_size == 2*WSIZE so more >= 2.
-         * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
-         */
-        Assert(more >= 2, "more < 2");
-
-        n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
-        s->lookahead += n;
-
-        /* Initialize the hash value now that we have some input: */
-        if (s->lookahead >= MIN_MATCH) {
-            s->ins_h = s->window[s->strstart];
-            UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
-#if MIN_MATCH != 3
-            Call UPDATE_HASH() MIN_MATCH-3 more times
-#endif
-        }
-        /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
-         * but this is not important since only literal bytes will be emitted.
-         */
-
-    } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);
-}
-
-/* ===========================================================================
- * Flush the current block, with given end-of-file flag.
- * IN assertion: strstart is set to the end of the current match.
- */
-#define FLUSH_BLOCK_ONLY(s, eof) { \
-   _tr_flush_block(s, (s->block_start >= 0L ? \
-                   (charf *)&s->window[(unsigned)s->block_start] : \
-                   (charf *)Z_NULL), \
-                (ulg)((long)s->strstart - s->block_start), \
-                (eof)); \
-   s->block_start = s->strstart; \
-   flush_pending(s->strm); \
-   Tracev((stderr,"[FLUSH]")); \
-}
-
-/* Same but force premature exit if necessary. */
-#define FLUSH_BLOCK(s, eof) { \
-   FLUSH_BLOCK_ONLY(s, eof); \
-   if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \
-}
-
-/* ===========================================================================
- * Copy without compression as much as possible from the input stream, return
- * the current block state.
- * This function does not insert new strings in the dictionary since
- * uncompressible data is probably not useful. This function is used
- * only for the level=0 compression option.
- * NOTE: this function should be optimized to avoid extra copying from
- * window to pending_buf.
- */
-local block_state deflate_stored(s, flush)
-    deflate_state *s;
-    int flush;
-{
-    /* Stored blocks are limited to 0xffff bytes, pending_buf is limited
-     * to pending_buf_size, and each stored block has a 5 byte header:
-     */
-    ulg max_block_size = 0xffff;
-    ulg max_start;
-
-    if (max_block_size > s->pending_buf_size - 5) {
-        max_block_size = s->pending_buf_size - 5;
-    }
-
-    /* Copy as much as possible from input to output: */
-    for (;;) {
-        /* Fill the window as much as possible: */
-        if (s->lookahead <= 1) {
-
-            Assert(s->strstart < s->w_size+MAX_DIST(s) ||
-                   s->block_start >= (long)s->w_size, "slide too late");
-
-            fill_window(s);
-            if (s->lookahead == 0 && flush == Z_NO_FLUSH) return need_more;
-
-            if (s->lookahead == 0) break; /* flush the current block */
-        }
-        Assert(s->block_start >= 0L, "block gone");
-
-        s->strstart += s->lookahead;
-        s->lookahead = 0;
-
-        /* Emit a stored block if pending_buf will be full: */
-        max_start = s->block_start + max_block_size;
-        if (s->strstart == 0 || (ulg)s->strstart >= max_start) {
-            /* strstart == 0 is possible when wraparound on 16-bit machine */
-            s->lookahead = (uInt)(s->strstart - max_start);
-            s->strstart = (uInt)max_start;
-            FLUSH_BLOCK(s, 0);
-        }
-        /* Flush if we may have to slide, otherwise block_start may become
-         * negative and the data will be gone:
-         */
-        if (s->strstart - (uInt)s->block_start >= MAX_DIST(s)) {
-            FLUSH_BLOCK(s, 0);
-        }
-    }
-    FLUSH_BLOCK(s, flush == Z_FINISH);
-    return flush == Z_FINISH ? finish_done : block_done;
-}
-
-/* ===========================================================================
- * Compress as much as possible from the input stream, return the current
- * block state.
- * This function does not perform lazy evaluation of matches and inserts
- * new strings in the dictionary only for unmatched strings or for short
- * matches. It is used only for the fast compression options.
- */
-local block_state deflate_fast(s, flush)
-    deflate_state *s;
-    int flush;
-{
-    IPos hash_head = NIL; /* head of the hash chain */
-    int bflush;           /* set if current block must be flushed */
-
-    for (;;) {
-        /* Make sure that we always have enough lookahead, except
-         * at the end of the input file. We need MAX_MATCH bytes
-         * for the next match, plus MIN_MATCH bytes to insert the
-         * string following the next match.
-         */
-        if (s->lookahead < MIN_LOOKAHEAD) {
-            fill_window(s);
-            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
-                return need_more;
-            }
-            if (s->lookahead == 0) break; /* flush the current block */
-        }
-
-        /* Insert the string window[strstart .. strstart+2] in the
-         * dictionary, and set hash_head to the head of the hash chain:
-         */
-        if (s->lookahead >= MIN_MATCH) {
-            INSERT_STRING(s, s->strstart, hash_head);
-        }
-
-        /* Find the longest match, discarding those <= prev_length.
-         * At this point we have always match_length < MIN_MATCH
-         */
-        if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {
-            /* To simplify the code, we prevent matches with the string
-             * of window index 0 (in particular we have to avoid a match
-             * of the string with itself at the start of the input file).
-             */
-#ifdef FASTEST
-            if ((s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) ||
-                (s->strategy == Z_RLE && s->strstart - hash_head == 1)) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-#else
-            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
-                s->match_length = longest_match (s, hash_head);
-            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-#endif
-            /* longest_match() or longest_match_fast() sets match_start */
-        }
-        if (s->match_length >= MIN_MATCH) {
-            check_match(s, s->strstart, s->match_start, s->match_length);
-
-            _tr_tally_dist(s, s->strstart - s->match_start,
-                           s->match_length - MIN_MATCH, bflush);
-
-            s->lookahead -= s->match_length;
-
-            /* Insert new strings in the hash table only if the match length
-             * is not too large. This saves time but degrades compression.
-             */
-#ifndef FASTEST
-            if (s->match_length <= s->max_insert_length &&
-                s->lookahead >= MIN_MATCH) {
-                s->match_length--; /* string at strstart already in table */
-                do {
-                    s->strstart++;
-                    INSERT_STRING(s, s->strstart, hash_head);
-                    /* strstart never exceeds WSIZE-MAX_MATCH, so there are
-                     * always MIN_MATCH bytes ahead.
-                     */
-                } while (--s->match_length != 0);
-                s->strstart++;
-            } else
-#endif
-            {
-                s->strstart += s->match_length;
-                s->match_length = 0;
-                s->ins_h = s->window[s->strstart];
-                UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
-#if MIN_MATCH != 3
-                Call UPDATE_HASH() MIN_MATCH-3 more times
-#endif
-                /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
-                 * matter since it will be recomputed at next deflate call.
-                 */
-            }
-        } else {
-            /* No match, output a literal byte */
-            Tracevv((stderr,"%c", s->window[s->strstart]));
-            _tr_tally_lit (s, s->window[s->strstart], bflush);
-            s->lookahead--;
-            s->strstart++;
-        }
-        if (bflush) FLUSH_BLOCK(s, 0);
-    }
-    FLUSH_BLOCK(s, flush == Z_FINISH);
-    return flush == Z_FINISH ? finish_done : block_done;
-}
-
-#ifndef FASTEST
-/* ===========================================================================
- * Same as above, but achieves better compression. We use a lazy
- * evaluation for matches: a match is finally adopted only if there is
- * no better match at the next window position.
- */
-local block_state deflate_slow(s, flush)
-    deflate_state *s;
-    int flush;
-{
-    IPos hash_head = NIL;    /* head of hash chain */
-    int bflush;              /* set if current block must be flushed */
-
-    /* Process the input block. */
-    for (;;) {
-        /* Make sure that we always have enough lookahead, except
-         * at the end of the input file. We need MAX_MATCH bytes
-         * for the next match, plus MIN_MATCH bytes to insert the
-         * string following the next match.
-         */
-        if (s->lookahead < MIN_LOOKAHEAD) {
-            fill_window(s);
-            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
-                return need_more;
-            }
-            if (s->lookahead == 0) break; /* flush the current block */
-        }
-
-        /* Insert the string window[strstart .. strstart+2] in the
-         * dictionary, and set hash_head to the head of the hash chain:
-         */
-        if (s->lookahead >= MIN_MATCH) {
-            INSERT_STRING(s, s->strstart, hash_head);
-        }
-
-        /* Find the longest match, discarding those <= prev_length.
-         */
-        s->prev_length = s->match_length, s->prev_match = s->match_start;
-        s->match_length = MIN_MATCH-1;
-
-        if (hash_head != NIL && s->prev_length < s->max_lazy_match &&
-            s->strstart - hash_head <= MAX_DIST(s)) {
-            /* To simplify the code, we prevent matches with the string
-             * of window index 0 (in particular we have to avoid a match
-             * of the string with itself at the start of the input file).
-             */
-            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
-                s->match_length = longest_match (s, hash_head);
-            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-            /* longest_match() or longest_match_fast() sets match_start */
-
-            if (s->match_length <= 5 && (s->strategy == Z_FILTERED
-#if TOO_FAR <= 32767
-                || (s->match_length == MIN_MATCH &&
-                    s->strstart - s->match_start > TOO_FAR)
-#endif
-                )) {
-
-                /* If prev_match is also MIN_MATCH, match_start is garbage
-                 * but we will ignore the current match anyway.
-                 */
-                s->match_length = MIN_MATCH-1;
-            }
-        }
-        /* If there was a match at the previous step and the current
-         * match is not better, output the previous match:
-         */
-        if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
-            uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
-            /* Do not insert strings in hash table beyond this. */
-
-            check_match(s, s->strstart-1, s->prev_match, s->prev_length);
-
-            _tr_tally_dist(s, s->strstart -1 - s->prev_match,
-                           s->prev_length - MIN_MATCH, bflush);
-
-            /* Insert in hash table all strings up to the end of the match.
-             * strstart-1 and strstart are already inserted. If there is not
-             * enough lookahead, the last two strings are not inserted in
-             * the hash table.
-             */
-            s->lookahead -= s->prev_length-1;
-            s->prev_length -= 2;
-            do {
-                if (++s->strstart <= max_insert) {
-                    INSERT_STRING(s, s->strstart, hash_head);
-                }
-            } while (--s->prev_length != 0);
-            s->match_available = 0;
-            s->match_length = MIN_MATCH-1;
-            s->strstart++;
-
-            if (bflush) FLUSH_BLOCK(s, 0);
-
-        } else if (s->match_available) {
-            /* If there was no match at the previous position, output a
-             * single literal. If there was a match but the current match
-             * is longer, truncate the previous match to a single literal.
-             */
-            Tracevv((stderr,"%c", s->window[s->strstart-1]));
-            _tr_tally_lit(s, s->window[s->strstart-1], bflush);
-            if (bflush) {
-                FLUSH_BLOCK_ONLY(s, 0);
-            }
-            s->strstart++;
-            s->lookahead--;
-            if (s->strm->avail_out == 0) return need_more;
-        } else {
-            /* There is no previous match to compare with, wait for
-             * the next step to decide.
-             */
-            s->match_available = 1;
-            s->strstart++;
-            s->lookahead--;
-        }
-    }
-    Assert (flush != Z_NO_FLUSH, "no flush?");
-    if (s->match_available) {
-        Tracevv((stderr,"%c", s->window[s->strstart-1]));
-        _tr_tally_lit(s, s->window[s->strstart-1], bflush);
-        s->match_available = 0;
-    }
-    FLUSH_BLOCK(s, flush == Z_FINISH);
-    return flush == Z_FINISH ? finish_done : block_done;
-}
-#endif /* FASTEST */
-
-#if 0
-/* ===========================================================================
- * For Z_RLE, simply look for runs of bytes, generate matches only of distance
- * one.  Do not maintain a hash table.  (It will be regenerated if this run of
- * deflate switches away from Z_RLE.)
- */
-local block_state deflate_rle(s, flush)
-    deflate_state *s;
-    int flush;
-{
-    int bflush;         /* set if current block must be flushed */
-    uInt run;           /* length of run */
-    uInt max;           /* maximum length of run */
-    uInt prev;          /* byte at distance one to match */
-    Bytef *scan;        /* scan for end of run */
-
-    for (;;) {
-        /* Make sure that we always have enough lookahead, except
-         * at the end of the input file. We need MAX_MATCH bytes
-         * for the longest encodable run.
-         */
-        if (s->lookahead < MAX_MATCH) {
-            fill_window(s);
-            if (s->lookahead < MAX_MATCH && flush == Z_NO_FLUSH) {
-                return need_more;
-            }
-            if (s->lookahead == 0) break; /* flush the current block */
-        }
-
-        /* See how many times the previous byte repeats */
-        run = 0;
-        if (s->strstart > 0) {      /* if there is a previous byte, that is */
-            max = s->lookahead < MAX_MATCH ? s->lookahead : MAX_MATCH;
-            scan = s->window + s->strstart - 1;
-            prev = *scan++;
-            do {
-                if (*scan++ != prev)
-                    break;
-            } while (++run < max);
-        }
-
-        /* Emit match if have run of MIN_MATCH or longer, else emit literal */
-        if (run >= MIN_MATCH) {
-            check_match(s, s->strstart, s->strstart - 1, run);
-            _tr_tally_dist(s, 1, run - MIN_MATCH, bflush);
-            s->lookahead -= run;
-            s->strstart += run;
-        } else {
-            /* No match, output a literal byte */
-            Tracevv((stderr,"%c", s->window[s->strstart]));
-            _tr_tally_lit (s, s->window[s->strstart], bflush);
-            s->lookahead--;
-            s->strstart++;
-        }
-        if (bflush) FLUSH_BLOCK(s, 0);
-    }
-    FLUSH_BLOCK(s, flush == Z_FINISH);
-    return flush == Z_FINISH ? finish_done : block_done;
-}
-#endif
diff --git a/security/nss/cmd/zlib/deflate.h b/security/nss/cmd/zlib/deflate.h
deleted file mode 100644
index 05a5ab3a2..000000000
--- a/security/nss/cmd/zlib/deflate.h
+++ /dev/null
@@ -1,331 +0,0 @@
-/* deflate.h -- internal compression state
- * Copyright (C) 1995-2004 Jean-loup Gailly
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
-   part of the implementation of the compression library and is
-   subject to change. Applications should only use zlib.h.
- */
-
-/* @(#) $Id$ */
-
-#ifndef DEFLATE_H
-#define DEFLATE_H
-
-#include "zutil.h"
-
-/* define NO_GZIP when compiling if you want to disable gzip header and
-   trailer creation by deflate().  NO_GZIP would be used to avoid linking in
-   the crc code when it is not needed.  For shared libraries, gzip encoding
-   should be left enabled. */
-#ifndef NO_GZIP
-#  define GZIP
-#endif
-
-/* ===========================================================================
- * Internal compression state.
- */
-
-#define LENGTH_CODES 29
-/* number of length codes, not counting the special END_BLOCK code */
-
-#define LITERALS  256
-/* number of literal bytes 0..255 */
-
-#define L_CODES (LITERALS+1+LENGTH_CODES)
-/* number of Literal or Length codes, including the END_BLOCK code */
-
-#define D_CODES   30
-/* number of distance codes */
-
-#define BL_CODES  19
-/* number of codes used to transfer the bit lengths */
-
-#define HEAP_SIZE (2*L_CODES+1)
-/* maximum heap size */
-
-#define MAX_BITS 15
-/* All codes must not exceed MAX_BITS bits */
-
-#define INIT_STATE    42
-#define EXTRA_STATE   69
-#define NAME_STATE    73
-#define COMMENT_STATE 91
-#define HCRC_STATE   103
-#define BUSY_STATE   113
-#define FINISH_STATE 666
-/* Stream status */
-
-
-/* Data structure describing a single value and its code string. */
-typedef struct ct_data_s {
-    union {
-        ush  freq;       /* frequency count */
-        ush  code;       /* bit string */
-    } fc;
-    union {
-        ush  dad;        /* father node in Huffman tree */
-        ush  len;        /* length of bit string */
-    } dl;
-} FAR ct_data;
-
-#define Freq fc.freq
-#define Code fc.code
-#define Dad  dl.dad
-#define Len  dl.len
-
-typedef struct static_tree_desc_s  static_tree_desc;
-
-typedef struct tree_desc_s {
-    ct_data *dyn_tree;           /* the dynamic tree */
-    int     max_code;            /* largest code with non zero frequency */
-    static_tree_desc *stat_desc; /* the corresponding static tree */
-} FAR tree_desc;
-
-typedef ush Pos;
-typedef Pos FAR Posf;
-typedef unsigned IPos;
-
-/* A Pos is an index in the character window. We use short instead of int to
- * save space in the various tables. IPos is used only for parameter passing.
- */
-
-typedef struct internal_state {
-    z_streamp strm;      /* pointer back to this zlib stream */
-    int   status;        /* as the name implies */
-    Bytef *pending_buf;  /* output still pending */
-    ulg   pending_buf_size; /* size of pending_buf */
-    Bytef *pending_out;  /* next pending byte to output to the stream */
-    uInt   pending;      /* nb of bytes in the pending buffer */
-    int   wrap;          /* bit 0 true for zlib, bit 1 true for gzip */
-    gz_headerp  gzhead;  /* gzip header information to write */
-    uInt   gzindex;      /* where in extra, name, or comment */
-    Byte  method;        /* STORED (for zip only) or DEFLATED */
-    int   last_flush;    /* value of flush param for previous deflate call */
-
-                /* used by deflate.c: */
-
-    uInt  w_size;        /* LZ77 window size (32K by default) */
-    uInt  w_bits;        /* log2(w_size)  (8..16) */
-    uInt  w_mask;        /* w_size - 1 */
-
-    Bytef *window;
-    /* Sliding window. Input bytes are read into the second half of the window,
-     * and move to the first half later to keep a dictionary of at least wSize
-     * bytes. With this organization, matches are limited to a distance of
-     * wSize-MAX_MATCH bytes, but this ensures that IO is always
-     * performed with a length multiple of the block size. Also, it limits
-     * the window size to 64K, which is quite useful on MSDOS.
-     * To do: use the user input buffer as sliding window.
-     */
-
-    ulg window_size;
-    /* Actual size of window: 2*wSize, except when the user input buffer
-     * is directly used as sliding window.
-     */
-
-    Posf *prev;
-    /* Link to older string with same hash index. To limit the size of this
-     * array to 64K, this link is maintained only for the last 32K strings.
-     * An index in this array is thus a window index modulo 32K.
-     */
-
-    Posf *head; /* Heads of the hash chains or NIL. */
-
-    uInt  ins_h;          /* hash index of string to be inserted */
-    uInt  hash_size;      /* number of elements in hash table */
-    uInt  hash_bits;      /* log2(hash_size) */
-    uInt  hash_mask;      /* hash_size-1 */
-
-    uInt  hash_shift;
-    /* Number of bits by which ins_h must be shifted at each input
-     * step. It must be such that after MIN_MATCH steps, the oldest
-     * byte no longer takes part in the hash key, that is:
-     *   hash_shift * MIN_MATCH >= hash_bits
-     */
-
-    long block_start;
-    /* Window position at the beginning of the current output block. Gets
-     * negative when the window is moved backwards.
-     */
-
-    uInt match_length;           /* length of best match */
-    IPos prev_match;             /* previous match */
-    int match_available;         /* set if previous match exists */
-    uInt strstart;               /* start of string to insert */
-    uInt match_start;            /* start of matching string */
-    uInt lookahead;              /* number of valid bytes ahead in window */
-
-    uInt prev_length;
-    /* Length of the best match at previous step. Matches not greater than this
-     * are discarded. This is used in the lazy match evaluation.
-     */
-
-    uInt max_chain_length;
-    /* To speed up deflation, hash chains are never searched beyond this
-     * length.  A higher limit improves compression ratio but degrades the
-     * speed.
-     */
-
-    uInt max_lazy_match;
-    /* Attempt to find a better match only when the current match is strictly
-     * smaller than this value. This mechanism is used only for compression
-     * levels >= 4.
-     */
-#   define max_insert_length  max_lazy_match
-    /* Insert new strings in the hash table only if the match length is not
-     * greater than this length. This saves time but degrades compression.
-     * max_insert_length is used only for compression levels <= 3.
-     */
-
-    int level;    /* compression level (1..9) */
-    int strategy; /* favor or force Huffman coding*/
-
-    uInt good_match;
-    /* Use a faster search when the previous match is longer than this */
-
-    int nice_match; /* Stop searching when current match exceeds this */
-
-                /* used by trees.c: */
-    /* Didn't use ct_data typedef below to supress compiler warning */
-    struct ct_data_s dyn_ltree[HEAP_SIZE];   /* literal and length tree */
-    struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
-    struct ct_data_s bl_tree[2*BL_CODES+1];  /* Huffman tree for bit lengths */
-
-    struct tree_desc_s l_desc;               /* desc. for literal tree */
-    struct tree_desc_s d_desc;               /* desc. for distance tree */
-    struct tree_desc_s bl_desc;              /* desc. for bit length tree */
-
-    ush bl_count[MAX_BITS+1];
-    /* number of codes at each bit length for an optimal tree */
-
-    int heap[2*L_CODES+1];      /* heap used to build the Huffman trees */
-    int heap_len;               /* number of elements in the heap */
-    int heap_max;               /* element of largest frequency */
-    /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
-     * The same heap array is used to build all trees.
-     */
-
-    uch depth[2*L_CODES+1];
-    /* Depth of each subtree used as tie breaker for trees of equal frequency
-     */
-
-    uchf *l_buf;          /* buffer for literals or lengths */
-
-    uInt  lit_bufsize;
-    /* Size of match buffer for literals/lengths.  There are 4 reasons for
-     * limiting lit_bufsize to 64K:
-     *   - frequencies can be kept in 16 bit counters
-     *   - if compression is not successful for the first block, all input
-     *     data is still in the window so we can still emit a stored block even
-     *     when input comes from standard input.  (This can also be done for
-     *     all blocks if lit_bufsize is not greater than 32K.)
-     *   - if compression is not successful for a file smaller than 64K, we can
-     *     even emit a stored file instead of a stored block (saving 5 bytes).
-     *     This is applicable only for zip (not gzip or zlib).
-     *   - creating new Huffman trees less frequently may not provide fast
-     *     adaptation to changes in the input data statistics. (Take for
-     *     example a binary file with poorly compressible code followed by
-     *     a highly compressible string table.) Smaller buffer sizes give
-     *     fast adaptation but have of course the overhead of transmitting
-     *     trees more frequently.
-     *   - I can't count above 4
-     */
-
-    uInt last_lit;      /* running index in l_buf */
-
-    ushf *d_buf;
-    /* Buffer for distances. To simplify the code, d_buf and l_buf have
-     * the same number of elements. To use different lengths, an extra flag
-     * array would be necessary.
-     */
-
-    ulg opt_len;        /* bit length of current block with optimal trees */
-    ulg static_len;     /* bit length of current block with static trees */
-    uInt matches;       /* number of string matches in current block */
-    int last_eob_len;   /* bit length of EOB code for last block */
-
-#ifdef DEBUG
-    ulg compressed_len; /* total bit length of compressed file mod 2^32 */
-    ulg bits_sent;      /* bit length of compressed data sent mod 2^32 */
-#endif
-
-    ush bi_buf;
-    /* Output buffer. bits are inserted starting at the bottom (least
-     * significant bits).
-     */
-    int bi_valid;
-    /* Number of valid bits in bi_buf.  All bits above the last valid bit
-     * are always zero.
-     */
-
-} FAR deflate_state;
-
-/* Output a byte on the stream.
- * IN assertion: there is enough room in pending_buf.
- */
-#define put_byte(s, c) {s->pending_buf[s->pending++] = (c);}
-
-
-#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
-/* Minimum amount of lookahead, except at the end of the input file.
- * See deflate.c for comments about the MIN_MATCH+1.
- */
-
-#define MAX_DIST(s)  ((s)->w_size-MIN_LOOKAHEAD)
-/* In order to simplify the code, particularly on 16 bit machines, match
- * distances are limited to MAX_DIST instead of WSIZE.
- */
-
-        /* in trees.c */
-void _tr_init         OF((deflate_state *s));
-int  _tr_tally        OF((deflate_state *s, unsigned dist, unsigned lc));
-void _tr_flush_block  OF((deflate_state *s, charf *buf, ulg stored_len,
-                          int eof));
-void _tr_align        OF((deflate_state *s));
-void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
-                          int eof));
-
-#define d_code(dist) \
-   ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
-/* Mapping from a distance to a distance code. dist is the distance - 1 and
- * must not have side effects. _dist_code[256] and _dist_code[257] are never
- * used.
- */
-
-#ifndef DEBUG
-/* Inline versions of _tr_tally for speed: */
-
-#if defined(GEN_TREES_H) || !defined(STDC)
-  extern uch _length_code[];
-  extern uch _dist_code[];
-#else
-  extern const uch _length_code[];
-  extern const uch _dist_code[];
-#endif
-
-# define _tr_tally_lit(s, c, flush) \
-  { uch cc = (c); \
-    s->d_buf[s->last_lit] = 0; \
-    s->l_buf[s->last_lit++] = cc; \
-    s->dyn_ltree[cc].Freq++; \
-    flush = (s->last_lit == s->lit_bufsize-1); \
-   }
-# define _tr_tally_dist(s, distance, length, flush) \
-  { uch len = (length); \
-    ush dist = (distance); \
-    s->d_buf[s->last_lit] = dist; \
-    s->l_buf[s->last_lit++] = len; \
-    dist--; \
-    s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
-    s->dyn_dtree[d_code(dist)].Freq++; \
-    flush = (s->last_lit == s->lit_bufsize-1); \
-  }
-#else
-# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
-# define _tr_tally_dist(s, distance, length, flush) \
-              flush = _tr_tally(s, distance, length)
-#endif
-
-#endif /* DEFLATE_H */
diff --git a/security/nss/cmd/zlib/example.c b/security/nss/cmd/zlib/example.c
deleted file mode 100644
index 6c8a0ee76..000000000
--- a/security/nss/cmd/zlib/example.c
+++ /dev/null
@@ -1,565 +0,0 @@
-/* example.c -- usage example of the zlib compression library
- * Copyright (C) 1995-2004 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#include <stdio.h>
-#include "zlib.h"
-
-#ifdef STDC
-#  include <string.h>
-#  include <stdlib.h>
-#endif
-
-#if defined(VMS) || defined(RISCOS)
-#  define TESTFILE "foo-gz"
-#else
-#  define TESTFILE "foo.gz"
-#endif
-
-#define CHECK_ERR(err, msg) { \
-    if (err != Z_OK) { \
-        fprintf(stderr, "%s error: %d\n", msg, err); \
-        exit(1); \
-    } \
-}
-
-const char hello[] = "hello, hello!";
-/* "hello world" would be more standard, but the repeated "hello"
- * stresses the compression code better, sorry...
- */
-
-const char dictionary[] = "hello";
-uLong dictId; /* Adler32 value of the dictionary */
-
-void test_compress      OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-void test_gzio          OF((const char *fname,
-                            Byte *uncompr, uLong uncomprLen));
-void test_deflate       OF((Byte *compr, uLong comprLen));
-void test_inflate       OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-void test_large_deflate OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-void test_large_inflate OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-void test_flush         OF((Byte *compr, uLong *comprLen));
-void test_sync          OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-void test_dict_deflate  OF((Byte *compr, uLong comprLen));
-void test_dict_inflate  OF((Byte *compr, uLong comprLen,
-                            Byte *uncompr, uLong uncomprLen));
-int  main               OF((int argc, char *argv[]));
-
-/* ===========================================================================
- * Test compress() and uncompress()
- */
-void test_compress(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    int err;
-    uLong len = (uLong)strlen(hello)+1;
-
-    err = compress(compr, &comprLen, (const Bytef*)hello, len);
-    CHECK_ERR(err, "compress");
-
-    strcpy((char*)uncompr, "garbage");
-
-    err = uncompress(uncompr, &uncomprLen, compr, comprLen);
-    CHECK_ERR(err, "uncompress");
-
-    if (strcmp((char*)uncompr, hello)) {
-        fprintf(stderr, "bad uncompress\n");
-        exit(1);
-    } else {
-        printf("uncompress(): %s\n", (char *)uncompr);
-    }
-}
-
-/* ===========================================================================
- * Test read/write of .gz files
- */
-void test_gzio(fname, uncompr, uncomprLen)
-    const char *fname; /* compressed file name */
-    Byte *uncompr;
-    uLong uncomprLen;
-{
-#ifdef NO_GZCOMPRESS
-    fprintf(stderr, "NO_GZCOMPRESS -- gz* functions cannot compress\n");
-#else
-    int err;
-    int len = (int)strlen(hello)+1;
-    gzFile file;
-    z_off_t pos;
-
-    file = gzopen(fname, "wb");
-    if (file == NULL) {
-        fprintf(stderr, "gzopen error\n");
-        exit(1);
-    }
-    gzputc(file, 'h');
-    if (gzputs(file, "ello") != 4) {
-        fprintf(stderr, "gzputs err: %s\n", gzerror(file, &err));
-        exit(1);
-    }
-    if (gzprintf(file, ", %s!", "hello") != 8) {
-        fprintf(stderr, "gzprintf err: %s\n", gzerror(file, &err));
-        exit(1);
-    }
-    gzseek(file, 1L, SEEK_CUR); /* add one zero byte */
-    gzclose(file);
-
-    file = gzopen(fname, "rb");
-    if (file == NULL) {
-        fprintf(stderr, "gzopen error\n");
-        exit(1);
-    }
-    strcpy((char*)uncompr, "garbage");
-
-    if (gzread(file, uncompr, (unsigned)uncomprLen) != len) {
-        fprintf(stderr, "gzread err: %s\n", gzerror(file, &err));
-        exit(1);
-    }
-    if (strcmp((char*)uncompr, hello)) {
-        fprintf(stderr, "bad gzread: %s\n", (char*)uncompr);
-        exit(1);
-    } else {
-        printf("gzread(): %s\n", (char*)uncompr);
-    }
-
-    pos = gzseek(file, -8L, SEEK_CUR);
-    if (pos != 6 || gztell(file) != pos) {
-        fprintf(stderr, "gzseek error, pos=%ld, gztell=%ld\n",
-                (long)pos, (long)gztell(file));
-        exit(1);
-    }
-
-    if (gzgetc(file) != ' ') {
-        fprintf(stderr, "gzgetc error\n");
-        exit(1);
-    }
-
-    if (gzungetc(' ', file) != ' ') {
-        fprintf(stderr, "gzungetc error\n");
-        exit(1);
-    }
-
-    gzgets(file, (char*)uncompr, (int)uncomprLen);
-    if (strlen((char*)uncompr) != 7) { /* " hello!" */
-        fprintf(stderr, "gzgets err after gzseek: %s\n", gzerror(file, &err));
-        exit(1);
-    }
-    if (strcmp((char*)uncompr, hello + 6)) {
-        fprintf(stderr, "bad gzgets after gzseek\n");
-        exit(1);
-    } else {
-        printf("gzgets() after gzseek: %s\n", (char*)uncompr);
-    }
-
-    gzclose(file);
-#endif
-}
-
-/* ===========================================================================
- * Test deflate() with small buffers
- */
-void test_deflate(compr, comprLen)
-    Byte *compr;
-    uLong comprLen;
-{
-    z_stream c_stream; /* compression stream */
-    int err;
-    uLong len = (uLong)strlen(hello)+1;
-
-    c_stream.zalloc = (alloc_func)0;
-    c_stream.zfree = (free_func)0;
-    c_stream.opaque = (voidpf)0;
-
-    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
-    CHECK_ERR(err, "deflateInit");
-
-    c_stream.next_in  = (Bytef*)hello;
-    c_stream.next_out = compr;
-
-    while (c_stream.total_in != len && c_stream.total_out < comprLen) {
-        c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */
-        err = deflate(&c_stream, Z_NO_FLUSH);
-        CHECK_ERR(err, "deflate");
-    }
-    /* Finish the stream, still forcing small buffers: */
-    for (;;) {
-        c_stream.avail_out = 1;
-        err = deflate(&c_stream, Z_FINISH);
-        if (err == Z_STREAM_END) break;
-        CHECK_ERR(err, "deflate");
-    }
-
-    err = deflateEnd(&c_stream);
-    CHECK_ERR(err, "deflateEnd");
-}
-
-/* ===========================================================================
- * Test inflate() with small buffers
- */
-void test_inflate(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    int err;
-    z_stream d_stream; /* decompression stream */
-
-    strcpy((char*)uncompr, "garbage");
-
-    d_stream.zalloc = (alloc_func)0;
-    d_stream.zfree = (free_func)0;
-    d_stream.opaque = (voidpf)0;
-
-    d_stream.next_in  = compr;
-    d_stream.avail_in = 0;
-    d_stream.next_out = uncompr;
-
-    err = inflateInit(&d_stream);
-    CHECK_ERR(err, "inflateInit");
-
-    while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen) {
-        d_stream.avail_in = d_stream.avail_out = 1; /* force small buffers */
-        err = inflate(&d_stream, Z_NO_FLUSH);
-        if (err == Z_STREAM_END) break;
-        CHECK_ERR(err, "inflate");
-    }
-
-    err = inflateEnd(&d_stream);
-    CHECK_ERR(err, "inflateEnd");
-
-    if (strcmp((char*)uncompr, hello)) {
-        fprintf(stderr, "bad inflate\n");
-        exit(1);
-    } else {
-        printf("inflate(): %s\n", (char *)uncompr);
-    }
-}
-
-/* ===========================================================================
- * Test deflate() with large buffers and dynamic change of compression level
- */
-void test_large_deflate(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    z_stream c_stream; /* compression stream */
-    int err;
-
-    c_stream.zalloc = (alloc_func)0;
-    c_stream.zfree = (free_func)0;
-    c_stream.opaque = (voidpf)0;
-
-    err = deflateInit(&c_stream, Z_BEST_SPEED);
-    CHECK_ERR(err, "deflateInit");
-
-    c_stream.next_out = compr;
-    c_stream.avail_out = (uInt)comprLen;
-
-    /* At this point, uncompr is still mostly zeroes, so it should compress
-     * very well:
-     */
-    c_stream.next_in = uncompr;
-    c_stream.avail_in = (uInt)uncomprLen;
-    err = deflate(&c_stream, Z_NO_FLUSH);
-    CHECK_ERR(err, "deflate");
-    if (c_stream.avail_in != 0) {
-        fprintf(stderr, "deflate not greedy\n");
-        exit(1);
-    }
-
-    /* Feed in already compressed data and switch to no compression: */
-    deflateParams(&c_stream, Z_NO_COMPRESSION, Z_DEFAULT_STRATEGY);
-    c_stream.next_in = compr;
-    c_stream.avail_in = (uInt)comprLen/2;
-    err = deflate(&c_stream, Z_NO_FLUSH);
-    CHECK_ERR(err, "deflate");
-
-    /* Switch back to compressing mode: */
-    deflateParams(&c_stream, Z_BEST_COMPRESSION, Z_FILTERED);
-    c_stream.next_in = uncompr;
-    c_stream.avail_in = (uInt)uncomprLen;
-    err = deflate(&c_stream, Z_NO_FLUSH);
-    CHECK_ERR(err, "deflate");
-
-    err = deflate(&c_stream, Z_FINISH);
-    if (err != Z_STREAM_END) {
-        fprintf(stderr, "deflate should report Z_STREAM_END\n");
-        exit(1);
-    }
-    err = deflateEnd(&c_stream);
-    CHECK_ERR(err, "deflateEnd");
-}
-
-/* ===========================================================================
- * Test inflate() with large buffers
- */
-void test_large_inflate(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    int err;
-    z_stream d_stream; /* decompression stream */
-
-    strcpy((char*)uncompr, "garbage");
-
-    d_stream.zalloc = (alloc_func)0;
-    d_stream.zfree = (free_func)0;
-    d_stream.opaque = (voidpf)0;
-
-    d_stream.next_in  = compr;
-    d_stream.avail_in = (uInt)comprLen;
-
-    err = inflateInit(&d_stream);
-    CHECK_ERR(err, "inflateInit");
-
-    for (;;) {
-        d_stream.next_out = uncompr;            /* discard the output */
-        d_stream.avail_out = (uInt)uncomprLen;
-        err = inflate(&d_stream, Z_NO_FLUSH);
-        if (err == Z_STREAM_END) break;
-        CHECK_ERR(err, "large inflate");
-    }
-
-    err = inflateEnd(&d_stream);
-    CHECK_ERR(err, "inflateEnd");
-
-    if (d_stream.total_out != 2*uncomprLen + comprLen/2) {
-        fprintf(stderr, "bad large inflate: %ld\n", d_stream.total_out);
-        exit(1);
-    } else {
-        printf("large_inflate(): OK\n");
-    }
-}
-
-/* ===========================================================================
- * Test deflate() with full flush
- */
-void test_flush(compr, comprLen)
-    Byte *compr;
-    uLong *comprLen;
-{
-    z_stream c_stream; /* compression stream */
-    int err;
-    uInt len = (uInt)strlen(hello)+1;
-
-    c_stream.zalloc = (alloc_func)0;
-    c_stream.zfree = (free_func)0;
-    c_stream.opaque = (voidpf)0;
-
-    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
-    CHECK_ERR(err, "deflateInit");
-
-    c_stream.next_in  = (Bytef*)hello;
-    c_stream.next_out = compr;
-    c_stream.avail_in = 3;
-    c_stream.avail_out = (uInt)*comprLen;
-    err = deflate(&c_stream, Z_FULL_FLUSH);
-    CHECK_ERR(err, "deflate");
-
-    compr[3]++; /* force an error in first compressed block */
-    c_stream.avail_in = len - 3;
-
-    err = deflate(&c_stream, Z_FINISH);
-    if (err != Z_STREAM_END) {
-        CHECK_ERR(err, "deflate");
-    }
-    err = deflateEnd(&c_stream);
-    CHECK_ERR(err, "deflateEnd");
-
-    *comprLen = c_stream.total_out;
-}
-
-/* ===========================================================================
- * Test inflateSync()
- */
-void test_sync(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    int err;
-    z_stream d_stream; /* decompression stream */
-
-    strcpy((char*)uncompr, "garbage");
-
-    d_stream.zalloc = (alloc_func)0;
-    d_stream.zfree = (free_func)0;
-    d_stream.opaque = (voidpf)0;
-
-    d_stream.next_in  = compr;
-    d_stream.avail_in = 2; /* just read the zlib header */
-
-    err = inflateInit(&d_stream);
-    CHECK_ERR(err, "inflateInit");
-
-    d_stream.next_out = uncompr;
-    d_stream.avail_out = (uInt)uncomprLen;
-
-    inflate(&d_stream, Z_NO_FLUSH);
-    CHECK_ERR(err, "inflate");
-
-    d_stream.avail_in = (uInt)comprLen-2;   /* read all compressed data */
-    err = inflateSync(&d_stream);           /* but skip the damaged part */
-    CHECK_ERR(err, "inflateSync");
-
-    err = inflate(&d_stream, Z_FINISH);
-    if (err != Z_DATA_ERROR) {
-        fprintf(stderr, "inflate should report DATA_ERROR\n");
-        /* Because of incorrect adler32 */
-        exit(1);
-    }
-    err = inflateEnd(&d_stream);
-    CHECK_ERR(err, "inflateEnd");
-
-    printf("after inflateSync(): hel%s\n", (char *)uncompr);
-}
-
-/* ===========================================================================
- * Test deflate() with preset dictionary
- */
-void test_dict_deflate(compr, comprLen)
-    Byte *compr;
-    uLong comprLen;
-{
-    z_stream c_stream; /* compression stream */
-    int err;
-
-    c_stream.zalloc = (alloc_func)0;
-    c_stream.zfree = (free_func)0;
-    c_stream.opaque = (voidpf)0;
-
-    err = deflateInit(&c_stream, Z_BEST_COMPRESSION);
-    CHECK_ERR(err, "deflateInit");
-
-    err = deflateSetDictionary(&c_stream,
-                               (const Bytef*)dictionary, sizeof(dictionary));
-    CHECK_ERR(err, "deflateSetDictionary");
-
-    dictId = c_stream.adler;
-    c_stream.next_out = compr;
-    c_stream.avail_out = (uInt)comprLen;
-
-    c_stream.next_in = (Bytef*)hello;
-    c_stream.avail_in = (uInt)strlen(hello)+1;
-
-    err = deflate(&c_stream, Z_FINISH);
-    if (err != Z_STREAM_END) {
-        fprintf(stderr, "deflate should report Z_STREAM_END\n");
-        exit(1);
-    }
-    err = deflateEnd(&c_stream);
-    CHECK_ERR(err, "deflateEnd");
-}
-
-/* ===========================================================================
- * Test inflate() with a preset dictionary
- */
-void test_dict_inflate(compr, comprLen, uncompr, uncomprLen)
-    Byte *compr, *uncompr;
-    uLong comprLen, uncomprLen;
-{
-    int err;
-    z_stream d_stream; /* decompression stream */
-
-    strcpy((char*)uncompr, "garbage");
-
-    d_stream.zalloc = (alloc_func)0;
-    d_stream.zfree = (free_func)0;
-    d_stream.opaque = (voidpf)0;
-
-    d_stream.next_in  = compr;
-    d_stream.avail_in = (uInt)comprLen;
-
-    err = inflateInit(&d_stream);
-    CHECK_ERR(err, "inflateInit");
-
-    d_stream.next_out = uncompr;
-    d_stream.avail_out = (uInt)uncomprLen;
-
-    for (;;) {
-        err = inflate(&d_stream, Z_NO_FLUSH);
-        if (err == Z_STREAM_END) break;
-        if (err == Z_NEED_DICT) {
-            if (d_stream.adler != dictId) {
-                fprintf(stderr, "unexpected dictionary");
-                exit(1);
-            }
-            err = inflateSetDictionary(&d_stream, (const Bytef*)dictionary,
-                                       sizeof(dictionary));
-        }
-        CHECK_ERR(err, "inflate with dict");
-    }
-
-    err = inflateEnd(&d_stream);
-    CHECK_ERR(err, "inflateEnd");
-
-    if (strcmp((char*)uncompr, hello)) {
-        fprintf(stderr, "bad inflate with dict\n");
-        exit(1);
-    } else {
-        printf("inflate with dictionary: %s\n", (char *)uncompr);
-    }
-}
-
-/* ===========================================================================
- * Usage:  example [output.gz  [input.gz]]
- */
-
-int main(argc, argv)
-    int argc;
-    char *argv[];
-{
-    Byte *compr, *uncompr;
-    uLong comprLen = 10000*sizeof(int); /* don't overflow on MSDOS */
-    uLong uncomprLen = comprLen;
-    static const char* myVersion = ZLIB_VERSION;
-
-    if (zlibVersion()[0] != myVersion[0]) {
-        fprintf(stderr, "incompatible zlib version\n");
-        exit(1);
-
-    } else if (strcmp(zlibVersion(), ZLIB_VERSION) != 0) {
-        fprintf(stderr, "warning: different zlib version\n");
-    }
-
-    printf("zlib version %s = 0x%04x, compile flags = 0x%lx\n",
-            ZLIB_VERSION, ZLIB_VERNUM, zlibCompileFlags());
-
-    compr    = (Byte*)calloc((uInt)comprLen, 1);
-    uncompr  = (Byte*)calloc((uInt)uncomprLen, 1);
-    /* compr and uncompr are cleared to avoid reading uninitialized
-     * data and to ensure that uncompr compresses well.
-     */
-    if (compr == Z_NULL || uncompr == Z_NULL) {
-        printf("out of memory\n");
-        exit(1);
-    }
-    test_compress(compr, comprLen, uncompr, uncomprLen);
-
-    test_gzio((argc > 1 ? argv[1] : TESTFILE),
-              uncompr, uncomprLen);
-
-    test_deflate(compr, comprLen);
-    test_inflate(compr, comprLen, uncompr, uncomprLen);
-
-    test_large_deflate(compr, comprLen, uncompr, uncomprLen);
-    test_large_inflate(compr, comprLen, uncompr, uncomprLen);
-
-    test_flush(compr, &comprLen);
-    test_sync(compr, comprLen, uncompr, uncomprLen);
-    comprLen = uncomprLen;
-
-    test_dict_deflate(compr, comprLen);
-    test_dict_inflate(compr, comprLen, uncompr, uncomprLen);
-
-    free(compr);
-    free(uncompr);
-
-    return 0;
-}
diff --git a/security/nss/cmd/zlib/gzio.c b/security/nss/cmd/zlib/gzio.c
deleted file mode 100644
index 7e90f4928..000000000
--- a/security/nss/cmd/zlib/gzio.c
+++ /dev/null
@@ -1,1026 +0,0 @@
-/* gzio.c -- IO on .gz files
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- *
- * Compile this file with -DNO_GZCOMPRESS to avoid the compression code.
- */
-
-/* @(#) $Id$ */
-
-#include <stdio.h>
-
-#include "zutil.h"
-
-#ifdef NO_DEFLATE       /* for compatibility with old definition */
-#  define NO_GZCOMPRESS
-#endif
-
-#ifndef NO_DUMMY_DECL
-struct internal_state {int dummy;}; /* for buggy compilers */
-#endif
-
-#ifndef Z_BUFSIZE
-#  ifdef MAXSEG_64K
-#    define Z_BUFSIZE 4096 /* minimize memory usage for 16-bit DOS */
-#  else
-#    define Z_BUFSIZE 16384
-#  endif
-#endif
-#ifndef Z_PRINTF_BUFSIZE
-#  define Z_PRINTF_BUFSIZE 4096
-#endif
-
-#ifdef __MVS__
-#  pragma map (fdopen , "\174\174FDOPEN")
-   FILE *fdopen(int, const char *);
-#endif
-
-#ifndef STDC
-extern voidp  malloc OF((uInt size));
-extern void   free   OF((voidpf ptr));
-#endif
-
-#define ALLOC(size) malloc(size)
-#define TRYFREE(p) {if (p) free(p);}
-
-static int const gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */
-
-/* gzip flag byte */
-#define ASCII_FLAG   0x01 /* bit 0 set: file probably ascii text */
-#define HEAD_CRC     0x02 /* bit 1 set: header CRC present */
-#define EXTRA_FIELD  0x04 /* bit 2 set: extra field present */
-#define ORIG_NAME    0x08 /* bit 3 set: original file name present */
-#define COMMENT      0x10 /* bit 4 set: file comment present */
-#define RESERVED     0xE0 /* bits 5..7: reserved */
-
-typedef struct gz_stream {
-    z_stream stream;
-    int      z_err;   /* error code for last stream operation */
-    int      z_eof;   /* set if end of input file */
-    FILE     *file;   /* .gz file */
-    Byte     *inbuf;  /* input buffer */
-    Byte     *outbuf; /* output buffer */
-    uLong    crc;     /* crc32 of uncompressed data */
-    char     *msg;    /* error message */
-    char     *path;   /* path name for debugging only */
-    int      transparent; /* 1 if input file is not a .gz file */
-    char     mode;    /* 'w' or 'r' */
-    z_off_t  start;   /* start of compressed data in file (header skipped) */
-    z_off_t  in;      /* bytes into deflate or inflate */
-    z_off_t  out;     /* bytes out of deflate or inflate */
-    int      back;    /* one character push-back */
-    int      last;    /* true if push-back is last character */
-} gz_stream;
-
-
-local gzFile gz_open      OF((const char *path, const char *mode, int  fd));
-local int do_flush        OF((gzFile file, int flush));
-local int    get_byte     OF((gz_stream *s));
-local void   check_header OF((gz_stream *s));
-local int    destroy      OF((gz_stream *s));
-local void   putLong      OF((FILE *file, uLong x));
-local uLong  getLong      OF((gz_stream *s));
-
-/* ===========================================================================
-     Opens a gzip (.gz) file for reading or writing. The mode parameter
-   is as in fopen ("rb" or "wb"). The file is given either by file descriptor
-   or path name (if fd == -1).
-     gz_open returns NULL if the file could not be opened or if there was
-   insufficient memory to allocate the (de)compression state; errno
-   can be checked to distinguish the two cases (if errno is zero, the
-   zlib error is Z_MEM_ERROR).
-*/
-local gzFile gz_open (path, mode, fd)
-    const char *path;
-    const char *mode;
-    int  fd;
-{
-    int err;
-    int level = Z_DEFAULT_COMPRESSION; /* compression level */
-    int strategy = Z_DEFAULT_STRATEGY; /* compression strategy */
-    char *p = (char*)mode;
-    gz_stream *s;
-    char fmode[80]; /* copy of mode, without the compression level */
-    char *m = fmode;
-
-    if (!path || !mode) return Z_NULL;
-
-    s = (gz_stream *)ALLOC(sizeof(gz_stream));
-    if (!s) return Z_NULL;
-
-    s->stream.zalloc = (alloc_func)0;
-    s->stream.zfree = (free_func)0;
-    s->stream.opaque = (voidpf)0;
-    s->stream.next_in = s->inbuf = Z_NULL;
-    s->stream.next_out = s->outbuf = Z_NULL;
-    s->stream.avail_in = s->stream.avail_out = 0;
-    s->file = NULL;
-    s->z_err = Z_OK;
-    s->z_eof = 0;
-    s->in = 0;
-    s->out = 0;
-    s->back = EOF;
-    s->crc = crc32(0L, Z_NULL, 0);
-    s->msg = NULL;
-    s->transparent = 0;
-
-    s->path = (char*)ALLOC(strlen(path)+1);
-    if (s->path == NULL) {
-        return destroy(s), (gzFile)Z_NULL;
-    }
-    strcpy(s->path, path); /* do this early for debugging */
-
-    s->mode = '\0';
-    do {
-        if (*p == 'r') s->mode = 'r';
-        if (*p == 'w' || *p == 'a') s->mode = 'w';
-        if (*p >= '0' && *p <= '9') {
-            level = *p - '0';
-        } else if (*p == 'f') {
-          strategy = Z_FILTERED;
-        } else if (*p == 'h') {
-          strategy = Z_HUFFMAN_ONLY;
-        } else if (*p == 'R') {
-          strategy = Z_RLE;
-        } else {
-            *m++ = *p; /* copy the mode */
-        }
-    } while (*p++ && m != fmode + sizeof(fmode));
-    if (s->mode == '\0') return destroy(s), (gzFile)Z_NULL;
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        err = Z_STREAM_ERROR;
-#else
-        err = deflateInit2(&(s->stream), level,
-                           Z_DEFLATED, -MAX_WBITS, DEF_MEM_LEVEL, strategy);
-        /* windowBits is passed < 0 to suppress zlib header */
-
-        s->stream.next_out = s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
-#endif
-        if (err != Z_OK || s->outbuf == Z_NULL) {
-            return destroy(s), (gzFile)Z_NULL;
-        }
-    } else {
-        s->stream.next_in  = s->inbuf = (Byte*)ALLOC(Z_BUFSIZE);
-
-        err = inflateInit2(&(s->stream), -MAX_WBITS);
-        /* windowBits is passed < 0 to tell that there is no zlib header.
-         * Note that in this case inflate *requires* an extra "dummy" byte
-         * after the compressed stream in order to complete decompression and
-         * return Z_STREAM_END. Here the gzip CRC32 ensures that 4 bytes are
-         * present after the compressed stream.
-         */
-        if (err != Z_OK || s->inbuf == Z_NULL) {
-            return destroy(s), (gzFile)Z_NULL;
-        }
-    }
-    s->stream.avail_out = Z_BUFSIZE;
-
-    errno = 0;
-    s->file = fd < 0 ? F_OPEN(path, fmode) : (FILE*)fdopen(fd, fmode);
-
-    if (s->file == NULL) {
-        return destroy(s), (gzFile)Z_NULL;
-    }
-    if (s->mode == 'w') {
-        /* Write a very simple .gz header:
-         */
-        fprintf(s->file, "%c%c%c%c%c%c%c%c%c%c", gz_magic[0], gz_magic[1],
-             Z_DEFLATED, 0 /*flags*/, 0,0,0,0 /*time*/, 0 /*xflags*/, OS_CODE);
-        s->start = 10L;
-        /* We use 10L instead of ftell(s->file) to because ftell causes an
-         * fflush on some systems. This version of the library doesn't use
-         * start anyway in write mode, so this initialization is not
-         * necessary.
-         */
-    } else {
-        check_header(s); /* skip the .gz header */
-        s->start = ftell(s->file) - s->stream.avail_in;
-    }
-
-    return (gzFile)s;
-}
-
-/* ===========================================================================
-     Opens a gzip (.gz) file for reading or writing.
-*/
-gzFile ZEXPORT gzopen (path, mode)
-    const char *path;
-    const char *mode;
-{
-    return gz_open (path, mode, -1);
-}
-
-/* ===========================================================================
-     Associate a gzFile with the file descriptor fd. fd is not dup'ed here
-   to mimic the behavio(u)r of fdopen.
-*/
-gzFile ZEXPORT gzdopen (fd, mode)
-    int fd;
-    const char *mode;
-{
-    char name[46];      /* allow for up to 128-bit integers */
-
-    if (fd < 0) return (gzFile)Z_NULL;
-    sprintf(name, "<fd:%d>", fd); /* for debugging */
-
-    return gz_open (name, mode, fd);
-}
-
-/* ===========================================================================
- * Update the compression level and strategy
- */
-int ZEXPORT gzsetparams (file, level, strategy)
-    gzFile file;
-    int level;
-    int strategy;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    /* Make room to allow flushing */
-    if (s->stream.avail_out == 0) {
-
-        s->stream.next_out = s->outbuf;
-        if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
-            s->z_err = Z_ERRNO;
-        }
-        s->stream.avail_out = Z_BUFSIZE;
-    }
-
-    return deflateParams (&(s->stream), level, strategy);
-}
-
-/* ===========================================================================
-     Read a byte from a gz_stream; update next_in and avail_in. Return EOF
-   for end of file.
-   IN assertion: the stream s has been sucessfully opened for reading.
-*/
-local int get_byte(s)
-    gz_stream *s;
-{
-    if (s->z_eof) return EOF;
-    if (s->stream.avail_in == 0) {
-        errno = 0;
-        s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
-        if (s->stream.avail_in == 0) {
-            s->z_eof = 1;
-            if (ferror(s->file)) s->z_err = Z_ERRNO;
-            return EOF;
-        }
-        s->stream.next_in = s->inbuf;
-    }
-    s->stream.avail_in--;
-    return *(s->stream.next_in)++;
-}
-
-/* ===========================================================================
-      Check the gzip header of a gz_stream opened for reading. Set the stream
-    mode to transparent if the gzip magic header is not present; set s->err
-    to Z_DATA_ERROR if the magic header is present but the rest of the header
-    is incorrect.
-    IN assertion: the stream s has already been created sucessfully;
-       s->stream.avail_in is zero for the first time, but may be non-zero
-       for concatenated .gz files.
-*/
-local void check_header(s)
-    gz_stream *s;
-{
-    int method; /* method byte */
-    int flags;  /* flags byte */
-    uInt len;
-    int c;
-
-    /* Assure two bytes in the buffer so we can peek ahead -- handle case
-       where first byte of header is at the end of the buffer after the last
-       gzip segment */
-    len = s->stream.avail_in;
-    if (len < 2) {
-        if (len) s->inbuf[0] = s->stream.next_in[0];
-        errno = 0;
-        len = (uInt)fread(s->inbuf + len, 1, Z_BUFSIZE >> len, s->file);
-        if (len == 0 && ferror(s->file)) s->z_err = Z_ERRNO;
-        s->stream.avail_in += len;
-        s->stream.next_in = s->inbuf;
-        if (s->stream.avail_in < 2) {
-            s->transparent = s->stream.avail_in;
-            return;
-        }
-    }
-
-    /* Peek ahead to check the gzip magic header */
-    if (s->stream.next_in[0] != gz_magic[0] ||
-        s->stream.next_in[1] != gz_magic[1]) {
-        s->transparent = 1;
-        return;
-    }
-    s->stream.avail_in -= 2;
-    s->stream.next_in += 2;
-
-    /* Check the rest of the gzip header */
-    method = get_byte(s);
-    flags = get_byte(s);
-    if (method != Z_DEFLATED || (flags & RESERVED) != 0) {
-        s->z_err = Z_DATA_ERROR;
-        return;
-    }
-
-    /* Discard time, xflags and OS code: */
-    for (len = 0; len < 6; len++) (void)get_byte(s);
-
-    if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */
-        len  =  (uInt)get_byte(s);
-        len += ((uInt)get_byte(s))<<8;
-        /* len is garbage if EOF but the loop below will quit anyway */
-        while (len-- != 0 && get_byte(s) != EOF) ;
-    }
-    if ((flags & ORIG_NAME) != 0) { /* skip the original file name */
-        while ((c = get_byte(s)) != 0 && c != EOF) ;
-    }
-    if ((flags & COMMENT) != 0) {   /* skip the .gz file comment */
-        while ((c = get_byte(s)) != 0 && c != EOF) ;
-    }
-    if ((flags & HEAD_CRC) != 0) {  /* skip the header crc */
-        for (len = 0; len < 2; len++) (void)get_byte(s);
-    }
-    s->z_err = s->z_eof ? Z_DATA_ERROR : Z_OK;
-}
-
- /* ===========================================================================
- * Cleanup then free the given gz_stream. Return a zlib error code.
-   Try freeing in the reverse order of allocations.
- */
-local int destroy (s)
-    gz_stream *s;
-{
-    int err = Z_OK;
-
-    if (!s) return Z_STREAM_ERROR;
-
-    TRYFREE(s->msg);
-
-    if (s->stream.state != NULL) {
-        if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-            err = Z_STREAM_ERROR;
-#else
-            err = deflateEnd(&(s->stream));
-#endif
-        } else if (s->mode == 'r') {
-            err = inflateEnd(&(s->stream));
-        }
-    }
-    if (s->file != NULL && fclose(s->file)) {
-#ifdef ESPIPE
-        if (errno != ESPIPE) /* fclose is broken for pipes in HP/UX */
-#endif
-            err = Z_ERRNO;
-    }
-    if (s->z_err < 0) err = s->z_err;
-
-    TRYFREE(s->inbuf);
-    TRYFREE(s->outbuf);
-    TRYFREE(s->path);
-    TRYFREE(s);
-    return err;
-}
-
-/* ===========================================================================
-     Reads the given number of uncompressed bytes from the compressed file.
-   gzread returns the number of bytes actually read (0 for end of file).
-*/
-int ZEXPORT gzread (file, buf, len)
-    gzFile file;
-    voidp buf;
-    unsigned len;
-{
-    gz_stream *s = (gz_stream*)file;
-    Bytef *start = (Bytef*)buf; /* starting point for crc computation */
-    Byte  *next_out; /* == stream.next_out but not forced far (for MSDOS) */
-
-    if (s == NULL || s->mode != 'r') return Z_STREAM_ERROR;
-
-    if (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO) return -1;
-    if (s->z_err == Z_STREAM_END) return 0;  /* EOF */
-
-    next_out = (Byte*)buf;
-    s->stream.next_out = (Bytef*)buf;
-    s->stream.avail_out = len;
-
-    if (s->stream.avail_out && s->back != EOF) {
-        *next_out++ = s->back;
-        s->stream.next_out++;
-        s->stream.avail_out--;
-        s->back = EOF;
-        s->out++;
-        start++;
-        if (s->last) {
-            s->z_err = Z_STREAM_END;
-            return 1;
-        }
-    }
-
-    while (s->stream.avail_out != 0) {
-
-        if (s->transparent) {
-            /* Copy first the lookahead bytes: */
-            uInt n = s->stream.avail_in;
-            if (n > s->stream.avail_out) n = s->stream.avail_out;
-            if (n > 0) {
-                zmemcpy(s->stream.next_out, s->stream.next_in, n);
-                next_out += n;
-                s->stream.next_out = next_out;
-                s->stream.next_in   += n;
-                s->stream.avail_out -= n;
-                s->stream.avail_in  -= n;
-            }
-            if (s->stream.avail_out > 0) {
-                s->stream.avail_out -=
-                    (uInt)fread(next_out, 1, s->stream.avail_out, s->file);
-            }
-            len -= s->stream.avail_out;
-            s->in  += len;
-            s->out += len;
-            if (len == 0) s->z_eof = 1;
-            return (int)len;
-        }
-        if (s->stream.avail_in == 0 && !s->z_eof) {
-
-            errno = 0;
-            s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
-            if (s->stream.avail_in == 0) {
-                s->z_eof = 1;
-                if (ferror(s->file)) {
-                    s->z_err = Z_ERRNO;
-                    break;
-                }
-            }
-            s->stream.next_in = s->inbuf;
-        }
-        s->in += s->stream.avail_in;
-        s->out += s->stream.avail_out;
-        s->z_err = inflate(&(s->stream), Z_NO_FLUSH);
-        s->in -= s->stream.avail_in;
-        s->out -= s->stream.avail_out;
-
-        if (s->z_err == Z_STREAM_END) {
-            /* Check CRC and original size */
-            s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
-            start = s->stream.next_out;
-
-            if (getLong(s) != s->crc) {
-                s->z_err = Z_DATA_ERROR;
-            } else {
-                (void)getLong(s);
-                /* The uncompressed length returned by above getlong() may be
-                 * different from s->out in case of concatenated .gz files.
-                 * Check for such files:
-                 */
-                check_header(s);
-                if (s->z_err == Z_OK) {
-                    inflateReset(&(s->stream));
-                    s->crc = crc32(0L, Z_NULL, 0);
-                }
-            }
-        }
-        if (s->z_err != Z_OK || s->z_eof) break;
-    }
-    s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
-
-    if (len == s->stream.avail_out &&
-        (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO))
-        return -1;
-    return (int)(len - s->stream.avail_out);
-}
-
-
-/* ===========================================================================
-      Reads one byte from the compressed file. gzgetc returns this byte
-   or -1 in case of end of file or error.
-*/
-int ZEXPORT gzgetc(file)
-    gzFile file;
-{
-    unsigned char c;
-
-    return gzread(file, &c, 1) == 1 ? c : -1;
-}
-
-
-/* ===========================================================================
-      Push one byte back onto the stream.
-*/
-int ZEXPORT gzungetc(c, file)
-    int c;
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r' || c == EOF || s->back != EOF) return EOF;
-    s->back = c;
-    s->out--;
-    s->last = (s->z_err == Z_STREAM_END);
-    if (s->last) s->z_err = Z_OK;
-    s->z_eof = 0;
-    return c;
-}
-
-
-/* ===========================================================================
-      Reads bytes from the compressed file until len-1 characters are
-   read, or a newline character is read and transferred to buf, or an
-   end-of-file condition is encountered.  The string is then terminated
-   with a null character.
-      gzgets returns buf, or Z_NULL in case of error.
-
-      The current implementation is not optimized at all.
-*/
-char * ZEXPORT gzgets(file, buf, len)
-    gzFile file;
-    char *buf;
-    int len;
-{
-    char *b = buf;
-    if (buf == Z_NULL || len <= 0) return Z_NULL;
-
-    while (--len > 0 && gzread(file, buf, 1) == 1 && *buf++ != '\n') ;
-    *buf = '\0';
-    return b == buf && len > 0 ? Z_NULL : b;
-}
-
-
-#ifndef NO_GZCOMPRESS
-/* ===========================================================================
-     Writes the given number of uncompressed bytes into the compressed file.
-   gzwrite returns the number of bytes actually written (0 in case of error).
-*/
-int ZEXPORT gzwrite (file, buf, len)
-    gzFile file;
-    voidpc buf;
-    unsigned len;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    s->stream.next_in = (Bytef*)buf;
-    s->stream.avail_in = len;
-
-    while (s->stream.avail_in != 0) {
-
-        if (s->stream.avail_out == 0) {
-
-            s->stream.next_out = s->outbuf;
-            if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
-                s->z_err = Z_ERRNO;
-                break;
-            }
-            s->stream.avail_out = Z_BUFSIZE;
-        }
-        s->in += s->stream.avail_in;
-        s->out += s->stream.avail_out;
-        s->z_err = deflate(&(s->stream), Z_NO_FLUSH);
-        s->in -= s->stream.avail_in;
-        s->out -= s->stream.avail_out;
-        if (s->z_err != Z_OK) break;
-    }
-    s->crc = crc32(s->crc, (const Bytef *)buf, len);
-
-    return (int)(len - s->stream.avail_in);
-}
-
-
-/* ===========================================================================
-     Converts, formats, and writes the args to the compressed file under
-   control of the format string, as in fprintf. gzprintf returns the number of
-   uncompressed bytes actually written (0 in case of error).
-*/
-#ifdef STDC
-#include <stdarg.h>
-
-int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...)
-{
-    char buf[Z_PRINTF_BUFSIZE];
-    va_list va;
-    int len;
-
-    buf[sizeof(buf) - 1] = 0;
-    va_start(va, format);
-#ifdef NO_vsnprintf
-#  ifdef HAS_vsprintf_void
-    (void)vsprintf(buf, format, va);
-    va_end(va);
-    for (len = 0; len < sizeof(buf); len++)
-        if (buf[len] == 0) break;
-#  else
-    len = vsprintf(buf, format, va);
-    va_end(va);
-#  endif
-#else
-#  ifdef HAS_vsnprintf_void
-    (void)vsnprintf(buf, sizeof(buf), format, va);
-    va_end(va);
-    len = strlen(buf);
-#  else
-    len = vsnprintf(buf, sizeof(buf), format, va);
-    va_end(va);
-#  endif
-#endif
-    if (len <= 0 || len >= (int)sizeof(buf) || buf[sizeof(buf) - 1] != 0)
-        return 0;
-    return gzwrite(file, buf, (unsigned)len);
-}
-#else /* not ANSI C */
-
-int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
-                       a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)
-    gzFile file;
-    const char *format;
-    int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
-        a11, a12, a13, a14, a15, a16, a17, a18, a19, a20;
-{
-    char buf[Z_PRINTF_BUFSIZE];
-    int len;
-
-    buf[sizeof(buf) - 1] = 0;
-#ifdef NO_snprintf
-#  ifdef HAS_sprintf_void
-    sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
-            a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-    for (len = 0; len < sizeof(buf); len++)
-        if (buf[len] == 0) break;
-#  else
-    len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
-                a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#  endif
-#else
-#  ifdef HAS_snprintf_void
-    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
-             a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-    len = strlen(buf);
-#  else
-    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
-                 a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#  endif
-#endif
-    if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0)
-        return 0;
-    return gzwrite(file, buf, len);
-}
-#endif
-
-/* ===========================================================================
-      Writes c, converted to an unsigned char, into the compressed file.
-   gzputc returns the value that was written, or -1 in case of error.
-*/
-int ZEXPORT gzputc(file, c)
-    gzFile file;
-    int c;
-{
-    unsigned char cc = (unsigned char) c; /* required for big endian systems */
-
-    return gzwrite(file, &cc, 1) == 1 ? (int)cc : -1;
-}
-
-
-/* ===========================================================================
-      Writes the given null-terminated string to the compressed file, excluding
-   the terminating null character.
-      gzputs returns the number of characters written, or -1 in case of error.
-*/
-int ZEXPORT gzputs(file, s)
-    gzFile file;
-    const char *s;
-{
-    return gzwrite(file, (char*)s, (unsigned)strlen(s));
-}
-
-
-/* ===========================================================================
-     Flushes all pending output into the compressed file. The parameter
-   flush is as in the deflate() function.
-*/
-local int do_flush (file, flush)
-    gzFile file;
-    int flush;
-{
-    uInt len;
-    int done = 0;
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    s->stream.avail_in = 0; /* should be zero already anyway */
-
-    for (;;) {
-        len = Z_BUFSIZE - s->stream.avail_out;
-
-        if (len != 0) {
-            if ((uInt)fwrite(s->outbuf, 1, len, s->file) != len) {
-                s->z_err = Z_ERRNO;
-                return Z_ERRNO;
-            }
-            s->stream.next_out = s->outbuf;
-            s->stream.avail_out = Z_BUFSIZE;
-        }
-        if (done) break;
-        s->out += s->stream.avail_out;
-        s->z_err = deflate(&(s->stream), flush);
-        s->out -= s->stream.avail_out;
-
-        /* Ignore the second of two consecutive flushes: */
-        if (len == 0 && s->z_err == Z_BUF_ERROR) s->z_err = Z_OK;
-
-        /* deflate has finished flushing only when it hasn't used up
-         * all the available space in the output buffer:
-         */
-        done = (s->stream.avail_out != 0 || s->z_err == Z_STREAM_END);
-
-        if (s->z_err != Z_OK && s->z_err != Z_STREAM_END) break;
-    }
-    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
-}
-
-int ZEXPORT gzflush (file, flush)
-     gzFile file;
-     int flush;
-{
-    gz_stream *s = (gz_stream*)file;
-    int err = do_flush (file, flush);
-
-    if (err) return err;
-    fflush(s->file);
-    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
-}
-#endif /* NO_GZCOMPRESS */
-
-/* ===========================================================================
-      Sets the starting position for the next gzread or gzwrite on the given
-   compressed file. The offset represents a number of bytes in the
-      gzseek returns the resulting offset location as measured in bytes from
-   the beginning of the uncompressed stream, or -1 in case of error.
-      SEEK_END is not implemented, returns error.
-      In this version of the library, gzseek can be extremely slow.
-*/
-z_off_t ZEXPORT gzseek (file, offset, whence)
-    gzFile file;
-    z_off_t offset;
-    int whence;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || whence == SEEK_END ||
-        s->z_err == Z_ERRNO || s->z_err == Z_DATA_ERROR) {
-        return -1L;
-    }
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        return -1L;
-#else
-        if (whence == SEEK_SET) {
-            offset -= s->in;
-        }
-        if (offset < 0) return -1L;
-
-        /* At this point, offset is the number of zero bytes to write. */
-        if (s->inbuf == Z_NULL) {
-            s->inbuf = (Byte*)ALLOC(Z_BUFSIZE); /* for seeking */
-            if (s->inbuf == Z_NULL) return -1L;
-            zmemzero(s->inbuf, Z_BUFSIZE);
-        }
-        while (offset > 0)  {
-            uInt size = Z_BUFSIZE;
-            if (offset < Z_BUFSIZE) size = (uInt)offset;
-
-            size = gzwrite(file, s->inbuf, size);
-            if (size == 0) return -1L;
-
-            offset -= size;
-        }
-        return s->in;
-#endif
-    }
-    /* Rest of function is for reading only */
-
-    /* compute absolute position */
-    if (whence == SEEK_CUR) {
-        offset += s->out;
-    }
-    if (offset < 0) return -1L;
-
-    if (s->transparent) {
-        /* map to fseek */
-        s->back = EOF;
-        s->stream.avail_in = 0;
-        s->stream.next_in = s->inbuf;
-        if (fseek(s->file, offset, SEEK_SET) < 0) return -1L;
-
-        s->in = s->out = offset;
-        return offset;
-    }
-
-    /* For a negative seek, rewind and use positive seek */
-    if (offset >= s->out) {
-        offset -= s->out;
-    } else if (gzrewind(file) < 0) {
-        return -1L;
-    }
-    /* offset is now the number of bytes to skip. */
-
-    if (offset != 0 && s->outbuf == Z_NULL) {
-        s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
-        if (s->outbuf == Z_NULL) return -1L;
-    }
-    if (offset && s->back != EOF) {
-        s->back = EOF;
-        s->out++;
-        offset--;
-        if (s->last) s->z_err = Z_STREAM_END;
-    }
-    while (offset > 0)  {
-        int size = Z_BUFSIZE;
-        if (offset < Z_BUFSIZE) size = (int)offset;
-
-        size = gzread(file, s->outbuf, (uInt)size);
-        if (size <= 0) return -1L;
-        offset -= size;
-    }
-    return s->out;
-}
-
-/* ===========================================================================
-     Rewinds input file.
-*/
-int ZEXPORT gzrewind (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r') return -1;
-
-    s->z_err = Z_OK;
-    s->z_eof = 0;
-    s->back = EOF;
-    s->stream.avail_in = 0;
-    s->stream.next_in = s->inbuf;
-    s->crc = crc32(0L, Z_NULL, 0);
-    if (!s->transparent) (void)inflateReset(&s->stream);
-    s->in = 0;
-    s->out = 0;
-    return fseek(s->file, s->start, SEEK_SET);
-}
-
-/* ===========================================================================
-     Returns the starting position for the next gzread or gzwrite on the
-   given compressed file. This position represents a number of bytes in the
-   uncompressed data stream.
-*/
-z_off_t ZEXPORT gztell (file)
-    gzFile file;
-{
-    return gzseek(file, 0L, SEEK_CUR);
-}
-
-/* ===========================================================================
-     Returns 1 when EOF has previously been detected reading the given
-   input stream, otherwise zero.
-*/
-int ZEXPORT gzeof (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    /* With concatenated compressed files that can have embedded
-     * crc trailers, z_eof is no longer the only/best indicator of EOF
-     * on a gz_stream. Handle end-of-stream error explicitly here.
-     */
-    if (s == NULL || s->mode != 'r') return 0;
-    if (s->z_eof) return 1;
-    return s->z_err == Z_STREAM_END;
-}
-
-/* ===========================================================================
-     Returns 1 if reading and doing so transparently, otherwise zero.
-*/
-int ZEXPORT gzdirect (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r') return 0;
-    return s->transparent;
-}
-
-/* ===========================================================================
-   Outputs a long in LSB order to the given file
-*/
-local void putLong (file, x)
-    FILE *file;
-    uLong x;
-{
-    int n;
-    for (n = 0; n < 4; n++) {
-        fputc((int)(x & 0xff), file);
-        x >>= 8;
-    }
-}
-
-/* ===========================================================================
-   Reads a long in LSB order from the given gz_stream. Sets z_err in case
-   of error.
-*/
-local uLong getLong (s)
-    gz_stream *s;
-{
-    uLong x = (uLong)get_byte(s);
-    int c;
-
-    x += ((uLong)get_byte(s))<<8;
-    x += ((uLong)get_byte(s))<<16;
-    c = get_byte(s);
-    if (c == EOF) s->z_err = Z_DATA_ERROR;
-    x += ((uLong)c)<<24;
-    return x;
-}
-
-/* ===========================================================================
-     Flushes all pending output if necessary, closes the compressed file
-   and deallocates all the (de)compression state.
-*/
-int ZEXPORT gzclose (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) return Z_STREAM_ERROR;
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        return Z_STREAM_ERROR;
-#else
-        if (do_flush (file, Z_FINISH) != Z_OK)
-            return destroy((gz_stream*)file);
-
-        putLong (s->file, s->crc);
-        putLong (s->file, (uLong)(s->in & 0xffffffff));
-#endif
-    }
-    return destroy((gz_stream*)file);
-}
-
-#ifdef STDC
-#  define zstrerror(errnum) strerror(errnum)
-#else
-#  define zstrerror(errnum) ""
-#endif
-
-/* ===========================================================================
-     Returns the error message for the last error which occurred on the
-   given compressed file. errnum is set to zlib error number. If an
-   error occurred in the file system and not in the compression library,
-   errnum is set to Z_ERRNO and the application may consult errno
-   to get the exact error code.
-*/
-const char * ZEXPORT gzerror (file, errnum)
-    gzFile file;
-    int *errnum;
-{
-    char *m;
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) {
-        *errnum = Z_STREAM_ERROR;
-        return (const char*)ERR_MSG(Z_STREAM_ERROR);
-    }
-    *errnum = s->z_err;
-    if (*errnum == Z_OK) return (const char*)"";
-
-    m = (char*)(*errnum == Z_ERRNO ? zstrerror(errno) : s->stream.msg);
-
-    if (m == NULL || *m == '\0') m = (char*)ERR_MSG(s->z_err);
-
-    TRYFREE(s->msg);
-    s->msg = (char*)ALLOC(strlen(s->path) + strlen(m) + 3);
-    if (s->msg == Z_NULL) return (const char*)ERR_MSG(Z_MEM_ERROR);
-    strcpy(s->msg, s->path);
-    strcat(s->msg, ": ");
-    strcat(s->msg, m);
-    return (const char*)s->msg;
-}
-
-/* ===========================================================================
-     Clear the error and end-of-file flags, and do the same for the real file.
-*/
-void ZEXPORT gzclearerr (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) return;
-    if (s->z_err != Z_STREAM_END) s->z_err = Z_OK;
-    s->z_eof = 0;
-    clearerr(s->file);
-}
diff --git a/security/nss/cmd/zlib/infback.c b/security/nss/cmd/zlib/infback.c
deleted file mode 100644
index 455dbc9ee..000000000
--- a/security/nss/cmd/zlib/infback.c
+++ /dev/null
@@ -1,623 +0,0 @@
-/* infback.c -- inflate using a call-back interface
- * Copyright (C) 1995-2005 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
-   This code is largely copied from inflate.c.  Normally either infback.o or
-   inflate.o would be linked into an application--not both.  The interface
-   with inffast.c is retained so that optimized assembler-coded versions of
-   inflate_fast() can be used with either inflate.c or infback.c.
- */
-
-#include "zutil.h"
-#include "inftrees.h"
-#include "inflate.h"
-#include "inffast.h"
-
-/* function prototypes */
-local void fixedtables OF((struct inflate_state FAR *state));
-
-/*
-   strm provides memory allocation functions in zalloc and zfree, or
-   Z_NULL to use the library memory allocation functions.
-
-   windowBits is in the range 8..15, and window is a user-supplied
-   window and output buffer that is 2**windowBits bytes.
- */
-int ZEXPORT inflateBackInit_(strm, windowBits, window, version, stream_size)
-z_streamp strm;
-int windowBits;
-unsigned char FAR *window;
-const char *version;
-int stream_size;
-{
-    struct inflate_state FAR *state;
-
-    if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
-        stream_size != (int)(sizeof(z_stream)))
-        return Z_VERSION_ERROR;
-    if (strm == Z_NULL || window == Z_NULL ||
-        windowBits < 8 || windowBits > 15)
-        return Z_STREAM_ERROR;
-    strm->msg = Z_NULL;                 /* in case we return an error */
-    if (strm->zalloc == (alloc_func)0) {
-        strm->zalloc = zcalloc;
-        strm->opaque = (voidpf)0;
-    }
-    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
-    state = (struct inflate_state FAR *)ZALLOC(strm, 1,
-                                               sizeof(struct inflate_state));
-    if (state == Z_NULL) return Z_MEM_ERROR;
-    Tracev((stderr, "inflate: allocated\n"));
-    strm->state = (struct internal_state FAR *)state;
-    state->dmax = 32768U;
-    state->wbits = windowBits;
-    state->wsize = 1U << windowBits;
-    state->window = window;
-    state->write = 0;
-    state->whave = 0;
-    return Z_OK;
-}
-
-/*
-   Return state with length and distance decoding tables and index sizes set to
-   fixed code decoding.  Normally this returns fixed tables from inffixed.h.
-   If BUILDFIXED is defined, then instead this routine builds the tables the
-   first time it's called, and returns those tables the first time and
-   thereafter.  This reduces the size of the code by about 2K bytes, in
-   exchange for a little execution time.  However, BUILDFIXED should not be
-   used for threaded applications, since the rewriting of the tables and virgin
-   may not be thread-safe.
- */
-local void fixedtables(state)
-struct inflate_state FAR *state;
-{
-#ifdef BUILDFIXED
-    static int virgin = 1;
-    static code *lenfix, *distfix;
-    static code fixed[544];
-
-    /* build fixed huffman tables if first call (may not be thread safe) */
-    if (virgin) {
-        unsigned sym, bits;
-        static code *next;
-
-        /* literal/length table */
-        sym = 0;
-        while (sym < 144) state->lens[sym++] = 8;
-        while (sym < 256) state->lens[sym++] = 9;
-        while (sym < 280) state->lens[sym++] = 7;
-        while (sym < 288) state->lens[sym++] = 8;
-        next = fixed;
-        lenfix = next;
-        bits = 9;
-        inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);
-
-        /* distance table */
-        sym = 0;
-        while (sym < 32) state->lens[sym++] = 5;
-        distfix = next;
-        bits = 5;
-        inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);
-
-        /* do this just once */
-        virgin = 0;
-    }
-#else /* !BUILDFIXED */
-#   include "inffixed.h"
-#endif /* BUILDFIXED */
-    state->lencode = lenfix;
-    state->lenbits = 9;
-    state->distcode = distfix;
-    state->distbits = 5;
-}
-
-/* Macros for inflateBack(): */
-
-/* Load returned state from inflate_fast() */
-#define LOAD() \
-    do { \
-        put = strm->next_out; \
-        left = strm->avail_out; \
-        next = strm->next_in; \
-        have = strm->avail_in; \
-        hold = state->hold; \
-        bits = state->bits; \
-    } while (0)
-
-/* Set state from registers for inflate_fast() */
-#define RESTORE() \
-    do { \
-        strm->next_out = put; \
-        strm->avail_out = left; \
-        strm->next_in = next; \
-        strm->avail_in = have; \
-        state->hold = hold; \
-        state->bits = bits; \
-    } while (0)
-
-/* Clear the input bit accumulator */
-#define INITBITS() \
-    do { \
-        hold = 0; \
-        bits = 0; \
-    } while (0)
-
-/* Assure that some input is available.  If input is requested, but denied,
-   then return a Z_BUF_ERROR from inflateBack(). */
-#define PULL() \
-    do { \
-        if (have == 0) { \
-            have = in(in_desc, &next); \
-            if (have == 0) { \
-                next = Z_NULL; \
-                ret = Z_BUF_ERROR; \
-                goto inf_leave; \
-            } \
-        } \
-    } while (0)
-
-/* Get a byte of input into the bit accumulator, or return from inflateBack()
-   with an error if there is no input available. */
-#define PULLBYTE() \
-    do { \
-        PULL(); \
-        have--; \
-        hold += (unsigned long)(*next++) << bits; \
-        bits += 8; \
-    } while (0)
-
-/* Assure that there are at least n bits in the bit accumulator.  If there is
-   not enough available input to do that, then return from inflateBack() with
-   an error. */
-#define NEEDBITS(n) \
-    do { \
-        while (bits < (unsigned)(n)) \
-            PULLBYTE(); \
-    } while (0)
-
-/* Return the low n bits of the bit accumulator (n < 16) */
-#define BITS(n) \
-    ((unsigned)hold & ((1U << (n)) - 1))
-
-/* Remove n bits from the bit accumulator */
-#define DROPBITS(n) \
-    do { \
-        hold >>= (n); \
-        bits -= (unsigned)(n); \
-    } while (0)
-
-/* Remove zero to seven bits as needed to go to a byte boundary */
-#define BYTEBITS() \
-    do { \
-        hold >>= bits & 7; \
-        bits -= bits & 7; \
-    } while (0)
-
-/* Assure that some output space is available, by writing out the window
-   if it's full.  If the write fails, return from inflateBack() with a
-   Z_BUF_ERROR. */
-#define ROOM() \
-    do { \
-        if (left == 0) { \
-            put = state->window; \
-            left = state->wsize; \
-            state->whave = left; \
-            if (out(out_desc, put, left)) { \
-                ret = Z_BUF_ERROR; \
-                goto inf_leave; \
-            } \
-        } \
-    } while (0)
-
-/*
-   strm provides the memory allocation functions and window buffer on input,
-   and provides information on the unused input on return.  For Z_DATA_ERROR
-   returns, strm will also provide an error message.
-
-   in() and out() are the call-back input and output functions.  When
-   inflateBack() needs more input, it calls in().  When inflateBack() has
-   filled the window with output, or when it completes with data in the
-   window, it calls out() to write out the data.  The application must not
-   change the provided input until in() is called again or inflateBack()
-   returns.  The application must not change the window/output buffer until
-   inflateBack() returns.
-
-   in() and out() are called with a descriptor parameter provided in the
-   inflateBack() call.  This parameter can be a structure that provides the
-   information required to do the read or write, as well as accumulated
-   information on the input and output such as totals and check values.
-
-   in() should return zero on failure.  out() should return non-zero on
-   failure.  If either in() or out() fails, than inflateBack() returns a
-   Z_BUF_ERROR.  strm->next_in can be checked for Z_NULL to see whether it
-   was in() or out() that caused in the error.  Otherwise,  inflateBack()
-   returns Z_STREAM_END on success, Z_DATA_ERROR for an deflate format
-   error, or Z_MEM_ERROR if it could not allocate memory for the state.
-   inflateBack() can also return Z_STREAM_ERROR if the input parameters
-   are not correct, i.e. strm is Z_NULL or the state was not initialized.
- */
-int ZEXPORT inflateBack(strm, in, in_desc, out, out_desc)
-z_streamp strm;
-in_func in;
-void FAR *in_desc;
-out_func out;
-void FAR *out_desc;
-{
-    struct inflate_state FAR *state;
-    unsigned char FAR *next;    /* next input */
-    unsigned char FAR *put;     /* next output */
-    unsigned have, left;        /* available input and output */
-    unsigned long hold;         /* bit buffer */
-    unsigned bits;              /* bits in bit buffer */
-    unsigned copy;              /* number of stored or match bytes to copy */
-    unsigned char FAR *from;    /* where to copy match bytes from */
-    code this;                  /* current decoding table entry */
-    code last;                  /* parent table entry */
-    unsigned len;               /* length to copy for repeats, bits to drop */
-    int ret;                    /* return code */
-    static const unsigned short order[19] = /* permutation of code lengths */
-        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
-
-    /* Check that the strm exists and that the state was initialized */
-    if (strm == Z_NULL || strm->state == Z_NULL)
-        return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-
-    /* Reset the state */
-    strm->msg = Z_NULL;
-    state->mode = TYPE;
-    state->last = 0;
-    state->whave = 0;
-    next = strm->next_in;
-    have = next != Z_NULL ? strm->avail_in : 0;
-    hold = 0;
-    bits = 0;
-    put = state->window;
-    left = state->wsize;
-
-    /* Inflate until end of block marked as last */
-    for (;;)
-        switch (state->mode) {
-        case TYPE:
-            /* determine and dispatch block type */
-            if (state->last) {
-                BYTEBITS();
-                state->mode = DONE;
-                break;
-            }
-            NEEDBITS(3);
-            state->last = BITS(1);
-            DROPBITS(1);
-            switch (BITS(2)) {
-            case 0:                             /* stored block */
-                Tracev((stderr, "inflate:     stored block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = STORED;
-                break;
-            case 1:                             /* fixed block */
-                fixedtables(state);
-                Tracev((stderr, "inflate:     fixed codes block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = LEN;              /* decode codes */
-                break;
-            case 2:                             /* dynamic block */
-                Tracev((stderr, "inflate:     dynamic codes block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = TABLE;
-                break;
-            case 3:
-                strm->msg = (char *)"invalid block type";
-                state->mode = BAD;
-            }
-            DROPBITS(2);
-            break;
-
-        case STORED:
-            /* get and verify stored block length */
-            BYTEBITS();                         /* go to byte boundary */
-            NEEDBITS(32);
-            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
-                strm->msg = (char *)"invalid stored block lengths";
-                state->mode = BAD;
-                break;
-            }
-            state->length = (unsigned)hold & 0xffff;
-            Tracev((stderr, "inflate:       stored length %u\n",
-                    state->length));
-            INITBITS();
-
-            /* copy stored block from input to output */
-            while (state->length != 0) {
-                copy = state->length;
-                PULL();
-                ROOM();
-                if (copy > have) copy = have;
-                if (copy > left) copy = left;
-                zmemcpy(put, next, copy);
-                have -= copy;
-                next += copy;
-                left -= copy;
-                put += copy;
-                state->length -= copy;
-            }
-            Tracev((stderr, "inflate:       stored end\n"));
-            state->mode = TYPE;
-            break;
-
-        case TABLE:
-            /* get dynamic table entries descriptor */
-            NEEDBITS(14);
-            state->nlen = BITS(5) + 257;
-            DROPBITS(5);
-            state->ndist = BITS(5) + 1;
-            DROPBITS(5);
-            state->ncode = BITS(4) + 4;
-            DROPBITS(4);
-#ifndef PKZIP_BUG_WORKAROUND
-            if (state->nlen > 286 || state->ndist > 30) {
-                strm->msg = (char *)"too many length or distance symbols";
-                state->mode = BAD;
-                break;
-            }
-#endif
-            Tracev((stderr, "inflate:       table sizes ok\n"));
-
-            /* get code length code lengths (not a typo) */
-            state->have = 0;
-            while (state->have < state->ncode) {
-                NEEDBITS(3);
-                state->lens[order[state->have++]] = (unsigned short)BITS(3);
-                DROPBITS(3);
-            }
-            while (state->have < 19)
-                state->lens[order[state->have++]] = 0;
-            state->next = state->codes;
-            state->lencode = (code const FAR *)(state->next);
-            state->lenbits = 7;
-            ret = inflate_table(CODES, state->lens, 19, &(state->next),
-                                &(state->lenbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid code lengths set";
-                state->mode = BAD;
-                break;
-            }
-            Tracev((stderr, "inflate:       code lengths ok\n"));
-
-            /* get length and distance code code lengths */
-            state->have = 0;
-            while (state->have < state->nlen + state->ndist) {
-                for (;;) {
-                    this = state->lencode[BITS(state->lenbits)];
-                    if ((unsigned)(this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                if (this.val < 16) {
-                    NEEDBITS(this.bits);
-                    DROPBITS(this.bits);
-                    state->lens[state->have++] = this.val;
-                }
-                else {
-                    if (this.val == 16) {
-                        NEEDBITS(this.bits + 2);
-                        DROPBITS(this.bits);
-                        if (state->have == 0) {
-                            strm->msg = (char *)"invalid bit length repeat";
-                            state->mode = BAD;
-                            break;
-                        }
-                        len = (unsigned)(state->lens[state->have - 1]);
-                        copy = 3 + BITS(2);
-                        DROPBITS(2);
-                    }
-                    else if (this.val == 17) {
-                        NEEDBITS(this.bits + 3);
-                        DROPBITS(this.bits);
-                        len = 0;
-                        copy = 3 + BITS(3);
-                        DROPBITS(3);
-                    }
-                    else {
-                        NEEDBITS(this.bits + 7);
-                        DROPBITS(this.bits);
-                        len = 0;
-                        copy = 11 + BITS(7);
-                        DROPBITS(7);
-                    }
-                    if (state->have + copy > state->nlen + state->ndist) {
-                        strm->msg = (char *)"invalid bit length repeat";
-                        state->mode = BAD;
-                        break;
-                    }
-                    while (copy--)
-                        state->lens[state->have++] = (unsigned short)len;
-                }
-            }
-
-            /* handle error breaks in while */
-            if (state->mode == BAD) break;
-
-            /* build code tables */
-            state->next = state->codes;
-            state->lencode = (code const FAR *)(state->next);
-            state->lenbits = 9;
-            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
-                                &(state->lenbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid literal/lengths set";
-                state->mode = BAD;
-                break;
-            }
-            state->distcode = (code const FAR *)(state->next);
-            state->distbits = 6;
-            ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,
-                            &(state->next), &(state->distbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid distances set";
-                state->mode = BAD;
-                break;
-            }
-            Tracev((stderr, "inflate:       codes ok\n"));
-            state->mode = LEN;
-
-        case LEN:
-            /* use inflate_fast() if we have enough input and output */
-            if (have >= 6 && left >= 258) {
-                RESTORE();
-                if (state->whave < state->wsize)
-                    state->whave = state->wsize - left;
-                inflate_fast(strm, state->wsize);
-                LOAD();
-                break;
-            }
-
-            /* get a literal, length, or end-of-block code */
-            for (;;) {
-                this = state->lencode[BITS(state->lenbits)];
-                if ((unsigned)(this.bits) <= bits) break;
-                PULLBYTE();
-            }
-            if (this.op && (this.op & 0xf0) == 0) {
-                last = this;
-                for (;;) {
-                    this = state->lencode[last.val +
-                            (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                DROPBITS(last.bits);
-            }
-            DROPBITS(this.bits);
-            state->length = (unsigned)this.val;
-
-            /* process literal */
-            if (this.op == 0) {
-                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
-                        "inflate:         literal '%c'\n" :
-                        "inflate:         literal 0x%02x\n", this.val));
-                ROOM();
-                *put++ = (unsigned char)(state->length);
-                left--;
-                state->mode = LEN;
-                break;
-            }
-
-            /* process end of block */
-            if (this.op & 32) {
-                Tracevv((stderr, "inflate:         end of block\n"));
-                state->mode = TYPE;
-                break;
-            }
-
-            /* invalid code */
-            if (this.op & 64) {
-                strm->msg = (char *)"invalid literal/length code";
-                state->mode = BAD;
-                break;
-            }
-
-            /* length code -- get extra bits, if any */
-            state->extra = (unsigned)(this.op) & 15;
-            if (state->extra != 0) {
-                NEEDBITS(state->extra);
-                state->length += BITS(state->extra);
-                DROPBITS(state->extra);
-            }
-            Tracevv((stderr, "inflate:         length %u\n", state->length));
-
-            /* get distance code */
-            for (;;) {
-                this = state->distcode[BITS(state->distbits)];
-                if ((unsigned)(this.bits) <= bits) break;
-                PULLBYTE();
-            }
-            if ((this.op & 0xf0) == 0) {
-                last = this;
-                for (;;) {
-                    this = state->distcode[last.val +
-                            (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                DROPBITS(last.bits);
-            }
-            DROPBITS(this.bits);
-            if (this.op & 64) {
-                strm->msg = (char *)"invalid distance code";
-                state->mode = BAD;
-                break;
-            }
-            state->offset = (unsigned)this.val;
-
-            /* get distance extra bits, if any */
-            state->extra = (unsigned)(this.op) & 15;
-            if (state->extra != 0) {
-                NEEDBITS(state->extra);
-                state->offset += BITS(state->extra);
-                DROPBITS(state->extra);
-            }
-            if (state->offset > state->wsize - (state->whave < state->wsize ?
-                                                left : 0)) {
-                strm->msg = (char *)"invalid distance too far back";
-                state->mode = BAD;
-                break;
-            }
-            Tracevv((stderr, "inflate:         distance %u\n", state->offset));
-
-            /* copy match from window to output */
-            do {
-                ROOM();
-                copy = state->wsize - state->offset;
-                if (copy < left) {
-                    from = put + copy;
-                    copy = left - copy;
-                }
-                else {
-                    from = put - state->offset;
-                    copy = left;
-                }
-                if (copy > state->length) copy = state->length;
-                state->length -= copy;
-                left -= copy;
-                do {
-                    *put++ = *from++;
-                } while (--copy);
-            } while (state->length != 0);
-            break;
-
-        case DONE:
-            /* inflate stream terminated properly -- write leftover output */
-            ret = Z_STREAM_END;
-            if (left < state->wsize) {
-                if (out(out_desc, state->window, state->wsize - left))
-                    ret = Z_BUF_ERROR;
-            }
-            goto inf_leave;
-
-        case BAD:
-            ret = Z_DATA_ERROR;
-            goto inf_leave;
-
-        default:                /* can't happen, but makes compilers happy */
-            ret = Z_STREAM_ERROR;
-            goto inf_leave;
-        }
-
-    /* Return unused input */
-  inf_leave:
-    strm->next_in = next;
-    strm->avail_in = have;
-    return ret;
-}
-
-int ZEXPORT inflateBackEnd(strm)
-z_streamp strm;
-{
-    if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)
-        return Z_STREAM_ERROR;
-    ZFREE(strm, strm->state);
-    strm->state = Z_NULL;
-    Tracev((stderr, "inflate: end\n"));
-    return Z_OK;
-}
diff --git a/security/nss/cmd/zlib/inffast.c b/security/nss/cmd/zlib/inffast.c
deleted file mode 100644
index bbee92ed1..000000000
--- a/security/nss/cmd/zlib/inffast.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* inffast.c -- fast decoding
- * Copyright (C) 1995-2004 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include "zutil.h"
-#include "inftrees.h"
-#include "inflate.h"
-#include "inffast.h"
-
-#ifndef ASMINF
-
-/* Allow machine dependent optimization for post-increment or pre-increment.
-   Based on testing to date,
-   Pre-increment preferred for:
-   - PowerPC G3 (Adler)
-   - MIPS R5000 (Randers-Pehrson)
-   Post-increment preferred for:
-   - none
-   No measurable difference:
-   - Pentium III (Anderson)
-   - M68060 (Nikl)
- */
-#ifdef POSTINC
-#  define OFF 0
-#  define PUP(a) *(a)++
-#else
-#  define OFF 1
-#  define PUP(a) *++(a)
-#endif
-
-/*
-   Decode literal, length, and distance codes and write out the resulting
-   literal and match bytes until either not enough input or output is
-   available, an end-of-block is encountered, or a data error is encountered.
-   When large enough input and output buffers are supplied to inflate(), for
-   example, a 16K input buffer and a 64K output buffer, more than 95% of the
-   inflate execution time is spent in this routine.
-
-   Entry assumptions:
-
-        state->mode == LEN
-        strm->avail_in >= 6
-        strm->avail_out >= 258
-        start >= strm->avail_out
-        state->bits < 8
-
-   On return, state->mode is one of:
-
-        LEN -- ran out of enough output space or enough available input
-        TYPE -- reached end of block code, inflate() to interpret next block
-        BAD -- error in block data
-
-   Notes:
-
-    - The maximum input bits used by a length/distance pair is 15 bits for the
-      length code, 5 bits for the length extra, 15 bits for the distance code,
-      and 13 bits for the distance extra.  This totals 48 bits, or six bytes.
-      Therefore if strm->avail_in >= 6, then there is enough input to avoid
-      checking for available input while decoding.
-
-    - The maximum bytes that a single length/distance pair can output is 258
-      bytes, which is the maximum length that can be coded.  inflate_fast()
-      requires strm->avail_out >= 258 for each loop to avoid checking for
-      output space.
- */
-void inflate_fast(strm, start)
-z_streamp strm;
-unsigned start;         /* inflate()'s starting value for strm->avail_out */
-{
-    struct inflate_state FAR *state;
-    unsigned char FAR *in;      /* local strm->next_in */
-    unsigned char FAR *last;    /* while in < last, enough input available */
-    unsigned char FAR *out;     /* local strm->next_out */
-    unsigned char FAR *beg;     /* inflate()'s initial strm->next_out */
-    unsigned char FAR *end;     /* while out < end, enough space available */
-#ifdef INFLATE_STRICT
-    unsigned dmax;              /* maximum distance from zlib header */
-#endif
-    unsigned wsize;             /* window size or zero if not using window */
-    unsigned whave;             /* valid bytes in the window */
-    unsigned write;             /* window write index */
-    unsigned char FAR *window;  /* allocated sliding window, if wsize != 0 */
-    unsigned long hold;         /* local strm->hold */
-    unsigned bits;              /* local strm->bits */
-    code const FAR *lcode;      /* local strm->lencode */
-    code const FAR *dcode;      /* local strm->distcode */
-    unsigned lmask;             /* mask for first level of length codes */
-    unsigned dmask;             /* mask for first level of distance codes */
-    code this;                  /* retrieved table entry */
-    unsigned op;                /* code bits, operation, extra bits, or */
-                                /*  window position, window bytes to copy */
-    unsigned len;               /* match length, unused bytes */
-    unsigned dist;              /* match distance */
-    unsigned char FAR *from;    /* where to copy match from */
-
-    /* copy state to local variables */
-    state = (struct inflate_state FAR *)strm->state;
-    in = strm->next_in - OFF;
-    last = in + (strm->avail_in - 5);
-    out = strm->next_out - OFF;
-    beg = out - (start - strm->avail_out);
-    end = out + (strm->avail_out - 257);
-#ifdef INFLATE_STRICT
-    dmax = state->dmax;
-#endif
-    wsize = state->wsize;
-    whave = state->whave;
-    write = state->write;
-    window = state->window;
-    hold = state->hold;
-    bits = state->bits;
-    lcode = state->lencode;
-    dcode = state->distcode;
-    lmask = (1U << state->lenbits) - 1;
-    dmask = (1U << state->distbits) - 1;
-
-    /* decode literals and length/distances until end-of-block or not enough
-       input data or output space */
-    do {
-        if (bits < 15) {
-            hold += (unsigned long)(PUP(in)) << bits;
-            bits += 8;
-            hold += (unsigned long)(PUP(in)) << bits;
-            bits += 8;
-        }
-        this = lcode[hold & lmask];
-      dolen:
-        op = (unsigned)(this.bits);
-        hold >>= op;
-        bits -= op;
-        op = (unsigned)(this.op);
-        if (op == 0) {                          /* literal */
-            Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
-                    "inflate:         literal '%c'\n" :
-                    "inflate:         literal 0x%02x\n", this.val));
-            PUP(out) = (unsigned char)(this.val);
-        }
-        else if (op & 16) {                     /* length base */
-            len = (unsigned)(this.val);
-            op &= 15;                           /* number of extra bits */
-            if (op) {
-                if (bits < op) {
-                    hold += (unsigned long)(PUP(in)) << bits;
-                    bits += 8;
-                }
-                len += (unsigned)hold & ((1U << op) - 1);
-                hold >>= op;
-                bits -= op;
-            }
-            Tracevv((stderr, "inflate:         length %u\n", len));
-            if (bits < 15) {
-                hold += (unsigned long)(PUP(in)) << bits;
-                bits += 8;
-                hold += (unsigned long)(PUP(in)) << bits;
-                bits += 8;
-            }
-            this = dcode[hold & dmask];
-          dodist:
-            op = (unsigned)(this.bits);
-            hold >>= op;
-            bits -= op;
-            op = (unsigned)(this.op);
-            if (op & 16) {                      /* distance base */
-                dist = (unsigned)(this.val);
-                op &= 15;                       /* number of extra bits */
-                if (bits < op) {
-                    hold += (unsigned long)(PUP(in)) << bits;
-                    bits += 8;
-                    if (bits < op) {
-                        hold += (unsigned long)(PUP(in)) << bits;
-                        bits += 8;
-                    }
-                }
-                dist += (unsigned)hold & ((1U << op) - 1);
-#ifdef INFLATE_STRICT
-                if (dist > dmax) {
-                    strm->msg = (char *)"invalid distance too far back";
-                    state->mode = BAD;
-                    break;
-                }
-#endif
-                hold >>= op;
-                bits -= op;
-                Tracevv((stderr, "inflate:         distance %u\n", dist));
-                op = (unsigned)(out - beg);     /* max distance in output */
-                if (dist > op) {                /* see if copy from window */
-                    op = dist - op;             /* distance back in window */
-                    if (op > whave) {
-                        strm->msg = (char *)"invalid distance too far back";
-                        state->mode = BAD;
-                        break;
-                    }
-                    from = window - OFF;
-                    if (write == 0) {           /* very common case */
-                        from += wsize - op;
-                        if (op < len) {         /* some from window */
-                            len -= op;
-                            do {
-                                PUP(out) = PUP(from);
-                            } while (--op);
-                            from = out - dist;  /* rest from output */
-                        }
-                    }
-                    else if (write < op) {      /* wrap around window */
-                        from += wsize + write - op;
-                        op -= write;
-                        if (op < len) {         /* some from end of window */
-                            len -= op;
-                            do {
-                                PUP(out) = PUP(from);
-                            } while (--op);
-                            from = window - OFF;
-                            if (write < len) {  /* some from start of window */
-                                op = write;
-                                len -= op;
-                                do {
-                                    PUP(out) = PUP(from);
-                                } while (--op);
-                                from = out - dist;      /* rest from output */
-                            }
-                        }
-                    }
-                    else {                      /* contiguous in window */
-                        from += write - op;
-                        if (op < len) {         /* some from window */
-                            len -= op;
-                            do {
-                                PUP(out) = PUP(from);
-                            } while (--op);
-                            from = out - dist;  /* rest from output */
-                        }
-                    }
-                    while (len > 2) {
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        len -= 3;
-                    }
-                    if (len) {
-                        PUP(out) = PUP(from);
-                        if (len > 1)
-                            PUP(out) = PUP(from);
-                    }
-                }
-                else {
-                    from = out - dist;          /* copy direct from output */
-                    do {                        /* minimum length is three */
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        len -= 3;
-                    } while (len > 2);
-                    if (len) {
-                        PUP(out) = PUP(from);
-                        if (len > 1)
-                            PUP(out) = PUP(from);
-                    }
-                }
-            }
-            else if ((op & 64) == 0) {          /* 2nd level distance code */
-                this = dcode[this.val + (hold & ((1U << op) - 1))];
-                goto dodist;
-            }
-            else {
-                strm->msg = (char *)"invalid distance code";
-                state->mode = BAD;
-                break;
-            }
-        }
-        else if ((op & 64) == 0) {              /* 2nd level length code */
-            this = lcode[this.val + (hold & ((1U << op) - 1))];
-            goto dolen;
-        }
-        else if (op & 32) {                     /* end-of-block */
-            Tracevv((stderr, "inflate:         end of block\n"));
-            state->mode = TYPE;
-            break;
-        }
-        else {
-            strm->msg = (char *)"invalid literal/length code";
-            state->mode = BAD;
-            break;
-        }
-    } while (in < last && out < end);
-
-    /* return unused bytes (on entry, bits < 8, so in won't go too far back) */
-    len = bits >> 3;
-    in -= len;
-    bits -= len << 3;
-    hold &= (1U << bits) - 1;
-
-    /* update state and return */
-    strm->next_in = in + OFF;
-    strm->next_out = out + OFF;
-    strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
-    strm->avail_out = (unsigned)(out < end ?
-                                 257 + (end - out) : 257 - (out - end));
-    state->hold = hold;
-    state->bits = bits;
-    return;
-}
-
-/*
-   inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe):
-   - Using bit fields for code structure
-   - Different op definition to avoid & for extra bits (do & for table bits)
-   - Three separate decoding do-loops for direct, window, and write == 0
-   - Special case for distance > 1 copies to do overlapped load and store copy
-   - Explicit branch predictions (based on measured branch probabilities)
-   - Deferring match copy and interspersed it with decoding subsequent codes
-   - Swapping literal/length else
-   - Swapping window/direct else
-   - Larger unrolled copy loops (three is about right)
-   - Moving len -= 3 statement into middle of loop
- */
-
-#endif /* !ASMINF */
diff --git a/security/nss/cmd/zlib/inffast.h b/security/nss/cmd/zlib/inffast.h
deleted file mode 100644
index 1e88d2d97..000000000
--- a/security/nss/cmd/zlib/inffast.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* inffast.h -- header to use inffast.c
- * Copyright (C) 1995-2003 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
-   part of the implementation of the compression library and is
-   subject to change. Applications should only use zlib.h.
- */
-
-void inflate_fast OF((z_streamp strm, unsigned start));
diff --git a/security/nss/cmd/zlib/inffixed.h b/security/nss/cmd/zlib/inffixed.h
deleted file mode 100644
index 75ed4b597..000000000
--- a/security/nss/cmd/zlib/inffixed.h
+++ /dev/null
@@ -1,94 +0,0 @@
-    /* inffixed.h -- table for decoding fixed codes
-     * Generated automatically by makefixed().
-     */
-
-    /* WARNING: this file should *not* be used by applications. It
-       is part of the implementation of the compression library and
-       is subject to change. Applications should only use zlib.h.
-     */
-
-    static const code lenfix[512] = {
-        {96,7,0},{0,8,80},{0,8,16},{20,8,115},{18,7,31},{0,8,112},{0,8,48},
-        {0,9,192},{16,7,10},{0,8,96},{0,8,32},{0,9,160},{0,8,0},{0,8,128},
-        {0,8,64},{0,9,224},{16,7,6},{0,8,88},{0,8,24},{0,9,144},{19,7,59},
-        {0,8,120},{0,8,56},{0,9,208},{17,7,17},{0,8,104},{0,8,40},{0,9,176},
-        {0,8,8},{0,8,136},{0,8,72},{0,9,240},{16,7,4},{0,8,84},{0,8,20},
-        {21,8,227},{19,7,43},{0,8,116},{0,8,52},{0,9,200},{17,7,13},{0,8,100},
-        {0,8,36},{0,9,168},{0,8,4},{0,8,132},{0,8,68},{0,9,232},{16,7,8},
-        {0,8,92},{0,8,28},{0,9,152},{20,7,83},{0,8,124},{0,8,60},{0,9,216},
-        {18,7,23},{0,8,108},{0,8,44},{0,9,184},{0,8,12},{0,8,140},{0,8,76},
-        {0,9,248},{16,7,3},{0,8,82},{0,8,18},{21,8,163},{19,7,35},{0,8,114},
-        {0,8,50},{0,9,196},{17,7,11},{0,8,98},{0,8,34},{0,9,164},{0,8,2},
-        {0,8,130},{0,8,66},{0,9,228},{16,7,7},{0,8,90},{0,8,26},{0,9,148},
-        {20,7,67},{0,8,122},{0,8,58},{0,9,212},{18,7,19},{0,8,106},{0,8,42},
-        {0,9,180},{0,8,10},{0,8,138},{0,8,74},{0,9,244},{16,7,5},{0,8,86},
-        {0,8,22},{64,8,0},{19,7,51},{0,8,118},{0,8,54},{0,9,204},{17,7,15},
-        {0,8,102},{0,8,38},{0,9,172},{0,8,6},{0,8,134},{0,8,70},{0,9,236},
-        {16,7,9},{0,8,94},{0,8,30},{0,9,156},{20,7,99},{0,8,126},{0,8,62},
-        {0,9,220},{18,7,27},{0,8,110},{0,8,46},{0,9,188},{0,8,14},{0,8,142},
-        {0,8,78},{0,9,252},{96,7,0},{0,8,81},{0,8,17},{21,8,131},{18,7,31},
-        {0,8,113},{0,8,49},{0,9,194},{16,7,10},{0,8,97},{0,8,33},{0,9,162},
-        {0,8,1},{0,8,129},{0,8,65},{0,9,226},{16,7,6},{0,8,89},{0,8,25},
-        {0,9,146},{19,7,59},{0,8,121},{0,8,57},{0,9,210},{17,7,17},{0,8,105},
-        {0,8,41},{0,9,178},{0,8,9},{0,8,137},{0,8,73},{0,9,242},{16,7,4},
-        {0,8,85},{0,8,21},{16,8,258},{19,7,43},{0,8,117},{0,8,53},{0,9,202},
-        {17,7,13},{0,8,101},{0,8,37},{0,9,170},{0,8,5},{0,8,133},{0,8,69},
-        {0,9,234},{16,7,8},{0,8,93},{0,8,29},{0,9,154},{20,7,83},{0,8,125},
-        {0,8,61},{0,9,218},{18,7,23},{0,8,109},{0,8,45},{0,9,186},{0,8,13},
-        {0,8,141},{0,8,77},{0,9,250},{16,7,3},{0,8,83},{0,8,19},{21,8,195},
-        {19,7,35},{0,8,115},{0,8,51},{0,9,198},{17,7,11},{0,8,99},{0,8,35},
-        {0,9,166},{0,8,3},{0,8,131},{0,8,67},{0,9,230},{16,7,7},{0,8,91},
-        {0,8,27},{0,9,150},{20,7,67},{0,8,123},{0,8,59},{0,9,214},{18,7,19},
-        {0,8,107},{0,8,43},{0,9,182},{0,8,11},{0,8,139},{0,8,75},{0,9,246},
-        {16,7,5},{0,8,87},{0,8,23},{64,8,0},{19,7,51},{0,8,119},{0,8,55},
-        {0,9,206},{17,7,15},{0,8,103},{0,8,39},{0,9,174},{0,8,7},{0,8,135},
-        {0,8,71},{0,9,238},{16,7,9},{0,8,95},{0,8,31},{0,9,158},{20,7,99},
-        {0,8,127},{0,8,63},{0,9,222},{18,7,27},{0,8,111},{0,8,47},{0,9,190},
-        {0,8,15},{0,8,143},{0,8,79},{0,9,254},{96,7,0},{0,8,80},{0,8,16},
-        {20,8,115},{18,7,31},{0,8,112},{0,8,48},{0,9,193},{16,7,10},{0,8,96},
-        {0,8,32},{0,9,161},{0,8,0},{0,8,128},{0,8,64},{0,9,225},{16,7,6},
-        {0,8,88},{0,8,24},{0,9,145},{19,7,59},{0,8,120},{0,8,56},{0,9,209},
-        {17,7,17},{0,8,104},{0,8,40},{0,9,177},{0,8,8},{0,8,136},{0,8,72},
-        {0,9,241},{16,7,4},{0,8,84},{0,8,20},{21,8,227},{19,7,43},{0,8,116},
-        {0,8,52},{0,9,201},{17,7,13},{0,8,100},{0,8,36},{0,9,169},{0,8,4},
-        {0,8,132},{0,8,68},{0,9,233},{16,7,8},{0,8,92},{0,8,28},{0,9,153},
-        {20,7,83},{0,8,124},{0,8,60},{0,9,217},{18,7,23},{0,8,108},{0,8,44},
-        {0,9,185},{0,8,12},{0,8,140},{0,8,76},{0,9,249},{16,7,3},{0,8,82},
-        {0,8,18},{21,8,163},{19,7,35},{0,8,114},{0,8,50},{0,9,197},{17,7,11},
-        {0,8,98},{0,8,34},{0,9,165},{0,8,2},{0,8,130},{0,8,66},{0,9,229},
-        {16,7,7},{0,8,90},{0,8,26},{0,9,149},{20,7,67},{0,8,122},{0,8,58},
-        {0,9,213},{18,7,19},{0,8,106},{0,8,42},{0,9,181},{0,8,10},{0,8,138},
-        {0,8,74},{0,9,245},{16,7,5},{0,8,86},{0,8,22},{64,8,0},{19,7,51},
-        {0,8,118},{0,8,54},{0,9,205},{17,7,15},{0,8,102},{0,8,38},{0,9,173},
-        {0,8,6},{0,8,134},{0,8,70},{0,9,237},{16,7,9},{0,8,94},{0,8,30},
-        {0,9,157},{20,7,99},{0,8,126},{0,8,62},{0,9,221},{18,7,27},{0,8,110},
-        {0,8,46},{0,9,189},{0,8,14},{0,8,142},{0,8,78},{0,9,253},{96,7,0},
-        {0,8,81},{0,8,17},{21,8,131},{18,7,31},{0,8,113},{0,8,49},{0,9,195},
-        {16,7,10},{0,8,97},{0,8,33},{0,9,163},{0,8,1},{0,8,129},{0,8,65},
-        {0,9,227},{16,7,6},{0,8,89},{0,8,25},{0,9,147},{19,7,59},{0,8,121},
-        {0,8,57},{0,9,211},{17,7,17},{0,8,105},{0,8,41},{0,9,179},{0,8,9},
-        {0,8,137},{0,8,73},{0,9,243},{16,7,4},{0,8,85},{0,8,21},{16,8,258},
-        {19,7,43},{0,8,117},{0,8,53},{0,9,203},{17,7,13},{0,8,101},{0,8,37},
-        {0,9,171},{0,8,5},{0,8,133},{0,8,69},{0,9,235},{16,7,8},{0,8,93},
-        {0,8,29},{0,9,155},{20,7,83},{0,8,125},{0,8,61},{0,9,219},{18,7,23},
-        {0,8,109},{0,8,45},{0,9,187},{0,8,13},{0,8,141},{0,8,77},{0,9,251},
-        {16,7,3},{0,8,83},{0,8,19},{21,8,195},{19,7,35},{0,8,115},{0,8,51},
-        {0,9,199},{17,7,11},{0,8,99},{0,8,35},{0,9,167},{0,8,3},{0,8,131},
-        {0,8,67},{0,9,231},{16,7,7},{0,8,91},{0,8,27},{0,9,151},{20,7,67},
-        {0,8,123},{0,8,59},{0,9,215},{18,7,19},{0,8,107},{0,8,43},{0,9,183},
-        {0,8,11},{0,8,139},{0,8,75},{0,9,247},{16,7,5},{0,8,87},{0,8,23},
-        {64,8,0},{19,7,51},{0,8,119},{0,8,55},{0,9,207},{17,7,15},{0,8,103},
-        {0,8,39},{0,9,175},{0,8,7},{0,8,135},{0,8,71},{0,9,239},{16,7,9},
-        {0,8,95},{0,8,31},{0,9,159},{20,7,99},{0,8,127},{0,8,63},{0,9,223},
-        {18,7,27},{0,8,111},{0,8,47},{0,9,191},{0,8,15},{0,8,143},{0,8,79},
-        {0,9,255}
-    };
-
-    static const code distfix[32] = {
-        {16,5,1},{23,5,257},{19,5,17},{27,5,4097},{17,5,5},{25,5,1025},
-        {21,5,65},{29,5,16385},{16,5,3},{24,5,513},{20,5,33},{28,5,8193},
-        {18,5,9},{26,5,2049},{22,5,129},{64,5,0},{16,5,2},{23,5,385},
-        {19,5,25},{27,5,6145},{17,5,7},{25,5,1537},{21,5,97},{29,5,24577},
-        {16,5,4},{24,5,769},{20,5,49},{28,5,12289},{18,5,13},{26,5,3073},
-        {22,5,193},{64,5,0}
-    };
diff --git a/security/nss/cmd/zlib/inflate.c b/security/nss/cmd/zlib/inflate.c
deleted file mode 100644
index 792fdee8e..000000000
--- a/security/nss/cmd/zlib/inflate.c
+++ /dev/null
@@ -1,1368 +0,0 @@
-/* inflate.c -- zlib decompression
- * Copyright (C) 1995-2005 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- * Change history:
- *
- * 1.2.beta0    24 Nov 2002
- * - First version -- complete rewrite of inflate to simplify code, avoid
- *   creation of window when not needed, minimize use of window when it is
- *   needed, make inffast.c even faster, implement gzip decoding, and to
- *   improve code readability and style over the previous zlib inflate code
- *
- * 1.2.beta1    25 Nov 2002
- * - Use pointers for available input and output checking in inffast.c
- * - Remove input and output counters in inffast.c
- * - Change inffast.c entry and loop from avail_in >= 7 to >= 6
- * - Remove unnecessary second byte pull from length extra in inffast.c
- * - Unroll direct copy to three copies per loop in inffast.c
- *
- * 1.2.beta2    4 Dec 2002
- * - Change external routine names to reduce potential conflicts
- * - Correct filename to inffixed.h for fixed tables in inflate.c
- * - Make hbuf[] unsigned char to match parameter type in inflate.c
- * - Change strm->next_out[-state->offset] to *(strm->next_out - state->offset)
- *   to avoid negation problem on Alphas (64 bit) in inflate.c
- *
- * 1.2.beta3    22 Dec 2002
- * - Add comments on state->bits assertion in inffast.c
- * - Add comments on op field in inftrees.h
- * - Fix bug in reuse of allocated window after inflateReset()
- * - Remove bit fields--back to byte structure for speed
- * - Remove distance extra == 0 check in inflate_fast()--only helps for lengths
- * - Change post-increments to pre-increments in inflate_fast(), PPC biased?
- * - Add compile time option, POSTINC, to use post-increments instead (Intel?)
- * - Make MATCH copy in inflate() much faster for when inflate_fast() not used
- * - Use local copies of stream next and avail values, as well as local bit
- *   buffer and bit count in inflate()--for speed when inflate_fast() not used
- *
- * 1.2.beta4    1 Jan 2003
- * - Split ptr - 257 statements in inflate_table() to avoid compiler warnings
- * - Move a comment on output buffer sizes from inffast.c to inflate.c
- * - Add comments in inffast.c to introduce the inflate_fast() routine
- * - Rearrange window copies in inflate_fast() for speed and simplification
- * - Unroll last copy for window match in inflate_fast()
- * - Use local copies of window variables in inflate_fast() for speed
- * - Pull out common write == 0 case for speed in inflate_fast()
- * - Make op and len in inflate_fast() unsigned for consistency
- * - Add FAR to lcode and dcode declarations in inflate_fast()
- * - Simplified bad distance check in inflate_fast()
- * - Added inflateBackInit(), inflateBack(), and inflateBackEnd() in new
- *   source file infback.c to provide a call-back interface to inflate for
- *   programs like gzip and unzip -- uses window as output buffer to avoid
- *   window copying
- *
- * 1.2.beta5    1 Jan 2003
- * - Improved inflateBack() interface to allow the caller to provide initial
- *   input in strm.
- * - Fixed stored blocks bug in inflateBack()
- *
- * 1.2.beta6    4 Jan 2003
- * - Added comments in inffast.c on effectiveness of POSTINC
- * - Typecasting all around to reduce compiler warnings
- * - Changed loops from while (1) or do {} while (1) to for (;;), again to
- *   make compilers happy
- * - Changed type of window in inflateBackInit() to unsigned char *
- *
- * 1.2.beta7    27 Jan 2003
- * - Changed many types to unsigned or unsigned short to avoid warnings
- * - Added inflateCopy() function
- *
- * 1.2.0        9 Mar 2003
- * - Changed inflateBack() interface to provide separate opaque descriptors
- *   for the in() and out() functions
- * - Changed inflateBack() argument and in_func typedef to swap the length
- *   and buffer address return values for the input function
- * - Check next_in and next_out for Z_NULL on entry to inflate()
- *
- * The history for versions after 1.2.0 are in ChangeLog in zlib distribution.
- */
-
-#include "zutil.h"
-#include "inftrees.h"
-#include "inflate.h"
-#include "inffast.h"
-
-#ifdef MAKEFIXED
-#  ifndef BUILDFIXED
-#    define BUILDFIXED
-#  endif
-#endif
-
-/* function prototypes */
-local void fixedtables OF((struct inflate_state FAR *state));
-local int updatewindow OF((z_streamp strm, unsigned out));
-#ifdef BUILDFIXED
-   void makefixed OF((void));
-#endif
-local unsigned syncsearch OF((unsigned FAR *have, unsigned char FAR *buf,
-                              unsigned len));
-
-int ZEXPORT inflateReset(strm)
-z_streamp strm;
-{
-    struct inflate_state FAR *state;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    strm->total_in = strm->total_out = state->total = 0;
-    strm->msg = Z_NULL;
-    strm->adler = 1;        /* to support ill-conceived Java test suite */
-    state->mode = HEAD;
-    state->last = 0;
-    state->havedict = 0;
-    state->dmax = 32768U;
-    state->head = Z_NULL;
-    state->wsize = 0;
-    state->whave = 0;
-    state->write = 0;
-    state->hold = 0;
-    state->bits = 0;
-    state->lencode = state->distcode = state->next = state->codes;
-    Tracev((stderr, "inflate: reset\n"));
-    return Z_OK;
-}
-
-int ZEXPORT inflatePrime(strm, bits, value)
-z_streamp strm;
-int bits;
-int value;
-{
-    struct inflate_state FAR *state;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
-    value &= (1L << bits) - 1;
-    state->hold += value << state->bits;
-    state->bits += bits;
-    return Z_OK;
-}
-
-int ZEXPORT inflateInit2_(strm, windowBits, version, stream_size)
-z_streamp strm;
-int windowBits;
-const char *version;
-int stream_size;
-{
-    struct inflate_state FAR *state;
-
-    if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
-        stream_size != (int)(sizeof(z_stream)))
-        return Z_VERSION_ERROR;
-    if (strm == Z_NULL) return Z_STREAM_ERROR;
-    strm->msg = Z_NULL;                 /* in case we return an error */
-    if (strm->zalloc == (alloc_func)0) {
-        strm->zalloc = zcalloc;
-        strm->opaque = (voidpf)0;
-    }
-    if (strm->zfree == (free_func)0) strm->zfree = zcfree;
-    state = (struct inflate_state FAR *)
-            ZALLOC(strm, 1, sizeof(struct inflate_state));
-    if (state == Z_NULL) return Z_MEM_ERROR;
-    Tracev((stderr, "inflate: allocated\n"));
-    strm->state = (struct internal_state FAR *)state;
-    if (windowBits < 0) {
-        state->wrap = 0;
-        windowBits = -windowBits;
-    }
-    else {
-        state->wrap = (windowBits >> 4) + 1;
-#ifdef GUNZIP
-        if (windowBits < 48) windowBits &= 15;
-#endif
-    }
-    if (windowBits < 8 || windowBits > 15) {
-        ZFREE(strm, state);
-        strm->state = Z_NULL;
-        return Z_STREAM_ERROR;
-    }
-    state->wbits = (unsigned)windowBits;
-    state->window = Z_NULL;
-    return inflateReset(strm);
-}
-
-int ZEXPORT inflateInit_(strm, version, stream_size)
-z_streamp strm;
-const char *version;
-int stream_size;
-{
-    return inflateInit2_(strm, DEF_WBITS, version, stream_size);
-}
-
-/*
-   Return state with length and distance decoding tables and index sizes set to
-   fixed code decoding.  Normally this returns fixed tables from inffixed.h.
-   If BUILDFIXED is defined, then instead this routine builds the tables the
-   first time it's called, and returns those tables the first time and
-   thereafter.  This reduces the size of the code by about 2K bytes, in
-   exchange for a little execution time.  However, BUILDFIXED should not be
-   used for threaded applications, since the rewriting of the tables and virgin
-   may not be thread-safe.
- */
-local void fixedtables(state)
-struct inflate_state FAR *state;
-{
-#ifdef BUILDFIXED
-    static int virgin = 1;
-    static code *lenfix, *distfix;
-    static code fixed[544];
-
-    /* build fixed huffman tables if first call (may not be thread safe) */
-    if (virgin) {
-        unsigned sym, bits;
-        static code *next;
-
-        /* literal/length table */
-        sym = 0;
-        while (sym < 144) state->lens[sym++] = 8;
-        while (sym < 256) state->lens[sym++] = 9;
-        while (sym < 280) state->lens[sym++] = 7;
-        while (sym < 288) state->lens[sym++] = 8;
-        next = fixed;
-        lenfix = next;
-        bits = 9;
-        inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);
-
-        /* distance table */
-        sym = 0;
-        while (sym < 32) state->lens[sym++] = 5;
-        distfix = next;
-        bits = 5;
-        inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);
-
-        /* do this just once */
-        virgin = 0;
-    }
-#else /* !BUILDFIXED */
-#   include "inffixed.h"
-#endif /* BUILDFIXED */
-    state->lencode = lenfix;
-    state->lenbits = 9;
-    state->distcode = distfix;
-    state->distbits = 5;
-}
-
-#ifdef MAKEFIXED
-#include <stdio.h>
-
-/*
-   Write out the inffixed.h that is #include'd above.  Defining MAKEFIXED also
-   defines BUILDFIXED, so the tables are built on the fly.  makefixed() writes
-   those tables to stdout, which would be piped to inffixed.h.  A small program
-   can simply call makefixed to do this:
-
-    void makefixed(void);
-
-    int main(void)
-    {
-        makefixed();
-        return 0;
-    }
-
-   Then that can be linked with zlib built with MAKEFIXED defined and run:
-
-    a.out > inffixed.h
- */
-void makefixed()
-{
-    unsigned low, size;
-    struct inflate_state state;
-
-    fixedtables(&state);
-    puts("    /* inffixed.h -- table for decoding fixed codes");
-    puts("     * Generated automatically by makefixed().");
-    puts("     */");
-    puts("");
-    puts("    /* WARNING: this file should *not* be used by applications.");
-    puts("       It is part of the implementation of this library and is");
-    puts("       subject to change. Applications should only use zlib.h.");
-    puts("     */");
-    puts("");
-    size = 1U << 9;
-    printf("    static const code lenfix[%u] = {", size);
-    low = 0;
-    for (;;) {
-        if ((low % 7) == 0) printf("\n        ");
-        printf("{%u,%u,%d}", state.lencode[low].op, state.lencode[low].bits,
-               state.lencode[low].val);
-        if (++low == size) break;
-        putchar(',');
-    }
-    puts("\n    };");
-    size = 1U << 5;
-    printf("\n    static const code distfix[%u] = {", size);
-    low = 0;
-    for (;;) {
-        if ((low % 6) == 0) printf("\n        ");
-        printf("{%u,%u,%d}", state.distcode[low].op, state.distcode[low].bits,
-               state.distcode[low].val);
-        if (++low == size) break;
-        putchar(',');
-    }
-    puts("\n    };");
-}
-#endif /* MAKEFIXED */
-
-/*
-   Update the window with the last wsize (normally 32K) bytes written before
-   returning.  If window does not exist yet, create it.  This is only called
-   when a window is already in use, or when output has been written during this
-   inflate call, but the end of the deflate stream has not been reached yet.
-   It is also called to create a window for dictionary data when a dictionary
-   is loaded.
-
-   Providing output buffers larger than 32K to inflate() should provide a speed
-   advantage, since only the last 32K of output is copied to the sliding window
-   upon return from inflate(), and since all distances after the first 32K of
-   output will fall in the output data, making match copies simpler and faster.
-   The advantage may be dependent on the size of the processor's data caches.
- */
-local int updatewindow(strm, out)
-z_streamp strm;
-unsigned out;
-{
-    struct inflate_state FAR *state;
-    unsigned copy, dist;
-
-    state = (struct inflate_state FAR *)strm->state;
-
-    /* if it hasn't been done already, allocate space for the window */
-    if (state->window == Z_NULL) {
-        state->window = (unsigned char FAR *)
-                        ZALLOC(strm, 1U << state->wbits,
-                               sizeof(unsigned char));
-        if (state->window == Z_NULL) return 1;
-    }
-
-    /* if window not in use yet, initialize */
-    if (state->wsize == 0) {
-        state->wsize = 1U << state->wbits;
-        state->write = 0;
-        state->whave = 0;
-    }
-
-    /* copy state->wsize or less output bytes into the circular window */
-    copy = out - strm->avail_out;
-    if (copy >= state->wsize) {
-        zmemcpy(state->window, strm->next_out - state->wsize, state->wsize);
-        state->write = 0;
-        state->whave = state->wsize;
-    }
-    else {
-        dist = state->wsize - state->write;
-        if (dist > copy) dist = copy;
-        zmemcpy(state->window + state->write, strm->next_out - copy, dist);
-        copy -= dist;
-        if (copy) {
-            zmemcpy(state->window, strm->next_out - copy, copy);
-            state->write = copy;
-            state->whave = state->wsize;
-        }
-        else {
-            state->write += dist;
-            if (state->write == state->wsize) state->write = 0;
-            if (state->whave < state->wsize) state->whave += dist;
-        }
-    }
-    return 0;
-}
-
-/* Macros for inflate(): */
-
-/* check function to use adler32() for zlib or crc32() for gzip */
-#ifdef GUNZIP
-#  define UPDATE(check, buf, len) \
-    (state->flags ? crc32(check, buf, len) : adler32(check, buf, len))
-#else
-#  define UPDATE(check, buf, len) adler32(check, buf, len)
-#endif
-
-/* check macros for header crc */
-#ifdef GUNZIP
-#  define CRC2(check, word) \
-    do { \
-        hbuf[0] = (unsigned char)(word); \
-        hbuf[1] = (unsigned char)((word) >> 8); \
-        check = crc32(check, hbuf, 2); \
-    } while (0)
-
-#  define CRC4(check, word) \
-    do { \
-        hbuf[0] = (unsigned char)(word); \
-        hbuf[1] = (unsigned char)((word) >> 8); \
-        hbuf[2] = (unsigned char)((word) >> 16); \
-        hbuf[3] = (unsigned char)((word) >> 24); \
-        check = crc32(check, hbuf, 4); \
-    } while (0)
-#endif
-
-/* Load registers with state in inflate() for speed */
-#define LOAD() \
-    do { \
-        put = strm->next_out; \
-        left = strm->avail_out; \
-        next = strm->next_in; \
-        have = strm->avail_in; \
-        hold = state->hold; \
-        bits = state->bits; \
-    } while (0)
-
-/* Restore state from registers in inflate() */
-#define RESTORE() \
-    do { \
-        strm->next_out = put; \
-        strm->avail_out = left; \
-        strm->next_in = next; \
-        strm->avail_in = have; \
-        state->hold = hold; \
-        state->bits = bits; \
-    } while (0)
-
-/* Clear the input bit accumulator */
-#define INITBITS() \
-    do { \
-        hold = 0; \
-        bits = 0; \
-    } while (0)
-
-/* Get a byte of input into the bit accumulator, or return from inflate()
-   if there is no input available. */
-#define PULLBYTE() \
-    do { \
-        if (have == 0) goto inf_leave; \
-        have--; \
-        hold += (unsigned long)(*next++) << bits; \
-        bits += 8; \
-    } while (0)
-
-/* Assure that there are at least n bits in the bit accumulator.  If there is
-   not enough available input to do that, then return from inflate(). */
-#define NEEDBITS(n) \
-    do { \
-        while (bits < (unsigned)(n)) \
-            PULLBYTE(); \
-    } while (0)
-
-/* Return the low n bits of the bit accumulator (n < 16) */
-#define BITS(n) \
-    ((unsigned)hold & ((1U << (n)) - 1))
-
-/* Remove n bits from the bit accumulator */
-#define DROPBITS(n) \
-    do { \
-        hold >>= (n); \
-        bits -= (unsigned)(n); \
-    } while (0)
-
-/* Remove zero to seven bits as needed to go to a byte boundary */
-#define BYTEBITS() \
-    do { \
-        hold >>= bits & 7; \
-        bits -= bits & 7; \
-    } while (0)
-
-/* Reverse the bytes in a 32-bit value */
-#define REVERSE(q) \
-    ((((q) >> 24) & 0xff) + (((q) >> 8) & 0xff00) + \
-     (((q) & 0xff00) << 8) + (((q) & 0xff) << 24))
-
-/*
-   inflate() uses a state machine to process as much input data and generate as
-   much output data as possible before returning.  The state machine is
-   structured roughly as follows:
-
-    for (;;) switch (state) {
-    ...
-    case STATEn:
-        if (not enough input data or output space to make progress)
-            return;
-        ... make progress ...
-        state = STATEm;
-        break;
-    ...
-    }
-
-   so when inflate() is called again, the same case is attempted again, and
-   if the appropriate resources are provided, the machine proceeds to the
-   next state.  The NEEDBITS() macro is usually the way the state evaluates
-   whether it can proceed or should return.  NEEDBITS() does the return if
-   the requested bits are not available.  The typical use of the BITS macros
-   is:
-
-        NEEDBITS(n);
-        ... do something with BITS(n) ...
-        DROPBITS(n);
-
-   where NEEDBITS(n) either returns from inflate() if there isn't enough
-   input left to load n bits into the accumulator, or it continues.  BITS(n)
-   gives the low n bits in the accumulator.  When done, DROPBITS(n) drops
-   the low n bits off the accumulator.  INITBITS() clears the accumulator
-   and sets the number of available bits to zero.  BYTEBITS() discards just
-   enough bits to put the accumulator on a byte boundary.  After BYTEBITS()
-   and a NEEDBITS(8), then BITS(8) would return the next byte in the stream.
-
-   NEEDBITS(n) uses PULLBYTE() to get an available byte of input, or to return
-   if there is no input available.  The decoding of variable length codes uses
-   PULLBYTE() directly in order to pull just enough bytes to decode the next
-   code, and no more.
-
-   Some states loop until they get enough input, making sure that enough
-   state information is maintained to continue the loop where it left off
-   if NEEDBITS() returns in the loop.  For example, want, need, and keep
-   would all have to actually be part of the saved state in case NEEDBITS()
-   returns:
-
-    case STATEw:
-        while (want < need) {
-            NEEDBITS(n);
-            keep[want++] = BITS(n);
-            DROPBITS(n);
-        }
-        state = STATEx;
-    case STATEx:
-
-   As shown above, if the next state is also the next case, then the break
-   is omitted.
-
-   A state may also return if there is not enough output space available to
-   complete that state.  Those states are copying stored data, writing a
-   literal byte, and copying a matching string.
-
-   When returning, a "goto inf_leave" is used to update the total counters,
-   update the check value, and determine whether any progress has been made
-   during that inflate() call in order to return the proper return code.
-   Progress is defined as a change in either strm->avail_in or strm->avail_out.
-   When there is a window, goto inf_leave will update the window with the last
-   output written.  If a goto inf_leave occurs in the middle of decompression
-   and there is no window currently, goto inf_leave will create one and copy
-   output to the window for the next call of inflate().
-
-   In this implementation, the flush parameter of inflate() only affects the
-   return code (per zlib.h).  inflate() always writes as much as possible to
-   strm->next_out, given the space available and the provided input--the effect
-   documented in zlib.h of Z_SYNC_FLUSH.  Furthermore, inflate() always defers
-   the allocation of and copying into a sliding window until necessary, which
-   provides the effect documented in zlib.h for Z_FINISH when the entire input
-   stream available.  So the only thing the flush parameter actually does is:
-   when flush is set to Z_FINISH, inflate() cannot return Z_OK.  Instead it
-   will return Z_BUF_ERROR if it has not reached the end of the stream.
- */
-
-int ZEXPORT inflate(strm, flush)
-z_streamp strm;
-int flush;
-{
-    struct inflate_state FAR *state;
-    unsigned char FAR *next;    /* next input */
-    unsigned char FAR *put;     /* next output */
-    unsigned have, left;        /* available input and output */
-    unsigned long hold;         /* bit buffer */
-    unsigned bits;              /* bits in bit buffer */
-    unsigned in, out;           /* save starting available input and output */
-    unsigned copy;              /* number of stored or match bytes to copy */
-    unsigned char FAR *from;    /* where to copy match bytes from */
-    code this;                  /* current decoding table entry */
-    code last;                  /* parent table entry */
-    unsigned len;               /* length to copy for repeats, bits to drop */
-    int ret;                    /* return code */
-#ifdef GUNZIP
-    unsigned char hbuf[4];      /* buffer for gzip header crc calculation */
-#endif
-    static const unsigned short order[19] = /* permutation of code lengths */
-        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
-
-    if (strm == Z_NULL || strm->state == Z_NULL || strm->next_out == Z_NULL ||
-        (strm->next_in == Z_NULL && strm->avail_in != 0))
-        return Z_STREAM_ERROR;
-
-    state = (struct inflate_state FAR *)strm->state;
-    if (state->mode == TYPE) state->mode = TYPEDO;      /* skip check */
-    LOAD();
-    in = have;
-    out = left;
-    ret = Z_OK;
-    for (;;)
-        switch (state->mode) {
-        case HEAD:
-            if (state->wrap == 0) {
-                state->mode = TYPEDO;
-                break;
-            }
-            NEEDBITS(16);
-#ifdef GUNZIP
-            if ((state->wrap & 2) && hold == 0x8b1f) {  /* gzip header */
-                state->check = crc32(0L, Z_NULL, 0);
-                CRC2(state->check, hold);
-                INITBITS();
-                state->mode = FLAGS;
-                break;
-            }
-            state->flags = 0;           /* expect zlib header */
-            if (state->head != Z_NULL)
-                state->head->done = -1;
-            if (!(state->wrap & 1) ||   /* check if zlib header allowed */
-#else
-            if (
-#endif
-                ((BITS(8) << 8) + (hold >> 8)) % 31) {
-                strm->msg = (char *)"incorrect header check";
-                state->mode = BAD;
-                break;
-            }
-            if (BITS(4) != Z_DEFLATED) {
-                strm->msg = (char *)"unknown compression method";
-                state->mode = BAD;
-                break;
-            }
-            DROPBITS(4);
-            len = BITS(4) + 8;
-            if (len > state->wbits) {
-                strm->msg = (char *)"invalid window size";
-                state->mode = BAD;
-                break;
-            }
-            state->dmax = 1U << len;
-            Tracev((stderr, "inflate:   zlib header ok\n"));
-            strm->adler = state->check = adler32(0L, Z_NULL, 0);
-            state->mode = hold & 0x200 ? DICTID : TYPE;
-            INITBITS();
-            break;
-#ifdef GUNZIP
-        case FLAGS:
-            NEEDBITS(16);
-            state->flags = (int)(hold);
-            if ((state->flags & 0xff) != Z_DEFLATED) {
-                strm->msg = (char *)"unknown compression method";
-                state->mode = BAD;
-                break;
-            }
-            if (state->flags & 0xe000) {
-                strm->msg = (char *)"unknown header flags set";
-                state->mode = BAD;
-                break;
-            }
-            if (state->head != Z_NULL)
-                state->head->text = (int)((hold >> 8) & 1);
-            if (state->flags & 0x0200) CRC2(state->check, hold);
-            INITBITS();
-            state->mode = TIME;
-        case TIME:
-            NEEDBITS(32);
-            if (state->head != Z_NULL)
-                state->head->time = hold;
-            if (state->flags & 0x0200) CRC4(state->check, hold);
-            INITBITS();
-            state->mode = OS;
-        case OS:
-            NEEDBITS(16);
-            if (state->head != Z_NULL) {
-                state->head->xflags = (int)(hold & 0xff);
-                state->head->os = (int)(hold >> 8);
-            }
-            if (state->flags & 0x0200) CRC2(state->check, hold);
-            INITBITS();
-            state->mode = EXLEN;
-        case EXLEN:
-            if (state->flags & 0x0400) {
-                NEEDBITS(16);
-                state->length = (unsigned)(hold);
-                if (state->head != Z_NULL)
-                    state->head->extra_len = (unsigned)hold;
-                if (state->flags & 0x0200) CRC2(state->check, hold);
-                INITBITS();
-            }
-            else if (state->head != Z_NULL)
-                state->head->extra = Z_NULL;
-            state->mode = EXTRA;
-        case EXTRA:
-            if (state->flags & 0x0400) {
-                copy = state->length;
-                if (copy > have) copy = have;
-                if (copy) {
-                    if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
-                        zmemcpy(state->head->extra + len, next,
-                                len + copy > state->head->extra_max ?
-                                state->head->extra_max - len : copy);
-                    }
-                    if (state->flags & 0x0200)
-                        state->check = crc32(state->check, next, copy);
-                    have -= copy;
-                    next += copy;
-                    state->length -= copy;
-                }
-                if (state->length) goto inf_leave;
-            }
-            state->length = 0;
-            state->mode = NAME;
-        case NAME:
-            if (state->flags & 0x0800) {
-                if (have == 0) goto inf_leave;
-                copy = 0;
-                do {
-                    len = (unsigned)(next[copy++]);
-                    if (state->head != Z_NULL &&
-                            state->head->name != Z_NULL &&
-                            state->length < state->head->name_max)
-                        state->head->name[state->length++] = len;
-                } while (len && copy < have);
-                if (state->flags & 0x0200)
-                    state->check = crc32(state->check, next, copy);
-                have -= copy;
-                next += copy;
-                if (len) goto inf_leave;
-            }
-            else if (state->head != Z_NULL)
-                state->head->name = Z_NULL;
-            state->length = 0;
-            state->mode = COMMENT;
-        case COMMENT:
-            if (state->flags & 0x1000) {
-                if (have == 0) goto inf_leave;
-                copy = 0;
-                do {
-                    len = (unsigned)(next[copy++]);
-                    if (state->head != Z_NULL &&
-                            state->head->comment != Z_NULL &&
-                            state->length < state->head->comm_max)
-                        state->head->comment[state->length++] = len;
-                } while (len && copy < have);
-                if (state->flags & 0x0200)
-                    state->check = crc32(state->check, next, copy);
-                have -= copy;
-                next += copy;
-                if (len) goto inf_leave;
-            }
-            else if (state->head != Z_NULL)
-                state->head->comment = Z_NULL;
-            state->mode = HCRC;
-        case HCRC:
-            if (state->flags & 0x0200) {
-                NEEDBITS(16);
-                if (hold != (state->check & 0xffff)) {
-                    strm->msg = (char *)"header crc mismatch";
-                    state->mode = BAD;
-                    break;
-                }
-                INITBITS();
-            }
-            if (state->head != Z_NULL) {
-                state->head->hcrc = (int)((state->flags >> 9) & 1);
-                state->head->done = 1;
-            }
-            strm->adler = state->check = crc32(0L, Z_NULL, 0);
-            state->mode = TYPE;
-            break;
-#endif
-        case DICTID:
-            NEEDBITS(32);
-            strm->adler = state->check = REVERSE(hold);
-            INITBITS();
-            state->mode = DICT;
-        case DICT:
-            if (state->havedict == 0) {
-                RESTORE();
-                return Z_NEED_DICT;
-            }
-            strm->adler = state->check = adler32(0L, Z_NULL, 0);
-            state->mode = TYPE;
-        case TYPE:
-            if (flush == Z_BLOCK) goto inf_leave;
-        case TYPEDO:
-            if (state->last) {
-                BYTEBITS();
-                state->mode = CHECK;
-                break;
-            }
-            NEEDBITS(3);
-            state->last = BITS(1);
-            DROPBITS(1);
-            switch (BITS(2)) {
-            case 0:                             /* stored block */
-                Tracev((stderr, "inflate:     stored block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = STORED;
-                break;
-            case 1:                             /* fixed block */
-                fixedtables(state);
-                Tracev((stderr, "inflate:     fixed codes block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = LEN;              /* decode codes */
-                break;
-            case 2:                             /* dynamic block */
-                Tracev((stderr, "inflate:     dynamic codes block%s\n",
-                        state->last ? " (last)" : ""));
-                state->mode = TABLE;
-                break;
-            case 3:
-                strm->msg = (char *)"invalid block type";
-                state->mode = BAD;
-            }
-            DROPBITS(2);
-            break;
-        case STORED:
-            BYTEBITS();                         /* go to byte boundary */
-            NEEDBITS(32);
-            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
-                strm->msg = (char *)"invalid stored block lengths";
-                state->mode = BAD;
-                break;
-            }
-            state->length = (unsigned)hold & 0xffff;
-            Tracev((stderr, "inflate:       stored length %u\n",
-                    state->length));
-            INITBITS();
-            state->mode = COPY;
-        case COPY:
-            copy = state->length;
-            if (copy) {
-                if (copy > have) copy = have;
-                if (copy > left) copy = left;
-                if (copy == 0) goto inf_leave;
-                zmemcpy(put, next, copy);
-                have -= copy;
-                next += copy;
-                left -= copy;
-                put += copy;
-                state->length -= copy;
-                break;
-            }
-            Tracev((stderr, "inflate:       stored end\n"));
-            state->mode = TYPE;
-            break;
-        case TABLE:
-            NEEDBITS(14);
-            state->nlen = BITS(5) + 257;
-            DROPBITS(5);
-            state->ndist = BITS(5) + 1;
-            DROPBITS(5);
-            state->ncode = BITS(4) + 4;
-            DROPBITS(4);
-#ifndef PKZIP_BUG_WORKAROUND
-            if (state->nlen > 286 || state->ndist > 30) {
-                strm->msg = (char *)"too many length or distance symbols";
-                state->mode = BAD;
-                break;
-            }
-#endif
-            Tracev((stderr, "inflate:       table sizes ok\n"));
-            state->have = 0;
-            state->mode = LENLENS;
-        case LENLENS:
-            while (state->have < state->ncode) {
-                NEEDBITS(3);
-                state->lens[order[state->have++]] = (unsigned short)BITS(3);
-                DROPBITS(3);
-            }
-            while (state->have < 19)
-                state->lens[order[state->have++]] = 0;
-            state->next = state->codes;
-            state->lencode = (code const FAR *)(state->next);
-            state->lenbits = 7;
-            ret = inflate_table(CODES, state->lens, 19, &(state->next),
-                                &(state->lenbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid code lengths set";
-                state->mode = BAD;
-                break;
-            }
-            Tracev((stderr, "inflate:       code lengths ok\n"));
-            state->have = 0;
-            state->mode = CODELENS;
-        case CODELENS:
-            while (state->have < state->nlen + state->ndist) {
-                for (;;) {
-                    this = state->lencode[BITS(state->lenbits)];
-                    if ((unsigned)(this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                if (this.val < 16) {
-                    NEEDBITS(this.bits);
-                    DROPBITS(this.bits);
-                    state->lens[state->have++] = this.val;
-                }
-                else {
-                    if (this.val == 16) {
-                        NEEDBITS(this.bits + 2);
-                        DROPBITS(this.bits);
-                        if (state->have == 0) {
-                            strm->msg = (char *)"invalid bit length repeat";
-                            state->mode = BAD;
-                            break;
-                        }
-                        len = state->lens[state->have - 1];
-                        copy = 3 + BITS(2);
-                        DROPBITS(2);
-                    }
-                    else if (this.val == 17) {
-                        NEEDBITS(this.bits + 3);
-                        DROPBITS(this.bits);
-                        len = 0;
-                        copy = 3 + BITS(3);
-                        DROPBITS(3);
-                    }
-                    else {
-                        NEEDBITS(this.bits + 7);
-                        DROPBITS(this.bits);
-                        len = 0;
-                        copy = 11 + BITS(7);
-                        DROPBITS(7);
-                    }
-                    if (state->have + copy > state->nlen + state->ndist) {
-                        strm->msg = (char *)"invalid bit length repeat";
-                        state->mode = BAD;
-                        break;
-                    }
-                    while (copy--)
-                        state->lens[state->have++] = (unsigned short)len;
-                }
-            }
-
-            /* handle error breaks in while */
-            if (state->mode == BAD) break;
-
-            /* build code tables */
-            state->next = state->codes;
-            state->lencode = (code const FAR *)(state->next);
-            state->lenbits = 9;
-            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
-                                &(state->lenbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid literal/lengths set";
-                state->mode = BAD;
-                break;
-            }
-            state->distcode = (code const FAR *)(state->next);
-            state->distbits = 6;
-            ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,
-                            &(state->next), &(state->distbits), state->work);
-            if (ret) {
-                strm->msg = (char *)"invalid distances set";
-                state->mode = BAD;
-                break;
-            }
-            Tracev((stderr, "inflate:       codes ok\n"));
-            state->mode = LEN;
-        case LEN:
-            if (have >= 6 && left >= 258) {
-                RESTORE();
-                inflate_fast(strm, out);
-                LOAD();
-                break;
-            }
-            for (;;) {
-                this = state->lencode[BITS(state->lenbits)];
-                if ((unsigned)(this.bits) <= bits) break;
-                PULLBYTE();
-            }
-            if (this.op && (this.op & 0xf0) == 0) {
-                last = this;
-                for (;;) {
-                    this = state->lencode[last.val +
-                            (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                DROPBITS(last.bits);
-            }
-            DROPBITS(this.bits);
-            state->length = (unsigned)this.val;
-            if ((int)(this.op) == 0) {
-                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
-                        "inflate:         literal '%c'\n" :
-                        "inflate:         literal 0x%02x\n", this.val));
-                state->mode = LIT;
-                break;
-            }
-            if (this.op & 32) {
-                Tracevv((stderr, "inflate:         end of block\n"));
-                state->mode = TYPE;
-                break;
-            }
-            if (this.op & 64) {
-                strm->msg = (char *)"invalid literal/length code";
-                state->mode = BAD;
-                break;
-            }
-            state->extra = (unsigned)(this.op) & 15;
-            state->mode = LENEXT;
-        case LENEXT:
-            if (state->extra) {
-                NEEDBITS(state->extra);
-                state->length += BITS(state->extra);
-                DROPBITS(state->extra);
-            }
-            Tracevv((stderr, "inflate:         length %u\n", state->length));
-            state->mode = DIST;
-        case DIST:
-            for (;;) {
-                this = state->distcode[BITS(state->distbits)];
-                if ((unsigned)(this.bits) <= bits) break;
-                PULLBYTE();
-            }
-            if ((this.op & 0xf0) == 0) {
-                last = this;
-                for (;;) {
-                    this = state->distcode[last.val +
-                            (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
-                    PULLBYTE();
-                }
-                DROPBITS(last.bits);
-            }
-            DROPBITS(this.bits);
-            if (this.op & 64) {
-                strm->msg = (char *)"invalid distance code";
-                state->mode = BAD;
-                break;
-            }
-            state->offset = (unsigned)this.val;
-            state->extra = (unsigned)(this.op) & 15;
-            state->mode = DISTEXT;
-        case DISTEXT:
-            if (state->extra) {
-                NEEDBITS(state->extra);
-                state->offset += BITS(state->extra);
-                DROPBITS(state->extra);
-            }
-#ifdef INFLATE_STRICT
-            if (state->offset > state->dmax) {
-                strm->msg = (char *)"invalid distance too far back";
-                state->mode = BAD;
-                break;
-            }
-#endif
-            if (state->offset > state->whave + out - left) {
-                strm->msg = (char *)"invalid distance too far back";
-                state->mode = BAD;
-                break;
-            }
-            Tracevv((stderr, "inflate:         distance %u\n", state->offset));
-            state->mode = MATCH;
-        case MATCH:
-            if (left == 0) goto inf_leave;
-            copy = out - left;
-            if (state->offset > copy) {         /* copy from window */
-                copy = state->offset - copy;
-                if (copy > state->write) {
-                    copy -= state->write;
-                    from = state->window + (state->wsize - copy);
-                }
-                else
-                    from = state->window + (state->write - copy);
-                if (copy > state->length) copy = state->length;
-            }
-            else {                              /* copy from output */
-                from = put - state->offset;
-                copy = state->length;
-            }
-            if (copy > left) copy = left;
-            left -= copy;
-            state->length -= copy;
-            do {
-                *put++ = *from++;
-            } while (--copy);
-            if (state->length == 0) state->mode = LEN;
-            break;
-        case LIT:
-            if (left == 0) goto inf_leave;
-            *put++ = (unsigned char)(state->length);
-            left--;
-            state->mode = LEN;
-            break;
-        case CHECK:
-            if (state->wrap) {
-                NEEDBITS(32);
-                out -= left;
-                strm->total_out += out;
-                state->total += out;
-                if (out)
-                    strm->adler = state->check =
-                        UPDATE(state->check, put - out, out);
-                out = left;
-                if ((
-#ifdef GUNZIP
-                     state->flags ? hold :
-#endif
-                     REVERSE(hold)) != state->check) {
-                    strm->msg = (char *)"incorrect data check";
-                    state->mode = BAD;
-                    break;
-                }
-                INITBITS();
-                Tracev((stderr, "inflate:   check matches trailer\n"));
-            }
-#ifdef GUNZIP
-            state->mode = LENGTH;
-        case LENGTH:
-            if (state->wrap && state->flags) {
-                NEEDBITS(32);
-                if (hold != (state->total & 0xffffffffUL)) {
-                    strm->msg = (char *)"incorrect length check";
-                    state->mode = BAD;
-                    break;
-                }
-                INITBITS();
-                Tracev((stderr, "inflate:   length matches trailer\n"));
-            }
-#endif
-            state->mode = DONE;
-        case DONE:
-            ret = Z_STREAM_END;
-            goto inf_leave;
-        case BAD:
-            ret = Z_DATA_ERROR;
-            goto inf_leave;
-        case MEM:
-            return Z_MEM_ERROR;
-        case SYNC:
-        default:
-            return Z_STREAM_ERROR;
-        }
-
-    /*
-       Return from inflate(), updating the total counts and the check value.
-       If there was no progress during the inflate() call, return a buffer
-       error.  Call updatewindow() to create and/or update the window state.
-       Note: a memory error from inflate() is non-recoverable.
-     */
-  inf_leave:
-    RESTORE();
-    if (state->wsize || (state->mode < CHECK && out != strm->avail_out))
-        if (updatewindow(strm, out)) {
-            state->mode = MEM;
-            return Z_MEM_ERROR;
-        }
-    in -= strm->avail_in;
-    out -= strm->avail_out;
-    strm->total_in += in;
-    strm->total_out += out;
-    state->total += out;
-    if (state->wrap && out)
-        strm->adler = state->check =
-            UPDATE(state->check, strm->next_out - out, out);
-    strm->data_type = state->bits + (state->last ? 64 : 0) +
-                      (state->mode == TYPE ? 128 : 0);
-    if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
-        ret = Z_BUF_ERROR;
-    return ret;
-}
-
-int ZEXPORT inflateEnd(strm)
-z_streamp strm;
-{
-    struct inflate_state FAR *state;
-    if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)
-        return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    if (state->window != Z_NULL) ZFREE(strm, state->window);
-    ZFREE(strm, strm->state);
-    strm->state = Z_NULL;
-    Tracev((stderr, "inflate: end\n"));
-    return Z_OK;
-}
-
-int ZEXPORT inflateSetDictionary(strm, dictionary, dictLength)
-z_streamp strm;
-const Bytef *dictionary;
-uInt dictLength;
-{
-    struct inflate_state FAR *state;
-    unsigned long id;
-
-    /* check state */
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    if (state->wrap != 0 && state->mode != DICT)
-        return Z_STREAM_ERROR;
-
-    /* check for correct dictionary id */
-    if (state->mode == DICT) {
-        id = adler32(0L, Z_NULL, 0);
-        id = adler32(id, dictionary, dictLength);
-        if (id != state->check)
-            return Z_DATA_ERROR;
-    }
-
-    /* copy dictionary to window */
-    if (updatewindow(strm, strm->avail_out)) {
-        state->mode = MEM;
-        return Z_MEM_ERROR;
-    }
-    if (dictLength > state->wsize) {
-        zmemcpy(state->window, dictionary + dictLength - state->wsize,
-                state->wsize);
-        state->whave = state->wsize;
-    }
-    else {
-        zmemcpy(state->window + state->wsize - dictLength, dictionary,
-                dictLength);
-        state->whave = dictLength;
-    }
-    state->havedict = 1;
-    Tracev((stderr, "inflate:   dictionary set\n"));
-    return Z_OK;
-}
-
-int ZEXPORT inflateGetHeader(strm, head)
-z_streamp strm;
-gz_headerp head;
-{
-    struct inflate_state FAR *state;
-
-    /* check state */
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    if ((state->wrap & 2) == 0) return Z_STREAM_ERROR;
-
-    /* save header structure */
-    state->head = head;
-    head->done = 0;
-    return Z_OK;
-}
-
-/*
-   Search buf[0..len-1] for the pattern: 0, 0, 0xff, 0xff.  Return when found
-   or when out of input.  When called, *have is the number of pattern bytes
-   found in order so far, in 0..3.  On return *have is updated to the new
-   state.  If on return *have equals four, then the pattern was found and the
-   return value is how many bytes were read including the last byte of the
-   pattern.  If *have is less than four, then the pattern has not been found
-   yet and the return value is len.  In the latter case, syncsearch() can be
-   called again with more data and the *have state.  *have is initialized to
-   zero for the first call.
- */
-local unsigned syncsearch(have, buf, len)
-unsigned FAR *have;
-unsigned char FAR *buf;
-unsigned len;
-{
-    unsigned got;
-    unsigned next;
-
-    got = *have;
-    next = 0;
-    while (next < len && got < 4) {
-        if ((int)(buf[next]) == (got < 2 ? 0 : 0xff))
-            got++;
-        else if (buf[next])
-            got = 0;
-        else
-            got = 4 - got;
-        next++;
-    }
-    *have = got;
-    return next;
-}
-
-int ZEXPORT inflateSync(strm)
-z_streamp strm;
-{
-    unsigned len;               /* number of bytes to look at or looked at */
-    unsigned long in, out;      /* temporary to save total_in and total_out */
-    unsigned char buf[4];       /* to restore bit buffer to byte string */
-    struct inflate_state FAR *state;
-
-    /* check parameters */
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    if (strm->avail_in == 0 && state->bits < 8) return Z_BUF_ERROR;
-
-    /* if first time, start search in bit buffer */
-    if (state->mode != SYNC) {
-        state->mode = SYNC;
-        state->hold <<= state->bits & 7;
-        state->bits -= state->bits & 7;
-        len = 0;
-        while (state->bits >= 8) {
-            buf[len++] = (unsigned char)(state->hold);
-            state->hold >>= 8;
-            state->bits -= 8;
-        }
-        state->have = 0;
-        syncsearch(&(state->have), buf, len);
-    }
-
-    /* search available input */
-    len = syncsearch(&(state->have), strm->next_in, strm->avail_in);
-    strm->avail_in -= len;
-    strm->next_in += len;
-    strm->total_in += len;
-
-    /* return no joy or set up to restart inflate() on a new block */
-    if (state->have != 4) return Z_DATA_ERROR;
-    in = strm->total_in;  out = strm->total_out;
-    inflateReset(strm);
-    strm->total_in = in;  strm->total_out = out;
-    state->mode = TYPE;
-    return Z_OK;
-}
-
-/*
-   Returns true if inflate is currently at the end of a block generated by
-   Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP
-   implementation to provide an additional safety check. PPP uses
-   Z_SYNC_FLUSH but removes the length bytes of the resulting empty stored
-   block. When decompressing, PPP checks that at the end of input packet,
-   inflate is waiting for these length bytes.
- */
-int ZEXPORT inflateSyncPoint(strm)
-z_streamp strm;
-{
-    struct inflate_state FAR *state;
-
-    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)strm->state;
-    return state->mode == STORED && state->bits == 0;
-}
-
-int ZEXPORT inflateCopy(dest, source)
-z_streamp dest;
-z_streamp source;
-{
-    struct inflate_state FAR *state;
-    struct inflate_state FAR *copy;
-    unsigned char FAR *window;
-    unsigned wsize;
-
-    /* check input */
-    if (dest == Z_NULL || source == Z_NULL || source->state == Z_NULL ||
-        source->zalloc == (alloc_func)0 || source->zfree == (free_func)0)
-        return Z_STREAM_ERROR;
-    state = (struct inflate_state FAR *)source->state;
-
-    /* allocate space */
-    copy = (struct inflate_state FAR *)
-           ZALLOC(source, 1, sizeof(struct inflate_state));
-    if (copy == Z_NULL) return Z_MEM_ERROR;
-    window = Z_NULL;
-    if (state->window != Z_NULL) {
-        window = (unsigned char FAR *)
-                 ZALLOC(source, 1U << state->wbits, sizeof(unsigned char));
-        if (window == Z_NULL) {
-            ZFREE(source, copy);
-            return Z_MEM_ERROR;
-        }
-    }
-
-    /* copy state */
-    zmemcpy(dest, source, sizeof(z_stream));
-    zmemcpy(copy, state, sizeof(struct inflate_state));
-    if (state->lencode >= state->codes &&
-        state->lencode <= state->codes + ENOUGH - 1) {
-        copy->lencode = copy->codes + (state->lencode - state->codes);
-        copy->distcode = copy->codes + (state->distcode - state->codes);
-    }
-    copy->next = copy->codes + (state->next - state->codes);
-    if (window != Z_NULL) {
-        wsize = 1U << state->wbits;
-        zmemcpy(window, state->window, wsize);
-    }
-    copy->window = window;
-    dest->state = (struct internal_state FAR *)copy;
-    return Z_OK;
-}
diff --git a/security/nss/cmd/zlib/inflate.h b/security/nss/cmd/zlib/inflate.h
deleted file mode 100644
index 07bd3e78a..000000000
--- a/security/nss/cmd/zlib/inflate.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/* inflate.h -- internal inflate state definition
- * Copyright (C) 1995-2004 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
-   part of the implementation of the compression library and is
-   subject to change. Applications should only use zlib.h.
- */
-
-/* define NO_GZIP when compiling if you want to disable gzip header and
-   trailer decoding by inflate().  NO_GZIP would be used to avoid linking in
-   the crc code when it is not needed.  For shared libraries, gzip decoding
-   should be left enabled. */
-#ifndef NO_GZIP
-#  define GUNZIP
-#endif
-
-/* Possible inflate modes between inflate() calls */
-typedef enum {
-    HEAD,       /* i: waiting for magic header */
-    FLAGS,      /* i: waiting for method and flags (gzip) */
-    TIME,       /* i: waiting for modification time (gzip) */
-    OS,         /* i: waiting for extra flags and operating system (gzip) */
-    EXLEN,      /* i: waiting for extra length (gzip) */
-    EXTRA,      /* i: waiting for extra bytes (gzip) */
-    NAME,       /* i: waiting for end of file name (gzip) */
-    COMMENT,    /* i: waiting for end of comment (gzip) */
-    HCRC,       /* i: waiting for header crc (gzip) */
-    DICTID,     /* i: waiting for dictionary check value */
-    DICT,       /* waiting for inflateSetDictionary() call */
-        TYPE,       /* i: waiting for type bits, including last-flag bit */
-        TYPEDO,     /* i: same, but skip check to exit inflate on new block */
-        STORED,     /* i: waiting for stored size (length and complement) */
-        COPY,       /* i/o: waiting for input or output to copy stored block */
-        TABLE,      /* i: waiting for dynamic block table lengths */
-        LENLENS,    /* i: waiting for code length code lengths */
-        CODELENS,   /* i: waiting for length/lit and distance code lengths */
-            LEN,        /* i: waiting for length/lit code */
-            LENEXT,     /* i: waiting for length extra bits */
-            DIST,       /* i: waiting for distance code */
-            DISTEXT,    /* i: waiting for distance extra bits */
-            MATCH,      /* o: waiting for output space to copy string */
-            LIT,        /* o: waiting for output space to write literal */
-    CHECK,      /* i: waiting for 32-bit check value */
-    LENGTH,     /* i: waiting for 32-bit length (gzip) */
-    DONE,       /* finished check, done -- remain here until reset */
-    BAD,        /* got a data error -- remain here until reset */
-    MEM,        /* got an inflate() memory error -- remain here until reset */
-    SYNC        /* looking for synchronization bytes to restart inflate() */
-} inflate_mode;
-
-/*
-    State transitions between above modes -
-
-    (most modes can go to the BAD or MEM mode -- not shown for clarity)
-
-    Process header:
-        HEAD -> (gzip) or (zlib)
-        (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME
-        NAME -> COMMENT -> HCRC -> TYPE
-        (zlib) -> DICTID or TYPE
-        DICTID -> DICT -> TYPE
-    Read deflate blocks:
-            TYPE -> STORED or TABLE or LEN or CHECK
-            STORED -> COPY -> TYPE
-            TABLE -> LENLENS -> CODELENS -> LEN
-    Read deflate codes:
-                LEN -> LENEXT or LIT or TYPE
-                LENEXT -> DIST -> DISTEXT -> MATCH -> LEN
-                LIT -> LEN
-    Process trailer:
-        CHECK -> LENGTH -> DONE
- */
-
-/* state maintained between inflate() calls.  Approximately 7K bytes. */
-struct inflate_state {
-    inflate_mode mode;          /* current inflate mode */
-    int last;                   /* true if processing last block */
-    int wrap;                   /* bit 0 true for zlib, bit 1 true for gzip */
-    int havedict;               /* true if dictionary provided */
-    int flags;                  /* gzip header method and flags (0 if zlib) */
-    unsigned dmax;              /* zlib header max distance (INFLATE_STRICT) */
-    unsigned long check;        /* protected copy of check value */
-    unsigned long total;        /* protected copy of output count */
-    gz_headerp head;            /* where to save gzip header information */
-        /* sliding window */
-    unsigned wbits;             /* log base 2 of requested window size */
-    unsigned wsize;             /* window size or zero if not using window */
-    unsigned whave;             /* valid bytes in the window */
-    unsigned write;             /* window write index */
-    unsigned char FAR *window;  /* allocated sliding window, if needed */
-        /* bit accumulator */
-    unsigned long hold;         /* input bit accumulator */
-    unsigned bits;              /* number of bits in "in" */
-        /* for string and stored block copying */
-    unsigned length;            /* literal or length of data to copy */
-    unsigned offset;            /* distance back to copy string from */
-        /* for table and code decoding */
-    unsigned extra;             /* extra bits needed */
-        /* fixed and dynamic code tables */
-    code const FAR *lencode;    /* starting table for length/literal codes */
-    code const FAR *distcode;   /* starting table for distance codes */
-    unsigned lenbits;           /* index bits for lencode */
-    unsigned distbits;          /* index bits for distcode */
-        /* dynamic table building */
-    unsigned ncode;             /* number of code length code lengths */
-    unsigned nlen;              /* number of length code lengths */
-    unsigned ndist;             /* number of distance code lengths */
-    unsigned have;              /* number of code lengths in lens[] */
-    code FAR *next;             /* next available space in codes[] */
-    unsigned short lens[320];   /* temporary storage for code lengths */
-    unsigned short work[288];   /* work area for code table building */
-    code codes[ENOUGH];         /* space for code tables */
-};
diff --git a/security/nss/cmd/zlib/inftrees.c b/security/nss/cmd/zlib/inftrees.c
deleted file mode 100644
index 8a9c13ff0..000000000
--- a/security/nss/cmd/zlib/inftrees.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/* inftrees.c -- generate Huffman trees for efficient decoding
- * Copyright (C) 1995-2005 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include "zutil.h"
-#include "inftrees.h"
-
-#define MAXBITS 15
-
-const char inflate_copyright[] =
-   " inflate 1.2.3 Copyright 1995-2005 Mark Adler ";
-/*
-  If you use the zlib library in a product, an acknowledgment is welcome
-  in the documentation of your product. If for some reason you cannot
-  include such an acknowledgment, I would appreciate that you keep this
-  copyright string in the executable of your product.
- */
-
-/*
-   Build a set of tables to decode the provided canonical Huffman code.
-   The code lengths are lens[0..codes-1].  The result starts at *table,
-   whose indices are 0..2^bits-1.  work is a writable array of at least
-   lens shorts, which is used as a work area.  type is the type of code
-   to be generated, CODES, LENS, or DISTS.  On return, zero is success,
-   -1 is an invalid code, and +1 means that ENOUGH isn't enough.  table
-   on return points to the next available entry's address.  bits is the
-   requested root table index bits, and on return it is the actual root
-   table index bits.  It will differ if the request is greater than the
-   longest code or if it is less than the shortest code.
- */
-int inflate_table(type, lens, codes, table, bits, work)
-codetype type;
-unsigned short FAR *lens;
-unsigned codes;
-code FAR * FAR *table;
-unsigned FAR *bits;
-unsigned short FAR *work;
-{
-    unsigned len;               /* a code's length in bits */
-    unsigned sym;               /* index of code symbols */
-    unsigned min, max;          /* minimum and maximum code lengths */
-    unsigned root;              /* number of index bits for root table */
-    unsigned curr;              /* number of index bits for current table */
-    unsigned drop;              /* code bits to drop for sub-table */
-    int left;                   /* number of prefix codes available */
-    unsigned used;              /* code entries in table used */
-    unsigned huff;              /* Huffman code */
-    unsigned incr;              /* for incrementing code, index */
-    unsigned fill;              /* index for replicating entries */
-    unsigned low;               /* low bits for current root entry */
-    unsigned mask;              /* mask for low root bits */
-    code this;                  /* table entry for duplication */
-    code FAR *next;             /* next available space in table */
-    const unsigned short FAR *base;     /* base value table to use */
-    const unsigned short FAR *extra;    /* extra bits table to use */
-    int end;                    /* use base and extra for symbol > end */
-    unsigned short count[MAXBITS+1];    /* number of codes of each length */
-    unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
-    static const unsigned short lbase[31] = { /* Length codes 257..285 base */
-        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
-        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
-    static const unsigned short lext[31] = { /* Length codes 257..285 extra */
-        16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
-        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 201, 196};
-    static const unsigned short dbase[32] = { /* Distance codes 0..29 base */
-        1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
-        257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
-        8193, 12289, 16385, 24577, 0, 0};
-    static const unsigned short dext[32] = { /* Distance codes 0..29 extra */
-        16, 16, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22,
-        23, 23, 24, 24, 25, 25, 26, 26, 27, 27,
-        28, 28, 29, 29, 64, 64};
-
-    /*
-       Process a set of code lengths to create a canonical Huffman code.  The
-       code lengths are lens[0..codes-1].  Each length corresponds to the
-       symbols 0..codes-1.  The Huffman code is generated by first sorting the
-       symbols by length from short to long, and retaining the symbol order
-       for codes with equal lengths.  Then the code starts with all zero bits
-       for the first code of the shortest length, and the codes are integer
-       increments for the same length, and zeros are appended as the length
-       increases.  For the deflate format, these bits are stored backwards
-       from their more natural integer increment ordering, and so when the
-       decoding tables are built in the large loop below, the integer codes
-       are incremented backwards.
-
-       This routine assumes, but does not check, that all of the entries in
-       lens[] are in the range 0..MAXBITS.  The caller must assure this.
-       1..MAXBITS is interpreted as that code length.  zero means that that
-       symbol does not occur in this code.
-
-       The codes are sorted by computing a count of codes for each length,
-       creating from that a table of starting indices for each length in the
-       sorted table, and then entering the symbols in order in the sorted
-       table.  The sorted table is work[], with that space being provided by
-       the caller.
-
-       The length counts are used for other purposes as well, i.e. finding
-       the minimum and maximum length codes, determining if there are any
-       codes at all, checking for a valid set of lengths, and looking ahead
-       at length counts to determine sub-table sizes when building the
-       decoding tables.
-     */
-
-    /* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */
-    for (len = 0; len <= MAXBITS; len++)
-        count[len] = 0;
-    for (sym = 0; sym < codes; sym++)
-        count[lens[sym]]++;
-
-    /* bound code lengths, force root to be within code lengths */
-    root = *bits;
-    for (max = MAXBITS; max >= 1; max--)
-        if (count[max] != 0) break;
-    if (root > max) root = max;
-    if (max == 0) {                     /* no symbols to code at all */
-        this.op = (unsigned char)64;    /* invalid code marker */
-        this.bits = (unsigned char)1;
-        this.val = (unsigned short)0;
-        *(*table)++ = this;             /* make a table to force an error */
-        *(*table)++ = this;
-        *bits = 1;
-        return 0;     /* no symbols, but wait for decoding to report error */
-    }
-    for (min = 1; min <= MAXBITS; min++)
-        if (count[min] != 0) break;
-    if (root < min) root = min;
-
-    /* check for an over-subscribed or incomplete set of lengths */
-    left = 1;
-    for (len = 1; len <= MAXBITS; len++) {
-        left <<= 1;
-        left -= count[len];
-        if (left < 0) return -1;        /* over-subscribed */
-    }
-    if (left > 0 && (type == CODES || max != 1))
-        return -1;                      /* incomplete set */
-
-    /* generate offsets into symbol table for each length for sorting */
-    offs[1] = 0;
-    for (len = 1; len < MAXBITS; len++)
-        offs[len + 1] = offs[len] + count[len];
-
-    /* sort symbols by length, by symbol order within each length */
-    for (sym = 0; sym < codes; sym++)
-        if (lens[sym] != 0) work[offs[lens[sym]]++] = (unsigned short)sym;
-
-    /*
-       Create and fill in decoding tables.  In this loop, the table being
-       filled is at next and has curr index bits.  The code being used is huff
-       with length len.  That code is converted to an index by dropping drop
-       bits off of the bottom.  For codes where len is less than drop + curr,
-       those top drop + curr - len bits are incremented through all values to
-       fill the table with replicated entries.
-
-       root is the number of index bits for the root table.  When len exceeds
-       root, sub-tables are created pointed to by the root entry with an index
-       of the low root bits of huff.  This is saved in low to check for when a
-       new sub-table should be started.  drop is zero when the root table is
-       being filled, and drop is root when sub-tables are being filled.
-
-       When a new sub-table is needed, it is necessary to look ahead in the
-       code lengths to determine what size sub-table is needed.  The length
-       counts are used for this, and so count[] is decremented as codes are
-       entered in the tables.
-
-       used keeps track of how many table entries have been allocated from the
-       provided *table space.  It is checked when a LENS table is being made
-       against the space in *table, ENOUGH, minus the maximum space needed by
-       the worst case distance code, MAXD.  This should never happen, but the
-       sufficiency of ENOUGH has not been proven exhaustively, hence the check.
-       This assumes that when type == LENS, bits == 9.
-
-       sym increments through all symbols, and the loop terminates when
-       all codes of length max, i.e. all codes, have been processed.  This
-       routine permits incomplete codes, so another loop after this one fills
-       in the rest of the decoding tables with invalid code markers.
-     */
-
-    /* set up for code type */
-    switch (type) {
-    case CODES:
-        base = extra = work;    /* dummy value--not used */
-        end = 19;
-        break;
-    case LENS:
-        base = lbase;
-        base -= 257;
-        extra = lext;
-        extra -= 257;
-        end = 256;
-        break;
-    default:            /* DISTS */
-        base = dbase;
-        extra = dext;
-        end = -1;
-    }
-
-    /* initialize state for loop */
-    huff = 0;                   /* starting code */
-    sym = 0;                    /* starting code symbol */
-    len = min;                  /* starting code length */
-    next = *table;              /* current table to fill in */
-    curr = root;                /* current table index bits */
-    drop = 0;                   /* current bits to drop from code for index */
-    low = (unsigned)(-1);       /* trigger new sub-table when len > root */
-    used = 1U << root;          /* use root table entries */
-    mask = used - 1;            /* mask for comparing low */
-
-    /* check available table space */
-    if (type == LENS && used >= ENOUGH - MAXD)
-        return 1;
-
-    /* process all codes and make table entries */
-    for (;;) {
-        /* create table entry */
-        this.bits = (unsigned char)(len - drop);
-        if ((int)(work[sym]) < end) {
-            this.op = (unsigned char)0;
-            this.val = work[sym];
-        }
-        else if ((int)(work[sym]) > end) {
-            this.op = (unsigned char)(extra[work[sym]]);
-            this.val = base[work[sym]];
-        }
-        else {
-            this.op = (unsigned char)(32 + 64);         /* end of block */
-            this.val = 0;
-        }
-
-        /* replicate for those indices with low len bits equal to huff */
-        incr = 1U << (len - drop);
-        fill = 1U << curr;
-        min = fill;                 /* save offset to next table */
-        do {
-            fill -= incr;
-            next[(huff >> drop) + fill] = this;
-        } while (fill != 0);
-
-        /* backwards increment the len-bit code huff */
-        incr = 1U << (len - 1);
-        while (huff & incr)
-            incr >>= 1;
-        if (incr != 0) {
-            huff &= incr - 1;
-            huff += incr;
-        }
-        else
-            huff = 0;
-
-        /* go to next symbol, update count, len */
-        sym++;
-        if (--(count[len]) == 0) {
-            if (len == max) break;
-            len = lens[work[sym]];
-        }
-
-        /* create new sub-table if needed */
-        if (len > root && (huff & mask) != low) {
-            /* if first time, transition to sub-tables */
-            if (drop == 0)
-                drop = root;
-
-            /* increment past last table */
-            next += min;            /* here min is 1 << curr */
-
-            /* determine length of next table */
-            curr = len - drop;
-            left = (int)(1 << curr);
-            while (curr + drop < max) {
-                left -= count[curr + drop];
-                if (left <= 0) break;
-                curr++;
-                left <<= 1;
-            }
-
-            /* check for enough space */
-            used += 1U << curr;
-            if (type == LENS && used >= ENOUGH - MAXD)
-                return 1;
-
-            /* point entry in root table to sub-table */
-            low = huff & mask;
-            (*table)[low].op = (unsigned char)curr;
-            (*table)[low].bits = (unsigned char)root;
-            (*table)[low].val = (unsigned short)(next - *table);
-        }
-    }
-
-    /*
-       Fill in rest of table for incomplete codes.  This loop is similar to the
-       loop above in incrementing huff for table indices.  It is assumed that
-       len is equal to curr + drop, so there is no loop needed to increment
-       through high index bits.  When the current sub-table is filled, the loop
-       drops back to the root table to fill in any remaining entries there.
-     */
-    this.op = (unsigned char)64;                /* invalid code marker */
-    this.bits = (unsigned char)(len - drop);
-    this.val = (unsigned short)0;
-    while (huff != 0) {
-        /* when done with sub-table, drop back to root table */
-        if (drop != 0 && (huff & mask) != low) {
-            drop = 0;
-            len = root;
-            next = *table;
-            this.bits = (unsigned char)len;
-        }
-
-        /* put invalid code marker in table */
-        next[huff >> drop] = this;
-
-        /* backwards increment the len-bit code huff */
-        incr = 1U << (len - 1);
-        while (huff & incr)
-            incr >>= 1;
-        if (incr != 0) {
-            huff &= incr - 1;
-            huff += incr;
-        }
-        else
-            huff = 0;
-    }
-
-    /* set return parameters */
-    *table += used;
-    *bits = root;
-    return 0;
-}
diff --git a/security/nss/cmd/zlib/inftrees.h b/security/nss/cmd/zlib/inftrees.h
deleted file mode 100644
index b1104c87e..000000000
--- a/security/nss/cmd/zlib/inftrees.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* inftrees.h -- header to use inftrees.c
- * Copyright (C) 1995-2005 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
-   part of the implementation of the compression library and is
-   subject to change. Applications should only use zlib.h.
- */
-
-/* Structure for decoding tables.  Each entry provides either the
-   information needed to do the operation requested by the code that
-   indexed that table entry, or it provides a pointer to another
-   table that indexes more bits of the code.  op indicates whether
-   the entry is a pointer to another table, a literal, a length or
-   distance, an end-of-block, or an invalid code.  For a table
-   pointer, the low four bits of op is the number of index bits of
-   that table.  For a length or distance, the low four bits of op
-   is the number of extra bits to get after the code.  bits is
-   the number of bits in this code or part of the code to drop off
-   of the bit buffer.  val is the actual byte to output in the case
-   of a literal, the base length or distance, or the offset from
-   the current table to the next table.  Each entry is four bytes. */
-typedef struct {
-    unsigned char op;           /* operation, extra bits, table bits */
-    unsigned char bits;         /* bits in this part of the code */
-    unsigned short val;         /* offset in table or code value */
-} code;
-
-/* op values as set by inflate_table():
-    00000000 - literal
-    0000tttt - table link, tttt != 0 is the number of table index bits
-    0001eeee - length or distance, eeee is the number of extra bits
-    01100000 - end of block
-    01000000 - invalid code
- */
-
-/* Maximum size of dynamic tree.  The maximum found in a long but non-
-   exhaustive search was 1444 code structures (852 for length/literals
-   and 592 for distances, the latter actually the result of an
-   exhaustive search).  The true maximum is not known, but the value
-   below is more than safe. */
-#define ENOUGH 2048
-#define MAXD 592
-
-/* Type of code to build for inftable() */
-typedef enum {
-    CODES,
-    LENS,
-    DISTS
-} codetype;
-
-extern int inflate_table OF((codetype type, unsigned short FAR *lens,
-                             unsigned codes, code FAR * FAR *table,
-                             unsigned FAR *bits, unsigned short FAR *work));
diff --git a/security/nss/cmd/zlib/manifest.mn b/security/nss/cmd/zlib/manifest.mn
deleted file mode 100644
index ae4348295..000000000
--- a/security/nss/cmd/zlib/manifest.mn
+++ /dev/null
@@ -1,68 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-PRIVATE_EXPORTS = zlib.h zconf.h
-
-CSRCS =	adler32.c 	\
-	compress.c 	\
-	crc32.c 	\
-	gzio.c  	\
-	uncompr.c 	\
-	deflate.c 	\
-	trees.c 	\
-	zutil.c 	\
-	inflate.c 	\
-	infback.c 	\
-	inftrees.c 	\
-	inffast.c 	\
-	$(NULL)
-
-LIBRARY_NAME = zlib
-
-PROGRAMS = example minigzip
-
-# REQUIRES = nss
-
-# Define verbose as -1 to turn off all zlib trace messages in
-# debug builds.
-DEFINES = -Dverbose=-1
-
-NO_MD_RELEASE = 1
diff --git a/security/nss/cmd/zlib/minigzip.c b/security/nss/cmd/zlib/minigzip.c
deleted file mode 100644
index 4524b96a1..000000000
--- a/security/nss/cmd/zlib/minigzip.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/* minigzip.c -- simulate gzip using the zlib compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- * minigzip is a minimal implementation of the gzip utility. This is
- * only an example of using zlib and isn't meant to replace the
- * full-featured gzip. No attempt is made to deal with file systems
- * limiting names to 14 or 8+3 characters, etc... Error checking is
- * very limited. So use minigzip only for testing; use gzip for the
- * real thing. On MSDOS, use only on file names without extension
- * or in pipe mode.
- */
-
-/* @(#) $Id$ */
-
-#include <stdio.h>
-#include "zlib.h"
-
-#ifdef STDC
-#  include <string.h>
-#  include <stdlib.h>
-#endif
-
-#ifdef USE_MMAP
-#  include <sys/types.h>
-#  include <sys/mman.h>
-#  include <sys/stat.h>
-#endif
-
-#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
-#  include <fcntl.h>
-#  include <io.h>
-#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
-#else
-#  define SET_BINARY_MODE(file)
-#endif
-
-#ifdef VMS
-#  define unlink delete
-#  define GZ_SUFFIX "-gz"
-#endif
-#ifdef RISCOS
-#  define unlink remove
-#  define GZ_SUFFIX "-gz"
-#  define fileno(file) file->__file
-#endif
-#if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
-#  include <unix.h> /* for fileno */
-#endif
-
-#ifndef WIN32 /* unlink already in stdio.h for WIN32 */
-  extern int unlink OF((const char *));
-#endif
-
-#ifndef GZ_SUFFIX
-#  define GZ_SUFFIX ".gz"
-#endif
-#define SUFFIX_LEN (sizeof(GZ_SUFFIX)-1)
-
-#define BUFLEN      16384
-#define MAX_NAME_LEN 1024
-
-#ifdef MAXSEG_64K
-#  define local static
-   /* Needed for systems with limitation on stack size. */
-#else
-#  define local
-#endif
-
-char *prog;
-
-void error            OF((const char *msg));
-void gz_compress      OF((FILE   *in, gzFile out));
-#ifdef USE_MMAP
-int  gz_compress_mmap OF((FILE   *in, gzFile out));
-#endif
-void gz_uncompress    OF((gzFile in, FILE   *out));
-void file_compress    OF((char  *file, char *mode));
-void file_uncompress  OF((char  *file));
-int  main             OF((int argc, char *argv[]));
-
-/* ===========================================================================
- * Display error message and exit
- */
-void error(msg)
-    const char *msg;
-{
-    fprintf(stderr, "%s: %s\n", prog, msg);
-    exit(1);
-}
-
-/* ===========================================================================
- * Compress input to output then close both files.
- */
-
-void gz_compress(in, out)
-    FILE   *in;
-    gzFile out;
-{
-    local char buf[BUFLEN];
-    int len;
-    int err;
-
-#ifdef USE_MMAP
-    /* Try first compressing with mmap. If mmap fails (minigzip used in a
-     * pipe), use the normal fread loop.
-     */
-    if (gz_compress_mmap(in, out) == Z_OK) return;
-#endif
-    for (;;) {
-        len = (int)fread(buf, 1, sizeof(buf), in);
-        if (ferror(in)) {
-            perror("fread");
-            exit(1);
-        }
-        if (len == 0) break;
-
-        if (gzwrite(out, buf, (unsigned)len) != len) error(gzerror(out, &err));
-    }
-    fclose(in);
-    if (gzclose(out) != Z_OK) error("failed gzclose");
-}
-
-#ifdef USE_MMAP /* MMAP version, Miguel Albrecht <malbrech@eso.org> */
-
-/* Try compressing the input file at once using mmap. Return Z_OK if
- * if success, Z_ERRNO otherwise.
- */
-int gz_compress_mmap(in, out)
-    FILE   *in;
-    gzFile out;
-{
-    int len;
-    int err;
-    int ifd = fileno(in);
-    caddr_t buf;    /* mmap'ed buffer for the entire input file */
-    off_t buf_len;  /* length of the input file */
-    struct stat sb;
-
-    /* Determine the size of the file, needed for mmap: */
-    if (fstat(ifd, &sb) < 0) return Z_ERRNO;
-    buf_len = sb.st_size;
-    if (buf_len <= 0) return Z_ERRNO;
-
-    /* Now do the actual mmap: */
-    buf = mmap((caddr_t) 0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0);
-    if (buf == (caddr_t)(-1)) return Z_ERRNO;
-
-    /* Compress the whole file at once: */
-    len = gzwrite(out, (char *)buf, (unsigned)buf_len);
-
-    if (len != (int)buf_len) error(gzerror(out, &err));
-
-    munmap(buf, buf_len);
-    fclose(in);
-    if (gzclose(out) != Z_OK) error("failed gzclose");
-    return Z_OK;
-}
-#endif /* USE_MMAP */
-
-/* ===========================================================================
- * Uncompress input to output then close both files.
- */
-void gz_uncompress(in, out)
-    gzFile in;
-    FILE   *out;
-{
-    local char buf[BUFLEN];
-    int len;
-    int err;
-
-    for (;;) {
-        len = gzread(in, buf, sizeof(buf));
-        if (len < 0) error (gzerror(in, &err));
-        if (len == 0) break;
-
-        if ((int)fwrite(buf, 1, (unsigned)len, out) != len) {
-            error("failed fwrite");
-        }
-    }
-    if (fclose(out)) error("failed fclose");
-
-    if (gzclose(in) != Z_OK) error("failed gzclose");
-}
-
-
-/* ===========================================================================
- * Compress the given file: create a corresponding .gz file and remove the
- * original.
- */
-void file_compress(file, mode)
-    char  *file;
-    char  *mode;
-{
-    local char outfile[MAX_NAME_LEN];
-    FILE  *in;
-    gzFile out;
-
-    strcpy(outfile, file);
-    strcat(outfile, GZ_SUFFIX);
-
-    in = fopen(file, "rb");
-    if (in == NULL) {
-        perror(file);
-        exit(1);
-    }
-    out = gzopen(outfile, mode);
-    if (out == NULL) {
-        fprintf(stderr, "%s: can't gzopen %s\n", prog, outfile);
-        exit(1);
-    }
-    gz_compress(in, out);
-
-    unlink(file);
-}
-
-
-/* ===========================================================================
- * Uncompress the given file and remove the original.
- */
-void file_uncompress(file)
-    char  *file;
-{
-    local char buf[MAX_NAME_LEN];
-    char *infile, *outfile;
-    FILE  *out;
-    gzFile in;
-    uInt len = (uInt)strlen(file);
-
-    strcpy(buf, file);
-
-    if (len > SUFFIX_LEN && strcmp(file+len-SUFFIX_LEN, GZ_SUFFIX) == 0) {
-        infile = file;
-        outfile = buf;
-        outfile[len-3] = '\0';
-    } else {
-        outfile = file;
-        infile = buf;
-        strcat(infile, GZ_SUFFIX);
-    }
-    in = gzopen(infile, "rb");
-    if (in == NULL) {
-        fprintf(stderr, "%s: can't gzopen %s\n", prog, infile);
-        exit(1);
-    }
-    out = fopen(outfile, "wb");
-    if (out == NULL) {
-        perror(file);
-        exit(1);
-    }
-
-    gz_uncompress(in, out);
-
-    unlink(infile);
-}
-
-
-/* ===========================================================================
- * Usage:  minigzip [-d] [-f] [-h] [-r] [-1 to -9] [files...]
- *   -d : decompress
- *   -f : compress with Z_FILTERED
- *   -h : compress with Z_HUFFMAN_ONLY
- *   -r : compress with Z_RLE
- *   -1 to -9 : compression level
- */
-
-int main(argc, argv)
-    int argc;
-    char *argv[];
-{
-    int uncompr = 0;
-    gzFile file;
-    char outmode[20];
-
-    strcpy(outmode, "wb6 ");
-
-    prog = argv[0];
-    argc--, argv++;
-
-    while (argc > 0) {
-      if (strcmp(*argv, "-d") == 0)
-        uncompr = 1;
-      else if (strcmp(*argv, "-f") == 0)
-        outmode[3] = 'f';
-      else if (strcmp(*argv, "-h") == 0)
-        outmode[3] = 'h';
-      else if (strcmp(*argv, "-r") == 0)
-        outmode[3] = 'R';
-      else if ((*argv)[0] == '-' && (*argv)[1] >= '1' && (*argv)[1] <= '9' &&
-               (*argv)[2] == 0)
-        outmode[2] = (*argv)[1];
-      else
-        break;
-      argc--, argv++;
-    }
-    if (outmode[3] == ' ')
-        outmode[3] = 0;
-    if (argc == 0) {
-        SET_BINARY_MODE(stdin);
-        SET_BINARY_MODE(stdout);
-        if (uncompr) {
-            file = gzdopen(fileno(stdin), "rb");
-            if (file == NULL) error("can't gzdopen stdin");
-            gz_uncompress(file, stdout);
-        } else {
-            file = gzdopen(fileno(stdout), outmode);
-            if (file == NULL) error("can't gzdopen stdout");
-            gz_compress(stdin, file);
-        }
-    } else {
-        do {
-            if (uncompr) {
-                file_uncompress(*argv);
-            } else {
-                file_compress(*argv, outmode);
-            }
-        } while (argv++, --argc);
-    }
-    return 0;
-}
diff --git a/security/nss/cmd/zlib/trees.c b/security/nss/cmd/zlib/trees.c
deleted file mode 100644
index 395e4e168..000000000
--- a/security/nss/cmd/zlib/trees.c
+++ /dev/null
@@ -1,1219 +0,0 @@
-/* trees.c -- output deflated data using Huffman coding
- * Copyright (C) 1995-2005 Jean-loup Gailly
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- *  ALGORITHM
- *
- *      The "deflation" process uses several Huffman trees. The more
- *      common source values are represented by shorter bit sequences.
- *
- *      Each code tree is stored in a compressed form which is itself
- * a Huffman encoding of the lengths of all the code strings (in
- * ascending order by source values).  The actual code strings are
- * reconstructed from the lengths in the inflate process, as described
- * in the deflate specification.
- *
- *  REFERENCES
- *
- *      Deutsch, L.P.,"'Deflate' Compressed Data Format Specification".
- *      Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc
- *
- *      Storer, James A.
- *          Data Compression:  Methods and Theory, pp. 49-50.
- *          Computer Science Press, 1988.  ISBN 0-7167-8156-5.
- *
- *      Sedgewick, R.
- *          Algorithms, p290.
- *          Addison-Wesley, 1983. ISBN 0-201-06672-6.
- */
-
-/* @(#) $Id$ */
-
-/* #define GEN_TREES_H */
-
-#include "deflate.h"
-
-#ifdef DEBUG
-#  include <ctype.h>
-#endif
-
-/* ===========================================================================
- * Constants
- */
-
-#define MAX_BL_BITS 7
-/* Bit length codes must not exceed MAX_BL_BITS bits */
-
-#define END_BLOCK 256
-/* end of block literal code */
-
-#define REP_3_6      16
-/* repeat previous bit length 3-6 times (2 bits of repeat count) */
-
-#define REPZ_3_10    17
-/* repeat a zero length 3-10 times  (3 bits of repeat count) */
-
-#define REPZ_11_138  18
-/* repeat a zero length 11-138 times  (7 bits of repeat count) */
-
-local const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */
-   = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};
-
-local const int extra_dbits[D_CODES] /* extra bits for each distance code */
-   = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};
-
-local const int extra_blbits[BL_CODES]/* extra bits for each bit length code */
-   = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};
-
-local const uch bl_order[BL_CODES]
-   = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};
-/* The lengths of the bit length codes are sent in order of decreasing
- * probability, to avoid transmitting the lengths for unused bit length codes.
- */
-
-#define Buf_size (8 * 2*sizeof(char))
-/* Number of bits used within bi_buf. (bi_buf might be implemented on
- * more than 16 bits on some systems.)
- */
-
-/* ===========================================================================
- * Local data. These are initialized only once.
- */
-
-#define DIST_CODE_LEN  512 /* see definition of array dist_code below */
-
-#if defined(GEN_TREES_H) || !defined(STDC)
-/* non ANSI compilers may not accept trees.h */
-
-local ct_data static_ltree[L_CODES+2];
-/* The static literal tree. Since the bit lengths are imposed, there is no
- * need for the L_CODES extra codes used during heap construction. However
- * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
- * below).
- */
-
-local ct_data static_dtree[D_CODES];
-/* The static distance tree. (Actually a trivial tree since all codes use
- * 5 bits.)
- */
-
-uch _dist_code[DIST_CODE_LEN];
-/* Distance codes. The first 256 values correspond to the distances
- * 3 .. 258, the last 256 values correspond to the top 8 bits of
- * the 15 bit distances.
- */
-
-uch _length_code[MAX_MATCH-MIN_MATCH+1];
-/* length code for each normalized match length (0 == MIN_MATCH) */
-
-local int base_length[LENGTH_CODES];
-/* First normalized length for each code (0 = MIN_MATCH) */
-
-local int base_dist[D_CODES];
-/* First normalized distance for each code (0 = distance of 1) */
-
-#else
-#  include "trees.h"
-#endif /* GEN_TREES_H */
-
-struct static_tree_desc_s {
-    const ct_data *static_tree;  /* static tree or NULL */
-    const intf *extra_bits;      /* extra bits for each code or NULL */
-    int     extra_base;          /* base index for extra_bits */
-    int     elems;               /* max number of elements in the tree */
-    int     max_length;          /* max bit length for the codes */
-};
-
-local static_tree_desc  static_l_desc =
-{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};
-
-local static_tree_desc  static_d_desc =
-{static_dtree, extra_dbits, 0,          D_CODES, MAX_BITS};
-
-local static_tree_desc  static_bl_desc =
-{(const ct_data *)0, extra_blbits, 0,   BL_CODES, MAX_BL_BITS};
-
-/* ===========================================================================
- * Local (static) routines in this file.
- */
-
-local void tr_static_init OF((void));
-local void init_block     OF((deflate_state *s));
-local void pqdownheap     OF((deflate_state *s, ct_data *tree, int k));
-local void gen_bitlen     OF((deflate_state *s, tree_desc *desc));
-local void gen_codes      OF((ct_data *tree, int max_code, ushf *bl_count));
-local void build_tree     OF((deflate_state *s, tree_desc *desc));
-local void scan_tree      OF((deflate_state *s, ct_data *tree, int max_code));
-local void send_tree      OF((deflate_state *s, ct_data *tree, int max_code));
-local int  build_bl_tree  OF((deflate_state *s));
-local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes,
-                              int blcodes));
-local void compress_block OF((deflate_state *s, ct_data *ltree,
-                              ct_data *dtree));
-local void set_data_type  OF((deflate_state *s));
-local unsigned bi_reverse OF((unsigned value, int length));
-local void bi_windup      OF((deflate_state *s));
-local void bi_flush       OF((deflate_state *s));
-local void copy_block     OF((deflate_state *s, charf *buf, unsigned len,
-                              int header));
-
-#ifdef GEN_TREES_H
-local void gen_trees_header OF((void));
-#endif
-
-#ifndef DEBUG
-#  define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)
-   /* Send a code of the given tree. c and tree must not have side effects */
-
-#else /* DEBUG */
-#  define send_code(s, c, tree) \
-     { if (z_verbose>2) fprintf(stderr,"\ncd %3d ",(c)); \
-       send_bits(s, tree[c].Code, tree[c].Len); }
-#endif
-
-/* ===========================================================================
- * Output a short LSB first on the stream.
- * IN assertion: there is enough room in pendingBuf.
- */
-#define put_short(s, w) { \
-    put_byte(s, (uch)((w) & 0xff)); \
-    put_byte(s, (uch)((ush)(w) >> 8)); \
-}
-
-/* ===========================================================================
- * Send a value on a given number of bits.
- * IN assertion: length <= 16 and value fits in length bits.
- */
-#ifdef DEBUG
-local void send_bits      OF((deflate_state *s, int value, int length));
-
-local void send_bits(s, value, length)
-    deflate_state *s;
-    int value;  /* value to send */
-    int length; /* number of bits */
-{
-    Tracevv((stderr," l %2d v %4x ", length, value));
-    Assert(length > 0 && length <= 15, "invalid length");
-    s->bits_sent += (ulg)length;
-
-    /* If not enough room in bi_buf, use (valid) bits from bi_buf and
-     * (16 - bi_valid) bits from value, leaving (width - (16-bi_valid))
-     * unused bits in value.
-     */
-    if (s->bi_valid > (int)Buf_size - length) {
-        s->bi_buf |= (value << s->bi_valid);
-        put_short(s, s->bi_buf);
-        s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
-        s->bi_valid += length - Buf_size;
-    } else {
-        s->bi_buf |= value << s->bi_valid;
-        s->bi_valid += length;
-    }
-}
-#else /* !DEBUG */
-
-#define send_bits(s, value, length) \
-{ int len = length;\
-  if (s->bi_valid > (int)Buf_size - len) {\
-    int val = value;\
-    s->bi_buf |= (val << s->bi_valid);\
-    put_short(s, s->bi_buf);\
-    s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
-    s->bi_valid += len - Buf_size;\
-  } else {\
-    s->bi_buf |= (value) << s->bi_valid;\
-    s->bi_valid += len;\
-  }\
-}
-#endif /* DEBUG */
-
-
-/* the arguments must not have side effects */
-
-/* ===========================================================================
- * Initialize the various 'constant' tables.
- */
-local void tr_static_init()
-{
-#if defined(GEN_TREES_H) || !defined(STDC)
-    static int static_init_done = 0;
-    int n;        /* iterates over tree elements */
-    int bits;     /* bit counter */
-    int length;   /* length value */
-    int code;     /* code value */
-    int dist;     /* distance index */
-    ush bl_count[MAX_BITS+1];
-    /* number of codes at each bit length for an optimal tree */
-
-    if (static_init_done) return;
-
-    /* For some embedded targets, global variables are not initialized: */
-    static_l_desc.static_tree = static_ltree;
-    static_l_desc.extra_bits = extra_lbits;
-    static_d_desc.static_tree = static_dtree;
-    static_d_desc.extra_bits = extra_dbits;
-    static_bl_desc.extra_bits = extra_blbits;
-
-    /* Initialize the mapping length (0..255) -> length code (0..28) */
-    length = 0;
-    for (code = 0; code < LENGTH_CODES-1; code++) {
-        base_length[code] = length;
-        for (n = 0; n < (1<<extra_lbits[code]); n++) {
-            _length_code[length++] = (uch)code;
-        }
-    }
-    Assert (length == 256, "tr_static_init: length != 256");
-    /* Note that the length 255 (match length 258) can be represented
-     * in two different ways: code 284 + 5 bits or code 285, so we
-     * overwrite length_code[255] to use the best encoding:
-     */
-    _length_code[length-1] = (uch)code;
-
-    /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
-    dist = 0;
-    for (code = 0 ; code < 16; code++) {
-        base_dist[code] = dist;
-        for (n = 0; n < (1<<extra_dbits[code]); n++) {
-            _dist_code[dist++] = (uch)code;
-        }
-    }
-    Assert (dist == 256, "tr_static_init: dist != 256");
-    dist >>= 7; /* from now on, all distances are divided by 128 */
-    for ( ; code < D_CODES; code++) {
-        base_dist[code] = dist << 7;
-        for (n = 0; n < (1<<(extra_dbits[code]-7)); n++) {
-            _dist_code[256 + dist++] = (uch)code;
-        }
-    }
-    Assert (dist == 256, "tr_static_init: 256+dist != 512");
-
-    /* Construct the codes of the static literal tree */
-    for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;
-    n = 0;
-    while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;
-    while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;
-    while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;
-    while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;
-    /* Codes 286 and 287 do not exist, but we must include them in the
-     * tree construction to get a canonical Huffman tree (longest code
-     * all ones)
-     */
-    gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);
-
-    /* The static distance tree is trivial: */
-    for (n = 0; n < D_CODES; n++) {
-        static_dtree[n].Len = 5;
-        static_dtree[n].Code = bi_reverse((unsigned)n, 5);
-    }
-    static_init_done = 1;
-
-#  ifdef GEN_TREES_H
-    gen_trees_header();
-#  endif
-#endif /* defined(GEN_TREES_H) || !defined(STDC) */
-}
-
-/* ===========================================================================
- * Genererate the file trees.h describing the static trees.
- */
-#ifdef GEN_TREES_H
-#  ifndef DEBUG
-#    include <stdio.h>
-#  endif
-
-#  define SEPARATOR(i, last, width) \
-      ((i) == (last)? "\n};\n\n" :    \
-       ((i) % (width) == (width)-1 ? ",\n" : ", "))
-
-void gen_trees_header()
-{
-    FILE *header = fopen("trees.h", "w");
-    int i;
-
-    Assert (header != NULL, "Can't open trees.h");
-    fprintf(header,
-            "/* header created automatically with -DGEN_TREES_H */\n\n");
-
-    fprintf(header, "local const ct_data static_ltree[L_CODES+2] = {\n");
-    for (i = 0; i < L_CODES+2; i++) {
-        fprintf(header, "{{%3u},{%3u}}%s", static_ltree[i].Code,
-                static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));
-    }
-
-    fprintf(header, "local const ct_data static_dtree[D_CODES] = {\n");
-    for (i = 0; i < D_CODES; i++) {
-        fprintf(header, "{{%2u},{%2u}}%s", static_dtree[i].Code,
-                static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
-    }
-
-    fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n");
-    for (i = 0; i < DIST_CODE_LEN; i++) {
-        fprintf(header, "%2u%s", _dist_code[i],
-                SEPARATOR(i, DIST_CODE_LEN-1, 20));
-    }
-
-    fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
-    for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
-        fprintf(header, "%2u%s", _length_code[i],
-                SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
-    }
-
-    fprintf(header, "local const int base_length[LENGTH_CODES] = {\n");
-    for (i = 0; i < LENGTH_CODES; i++) {
-        fprintf(header, "%1u%s", base_length[i],
-                SEPARATOR(i, LENGTH_CODES-1, 20));
-    }
-
-    fprintf(header, "local const int base_dist[D_CODES] = {\n");
-    for (i = 0; i < D_CODES; i++) {
-        fprintf(header, "%5u%s", base_dist[i],
-                SEPARATOR(i, D_CODES-1, 10));
-    }
-
-    fclose(header);
-}
-#endif /* GEN_TREES_H */
-
-/* ===========================================================================
- * Initialize the tree data structures for a new zlib stream.
- */
-void _tr_init(s)
-    deflate_state *s;
-{
-    tr_static_init();
-
-    s->l_desc.dyn_tree = s->dyn_ltree;
-    s->l_desc.stat_desc = &static_l_desc;
-
-    s->d_desc.dyn_tree = s->dyn_dtree;
-    s->d_desc.stat_desc = &static_d_desc;
-
-    s->bl_desc.dyn_tree = s->bl_tree;
-    s->bl_desc.stat_desc = &static_bl_desc;
-
-    s->bi_buf = 0;
-    s->bi_valid = 0;
-    s->last_eob_len = 8; /* enough lookahead for inflate */
-#ifdef DEBUG
-    s->compressed_len = 0L;
-    s->bits_sent = 0L;
-#endif
-
-    /* Initialize the first block of the first file: */
-    init_block(s);
-}
-
-/* ===========================================================================
- * Initialize a new block.
- */
-local void init_block(s)
-    deflate_state *s;
-{
-    int n; /* iterates over tree elements */
-
-    /* Initialize the trees. */
-    for (n = 0; n < L_CODES;  n++) s->dyn_ltree[n].Freq = 0;
-    for (n = 0; n < D_CODES;  n++) s->dyn_dtree[n].Freq = 0;
-    for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;
-
-    s->dyn_ltree[END_BLOCK].Freq = 1;
-    s->opt_len = s->static_len = 0L;
-    s->last_lit = s->matches = 0;
-}
-
-#define SMALLEST 1
-/* Index within the heap array of least frequent node in the Huffman tree */
-
-
-/* ===========================================================================
- * Remove the smallest element from the heap and recreate the heap with
- * one less element. Updates heap and heap_len.
- */
-#define pqremove(s, tree, top) \
-{\
-    top = s->heap[SMALLEST]; \
-    s->heap[SMALLEST] = s->heap[s->heap_len--]; \
-    pqdownheap(s, tree, SMALLEST); \
-}
-
-/* ===========================================================================
- * Compares to subtrees, using the tree depth as tie breaker when
- * the subtrees have equal frequency. This minimizes the worst case length.
- */
-#define smaller(tree, n, m, depth) \
-   (tree[n].Freq < tree[m].Freq || \
-   (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))
-
-/* ===========================================================================
- * Restore the heap property by moving down the tree starting at node k,
- * exchanging a node with the smallest of its two sons if necessary, stopping
- * when the heap property is re-established (each father smaller than its
- * two sons).
- */
-local void pqdownheap(s, tree, k)
-    deflate_state *s;
-    ct_data *tree;  /* the tree to restore */
-    int k;               /* node to move down */
-{
-    int v = s->heap[k];
-    int j = k << 1;  /* left son of k */
-    while (j <= s->heap_len) {
-        /* Set j to the smallest of the two sons: */
-        if (j < s->heap_len &&
-            smaller(tree, s->heap[j+1], s->heap[j], s->depth)) {
-            j++;
-        }
-        /* Exit if v is smaller than both sons */
-        if (smaller(tree, v, s->heap[j], s->depth)) break;
-
-        /* Exchange v with the smallest son */
-        s->heap[k] = s->heap[j];  k = j;
-
-        /* And continue down the tree, setting j to the left son of k */
-        j <<= 1;
-    }
-    s->heap[k] = v;
-}
-
-/* ===========================================================================
- * Compute the optimal bit lengths for a tree and update the total bit length
- * for the current block.
- * IN assertion: the fields freq and dad are set, heap[heap_max] and
- *    above are the tree nodes sorted by increasing frequency.
- * OUT assertions: the field len is set to the optimal bit length, the
- *     array bl_count contains the frequencies for each bit length.
- *     The length opt_len is updated; static_len is also updated if stree is
- *     not null.
- */
-local void gen_bitlen(s, desc)
-    deflate_state *s;
-    tree_desc *desc;    /* the tree descriptor */
-{
-    ct_data *tree        = desc->dyn_tree;
-    int max_code         = desc->max_code;
-    const ct_data *stree = desc->stat_desc->static_tree;
-    const intf *extra    = desc->stat_desc->extra_bits;
-    int base             = desc->stat_desc->extra_base;
-    int max_length       = desc->stat_desc->max_length;
-    int h;              /* heap index */
-    int n, m;           /* iterate over the tree elements */
-    int bits;           /* bit length */
-    int xbits;          /* extra bits */
-    ush f;              /* frequency */
-    int overflow = 0;   /* number of elements with bit length too large */
-
-    for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;
-
-    /* In a first pass, compute the optimal bit lengths (which may
-     * overflow in the case of the bit length tree).
-     */
-    tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */
-
-    for (h = s->heap_max+1; h < HEAP_SIZE; h++) {
-        n = s->heap[h];
-        bits = tree[tree[n].Dad].Len + 1;
-        if (bits > max_length) bits = max_length, overflow++;
-        tree[n].Len = (ush)bits;
-        /* We overwrite tree[n].Dad which is no longer needed */
-
-        if (n > max_code) continue; /* not a leaf node */
-
-        s->bl_count[bits]++;
-        xbits = 0;
-        if (n >= base) xbits = extra[n-base];
-        f = tree[n].Freq;
-        s->opt_len += (ulg)f * (bits + xbits);
-        if (stree) s->static_len += (ulg)f * (stree[n].Len + xbits);
-    }
-    if (overflow == 0) return;
-
-    Trace((stderr,"\nbit length overflow\n"));
-    /* This happens for example on obj2 and pic of the Calgary corpus */
-
-    /* Find the first bit length which could increase: */
-    do {
-        bits = max_length-1;
-        while (s->bl_count[bits] == 0) bits--;
-        s->bl_count[bits]--;      /* move one leaf down the tree */
-        s->bl_count[bits+1] += 2; /* move one overflow item as its brother */
-        s->bl_count[max_length]--;
-        /* The brother of the overflow item also moves one step up,
-         * but this does not affect bl_count[max_length]
-         */
-        overflow -= 2;
-    } while (overflow > 0);
-
-    /* Now recompute all bit lengths, scanning in increasing frequency.
-     * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
-     * lengths instead of fixing only the wrong ones. This idea is taken
-     * from 'ar' written by Haruhiko Okumura.)
-     */
-    for (bits = max_length; bits != 0; bits--) {
-        n = s->bl_count[bits];
-        while (n != 0) {
-            m = s->heap[--h];
-            if (m > max_code) continue;
-            if ((unsigned) tree[m].Len != (unsigned) bits) {
-                Trace((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
-                s->opt_len += ((long)bits - (long)tree[m].Len)
-                              *(long)tree[m].Freq;
-                tree[m].Len = (ush)bits;
-            }
-            n--;
-        }
-    }
-}
-
-/* ===========================================================================
- * Generate the codes for a given tree and bit counts (which need not be
- * optimal).
- * IN assertion: the array bl_count contains the bit length statistics for
- * the given tree and the field len is set for all tree elements.
- * OUT assertion: the field code is set for all tree elements of non
- *     zero code length.
- */
-local void gen_codes (tree, max_code, bl_count)
-    ct_data *tree;             /* the tree to decorate */
-    int max_code;              /* largest code with non zero frequency */
-    ushf *bl_count;            /* number of codes at each bit length */
-{
-    ush next_code[MAX_BITS+1]; /* next code value for each bit length */
-    ush code = 0;              /* running code value */
-    int bits;                  /* bit index */
-    int n;                     /* code index */
-
-    /* The distribution counts are first used to generate the code values
-     * without bit reversal.
-     */
-    for (bits = 1; bits <= MAX_BITS; bits++) {
-        next_code[bits] = code = (code + bl_count[bits-1]) << 1;
-    }
-    /* Check that the bit counts in bl_count are consistent. The last code
-     * must be all ones.
-     */
-    Assert (code + bl_count[MAX_BITS]-1 == (1<<MAX_BITS)-1,
-            "inconsistent bit counts");
-    Tracev((stderr,"\ngen_codes: max_code %d ", max_code));
-
-    for (n = 0;  n <= max_code; n++) {
-        int len = tree[n].Len;
-        if (len == 0) continue;
-        /* Now reverse the bits */
-        tree[n].Code = bi_reverse(next_code[len]++, len);
-
-        Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
-             n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len]-1));
-    }
-}
-
-/* ===========================================================================
- * Construct one Huffman tree and assigns the code bit strings and lengths.
- * Update the total bit length for the current block.
- * IN assertion: the field freq is set for all tree elements.
- * OUT assertions: the fields len and code are set to the optimal bit length
- *     and corresponding code. The length opt_len is updated; static_len is
- *     also updated if stree is not null. The field max_code is set.
- */
-local void build_tree(s, desc)
-    deflate_state *s;
-    tree_desc *desc; /* the tree descriptor */
-{
-    ct_data *tree         = desc->dyn_tree;
-    const ct_data *stree  = desc->stat_desc->static_tree;
-    int elems             = desc->stat_desc->elems;
-    int n, m;          /* iterate over heap elements */
-    int max_code = -1; /* largest code with non zero frequency */
-    int node;          /* new node being created */
-
-    /* Construct the initial heap, with least frequent element in
-     * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n+1].
-     * heap[0] is not used.
-     */
-    s->heap_len = 0, s->heap_max = HEAP_SIZE;
-
-    for (n = 0; n < elems; n++) {
-        if (tree[n].Freq != 0) {
-            s->heap[++(s->heap_len)] = max_code = n;
-            s->depth[n] = 0;
-        } else {
-            tree[n].Len = 0;
-        }
-    }
-
-    /* The pkzip format requires that at least one distance code exists,
-     * and that at least one bit should be sent even if there is only one
-     * possible code. So to avoid special checks later on we force at least
-     * two codes of non zero frequency.
-     */
-    while (s->heap_len < 2) {
-        node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);
-        tree[node].Freq = 1;
-        s->depth[node] = 0;
-        s->opt_len--; if (stree) s->static_len -= stree[node].Len;
-        /* node is 0 or 1 so it does not have extra bits */
-    }
-    desc->max_code = max_code;
-
-    /* The elements heap[heap_len/2+1 .. heap_len] are leaves of the tree,
-     * establish sub-heaps of increasing lengths:
-     */
-    for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);
-
-    /* Construct the Huffman tree by repeatedly combining the least two
-     * frequent nodes.
-     */
-    node = elems;              /* next internal node of the tree */
-    do {
-        pqremove(s, tree, n);  /* n = node of least frequency */
-        m = s->heap[SMALLEST]; /* m = node of next least frequency */
-
-        s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */
-        s->heap[--(s->heap_max)] = m;
-
-        /* Create a new node father of n and m */
-        tree[node].Freq = tree[n].Freq + tree[m].Freq;
-        s->depth[node] = (uch)((s->depth[n] >= s->depth[m] ?
-                                s->depth[n] : s->depth[m]) + 1);
-        tree[n].Dad = tree[m].Dad = (ush)node;
-#ifdef DUMP_BL_TREE
-        if (tree == s->bl_tree) {
-            fprintf(stderr,"\nnode %d(%d), sons %d(%d) %d(%d)",
-                    node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);
-        }
-#endif
-        /* and insert the new node in the heap */
-        s->heap[SMALLEST] = node++;
-        pqdownheap(s, tree, SMALLEST);
-
-    } while (s->heap_len >= 2);
-
-    s->heap[--(s->heap_max)] = s->heap[SMALLEST];
-
-    /* At this point, the fields freq and dad are set. We can now
-     * generate the bit lengths.
-     */
-    gen_bitlen(s, (tree_desc *)desc);
-
-    /* The field len is now set, we can generate the bit codes */
-    gen_codes ((ct_data *)tree, max_code, s->bl_count);
-}
-
-/* ===========================================================================
- * Scan a literal or distance tree to determine the frequencies of the codes
- * in the bit length tree.
- */
-local void scan_tree (s, tree, max_code)
-    deflate_state *s;
-    ct_data *tree;   /* the tree to be scanned */
-    int max_code;    /* and its largest code of non zero frequency */
-{
-    int n;                     /* iterates over all tree elements */
-    int prevlen = -1;          /* last emitted length */
-    int curlen;                /* length of current code */
-    int nextlen = tree[0].Len; /* length of next code */
-    int count = 0;             /* repeat count of the current code */
-    int max_count = 7;         /* max repeat count */
-    int min_count = 4;         /* min repeat count */
-
-    if (nextlen == 0) max_count = 138, min_count = 3;
-    tree[max_code+1].Len = (ush)0xffff; /* guard */
-
-    for (n = 0; n <= max_code; n++) {
-        curlen = nextlen; nextlen = tree[n+1].Len;
-        if (++count < max_count && curlen == nextlen) {
-            continue;
-        } else if (count < min_count) {
-            s->bl_tree[curlen].Freq += count;
-        } else if (curlen != 0) {
-            if (curlen != prevlen) s->bl_tree[curlen].Freq++;
-            s->bl_tree[REP_3_6].Freq++;
-        } else if (count <= 10) {
-            s->bl_tree[REPZ_3_10].Freq++;
-        } else {
-            s->bl_tree[REPZ_11_138].Freq++;
-        }
-        count = 0; prevlen = curlen;
-        if (nextlen == 0) {
-            max_count = 138, min_count = 3;
-        } else if (curlen == nextlen) {
-            max_count = 6, min_count = 3;
-        } else {
-            max_count = 7, min_count = 4;
-        }
-    }
-}
-
-/* ===========================================================================
- * Send a literal or distance tree in compressed form, using the codes in
- * bl_tree.
- */
-local void send_tree (s, tree, max_code)
-    deflate_state *s;
-    ct_data *tree; /* the tree to be scanned */
-    int max_code;       /* and its largest code of non zero frequency */
-{
-    int n;                     /* iterates over all tree elements */
-    int prevlen = -1;          /* last emitted length */
-    int curlen;                /* length of current code */
-    int nextlen = tree[0].Len; /* length of next code */
-    int count = 0;             /* repeat count of the current code */
-    int max_count = 7;         /* max repeat count */
-    int min_count = 4;         /* min repeat count */
-
-    /* tree[max_code+1].Len = -1; */  /* guard already set */
-    if (nextlen == 0) max_count = 138, min_count = 3;
-
-    for (n = 0; n <= max_code; n++) {
-        curlen = nextlen; nextlen = tree[n+1].Len;
-        if (++count < max_count && curlen == nextlen) {
-            continue;
-        } else if (count < min_count) {
-            do { send_code(s, curlen, s->bl_tree); } while (--count != 0);
-
-        } else if (curlen != 0) {
-            if (curlen != prevlen) {
-                send_code(s, curlen, s->bl_tree); count--;
-            }
-            Assert(count >= 3 && count <= 6, " 3_6?");
-            send_code(s, REP_3_6, s->bl_tree); send_bits(s, count-3, 2);
-
-        } else if (count <= 10) {
-            send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count-3, 3);
-
-        } else {
-            send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count-11, 7);
-        }
-        count = 0; prevlen = curlen;
-        if (nextlen == 0) {
-            max_count = 138, min_count = 3;
-        } else if (curlen == nextlen) {
-            max_count = 6, min_count = 3;
-        } else {
-            max_count = 7, min_count = 4;
-        }
-    }
-}
-
-/* ===========================================================================
- * Construct the Huffman tree for the bit lengths and return the index in
- * bl_order of the last bit length code to send.
- */
-local int build_bl_tree(s)
-    deflate_state *s;
-{
-    int max_blindex;  /* index of last bit length code of non zero freq */
-
-    /* Determine the bit length frequencies for literal and distance trees */
-    scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);
-    scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);
-
-    /* Build the bit length tree: */
-    build_tree(s, (tree_desc *)(&(s->bl_desc)));
-    /* opt_len now includes the length of the tree representations, except
-     * the lengths of the bit lengths codes and the 5+5+4 bits for the counts.
-     */
-
-    /* Determine the number of bit length codes to send. The pkzip format
-     * requires that at least 4 bit length codes be sent. (appnote.txt says
-     * 3 but the actual value used is 4.)
-     */
-    for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {
-        if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;
-    }
-    /* Update opt_len to include the bit length tree and counts */
-    s->opt_len += 3*(max_blindex+1) + 5+5+4;
-    Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
-            s->opt_len, s->static_len));
-
-    return max_blindex;
-}
-
-/* ===========================================================================
- * Send the header for a block using dynamic Huffman trees: the counts, the
- * lengths of the bit length codes, the literal tree and the distance tree.
- * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
- */
-local void send_all_trees(s, lcodes, dcodes, blcodes)
-    deflate_state *s;
-    int lcodes, dcodes, blcodes; /* number of codes for each tree */
-{
-    int rank;                    /* index in bl_order */
-
-    Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
-    Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
-            "too many codes");
-    Tracev((stderr, "\nbl counts: "));
-    send_bits(s, lcodes-257, 5); /* not +255 as stated in appnote.txt */
-    send_bits(s, dcodes-1,   5);
-    send_bits(s, blcodes-4,  4); /* not -3 as stated in appnote.txt */
-    for (rank = 0; rank < blcodes; rank++) {
-        Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
-        send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);
-    }
-    Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));
-
-    send_tree(s, (ct_data *)s->dyn_ltree, lcodes-1); /* literal tree */
-    Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));
-
-    send_tree(s, (ct_data *)s->dyn_dtree, dcodes-1); /* distance tree */
-    Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
-}
-
-/* ===========================================================================
- * Send a stored block
- */
-void _tr_stored_block(s, buf, stored_len, eof)
-    deflate_state *s;
-    charf *buf;       /* input block */
-    ulg stored_len;   /* length of input block */
-    int eof;          /* true if this is the last block for a file */
-{
-    send_bits(s, (STORED_BLOCK<<1)+eof, 3);  /* send block type */
-#ifdef DEBUG
-    s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
-    s->compressed_len += (stored_len + 4) << 3;
-#endif
-    copy_block(s, buf, (unsigned)stored_len, 1); /* with header */
-}
-
-/* ===========================================================================
- * Send one empty static block to give enough lookahead for inflate.
- * This takes 10 bits, of which 7 may remain in the bit buffer.
- * The current inflate code requires 9 bits of lookahead. If the
- * last two codes for the previous block (real code plus EOB) were coded
- * on 5 bits or less, inflate may have only 5+3 bits of lookahead to decode
- * the last real code. In this case we send two empty static blocks instead
- * of one. (There are no problems if the previous block is stored or fixed.)
- * To simplify the code, we assume the worst case of last real code encoded
- * on one bit only.
- */
-void _tr_align(s)
-    deflate_state *s;
-{
-    send_bits(s, STATIC_TREES<<1, 3);
-    send_code(s, END_BLOCK, static_ltree);
-#ifdef DEBUG
-    s->compressed_len += 10L; /* 3 for block type, 7 for EOB */
-#endif
-    bi_flush(s);
-    /* Of the 10 bits for the empty block, we have already sent
-     * (10 - bi_valid) bits. The lookahead for the last real code (before
-     * the EOB of the previous block) was thus at least one plus the length
-     * of the EOB plus what we have just sent of the empty static block.
-     */
-    if (1 + s->last_eob_len + 10 - s->bi_valid < 9) {
-        send_bits(s, STATIC_TREES<<1, 3);
-        send_code(s, END_BLOCK, static_ltree);
-#ifdef DEBUG
-        s->compressed_len += 10L;
-#endif
-        bi_flush(s);
-    }
-    s->last_eob_len = 7;
-}
-
-/* ===========================================================================
- * Determine the best encoding for the current block: dynamic trees, static
- * trees or store, and output the encoded block to the zip file.
- */
-void _tr_flush_block(s, buf, stored_len, eof)
-    deflate_state *s;
-    charf *buf;       /* input block, or NULL if too old */
-    ulg stored_len;   /* length of input block */
-    int eof;          /* true if this is the last block for a file */
-{
-    ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
-    int max_blindex = 0;  /* index of last bit length code of non zero freq */
-
-    /* Build the Huffman trees unless a stored block is forced */
-    if (s->level > 0) {
-
-        /* Check if the file is binary or text */
-        if (stored_len > 0 && s->strm->data_type == Z_UNKNOWN)
-            set_data_type(s);
-
-        /* Construct the literal and distance trees */
-        build_tree(s, (tree_desc *)(&(s->l_desc)));
-        Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
-                s->static_len));
-
-        build_tree(s, (tree_desc *)(&(s->d_desc)));
-        Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
-                s->static_len));
-        /* At this point, opt_len and static_len are the total bit lengths of
-         * the compressed block data, excluding the tree representations.
-         */
-
-        /* Build the bit length tree for the above two trees, and get the index
-         * in bl_order of the last bit length code to send.
-         */
-        max_blindex = build_bl_tree(s);
-
-        /* Determine the best encoding. Compute the block lengths in bytes. */
-        opt_lenb = (s->opt_len+3+7)>>3;
-        static_lenb = (s->static_len+3+7)>>3;
-
-        Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
-                opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
-                s->last_lit));
-
-        if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
-
-    } else {
-        Assert(buf != (char*)0, "lost buf");
-        opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
-    }
-
-#ifdef FORCE_STORED
-    if (buf != (char*)0) { /* force stored block */
-#else
-    if (stored_len+4 <= opt_lenb && buf != (char*)0) {
-                       /* 4: two words for the lengths */
-#endif
-        /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
-         * Otherwise we can't have processed more than WSIZE input bytes since
-         * the last block flush, because compression would have been
-         * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
-         * transform a block into a stored block.
-         */
-        _tr_stored_block(s, buf, stored_len, eof);
-
-#ifdef FORCE_STATIC
-    } else if (static_lenb >= 0) { /* force static trees */
-#else
-    } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) {
-#endif
-        send_bits(s, (STATIC_TREES<<1)+eof, 3);
-        compress_block(s, (ct_data *)static_ltree, (ct_data *)static_dtree);
-#ifdef DEBUG
-        s->compressed_len += 3 + s->static_len;
-#endif
-    } else {
-        send_bits(s, (DYN_TREES<<1)+eof, 3);
-        send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1,
-                       max_blindex+1);
-        compress_block(s, (ct_data *)s->dyn_ltree, (ct_data *)s->dyn_dtree);
-#ifdef DEBUG
-        s->compressed_len += 3 + s->opt_len;
-#endif
-    }
-    Assert (s->compressed_len == s->bits_sent, "bad compressed size");
-    /* The above check is made mod 2^32, for files larger than 512 MB
-     * and uLong implemented on 32 bits.
-     */
-    init_block(s);
-
-    if (eof) {
-        bi_windup(s);
-#ifdef DEBUG
-        s->compressed_len += 7;  /* align on byte boundary */
-#endif
-    }
-    Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
-           s->compressed_len-7*eof));
-}
-
-/* ===========================================================================
- * Save the match info and tally the frequency counts. Return true if
- * the current block must be flushed.
- */
-int _tr_tally (s, dist, lc)
-    deflate_state *s;
-    unsigned dist;  /* distance of matched string */
-    unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
-{
-    s->d_buf[s->last_lit] = (ush)dist;
-    s->l_buf[s->last_lit++] = (uch)lc;
-    if (dist == 0) {
-        /* lc is the unmatched char */
-        s->dyn_ltree[lc].Freq++;
-    } else {
-        s->matches++;
-        /* Here, lc is the match length - MIN_MATCH */
-        dist--;             /* dist = match distance - 1 */
-        Assert((ush)dist < (ush)MAX_DIST(s) &&
-               (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
-               (ush)d_code(dist) < (ush)D_CODES,  "_tr_tally: bad match");
-
-        s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
-        s->dyn_dtree[d_code(dist)].Freq++;
-    }
-
-#ifdef TRUNCATE_BLOCK
-    /* Try to guess if it is profitable to stop the current block here */
-    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
-        /* Compute an upper bound for the compressed length */
-        ulg out_length = (ulg)s->last_lit*8L;
-        ulg in_length = (ulg)((long)s->strstart - s->block_start);
-        int dcode;
-        for (dcode = 0; dcode < D_CODES; dcode++) {
-            out_length += (ulg)s->dyn_dtree[dcode].Freq *
-                (5L+extra_dbits[dcode]);
-        }
-        out_length >>= 3;
-        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
-               s->last_lit, in_length, out_length,
-               100L - out_length*100L/in_length));
-        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
-    }
-#endif
-    return (s->last_lit == s->lit_bufsize-1);
-    /* We avoid equality with lit_bufsize because of wraparound at 64K
-     * on 16 bit machines and because stored blocks are restricted to
-     * 64K-1 bytes.
-     */
-}
-
-/* ===========================================================================
- * Send the block data compressed using the given Huffman trees
- */
-local void compress_block(s, ltree, dtree)
-    deflate_state *s;
-    ct_data *ltree; /* literal tree */
-    ct_data *dtree; /* distance tree */
-{
-    unsigned dist;      /* distance of matched string */
-    int lc;             /* match length or unmatched char (if dist == 0) */
-    unsigned lx = 0;    /* running index in l_buf */
-    unsigned code;      /* the code to send */
-    int extra;          /* number of extra bits to send */
-
-    if (s->last_lit != 0) do {
-        dist = s->d_buf[lx];
-        lc = s->l_buf[lx++];
-        if (dist == 0) {
-            send_code(s, lc, ltree); /* send a literal byte */
-            Tracecv(isgraph(lc), (stderr," '%c' ", lc));
-        } else {
-            /* Here, lc is the match length - MIN_MATCH */
-            code = _length_code[lc];
-            send_code(s, code+LITERALS+1, ltree); /* send the length code */
-            extra = extra_lbits[code];
-            if (extra != 0) {
-                lc -= base_length[code];
-                send_bits(s, lc, extra);       /* send the extra length bits */
-            }
-            dist--; /* dist is now the match distance - 1 */
-            code = d_code(dist);
-            Assert (code < D_CODES, "bad d_code");
-
-            send_code(s, code, dtree);       /* send the distance code */
-            extra = extra_dbits[code];
-            if (extra != 0) {
-                dist -= base_dist[code];
-                send_bits(s, dist, extra);   /* send the extra distance bits */
-            }
-        } /* literal or match pair ? */
-
-        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
-        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
-               "pendingBuf overflow");
-
-    } while (lx < s->last_lit);
-
-    send_code(s, END_BLOCK, ltree);
-    s->last_eob_len = ltree[END_BLOCK].Len;
-}
-
-/* ===========================================================================
- * Set the data type to BINARY or TEXT, using a crude approximation:
- * set it to Z_TEXT if all symbols are either printable characters (33 to 255)
- * or white spaces (9 to 13, or 32); or set it to Z_BINARY otherwise.
- * IN assertion: the fields Freq of dyn_ltree are set.
- */
-local void set_data_type(s)
-    deflate_state *s;
-{
-    int n;
-
-    for (n = 0; n < 9; n++)
-        if (s->dyn_ltree[n].Freq != 0)
-            break;
-    if (n == 9)
-        for (n = 14; n < 32; n++)
-            if (s->dyn_ltree[n].Freq != 0)
-                break;
-    s->strm->data_type = (n == 32) ? Z_TEXT : Z_BINARY;
-}
-
-/* ===========================================================================
- * Reverse the first len bits of a code, using straightforward code (a faster
- * method would use a table)
- * IN assertion: 1 <= len <= 15
- */
-local unsigned bi_reverse(code, len)
-    unsigned code; /* the value to invert */
-    int len;       /* its bit length */
-{
-    register unsigned res = 0;
-    do {
-        res |= code & 1;
-        code >>= 1, res <<= 1;
-    } while (--len > 0);
-    return res >> 1;
-}
-
-/* ===========================================================================
- * Flush the bit buffer, keeping at most 7 bits in it.
- */
-local void bi_flush(s)
-    deflate_state *s;
-{
-    if (s->bi_valid == 16) {
-        put_short(s, s->bi_buf);
-        s->bi_buf = 0;
-        s->bi_valid = 0;
-    } else if (s->bi_valid >= 8) {
-        put_byte(s, (Byte)s->bi_buf);
-        s->bi_buf >>= 8;
-        s->bi_valid -= 8;
-    }
-}
-
-/* ===========================================================================
- * Flush the bit buffer and align the output on a byte boundary
- */
-local void bi_windup(s)
-    deflate_state *s;
-{
-    if (s->bi_valid > 8) {
-        put_short(s, s->bi_buf);
-    } else if (s->bi_valid > 0) {
-        put_byte(s, (Byte)s->bi_buf);
-    }
-    s->bi_buf = 0;
-    s->bi_valid = 0;
-#ifdef DEBUG
-    s->bits_sent = (s->bits_sent+7) & ~7;
-#endif
-}
-
-/* ===========================================================================
- * Copy a stored block, storing first the length and its
- * one's complement if requested.
- */
-local void copy_block(s, buf, len, header)
-    deflate_state *s;
-    charf    *buf;    /* the input data */
-    unsigned len;     /* its length */
-    int      header;  /* true if block header must be written */
-{
-    bi_windup(s);        /* align on byte boundary */
-    s->last_eob_len = 8; /* enough lookahead for inflate */
-
-    if (header) {
-        put_short(s, (ush)len);
-        put_short(s, (ush)~len);
-#ifdef DEBUG
-        s->bits_sent += 2*16;
-#endif
-    }
-#ifdef DEBUG
-    s->bits_sent += (ulg)len<<3;
-#endif
-    while (len--) {
-        put_byte(s, *buf++);
-    }
-}
diff --git a/security/nss/cmd/zlib/trees.h b/security/nss/cmd/zlib/trees.h
deleted file mode 100644
index 72facf900..000000000
--- a/security/nss/cmd/zlib/trees.h
+++ /dev/null
@@ -1,128 +0,0 @@
-/* header created automatically with -DGEN_TREES_H */
-
-local const ct_data static_ltree[L_CODES+2] = {
-{{ 12},{  8}}, {{140},{  8}}, {{ 76},{  8}}, {{204},{  8}}, {{ 44},{  8}},
-{{172},{  8}}, {{108},{  8}}, {{236},{  8}}, {{ 28},{  8}}, {{156},{  8}},
-{{ 92},{  8}}, {{220},{  8}}, {{ 60},{  8}}, {{188},{  8}}, {{124},{  8}},
-{{252},{  8}}, {{  2},{  8}}, {{130},{  8}}, {{ 66},{  8}}, {{194},{  8}},
-{{ 34},{  8}}, {{162},{  8}}, {{ 98},{  8}}, {{226},{  8}}, {{ 18},{  8}},
-{{146},{  8}}, {{ 82},{  8}}, {{210},{  8}}, {{ 50},{  8}}, {{178},{  8}},
-{{114},{  8}}, {{242},{  8}}, {{ 10},{  8}}, {{138},{  8}}, {{ 74},{  8}},
-{{202},{  8}}, {{ 42},{  8}}, {{170},{  8}}, {{106},{  8}}, {{234},{  8}},
-{{ 26},{  8}}, {{154},{  8}}, {{ 90},{  8}}, {{218},{  8}}, {{ 58},{  8}},
-{{186},{  8}}, {{122},{  8}}, {{250},{  8}}, {{  6},{  8}}, {{134},{  8}},
-{{ 70},{  8}}, {{198},{  8}}, {{ 38},{  8}}, {{166},{  8}}, {{102},{  8}},
-{{230},{  8}}, {{ 22},{  8}}, {{150},{  8}}, {{ 86},{  8}}, {{214},{  8}},
-{{ 54},{  8}}, {{182},{  8}}, {{118},{  8}}, {{246},{  8}}, {{ 14},{  8}},
-{{142},{  8}}, {{ 78},{  8}}, {{206},{  8}}, {{ 46},{  8}}, {{174},{  8}},
-{{110},{  8}}, {{238},{  8}}, {{ 30},{  8}}, {{158},{  8}}, {{ 94},{  8}},
-{{222},{  8}}, {{ 62},{  8}}, {{190},{  8}}, {{126},{  8}}, {{254},{  8}},
-{{  1},{  8}}, {{129},{  8}}, {{ 65},{  8}}, {{193},{  8}}, {{ 33},{  8}},
-{{161},{  8}}, {{ 97},{  8}}, {{225},{  8}}, {{ 17},{  8}}, {{145},{  8}},
-{{ 81},{  8}}, {{209},{  8}}, {{ 49},{  8}}, {{177},{  8}}, {{113},{  8}},
-{{241},{  8}}, {{  9},{  8}}, {{137},{  8}}, {{ 73},{  8}}, {{201},{  8}},
-{{ 41},{  8}}, {{169},{  8}}, {{105},{  8}}, {{233},{  8}}, {{ 25},{  8}},
-{{153},{  8}}, {{ 89},{  8}}, {{217},{  8}}, {{ 57},{  8}}, {{185},{  8}},
-{{121},{  8}}, {{249},{  8}}, {{  5},{  8}}, {{133},{  8}}, {{ 69},{  8}},
-{{197},{  8}}, {{ 37},{  8}}, {{165},{  8}}, {{101},{  8}}, {{229},{  8}},
-{{ 21},{  8}}, {{149},{  8}}, {{ 85},{  8}}, {{213},{  8}}, {{ 53},{  8}},
-{{181},{  8}}, {{117},{  8}}, {{245},{  8}}, {{ 13},{  8}}, {{141},{  8}},
-{{ 77},{  8}}, {{205},{  8}}, {{ 45},{  8}}, {{173},{  8}}, {{109},{  8}},
-{{237},{  8}}, {{ 29},{  8}}, {{157},{  8}}, {{ 93},{  8}}, {{221},{  8}},
-{{ 61},{  8}}, {{189},{  8}}, {{125},{  8}}, {{253},{  8}}, {{ 19},{  9}},
-{{275},{  9}}, {{147},{  9}}, {{403},{  9}}, {{ 83},{  9}}, {{339},{  9}},
-{{211},{  9}}, {{467},{  9}}, {{ 51},{  9}}, {{307},{  9}}, {{179},{  9}},
-{{435},{  9}}, {{115},{  9}}, {{371},{  9}}, {{243},{  9}}, {{499},{  9}},
-{{ 11},{  9}}, {{267},{  9}}, {{139},{  9}}, {{395},{  9}}, {{ 75},{  9}},
-{{331},{  9}}, {{203},{  9}}, {{459},{  9}}, {{ 43},{  9}}, {{299},{  9}},
-{{171},{  9}}, {{427},{  9}}, {{107},{  9}}, {{363},{  9}}, {{235},{  9}},
-{{491},{  9}}, {{ 27},{  9}}, {{283},{  9}}, {{155},{  9}}, {{411},{  9}},
-{{ 91},{  9}}, {{347},{  9}}, {{219},{  9}}, {{475},{  9}}, {{ 59},{  9}},
-{{315},{  9}}, {{187},{  9}}, {{443},{  9}}, {{123},{  9}}, {{379},{  9}},
-{{251},{  9}}, {{507},{  9}}, {{  7},{  9}}, {{263},{  9}}, {{135},{  9}},
-{{391},{  9}}, {{ 71},{  9}}, {{327},{  9}}, {{199},{  9}}, {{455},{  9}},
-{{ 39},{  9}}, {{295},{  9}}, {{167},{  9}}, {{423},{  9}}, {{103},{  9}},
-{{359},{  9}}, {{231},{  9}}, {{487},{  9}}, {{ 23},{  9}}, {{279},{  9}},
-{{151},{  9}}, {{407},{  9}}, {{ 87},{  9}}, {{343},{  9}}, {{215},{  9}},
-{{471},{  9}}, {{ 55},{  9}}, {{311},{  9}}, {{183},{  9}}, {{439},{  9}},
-{{119},{  9}}, {{375},{  9}}, {{247},{  9}}, {{503},{  9}}, {{ 15},{  9}},
-{{271},{  9}}, {{143},{  9}}, {{399},{  9}}, {{ 79},{  9}}, {{335},{  9}},
-{{207},{  9}}, {{463},{  9}}, {{ 47},{  9}}, {{303},{  9}}, {{175},{  9}},
-{{431},{  9}}, {{111},{  9}}, {{367},{  9}}, {{239},{  9}}, {{495},{  9}},
-{{ 31},{  9}}, {{287},{  9}}, {{159},{  9}}, {{415},{  9}}, {{ 95},{  9}},
-{{351},{  9}}, {{223},{  9}}, {{479},{  9}}, {{ 63},{  9}}, {{319},{  9}},
-{{191},{  9}}, {{447},{  9}}, {{127},{  9}}, {{383},{  9}}, {{255},{  9}},
-{{511},{  9}}, {{  0},{  7}}, {{ 64},{  7}}, {{ 32},{  7}}, {{ 96},{  7}},
-{{ 16},{  7}}, {{ 80},{  7}}, {{ 48},{  7}}, {{112},{  7}}, {{  8},{  7}},
-{{ 72},{  7}}, {{ 40},{  7}}, {{104},{  7}}, {{ 24},{  7}}, {{ 88},{  7}},
-{{ 56},{  7}}, {{120},{  7}}, {{  4},{  7}}, {{ 68},{  7}}, {{ 36},{  7}},
-{{100},{  7}}, {{ 20},{  7}}, {{ 84},{  7}}, {{ 52},{  7}}, {{116},{  7}},
-{{  3},{  8}}, {{131},{  8}}, {{ 67},{  8}}, {{195},{  8}}, {{ 35},{  8}},
-{{163},{  8}}, {{ 99},{  8}}, {{227},{  8}}
-};
-
-local const ct_data static_dtree[D_CODES] = {
-{{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}},
-{{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}},
-{{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}},
-{{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}},
-{{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}},
-{{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}
-};
-
-const uch _dist_code[DIST_CODE_LEN] = {
- 0,  1,  2,  3,  4,  4,  5,  5,  6,  6,  6,  6,  7,  7,  7,  7,  8,  8,  8,  8,
- 8,  8,  8,  8,  9,  9,  9,  9,  9,  9,  9,  9, 10, 10, 10, 10, 10, 10, 10, 10,
-10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,
-11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,
-12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13,
-13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13,
-13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,  0,  0, 16, 17,
-18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22,
-23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29
-};
-
-const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {
- 0,  1,  2,  3,  4,  5,  6,  7,  8,  8,  9,  9, 10, 10, 11, 11, 12, 12, 12, 12,
-13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,
-17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,
-19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
-21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22,
-22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23,
-23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
-25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28
-};
-
-local const int base_length[LENGTH_CODES] = {
-0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56,
-64, 80, 96, 112, 128, 160, 192, 224, 0
-};
-
-local const int base_dist[D_CODES] = {
-    0,     1,     2,     3,     4,     6,     8,    12,    16,    24,
-   32,    48,    64,    96,   128,   192,   256,   384,   512,   768,
- 1024,  1536,  2048,  3072,  4096,  6144,  8192, 12288, 16384, 24576
-};
-
diff --git a/security/nss/cmd/zlib/uncompr.c b/security/nss/cmd/zlib/uncompr.c
deleted file mode 100644
index b59e3d0de..000000000
--- a/security/nss/cmd/zlib/uncompr.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/* uncompr.c -- decompress a memory buffer
- * Copyright (C) 1995-2003 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#define ZLIB_INTERNAL
-#include "zlib.h"
-
-/* ===========================================================================
-     Decompresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be large enough to hold the
-   entire uncompressed data. (The size of the uncompressed data must have
-   been saved previously by the compressor and transmitted to the decompressor
-   by some mechanism outside the scope of this compression library.)
-   Upon exit, destLen is the actual size of the compressed buffer.
-     This function can be used to decompress a whole file at once if the
-   input file is mmap'ed.
-
-     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_BUF_ERROR if there was not enough room in the output
-   buffer, or Z_DATA_ERROR if the input data was corrupted.
-*/
-int ZEXPORT uncompress (dest, destLen, source, sourceLen)
-    Bytef *dest;
-    uLongf *destLen;
-    const Bytef *source;
-    uLong sourceLen;
-{
-    z_stream stream;
-    int err;
-
-    stream.next_in = (Bytef*)source;
-    stream.avail_in = (uInt)sourceLen;
-    /* Check for source > 64K on 16-bit machine: */
-    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
-
-    stream.next_out = dest;
-    stream.avail_out = (uInt)*destLen;
-    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
-
-    stream.zalloc = (alloc_func)0;
-    stream.zfree = (free_func)0;
-
-    err = inflateInit(&stream);
-    if (err != Z_OK) return err;
-
-    err = inflate(&stream, Z_FINISH);
-    if (err != Z_STREAM_END) {
-        inflateEnd(&stream);
-        if (err == Z_NEED_DICT || (err == Z_BUF_ERROR && stream.avail_in == 0))
-            return Z_DATA_ERROR;
-        return err;
-    }
-    *destLen = stream.total_out;
-
-    err = inflateEnd(&stream);
-    return err;
-}
diff --git a/security/nss/cmd/zlib/zconf.h b/security/nss/cmd/zlib/zconf.h
deleted file mode 100644
index 03a9431c8..000000000
--- a/security/nss/cmd/zlib/zconf.h
+++ /dev/null
@@ -1,332 +0,0 @@
-/* zconf.h -- configuration of the zlib compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#ifndef ZCONF_H
-#define ZCONF_H
-
-/*
- * If you *really* need a unique prefix for all types and library functions,
- * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
- */
-#ifdef Z_PREFIX
-#  define deflateInit_          z_deflateInit_
-#  define deflate               z_deflate
-#  define deflateEnd            z_deflateEnd
-#  define inflateInit_          z_inflateInit_
-#  define inflate               z_inflate
-#  define inflateEnd            z_inflateEnd
-#  define deflateInit2_         z_deflateInit2_
-#  define deflateSetDictionary  z_deflateSetDictionary
-#  define deflateCopy           z_deflateCopy
-#  define deflateReset          z_deflateReset
-#  define deflateParams         z_deflateParams
-#  define deflateBound          z_deflateBound
-#  define deflatePrime          z_deflatePrime
-#  define inflateInit2_         z_inflateInit2_
-#  define inflateSetDictionary  z_inflateSetDictionary
-#  define inflateSync           z_inflateSync
-#  define inflateSyncPoint      z_inflateSyncPoint
-#  define inflateCopy           z_inflateCopy
-#  define inflateReset          z_inflateReset
-#  define inflateBack           z_inflateBack
-#  define inflateBackEnd        z_inflateBackEnd
-#  define compress              z_compress
-#  define compress2             z_compress2
-#  define compressBound         z_compressBound
-#  define uncompress            z_uncompress
-#  define adler32               z_adler32
-#  define crc32                 z_crc32
-#  define get_crc_table         z_get_crc_table
-#  define zError                z_zError
-
-#  define alloc_func            z_alloc_func
-#  define free_func             z_free_func
-#  define in_func               z_in_func
-#  define out_func              z_out_func
-#  define Byte                  z_Byte
-#  define uInt                  z_uInt
-#  define uLong                 z_uLong
-#  define Bytef                 z_Bytef
-#  define charf                 z_charf
-#  define intf                  z_intf
-#  define uIntf                 z_uIntf
-#  define uLongf                z_uLongf
-#  define voidpf                z_voidpf
-#  define voidp                 z_voidp
-#endif
-
-#if defined(__MSDOS__) && !defined(MSDOS)
-#  define MSDOS
-#endif
-#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)
-#  define OS2
-#endif
-#if defined(_WINDOWS) && !defined(WINDOWS)
-#  define WINDOWS
-#endif
-#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)
-#  ifndef WIN32
-#    define WIN32
-#  endif
-#endif
-#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)
-#  if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)
-#    ifndef SYS16BIT
-#      define SYS16BIT
-#    endif
-#  endif
-#endif
-
-/*
- * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
- * than 64k bytes at a time (needed on systems with 16-bit int).
- */
-#ifdef SYS16BIT
-#  define MAXSEG_64K
-#endif
-#ifdef MSDOS
-#  define UNALIGNED_OK
-#endif
-
-#ifdef __STDC_VERSION__
-#  ifndef STDC
-#    define STDC
-#  endif
-#  if __STDC_VERSION__ >= 199901L
-#    ifndef STDC99
-#      define STDC99
-#    endif
-#  endif
-#endif
-#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))
-#  define STDC
-#endif
-#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))
-#  define STDC
-#endif
-#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))
-#  define STDC
-#endif
-#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))
-#  define STDC
-#endif
-
-#if defined(__OS400__) && !defined(STDC)    /* iSeries (formerly AS/400). */
-#  define STDC
-#endif
-
-#ifndef STDC
-#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
-#    define const       /* note: need a more gentle solution here */
-#  endif
-#endif
-
-/* Some Mac compilers merge all .h files incorrectly: */
-#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__)
-#  define NO_DUMMY_DECL
-#endif
-
-/* Maximum value for memLevel in deflateInit2 */
-#ifndef MAX_MEM_LEVEL
-#  ifdef MAXSEG_64K
-#    define MAX_MEM_LEVEL 8
-#  else
-#    define MAX_MEM_LEVEL 9
-#  endif
-#endif
-
-/* Maximum value for windowBits in deflateInit2 and inflateInit2.
- * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files
- * created by gzip. (Files created by minigzip can still be extracted by
- * gzip.)
- */
-#ifndef MAX_WBITS
-#  define MAX_WBITS   15 /* 32K LZ77 window */
-#endif
-
-/* The memory requirements for deflate are (in bytes):
-            (1 << (windowBits+2)) +  (1 << (memLevel+9))
- that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
- plus a few kilobytes for small objects. For example, if you want to reduce
- the default memory requirements from 256K to 128K, compile with
-     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
- Of course this will generally degrade compression (there's no free lunch).
-
-   The memory requirements for inflate are (in bytes) 1 << windowBits
- that is, 32K for windowBits=15 (default value) plus a few kilobytes
- for small objects.
-*/
-
-                        /* Type declarations */
-
-#ifndef OF /* function prototypes */
-#  ifdef STDC
-#    define OF(args)  args
-#  else
-#    define OF(args)  ()
-#  endif
-#endif
-
-/* The following definitions for FAR are needed only for MSDOS mixed
- * model programming (small or medium model with some far allocations).
- * This was tested only with MSC; for other MSDOS compilers you may have
- * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
- * just define FAR to be empty.
- */
-#ifdef SYS16BIT
-#  if defined(M_I86SM) || defined(M_I86MM)
-     /* MSC small or medium model */
-#    define SMALL_MEDIUM
-#    ifdef _MSC_VER
-#      define FAR _far
-#    else
-#      define FAR far
-#    endif
-#  endif
-#  if (defined(__SMALL__) || defined(__MEDIUM__))
-     /* Turbo C small or medium model */
-#    define SMALL_MEDIUM
-#    ifdef __BORLANDC__
-#      define FAR _far
-#    else
-#      define FAR far
-#    endif
-#  endif
-#endif
-
-#if defined(WINDOWS) || defined(WIN32)
-   /* If building or using zlib as a DLL, define ZLIB_DLL.
-    * This is not mandatory, but it offers a little performance increase.
-    */
-#  ifdef ZLIB_DLL
-#    if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))
-#      ifdef ZLIB_INTERNAL
-#        define ZEXTERN extern __declspec(dllexport)
-#      else
-#        define ZEXTERN extern __declspec(dllimport)
-#      endif
-#    endif
-#  endif  /* ZLIB_DLL */
-   /* If building or using zlib with the WINAPI/WINAPIV calling convention,
-    * define ZLIB_WINAPI.
-    * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.
-    */
-#  ifdef ZLIB_WINAPI
-#    ifdef FAR
-#      undef FAR
-#    endif
-#    include <windows.h>
-     /* No need for _export, use ZLIB.DEF instead. */
-     /* For complete Windows compatibility, use WINAPI, not __stdcall. */
-#    define ZEXPORT WINAPI
-#    ifdef WIN32
-#      define ZEXPORTVA WINAPIV
-#    else
-#      define ZEXPORTVA FAR CDECL
-#    endif
-#  endif
-#endif
-
-#if defined (__BEOS__)
-#  ifdef ZLIB_DLL
-#    ifdef ZLIB_INTERNAL
-#      define ZEXPORT   __declspec(dllexport)
-#      define ZEXPORTVA __declspec(dllexport)
-#    else
-#      define ZEXPORT   __declspec(dllimport)
-#      define ZEXPORTVA __declspec(dllimport)
-#    endif
-#  endif
-#endif
-
-#ifndef ZEXTERN
-#  define ZEXTERN extern
-#endif
-#ifndef ZEXPORT
-#  define ZEXPORT
-#endif
-#ifndef ZEXPORTVA
-#  define ZEXPORTVA
-#endif
-
-#ifndef FAR
-#  define FAR
-#endif
-
-#if !defined(__MACTYPES__)
-typedef unsigned char  Byte;  /* 8 bits */
-#endif
-typedef unsigned int   uInt;  /* 16 bits or more */
-typedef unsigned long  uLong; /* 32 bits or more */
-
-#ifdef SMALL_MEDIUM
-   /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */
-#  define Bytef Byte FAR
-#else
-   typedef Byte  FAR Bytef;
-#endif
-typedef char  FAR charf;
-typedef int   FAR intf;
-typedef uInt  FAR uIntf;
-typedef uLong FAR uLongf;
-
-#ifdef STDC
-   typedef void const *voidpc;
-   typedef void FAR   *voidpf;
-   typedef void       *voidp;
-#else
-   typedef Byte const *voidpc;
-   typedef Byte FAR   *voidpf;
-   typedef Byte       *voidp;
-#endif
-
-#if 0           /* HAVE_UNISTD_H -- this line is updated by ./configure */
-#  include <sys/types.h> /* for off_t */
-#  include <unistd.h>    /* for SEEK_* and off_t */
-#  ifdef VMS
-#    include <unixio.h>   /* for off_t */
-#  endif
-#  define z_off_t off_t
-#endif
-#ifndef SEEK_SET
-#  define SEEK_SET        0       /* Seek from beginning of file.  */
-#  define SEEK_CUR        1       /* Seek from current position.  */
-#  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
-#endif
-#ifndef z_off_t
-#  define z_off_t long
-#endif
-
-#if defined(__OS400__)
-#  define NO_vsnprintf
-#endif
-
-#if defined(__MVS__)
-#  define NO_vsnprintf
-#  ifdef FAR
-#    undef FAR
-#  endif
-#endif
-
-/* MVS linker does not support external names larger than 8 bytes */
-#if defined(__MVS__)
-#   pragma map(deflateInit_,"DEIN")
-#   pragma map(deflateInit2_,"DEIN2")
-#   pragma map(deflateEnd,"DEEND")
-#   pragma map(deflateBound,"DEBND")
-#   pragma map(inflateInit_,"ININ")
-#   pragma map(inflateInit2_,"ININ2")
-#   pragma map(inflateEnd,"INEND")
-#   pragma map(inflateSync,"INSY")
-#   pragma map(inflateSetDictionary,"INSEDI")
-#   pragma map(compressBound,"CMBND")
-#   pragma map(inflate_table,"INTABL")
-#   pragma map(inflate_fast,"INFA")
-#   pragma map(inflate_copyright,"INCOPY")
-#endif
-
-#endif /* ZCONF_H */
diff --git a/security/nss/cmd/zlib/zlib.h b/security/nss/cmd/zlib/zlib.h
deleted file mode 100644
index 022817927..000000000
--- a/security/nss/cmd/zlib/zlib.h
+++ /dev/null
@@ -1,1357 +0,0 @@
-/* zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.3, July 18th, 2005
-
-  Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
-
-  This software is provided 'as-is', without any express or implied
-  warranty.  In no event will the authors be held liable for any damages
-  arising from the use of this software.
-
-  Permission is granted to anyone to use this software for any purpose,
-  including commercial applications, and to alter it and redistribute it
-  freely, subject to the following restrictions:
-
-  1. The origin of this software must not be misrepresented; you must not
-     claim that you wrote the original software. If you use this software
-     in a product, an acknowledgment in the product documentation would be
-     appreciated but is not required.
-  2. Altered source versions must be plainly marked as such, and must not be
-     misrepresented as being the original software.
-  3. This notice may not be removed or altered from any source distribution.
-
-  Jean-loup Gailly        Mark Adler
-  jloup@gzip.org          madler@alumni.caltech.edu
-
-
-  The data format used by the zlib library is described by RFCs (Request for
-  Comments) 1950 to 1952 in the files http://www.ietf.org/rfc/rfc1950.txt
-  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
-*/
-
-#ifndef ZLIB_H
-#define ZLIB_H
-
-#include "zconf.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define ZLIB_VERSION "1.2.3"
-#define ZLIB_VERNUM 0x1230
-
-/*
-     The 'zlib' compression library provides in-memory compression and
-  decompression functions, including integrity checks of the uncompressed
-  data.  This version of the library supports only one compression method
-  (deflation) but other algorithms will be added later and will have the same
-  stream interface.
-
-     Compression can be done in a single step if the buffers are large
-  enough (for example if an input file is mmap'ed), or can be done by
-  repeated calls of the compression function.  In the latter case, the
-  application must provide more input and/or consume the output
-  (providing more output space) before each call.
-
-     The compressed data format used by default by the in-memory functions is
-  the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped
-  around a deflate stream, which is itself documented in RFC 1951.
-
-     The library also supports reading and writing files in gzip (.gz) format
-  with an interface similar to that of stdio using the functions that start
-  with "gz".  The gzip format is different from the zlib format.  gzip is a
-  gzip wrapper, documented in RFC 1952, wrapped around a deflate stream.
-
-     This library can optionally read and write gzip streams in memory as well.
-
-     The zlib format was designed to be compact and fast for use in memory
-  and on communications channels.  The gzip format was designed for single-
-  file compression on file systems, has a larger header than zlib to maintain
-  directory information, and uses a different, slower check method than zlib.
-
-     The library does not install any signal handler. The decoder checks
-  the consistency of the compressed data, so the library should never
-  crash even in case of corrupted input.
-*/
-
-typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
-typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
-
-struct internal_state;
-
-typedef struct z_stream_s {
-    Bytef    *next_in;  /* next input byte */
-    uInt     avail_in;  /* number of bytes available at next_in */
-    uLong    total_in;  /* total nb of input bytes read so far */
-
-    Bytef    *next_out; /* next output byte should be put there */
-    uInt     avail_out; /* remaining free space at next_out */
-    uLong    total_out; /* total nb of bytes output so far */
-
-    char     *msg;      /* last error message, NULL if no error */
-    struct internal_state FAR *state; /* not visible by applications */
-
-    alloc_func zalloc;  /* used to allocate the internal state */
-    free_func  zfree;   /* used to free the internal state */
-    voidpf     opaque;  /* private data object passed to zalloc and zfree */
-
-    int     data_type;  /* best guess about the data type: binary or text */
-    uLong   adler;      /* adler32 value of the uncompressed data */
-    uLong   reserved;   /* reserved for future use */
-} z_stream;
-
-typedef z_stream FAR *z_streamp;
-
-/*
-     gzip header information passed to and from zlib routines.  See RFC 1952
-  for more details on the meanings of these fields.
-*/
-typedef struct gz_header_s {
-    int     text;       /* true if compressed data believed to be text */
-    uLong   time;       /* modification time */
-    int     xflags;     /* extra flags (not used when writing a gzip file) */
-    int     os;         /* operating system */
-    Bytef   *extra;     /* pointer to extra field or Z_NULL if none */
-    uInt    extra_len;  /* extra field length (valid if extra != Z_NULL) */
-    uInt    extra_max;  /* space at extra (only when reading header) */
-    Bytef   *name;      /* pointer to zero-terminated file name or Z_NULL */
-    uInt    name_max;   /* space at name (only when reading header) */
-    Bytef   *comment;   /* pointer to zero-terminated comment or Z_NULL */
-    uInt    comm_max;   /* space at comment (only when reading header) */
-    int     hcrc;       /* true if there was or will be a header crc */
-    int     done;       /* true when done reading gzip header (not used
-                           when writing a gzip file) */
-} gz_header;
-
-typedef gz_header FAR *gz_headerp;
-
-/*
-   The application must update next_in and avail_in when avail_in has
-   dropped to zero. It must update next_out and avail_out when avail_out
-   has dropped to zero. The application must initialize zalloc, zfree and
-   opaque before calling the init function. All other fields are set by the
-   compression library and must not be updated by the application.
-
-   The opaque value provided by the application will be passed as the first
-   parameter for calls of zalloc and zfree. This can be useful for custom
-   memory management. The compression library attaches no meaning to the
-   opaque value.
-
-   zalloc must return Z_NULL if there is not enough memory for the object.
-   If zlib is used in a multi-threaded application, zalloc and zfree must be
-   thread safe.
-
-   On 16-bit systems, the functions zalloc and zfree must be able to allocate
-   exactly 65536 bytes, but will not be required to allocate more than this
-   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
-   pointers returned by zalloc for objects of exactly 65536 bytes *must*
-   have their offset normalized to zero. The default allocation function
-   provided by this library ensures this (see zutil.c). To reduce memory
-   requirements and avoid any allocation of 64K objects, at the expense of
-   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
-
-   The fields total_in and total_out can be used for statistics or
-   progress reports. After compression, total_in holds the total size of
-   the uncompressed data and may be saved for use in the decompressor
-   (particularly if the decompressor wants to decompress everything in
-   a single step).
-*/
-
-                        /* constants */
-
-#define Z_NO_FLUSH      0
-#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */
-#define Z_SYNC_FLUSH    2
-#define Z_FULL_FLUSH    3
-#define Z_FINISH        4
-#define Z_BLOCK         5
-/* Allowed flush values; see deflate() and inflate() below for details */
-
-#define Z_OK            0
-#define Z_STREAM_END    1
-#define Z_NEED_DICT     2
-#define Z_ERRNO        (-1)
-#define Z_STREAM_ERROR (-2)
-#define Z_DATA_ERROR   (-3)
-#define Z_MEM_ERROR    (-4)
-#define Z_BUF_ERROR    (-5)
-#define Z_VERSION_ERROR (-6)
-/* Return codes for the compression/decompression functions. Negative
- * values are errors, positive values are used for special but normal events.
- */
-
-#define Z_NO_COMPRESSION         0
-#define Z_BEST_SPEED             1
-#define Z_BEST_COMPRESSION       9
-#define Z_DEFAULT_COMPRESSION  (-1)
-/* compression levels */
-
-#define Z_FILTERED            1
-#define Z_HUFFMAN_ONLY        2
-#define Z_RLE                 3
-#define Z_FIXED               4
-#define Z_DEFAULT_STRATEGY    0
-/* compression strategy; see deflateInit2() below for details */
-
-#define Z_BINARY   0
-#define Z_TEXT     1
-#define Z_ASCII    Z_TEXT   /* for compatibility with 1.2.2 and earlier */
-#define Z_UNKNOWN  2
-/* Possible values of the data_type field (though see inflate()) */
-
-#define Z_DEFLATED   8
-/* The deflate compression method (the only one supported in this version) */
-
-#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
-
-#define zlib_version zlibVersion()
-/* for compatibility with versions < 1.0.2 */
-
-                        /* basic functions */
-
-ZEXTERN const char * ZEXPORT zlibVersion OF((void));
-/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
-   If the first character differs, the library code actually used is
-   not compatible with the zlib.h header file used by the application.
-   This check is automatically made by deflateInit and inflateInit.
- */
-
-/*
-ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level));
-
-     Initializes the internal stream state for compression. The fields
-   zalloc, zfree and opaque must be initialized before by the caller.
-   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
-   use default allocation functions.
-
-     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
-   1 gives best speed, 9 gives best compression, 0 gives no compression at
-   all (the input data is simply copied a block at a time).
-   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
-   compression (currently equivalent to level 6).
-
-     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
-   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
-   with the version assumed by the caller (ZLIB_VERSION).
-   msg is set to null if there is no error message.  deflateInit does not
-   perform any compression: this will be done by deflate().
-*/
-
-
-ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
-/*
-    deflate compresses as much data as possible, and stops when the input
-  buffer becomes empty or the output buffer becomes full. It may introduce some
-  output latency (reading input without producing any output) except when
-  forced to flush.
-
-    The detailed semantics are as follows. deflate performs one or both of the
-  following actions:
-
-  - Compress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
-    enough room in the output buffer), next_in and avail_in are updated and
-    processing will resume at this point for the next call of deflate().
-
-  - Provide more output starting at next_out and update next_out and avail_out
-    accordingly. This action is forced if the parameter flush is non zero.
-    Forcing flush frequently degrades the compression ratio, so this parameter
-    should be set only when necessary (in interactive applications).
-    Some output may be provided even if flush is not set.
-
-  Before the call of deflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating avail_in or avail_out accordingly; avail_out
-  should never be zero before the call. The application can consume the
-  compressed output when it wants, for example when the output buffer is full
-  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
-  and with zero avail_out, it must be called again after making room in the
-  output buffer because there might be more output pending.
-
-    Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to
-  decide how much data to accumualte before producing output, in order to
-  maximize compression.
-
-    If the parameter flush is set to Z_SYNC_FLUSH, all pending output is
-  flushed to the output buffer and the output is aligned on a byte boundary, so
-  that the decompressor can get all input data available so far. (In particular
-  avail_in is zero after the call if enough output space has been provided
-  before the call.)  Flushing may degrade compression for some compression
-  algorithms and so it should be used only when necessary.
-
-    If flush is set to Z_FULL_FLUSH, all output is flushed as with
-  Z_SYNC_FLUSH, and the compression state is reset so that decompression can
-  restart from this point if previous compressed data has been damaged or if
-  random access is desired. Using Z_FULL_FLUSH too often can seriously degrade
-  compression.
-
-    If deflate returns with avail_out == 0, this function must be called again
-  with the same value of the flush parameter and more output space (updated
-  avail_out), until the flush is complete (deflate returns with non-zero
-  avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that
-  avail_out is greater than six to avoid repeated flush markers due to
-  avail_out == 0 on return.
-
-    If the parameter flush is set to Z_FINISH, pending input is processed,
-  pending output is flushed and deflate returns with Z_STREAM_END if there
-  was enough output space; if deflate returns with Z_OK, this function must be
-  called again with Z_FINISH and more output space (updated avail_out) but no
-  more input data, until it returns with Z_STREAM_END or an error. After
-  deflate has returned Z_STREAM_END, the only possible operations on the
-  stream are deflateReset or deflateEnd.
-
-    Z_FINISH can be used immediately after deflateInit if all the compression
-  is to be done in a single step. In this case, avail_out must be at least
-  the value returned by deflateBound (see below). If deflate does not return
-  Z_STREAM_END, then it must be called again as described above.
-
-    deflate() sets strm->adler to the adler32 checksum of all input read
-  so far (that is, total_in bytes).
-
-    deflate() may update strm->data_type if it can make a good guess about
-  the input data type (Z_BINARY or Z_TEXT). In doubt, the data is considered
-  binary. This field is only for information purposes and does not affect
-  the compression algorithm in any manner.
-
-    deflate() returns Z_OK if some progress has been made (more input
-  processed or more output produced), Z_STREAM_END if all input has been
-  consumed and all output has been produced (only when flush is set to
-  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
-  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible
-  (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not
-  fatal, and deflate() can be called again with more input and more output
-  space to continue compressing.
-*/
-
-
-ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
-/*
-     All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
-
-     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
-   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
-   prematurely (some input or output was discarded). In the error case,
-   msg may be set but then points to a static string (which must not be
-   deallocated).
-*/
-
-
-/*
-ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
-
-     Initializes the internal stream state for decompression. The fields
-   next_in, avail_in, zalloc, zfree and opaque must be initialized before by
-   the caller. If next_in is not Z_NULL and avail_in is large enough (the exact
-   value depends on the compression method), inflateInit determines the
-   compression method from the zlib header and allocates all data structures
-   accordingly; otherwise the allocation will be deferred to the first call of
-   inflate.  If zalloc and zfree are set to Z_NULL, inflateInit updates them to
-   use default allocation functions.
-
-     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
-   version assumed by the caller.  msg is set to null if there is no error
-   message. inflateInit does not perform any decompression apart from reading
-   the zlib header if present: this will be done by inflate().  (So next_in and
-   avail_in may be modified, but next_out and avail_out are unchanged.)
-*/
-
-
-ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
-/*
-    inflate decompresses as much data as possible, and stops when the input
-  buffer becomes empty or the output buffer becomes full. It may introduce
-  some output latency (reading input without producing any output) except when
-  forced to flush.
-
-  The detailed semantics are as follows. inflate performs one or both of the
-  following actions:
-
-  - Decompress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
-    enough room in the output buffer), next_in is updated and processing
-    will resume at this point for the next call of inflate().
-
-  - Provide more output starting at next_out and update next_out and avail_out
-    accordingly.  inflate() provides as much output as possible, until there
-    is no more input data or no more space in the output buffer (see below
-    about the flush parameter).
-
-  Before the call of inflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating the next_* and avail_* values accordingly.
-  The application can consume the uncompressed output when it wants, for
-  example when the output buffer is full (avail_out == 0), or after each
-  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
-  must be called again after making room in the output buffer because there
-  might be more output pending.
-
-    The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH,
-  Z_FINISH, or Z_BLOCK. Z_SYNC_FLUSH requests that inflate() flush as much
-  output as possible to the output buffer. Z_BLOCK requests that inflate() stop
-  if and when it gets to the next deflate block boundary. When decoding the
-  zlib or gzip format, this will cause inflate() to return immediately after
-  the header and before the first block. When doing a raw inflate, inflate()
-  will go ahead and process the first block, and will return when it gets to
-  the end of that block, or when it runs out of data.
-
-    The Z_BLOCK option assists in appending to or combining deflate streams.
-  Also to assist in this, on return inflate() will set strm->data_type to the
-  number of unused bits in the last byte taken from strm->next_in, plus 64
-  if inflate() is currently decoding the last block in the deflate stream,
-  plus 128 if inflate() returned immediately after decoding an end-of-block
-  code or decoding the complete header up to just before the first byte of the
-  deflate stream. The end-of-block will not be indicated until all of the
-  uncompressed data from that block has been written to strm->next_out.  The
-  number of unused bits may in general be greater than seven, except when
-  bit 7 of data_type is set, in which case the number of unused bits will be
-  less than eight.
-
-    inflate() should normally be called until it returns Z_STREAM_END or an
-  error. However if all decompression is to be performed in a single step
-  (a single call of inflate), the parameter flush should be set to
-  Z_FINISH. In this case all pending input is processed and all pending
-  output is flushed; avail_out must be large enough to hold all the
-  uncompressed data. (The size of the uncompressed data may have been saved
-  by the compressor for this purpose.) The next operation on this stream must
-  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
-  is never required, but can be used to inform inflate that a faster approach
-  may be used for the single inflate() call.
-
-     In this implementation, inflate() always flushes as much output as
-  possible to the output buffer, and always uses the faster approach on the
-  first call. So the only effect of the flush parameter in this implementation
-  is on the return value of inflate(), as noted below, or when it returns early
-  because Z_BLOCK is used.
-
-     If a preset dictionary is needed after this call (see inflateSetDictionary
-  below), inflate sets strm->adler to the adler32 checksum of the dictionary
-  chosen by the compressor and returns Z_NEED_DICT; otherwise it sets
-  strm->adler to the adler32 checksum of all output produced so far (that is,
-  total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described
-  below. At the end of the stream, inflate() checks that its computed adler32
-  checksum is equal to that saved by the compressor and returns Z_STREAM_END
-  only if the checksum is correct.
-
-    inflate() will decompress and check either zlib-wrapped or gzip-wrapped
-  deflate data.  The header type is detected automatically.  Any information
-  contained in the gzip header is not retained, so applications that need that
-  information should instead use raw inflate, see inflateInit2() below, or
-  inflateBack() and perform their own processing of the gzip header and
-  trailer.
-
-    inflate() returns Z_OK if some progress has been made (more input processed
-  or more output produced), Z_STREAM_END if the end of the compressed data has
-  been reached and all uncompressed output has been produced, Z_NEED_DICT if a
-  preset dictionary is needed at this point, Z_DATA_ERROR if the input data was
-  corrupted (input stream not conforming to the zlib format or incorrect check
-  value), Z_STREAM_ERROR if the stream structure was inconsistent (for example
-  if next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
-  Z_BUF_ERROR if no progress is possible or if there was not enough room in the
-  output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and
-  inflate() can be called again with more input and more output space to
-  continue decompressing. If Z_DATA_ERROR is returned, the application may then
-  call inflateSync() to look for a good compression block if a partial recovery
-  of the data is desired.
-*/
-
-
-ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm));
-/*
-     All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
-
-     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
-   was inconsistent. In the error case, msg may be set but then points to a
-   static string (which must not be deallocated).
-*/
-
-                        /* Advanced functions */
-
-/*
-    The following functions are needed only in some special applications.
-*/
-
-/*
-ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm,
-                                     int  level,
-                                     int  method,
-                                     int  windowBits,
-                                     int  memLevel,
-                                     int  strategy));
-
-     This is another version of deflateInit with more compression options. The
-   fields next_in, zalloc, zfree and opaque must be initialized before by
-   the caller.
-
-     The method parameter is the compression method. It must be Z_DEFLATED in
-   this version of the library.
-
-     The windowBits parameter is the base two logarithm of the window size
-   (the size of the history buffer). It should be in the range 8..15 for this
-   version of the library. Larger values of this parameter result in better
-   compression at the expense of memory usage. The default value is 15 if
-   deflateInit is used instead.
-
-     windowBits can also be -8..-15 for raw deflate. In this case, -windowBits
-   determines the window size. deflate() will then generate raw deflate data
-   with no zlib header or trailer, and will not compute an adler32 check value.
-
-     windowBits can also be greater than 15 for optional gzip encoding. Add
-   16 to windowBits to write a simple gzip header and trailer around the
-   compressed data instead of a zlib wrapper. The gzip header will have no
-   file name, no extra data, no comment, no modification time (set to zero),
-   no header crc, and the operating system will be set to 255 (unknown).  If a
-   gzip stream is being written, strm->adler is a crc32 instead of an adler32.
-
-     The memLevel parameter specifies how much memory should be allocated
-   for the internal compression state. memLevel=1 uses minimum memory but
-   is slow and reduces compression ratio; memLevel=9 uses maximum memory
-   for optimal speed. The default value is 8. See zconf.h for total memory
-   usage as a function of windowBits and memLevel.
-
-     The strategy parameter is used to tune the compression algorithm. Use the
-   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
-   filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no
-   string match), or Z_RLE to limit match distances to one (run-length
-   encoding). Filtered data consists mostly of small values with a somewhat
-   random distribution. In this case, the compression algorithm is tuned to
-   compress them better. The effect of Z_FILTERED is to force more Huffman
-   coding and less string matching; it is somewhat intermediate between
-   Z_DEFAULT and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as
-   Z_HUFFMAN_ONLY, but give better compression for PNG image data. The strategy
-   parameter only affects the compression ratio but not the correctness of the
-   compressed output even if it is not set appropriately.  Z_FIXED prevents the
-   use of dynamic Huffman codes, allowing for a simpler decoder for special
-   applications.
-
-      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid
-   method). msg is set to null if there is no error message.  deflateInit2 does
-   not perform any compression: this will be done by deflate().
-*/
-
-ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
-                                             const Bytef *dictionary,
-                                             uInt  dictLength));
-/*
-     Initializes the compression dictionary from the given byte sequence
-   without producing any compressed output. This function must be called
-   immediately after deflateInit, deflateInit2 or deflateReset, before any
-   call of deflate. The compressor and decompressor must use exactly the same
-   dictionary (see inflateSetDictionary).
-
-     The dictionary should consist of strings (byte sequences) that are likely
-   to be encountered later in the data to be compressed, with the most commonly
-   used strings preferably put towards the end of the dictionary. Using a
-   dictionary is most useful when the data to be compressed is short and can be
-   predicted with good accuracy; the data can then be compressed better than
-   with the default empty dictionary.
-
-     Depending on the size of the compression data structures selected by
-   deflateInit or deflateInit2, a part of the dictionary may in effect be
-   discarded, for example if the dictionary is larger than the window size in
-   deflate or deflate2. Thus the strings most likely to be useful should be
-   put at the end of the dictionary, not at the front. In addition, the
-   current implementation of deflate will use at most the window size minus
-   262 bytes of the provided dictionary.
-
-     Upon return of this function, strm->adler is set to the adler32 value
-   of the dictionary; the decompressor may later use this value to determine
-   which dictionary has been used by the compressor. (The adler32 value
-   applies to the whole dictionary even if only a subset of the dictionary is
-   actually used by the compressor.) If a raw deflate was requested, then the
-   adler32 value is not computed and strm->adler is not set.
-
-     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state is
-   inconsistent (for example if deflate has already been called for this stream
-   or if the compression method is bsort). deflateSetDictionary does not
-   perform any compression: this will be done by deflate().
-*/
-
-ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
-                                    z_streamp source));
-/*
-     Sets the destination stream as a complete copy of the source stream.
-
-     This function can be useful when several compression strategies will be
-   tried, for example when there are several ways of pre-processing the input
-   data with a filter. The streams that will be discarded should then be freed
-   by calling deflateEnd.  Note that deflateCopy duplicates the internal
-   compression state which can be quite large, so this strategy is slow and
-   can consume lots of memory.
-
-     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
-   (such as zalloc being NULL). msg is left unchanged in both source and
-   destination.
-*/
-
-ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm));
-/*
-     This function is equivalent to deflateEnd followed by deflateInit,
-   but does not free and reallocate all the internal compression state.
-   The stream will keep the same compression level and any other attributes
-   that may have been set by deflateInit2.
-
-      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
-                                      int level,
-                                      int strategy));
-/*
-     Dynamically update the compression level and compression strategy.  The
-   interpretation of level and strategy is as in deflateInit2.  This can be
-   used to switch between compression and straight copy of the input data, or
-   to switch to a different kind of input data requiring a different
-   strategy. If the compression level is changed, the input available so far
-   is compressed with the old level (and may be flushed); the new level will
-   take effect only at the next call of deflate().
-
-     Before the call of deflateParams, the stream state must be set as for
-   a call of deflate(), since the currently available input may have to
-   be compressed and flushed. In particular, strm->avail_out must be non-zero.
-
-     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
-   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
-   if strm->avail_out was zero.
-*/
-
-ZEXTERN int ZEXPORT deflateTune OF((z_streamp strm,
-                                    int good_length,
-                                    int max_lazy,
-                                    int nice_length,
-                                    int max_chain));
-/*
-     Fine tune deflate's internal compression parameters.  This should only be
-   used by someone who understands the algorithm used by zlib's deflate for
-   searching for the best matching string, and even then only by the most
-   fanatic optimizer trying to squeeze out the last compressed bit for their
-   specific input data.  Read the deflate.c source code for the meaning of the
-   max_lazy, good_length, nice_length, and max_chain parameters.
-
-     deflateTune() can be called after deflateInit() or deflateInit2(), and
-   returns Z_OK on success, or Z_STREAM_ERROR for an invalid deflate stream.
- */
-
-ZEXTERN uLong ZEXPORT deflateBound OF((z_streamp strm,
-                                       uLong sourceLen));
-/*
-     deflateBound() returns an upper bound on the compressed size after
-   deflation of sourceLen bytes.  It must be called after deflateInit()
-   or deflateInit2().  This would be used to allocate an output buffer
-   for deflation in a single pass, and so would be called before deflate().
-*/
-
-ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm,
-                                     int bits,
-                                     int value));
-/*
-     deflatePrime() inserts bits in the deflate output stream.  The intent
-  is that this function is used to start off the deflate output with the
-  bits leftover from a previous deflate stream when appending to it.  As such,
-  this function can only be used for raw deflate, and must be used before the
-  first deflate() call after a deflateInit2() or deflateReset().  bits must be
-  less than or equal to 16, and that many of the least significant bits of
-  value will be inserted in the output.
-
-      deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent.
-*/
-
-ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm,
-                                         gz_headerp head));
-/*
-      deflateSetHeader() provides gzip header information for when a gzip
-   stream is requested by deflateInit2().  deflateSetHeader() may be called
-   after deflateInit2() or deflateReset() and before the first call of
-   deflate().  The text, time, os, extra field, name, and comment information
-   in the provided gz_header structure are written to the gzip header (xflag is
-   ignored -- the extra flags are set according to the compression level).  The
-   caller must assure that, if not Z_NULL, name and comment are terminated with
-   a zero byte, and that if extra is not Z_NULL, that extra_len bytes are
-   available there.  If hcrc is true, a gzip header crc is included.  Note that
-   the current versions of the command-line version of gzip (up through version
-   1.3.x) do not support header crc's, and will report that it is a "multi-part
-   gzip file" and give up.
-
-      If deflateSetHeader is not used, the default gzip header has text false,
-   the time set to zero, and os set to 255, with no extra, name, or comment
-   fields.  The gzip header is returned to the default state by deflateReset().
-
-      deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent.
-*/
-
-/*
-ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm,
-                                     int  windowBits));
-
-     This is another version of inflateInit with an extra parameter. The
-   fields next_in, avail_in, zalloc, zfree and opaque must be initialized
-   before by the caller.
-
-     The windowBits parameter is the base two logarithm of the maximum window
-   size (the size of the history buffer).  It should be in the range 8..15 for
-   this version of the library. The default value is 15 if inflateInit is used
-   instead. windowBits must be greater than or equal to the windowBits value
-   provided to deflateInit2() while compressing, or it must be equal to 15 if
-   deflateInit2() was not used. If a compressed stream with a larger window
-   size is given as input, inflate() will return with the error code
-   Z_DATA_ERROR instead of trying to allocate a larger window.
-
-     windowBits can also be -8..-15 for raw inflate. In this case, -windowBits
-   determines the window size. inflate() will then process raw deflate data,
-   not looking for a zlib or gzip header, not generating a check value, and not
-   looking for any check values for comparison at the end of the stream. This
-   is for use with other formats that use the deflate compressed data format
-   such as zip.  Those formats provide their own check values. If a custom
-   format is developed using the raw deflate format for compressed data, it is
-   recommended that a check value such as an adler32 or a crc32 be applied to
-   the uncompressed data as is done in the zlib, gzip, and zip formats.  For
-   most applications, the zlib format should be used as is. Note that comments
-   above on the use in deflateInit2() applies to the magnitude of windowBits.
-
-     windowBits can also be greater than 15 for optional gzip decoding. Add
-   32 to windowBits to enable zlib and gzip decoding with automatic header
-   detection, or add 16 to decode only the gzip format (the zlib format will
-   return a Z_DATA_ERROR).  If a gzip stream is being decoded, strm->adler is
-   a crc32 instead of an adler32.
-
-     inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_STREAM_ERROR if a parameter is invalid (such as a null strm). msg
-   is set to null if there is no error message.  inflateInit2 does not perform
-   any decompression apart from reading the zlib header if present: this will
-   be done by inflate(). (So next_in and avail_in may be modified, but next_out
-   and avail_out are unchanged.)
-*/
-
-ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
-                                             const Bytef *dictionary,
-                                             uInt  dictLength));
-/*
-     Initializes the decompression dictionary from the given uncompressed byte
-   sequence. This function must be called immediately after a call of inflate,
-   if that call returned Z_NEED_DICT. The dictionary chosen by the compressor
-   can be determined from the adler32 value returned by that call of inflate.
-   The compressor and decompressor must use exactly the same dictionary (see
-   deflateSetDictionary).  For raw inflate, this function can be called
-   immediately after inflateInit2() or inflateReset() and before any call of
-   inflate() to set the dictionary.  The application must insure that the
-   dictionary that was used for compression is provided.
-
-     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state is
-   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
-   expected one (incorrect adler32 value). inflateSetDictionary does not
-   perform any decompression: this will be done by subsequent calls of
-   inflate().
-*/
-
-ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm));
-/*
-    Skips invalid compressed data until a full flush point (see above the
-  description of deflate with Z_FULL_FLUSH) can be found, or until all
-  available input is skipped. No output is provided.
-
-    inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
-  if no more input was provided, Z_DATA_ERROR if no flush point has been found,
-  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
-  case, the application may save the current current value of total_in which
-  indicates where valid compressed data was found. In the error case, the
-  application may repeatedly call inflateSync, providing more input each time,
-  until success or end of the input data.
-*/
-
-ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest,
-                                    z_streamp source));
-/*
-     Sets the destination stream as a complete copy of the source stream.
-
-     This function can be useful when randomly accessing a large stream.  The
-   first pass through the stream can periodically record the inflate state,
-   allowing restarting inflate at those points when randomly accessing the
-   stream.
-
-     inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
-   (such as zalloc being NULL). msg is left unchanged in both source and
-   destination.
-*/
-
-ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm));
-/*
-     This function is equivalent to inflateEnd followed by inflateInit,
-   but does not free and reallocate all the internal decompression state.
-   The stream will keep attributes that may have been set by inflateInit2.
-
-      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm,
-                                     int bits,
-                                     int value));
-/*
-     This function inserts bits in the inflate input stream.  The intent is
-  that this function is used to start inflating at a bit position in the
-  middle of a byte.  The provided bits will be used before any bytes are used
-  from next_in.  This function should only be used with raw inflate, and
-  should be used before the first inflate() call after inflateInit2() or
-  inflateReset().  bits must be less than or equal to 16, and that many of the
-  least significant bits of value will be inserted in the input.
-
-      inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent.
-*/
-
-ZEXTERN int ZEXPORT inflateGetHeader OF((z_streamp strm,
-                                         gz_headerp head));
-/*
-      inflateGetHeader() requests that gzip header information be stored in the
-   provided gz_header structure.  inflateGetHeader() may be called after
-   inflateInit2() or inflateReset(), and before the first call of inflate().
-   As inflate() processes the gzip stream, head->done is zero until the header
-   is completed, at which time head->done is set to one.  If a zlib stream is
-   being decoded, then head->done is set to -1 to indicate that there will be
-   no gzip header information forthcoming.  Note that Z_BLOCK can be used to
-   force inflate() to return immediately after header processing is complete
-   and before any actual data is decompressed.
-
-      The text, time, xflags, and os fields are filled in with the gzip header
-   contents.  hcrc is set to true if there is a header CRC.  (The header CRC
-   was valid if done is set to one.)  If extra is not Z_NULL, then extra_max
-   contains the maximum number of bytes to write to extra.  Once done is true,
-   extra_len contains the actual extra field length, and extra contains the
-   extra field, or that field truncated if extra_max is less than extra_len.
-   If name is not Z_NULL, then up to name_max characters are written there,
-   terminated with a zero unless the length is greater than name_max.  If
-   comment is not Z_NULL, then up to comm_max characters are written there,
-   terminated with a zero unless the length is greater than comm_max.  When
-   any of extra, name, or comment are not Z_NULL and the respective field is
-   not present in the header, then that field is set to Z_NULL to signal its
-   absence.  This allows the use of deflateSetHeader() with the returned
-   structure to duplicate the header.  However if those fields are set to
-   allocated memory, then the application will need to save those pointers
-   elsewhere so that they can be eventually freed.
-
-      If inflateGetHeader is not used, then the header information is simply
-   discarded.  The header is always checked for validity, including the header
-   CRC if present.  inflateReset() will reset the process to discard the header
-   information.  The application would need to call inflateGetHeader() again to
-   retrieve the header from the next gzip stream.
-
-      inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent.
-*/
-
-/*
-ZEXTERN int ZEXPORT inflateBackInit OF((z_streamp strm, int windowBits,
-                                        unsigned char FAR *window));
-
-     Initialize the internal stream state for decompression using inflateBack()
-   calls.  The fields zalloc, zfree and opaque in strm must be initialized
-   before the call.  If zalloc and zfree are Z_NULL, then the default library-
-   derived memory allocation routines are used.  windowBits is the base two
-   logarithm of the window size, in the range 8..15.  window is a caller
-   supplied buffer of that size.  Except for special applications where it is
-   assured that deflate was used with small window sizes, windowBits must be 15
-   and a 32K byte window must be supplied to be able to decompress general
-   deflate streams.
-
-     See inflateBack() for the usage of these routines.
-
-     inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of
-   the paramaters are invalid, Z_MEM_ERROR if the internal state could not
-   be allocated, or Z_VERSION_ERROR if the version of the library does not
-   match the version of the header file.
-*/
-
-typedef unsigned (*in_func) OF((void FAR *, unsigned char FAR * FAR *));
-typedef int (*out_func) OF((void FAR *, unsigned char FAR *, unsigned));
-
-ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm,
-                                    in_func in, void FAR *in_desc,
-                                    out_func out, void FAR *out_desc));
-/*
-     inflateBack() does a raw inflate with a single call using a call-back
-   interface for input and output.  This is more efficient than inflate() for
-   file i/o applications in that it avoids copying between the output and the
-   sliding window by simply making the window itself the output buffer.  This
-   function trusts the application to not change the output buffer passed by
-   the output function, at least until inflateBack() returns.
-
-     inflateBackInit() must be called first to allocate the internal state
-   and to initialize the state with the user-provided window buffer.
-   inflateBack() may then be used multiple times to inflate a complete, raw
-   deflate stream with each call.  inflateBackEnd() is then called to free
-   the allocated state.
-
-     A raw deflate stream is one with no zlib or gzip header or trailer.
-   This routine would normally be used in a utility that reads zip or gzip
-   files and writes out uncompressed files.  The utility would decode the
-   header and process the trailer on its own, hence this routine expects
-   only the raw deflate stream to decompress.  This is different from the
-   normal behavior of inflate(), which expects either a zlib or gzip header and
-   trailer around the deflate stream.
-
-     inflateBack() uses two subroutines supplied by the caller that are then
-   called by inflateBack() for input and output.  inflateBack() calls those
-   routines until it reads a complete deflate stream and writes out all of the
-   uncompressed data, or until it encounters an error.  The function's
-   parameters and return types are defined above in the in_func and out_func
-   typedefs.  inflateBack() will call in(in_desc, &buf) which should return the
-   number of bytes of provided input, and a pointer to that input in buf.  If
-   there is no input available, in() must return zero--buf is ignored in that
-   case--and inflateBack() will return a buffer error.  inflateBack() will call
-   out(out_desc, buf, len) to write the uncompressed data buf[0..len-1].  out()
-   should return zero on success, or non-zero on failure.  If out() returns
-   non-zero, inflateBack() will return with an error.  Neither in() nor out()
-   are permitted to change the contents of the window provided to
-   inflateBackInit(), which is also the buffer that out() uses to write from.
-   The length written by out() will be at most the window size.  Any non-zero
-   amount of input may be provided by in().
-
-     For convenience, inflateBack() can be provided input on the first call by
-   setting strm->next_in and strm->avail_in.  If that input is exhausted, then
-   in() will be called.  Therefore strm->next_in must be initialized before
-   calling inflateBack().  If strm->next_in is Z_NULL, then in() will be called
-   immediately for input.  If strm->next_in is not Z_NULL, then strm->avail_in
-   must also be initialized, and then if strm->avail_in is not zero, input will
-   initially be taken from strm->next_in[0 .. strm->avail_in - 1].
-
-     The in_desc and out_desc parameters of inflateBack() is passed as the
-   first parameter of in() and out() respectively when they are called.  These
-   descriptors can be optionally used to pass any information that the caller-
-   supplied in() and out() functions need to do their job.
-
-     On return, inflateBack() will set strm->next_in and strm->avail_in to
-   pass back any unused input that was provided by the last in() call.  The
-   return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR
-   if in() or out() returned an error, Z_DATA_ERROR if there was a format
-   error in the deflate stream (in which case strm->msg is set to indicate the
-   nature of the error), or Z_STREAM_ERROR if the stream was not properly
-   initialized.  In the case of Z_BUF_ERROR, an input or output error can be
-   distinguished using strm->next_in which will be Z_NULL only if in() returned
-   an error.  If strm->next is not Z_NULL, then the Z_BUF_ERROR was due to
-   out() returning non-zero.  (in() will always be called before out(), so
-   strm->next_in is assured to be defined if out() returns non-zero.)  Note
-   that inflateBack() cannot return Z_OK.
-*/
-
-ZEXTERN int ZEXPORT inflateBackEnd OF((z_streamp strm));
-/*
-     All memory allocated by inflateBackInit() is freed.
-
-     inflateBackEnd() returns Z_OK on success, or Z_STREAM_ERROR if the stream
-   state was inconsistent.
-*/
-
-ZEXTERN uLong ZEXPORT zlibCompileFlags OF((void));
-/* Return flags indicating compile-time options.
-
-    Type sizes, two bits each, 00 = 16 bits, 01 = 32, 10 = 64, 11 = other:
-     1.0: size of uInt
-     3.2: size of uLong
-     5.4: size of voidpf (pointer)
-     7.6: size of z_off_t
-
-    Compiler, assembler, and debug options:
-     8: DEBUG
-     9: ASMV or ASMINF -- use ASM code
-     10: ZLIB_WINAPI -- exported functions use the WINAPI calling convention
-     11: 0 (reserved)
-
-    One-time table building (smaller code, but not thread-safe if true):
-     12: BUILDFIXED -- build static block decoding tables when needed
-     13: DYNAMIC_CRC_TABLE -- build CRC calculation tables when needed
-     14,15: 0 (reserved)
-
-    Library content (indicates missing functionality):
-     16: NO_GZCOMPRESS -- gz* functions cannot compress (to avoid linking
-                          deflate code when not needed)
-     17: NO_GZIP -- deflate can't write gzip streams, and inflate can't detect
-                    and decode gzip streams (to avoid linking crc code)
-     18-19: 0 (reserved)
-
-    Operation variations (changes in library functionality):
-     20: PKZIP_BUG_WORKAROUND -- slightly more permissive inflate
-     21: FASTEST -- deflate algorithm with only one, lowest compression level
-     22,23: 0 (reserved)
-
-    The sprintf variant used by gzprintf (zero is best):
-     24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format
-     25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure!
-     26: 0 = returns value, 1 = void -- 1 means inferred string length returned
-
-    Remainder:
-     27-31: 0 (reserved)
- */
-
-
-                        /* utility functions */
-
-/*
-     The following utility functions are implemented on top of the
-   basic stream-oriented functions. To simplify the interface, some
-   default options are assumed (compression level and memory usage,
-   standard memory allocation functions). The source code of these
-   utility functions can easily be modified if you need special options.
-*/
-
-ZEXTERN int ZEXPORT compress OF((Bytef *dest,   uLongf *destLen,
-                                 const Bytef *source, uLong sourceLen));
-/*
-     Compresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be at least the value returned
-   by compressBound(sourceLen). Upon exit, destLen is the actual size of the
-   compressed buffer.
-     This function can be used to compress a whole file at once if the
-   input file is mmap'ed.
-     compress returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_BUF_ERROR if there was not enough room in the output
-   buffer.
-*/
-
-ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
-                                  const Bytef *source, uLong sourceLen,
-                                  int level));
-/*
-     Compresses the source buffer into the destination buffer. The level
-   parameter has the same meaning as in deflateInit.  sourceLen is the byte
-   length of the source buffer. Upon entry, destLen is the total size of the
-   destination buffer, which must be at least the value returned by
-   compressBound(sourceLen). Upon exit, destLen is the actual size of the
-   compressed buffer.
-
-     compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_BUF_ERROR if there was not enough room in the output buffer,
-   Z_STREAM_ERROR if the level parameter is invalid.
-*/
-
-ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen));
-/*
-     compressBound() returns an upper bound on the compressed size after
-   compress() or compress2() on sourceLen bytes.  It would be used before
-   a compress() or compress2() call to allocate the destination buffer.
-*/
-
-ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
-                                   const Bytef *source, uLong sourceLen));
-/*
-     Decompresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be large enough to hold the
-   entire uncompressed data. (The size of the uncompressed data must have
-   been saved previously by the compressor and transmitted to the decompressor
-   by some mechanism outside the scope of this compression library.)
-   Upon exit, destLen is the actual size of the compressed buffer.
-     This function can be used to decompress a whole file at once if the
-   input file is mmap'ed.
-
-     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_BUF_ERROR if there was not enough room in the output
-   buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete.
-*/
-
-
-typedef voidp gzFile;
-
-ZEXTERN gzFile ZEXPORT gzopen  OF((const char *path, const char *mode));
-/*
-     Opens a gzip (.gz) file for reading or writing. The mode parameter
-   is as in fopen ("rb" or "wb") but can also include a compression level
-   ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for
-   Huffman only compression as in "wb1h", or 'R' for run-length encoding
-   as in "wb1R". (See the description of deflateInit2 for more information
-   about the strategy parameter.)
-
-     gzopen can be used to read a file which is not in gzip format; in this
-   case gzread will directly read from the file without decompression.
-
-     gzopen returns NULL if the file could not be opened or if there was
-   insufficient memory to allocate the (de)compression state; errno
-   can be checked to distinguish the two cases (if errno is zero, the
-   zlib error is Z_MEM_ERROR).  */
-
-ZEXTERN gzFile ZEXPORT gzdopen  OF((int fd, const char *mode));
-/*
-     gzdopen() associates a gzFile with the file descriptor fd.  File
-   descriptors are obtained from calls like open, dup, creat, pipe or
-   fileno (in the file has been previously opened with fopen).
-   The mode parameter is as in gzopen.
-     The next call of gzclose on the returned gzFile will also close the
-   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
-   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
-     gzdopen returns NULL if there was insufficient memory to allocate
-   the (de)compression state.
-*/
-
-ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy));
-/*
-     Dynamically update the compression level or strategy. See the description
-   of deflateInit2 for the meaning of these parameters.
-     gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not
-   opened for writing.
-*/
-
-ZEXTERN int ZEXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
-/*
-     Reads the given number of uncompressed bytes from the compressed file.
-   If the input file was not in gzip format, gzread copies the given number
-   of bytes into the buffer.
-     gzread returns the number of uncompressed bytes actually read (0 for
-   end of file, -1 for error). */
-
-ZEXTERN int ZEXPORT    gzwrite OF((gzFile file,
-                                   voidpc buf, unsigned len));
-/*
-     Writes the given number of uncompressed bytes into the compressed file.
-   gzwrite returns the number of uncompressed bytes actually written
-   (0 in case of error).
-*/
-
-ZEXTERN int ZEXPORTVA   gzprintf OF((gzFile file, const char *format, ...));
-/*
-     Converts, formats, and writes the args to the compressed file under
-   control of the format string, as in fprintf. gzprintf returns the number of
-   uncompressed bytes actually written (0 in case of error).  The number of
-   uncompressed bytes written is limited to 4095. The caller should assure that
-   this limit is not exceeded. If it is exceeded, then gzprintf() will return
-   return an error (0) with nothing written. In this case, there may also be a
-   buffer overflow with unpredictable consequences, which is possible only if
-   zlib was compiled with the insecure functions sprintf() or vsprintf()
-   because the secure snprintf() or vsnprintf() functions were not available.
-*/
-
-ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s));
-/*
-      Writes the given null-terminated string to the compressed file, excluding
-   the terminating null character.
-      gzputs returns the number of characters written, or -1 in case of error.
-*/
-
-ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len));
-/*
-      Reads bytes from the compressed file until len-1 characters are read, or
-   a newline character is read and transferred to buf, or an end-of-file
-   condition is encountered.  The string is then terminated with a null
-   character.
-      gzgets returns buf, or Z_NULL in case of error.
-*/
-
-ZEXTERN int ZEXPORT    gzputc OF((gzFile file, int c));
-/*
-      Writes c, converted to an unsigned char, into the compressed file.
-   gzputc returns the value that was written, or -1 in case of error.
-*/
-
-ZEXTERN int ZEXPORT    gzgetc OF((gzFile file));
-/*
-      Reads one byte from the compressed file. gzgetc returns this byte
-   or -1 in case of end of file or error.
-*/
-
-ZEXTERN int ZEXPORT    gzungetc OF((int c, gzFile file));
-/*
-      Push one character back onto the stream to be read again later.
-   Only one character of push-back is allowed.  gzungetc() returns the
-   character pushed, or -1 on failure.  gzungetc() will fail if a
-   character has been pushed but not read yet, or if c is -1. The pushed
-   character will be discarded if the stream is repositioned with gzseek()
-   or gzrewind().
-*/
-
-ZEXTERN int ZEXPORT    gzflush OF((gzFile file, int flush));
-/*
-     Flushes all pending output into the compressed file. The parameter
-   flush is as in the deflate() function. The return value is the zlib
-   error number (see function gzerror below). gzflush returns Z_OK if
-   the flush parameter is Z_FINISH and all output could be flushed.
-     gzflush should be called only when strictly necessary because it can
-   degrade compression.
-*/
-
-ZEXTERN z_off_t ZEXPORT    gzseek OF((gzFile file,
-                                      z_off_t offset, int whence));
-/*
-      Sets the starting position for the next gzread or gzwrite on the
-   given compressed file. The offset represents a number of bytes in the
-   uncompressed data stream. The whence parameter is defined as in lseek(2);
-   the value SEEK_END is not supported.
-     If the file is opened for reading, this function is emulated but can be
-   extremely slow. If the file is opened for writing, only forward seeks are
-   supported; gzseek then compresses a sequence of zeroes up to the new
-   starting position.
-
-      gzseek returns the resulting offset location as measured in bytes from
-   the beginning of the uncompressed stream, or -1 in case of error, in
-   particular if the file is opened for writing and the new starting position
-   would be before the current position.
-*/
-
-ZEXTERN int ZEXPORT    gzrewind OF((gzFile file));
-/*
-     Rewinds the given file. This function is supported only for reading.
-
-   gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
-*/
-
-ZEXTERN z_off_t ZEXPORT    gztell OF((gzFile file));
-/*
-     Returns the starting position for the next gzread or gzwrite on the
-   given compressed file. This position represents a number of bytes in the
-   uncompressed data stream.
-
-   gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
-*/
-
-ZEXTERN int ZEXPORT gzeof OF((gzFile file));
-/*
-     Returns 1 when EOF has previously been detected reading the given
-   input stream, otherwise zero.
-*/
-
-ZEXTERN int ZEXPORT gzdirect OF((gzFile file));
-/*
-     Returns 1 if file is being read directly without decompression, otherwise
-   zero.
-*/
-
-ZEXTERN int ZEXPORT    gzclose OF((gzFile file));
-/*
-     Flushes all pending output if necessary, closes the compressed file
-   and deallocates all the (de)compression state. The return value is the zlib
-   error number (see function gzerror below).
-*/
-
-ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum));
-/*
-     Returns the error message for the last error which occurred on the
-   given compressed file. errnum is set to zlib error number. If an
-   error occurred in the file system and not in the compression library,
-   errnum is set to Z_ERRNO and the application may consult errno
-   to get the exact error code.
-*/
-
-ZEXTERN void ZEXPORT gzclearerr OF((gzFile file));
-/*
-     Clears the error and end-of-file flags for file. This is analogous to the
-   clearerr() function in stdio. This is useful for continuing to read a gzip
-   file that is being written concurrently.
-*/
-
-                        /* checksum functions */
-
-/*
-     These functions are not related to compression but are exported
-   anyway because they might be useful in applications using the
-   compression library.
-*/
-
-ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
-/*
-     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
-   return the updated checksum. If buf is NULL, this function returns
-   the required initial value for the checksum.
-   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
-   much faster. Usage example:
-
-     uLong adler = adler32(0L, Z_NULL, 0);
-
-     while (read_buffer(buffer, length) != EOF) {
-       adler = adler32(adler, buffer, length);
-     }
-     if (adler != original_adler) error();
-*/
-
-ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2,
-                                          z_off_t len2));
-/*
-     Combine two Adler-32 checksums into one.  For two sequences of bytes, seq1
-   and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for
-   each, adler1 and adler2.  adler32_combine() returns the Adler-32 checksum of
-   seq1 and seq2 concatenated, requiring only adler1, adler2, and len2.
-*/
-
-ZEXTERN uLong ZEXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
-/*
-     Update a running CRC-32 with the bytes buf[0..len-1] and return the
-   updated CRC-32. If buf is NULL, this function returns the required initial
-   value for the for the crc. Pre- and post-conditioning (one's complement) is
-   performed within this function so it shouldn't be done by the application.
-   Usage example:
-
-     uLong crc = crc32(0L, Z_NULL, 0);
-
-     while (read_buffer(buffer, length) != EOF) {
-       crc = crc32(crc, buffer, length);
-     }
-     if (crc != original_crc) error();
-*/
-
-ZEXTERN uLong ZEXPORT crc32_combine OF((uLong crc1, uLong crc2, z_off_t len2));
-
-/*
-     Combine two CRC-32 check values into one.  For two sequences of bytes,
-   seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
-   calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
-   check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
-   len2.
-*/
-
-
-                        /* various hacks, don't look :) */
-
-/* deflateInit and inflateInit are macros to allow checking the zlib version
- * and the compiler's view of z_stream:
- */
-ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level,
-                                     const char *version, int stream_size));
-ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm,
-                                     const char *version, int stream_size));
-ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method,
-                                      int windowBits, int memLevel,
-                                      int strategy, const char *version,
-                                      int stream_size));
-ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int  windowBits,
-                                      const char *version, int stream_size));
-ZEXTERN int ZEXPORT inflateBackInit_ OF((z_streamp strm, int windowBits,
-                                         unsigned char FAR *window,
-                                         const char *version,
-                                         int stream_size));
-#define deflateInit(strm, level) \
-        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit(strm) \
-        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
-#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
-        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
-                      (strategy),           ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit2(strm, windowBits) \
-        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
-#define inflateBackInit(strm, windowBits, window) \
-        inflateBackInit_((strm), (windowBits), (window), \
-        ZLIB_VERSION, sizeof(z_stream))
-
-
-#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL)
-    struct internal_state {int dummy;}; /* hack for buggy compilers */
-#endif
-
-ZEXTERN const char   * ZEXPORT zError           OF((int));
-ZEXTERN int            ZEXPORT inflateSyncPoint OF((z_streamp z));
-ZEXTERN const uLongf * ZEXPORT get_crc_table    OF((void));
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ZLIB_H */
diff --git a/security/nss/cmd/zlib/zutil.c b/security/nss/cmd/zlib/zutil.c
deleted file mode 100644
index d55f5948a..000000000
--- a/security/nss/cmd/zlib/zutil.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* zutil.c -- target dependent utility functions for the compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id$ */
-
-#include "zutil.h"
-
-#ifndef NO_DUMMY_DECL
-struct internal_state      {int dummy;}; /* for buggy compilers */
-#endif
-
-const char * const z_errmsg[10] = {
-"need dictionary",     /* Z_NEED_DICT       2  */
-"stream end",          /* Z_STREAM_END      1  */
-"",                    /* Z_OK              0  */
-"file error",          /* Z_ERRNO         (-1) */
-"stream error",        /* Z_STREAM_ERROR  (-2) */
-"data error",          /* Z_DATA_ERROR    (-3) */
-"insufficient memory", /* Z_MEM_ERROR     (-4) */
-"buffer error",        /* Z_BUF_ERROR     (-5) */
-"incompatible version",/* Z_VERSION_ERROR (-6) */
-""};
-
-
-const char * ZEXPORT zlibVersion()
-{
-    return ZLIB_VERSION;
-}
-
-uLong ZEXPORT zlibCompileFlags()
-{
-    uLong flags;
-
-    flags = 0;
-    switch (sizeof(uInt)) {
-    case 2:     break;
-    case 4:     flags += 1;     break;
-    case 8:     flags += 2;     break;
-    default:    flags += 3;
-    }
-    switch (sizeof(uLong)) {
-    case 2:     break;
-    case 4:     flags += 1 << 2;        break;
-    case 8:     flags += 2 << 2;        break;
-    default:    flags += 3 << 2;
-    }
-    switch (sizeof(voidpf)) {
-    case 2:     break;
-    case 4:     flags += 1 << 4;        break;
-    case 8:     flags += 2 << 4;        break;
-    default:    flags += 3 << 4;
-    }
-    switch (sizeof(z_off_t)) {
-    case 2:     break;
-    case 4:     flags += 1 << 6;        break;
-    case 8:     flags += 2 << 6;        break;
-    default:    flags += 3 << 6;
-    }
-#ifdef DEBUG
-    flags += 1 << 8;
-#endif
-#if defined(ASMV) || defined(ASMINF)
-    flags += 1 << 9;
-#endif
-#ifdef ZLIB_WINAPI
-    flags += 1 << 10;
-#endif
-#ifdef BUILDFIXED
-    flags += 1 << 12;
-#endif
-#ifdef DYNAMIC_CRC_TABLE
-    flags += 1 << 13;
-#endif
-#ifdef NO_GZCOMPRESS
-    flags += 1L << 16;
-#endif
-#ifdef NO_GZIP
-    flags += 1L << 17;
-#endif
-#ifdef PKZIP_BUG_WORKAROUND
-    flags += 1L << 20;
-#endif
-#ifdef FASTEST
-    flags += 1L << 21;
-#endif
-#ifdef STDC
-#  ifdef NO_vsnprintf
-        flags += 1L << 25;
-#    ifdef HAS_vsprintf_void
-        flags += 1L << 26;
-#    endif
-#  else
-#    ifdef HAS_vsnprintf_void
-        flags += 1L << 26;
-#    endif
-#  endif
-#else
-        flags += 1L << 24;
-#  ifdef NO_snprintf
-        flags += 1L << 25;
-#    ifdef HAS_sprintf_void
-        flags += 1L << 26;
-#    endif
-#  else
-#    ifdef HAS_snprintf_void
-        flags += 1L << 26;
-#    endif
-#  endif
-#endif
-    return flags;
-}
-
-#ifdef DEBUG
-
-#  ifndef verbose
-#    define verbose 0
-#  endif
-int z_verbose = verbose;
-
-void z_error (m)
-    char *m;
-{
-    fprintf(stderr, "%s\n", m);
-    exit(1);
-}
-#endif
-
-/* exported to allow conversion of error code to string for compress() and
- * uncompress()
- */
-const char * ZEXPORT zError(err)
-    int err;
-{
-    return ERR_MSG(err);
-}
-
-#if defined(_WIN32_WCE)
-    /* The Microsoft C Run-Time Library for Windows CE doesn't have
-     * errno.  We define it as a global variable to simplify porting.
-     * Its value is always 0 and should not be used.
-     */
-    int errno = 0;
-#endif
-
-#ifndef HAVE_MEMCPY
-
-void zmemcpy(dest, source, len)
-    Bytef* dest;
-    const Bytef* source;
-    uInt  len;
-{
-    if (len == 0) return;
-    do {
-        *dest++ = *source++; /* ??? to be unrolled */
-    } while (--len != 0);
-}
-
-int zmemcmp(s1, s2, len)
-    const Bytef* s1;
-    const Bytef* s2;
-    uInt  len;
-{
-    uInt j;
-
-    for (j = 0; j < len; j++) {
-        if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1;
-    }
-    return 0;
-}
-
-void zmemzero(dest, len)
-    Bytef* dest;
-    uInt  len;
-{
-    if (len == 0) return;
-    do {
-        *dest++ = 0;  /* ??? to be unrolled */
-    } while (--len != 0);
-}
-#endif
-
-
-#ifdef SYS16BIT
-
-#ifdef __TURBOC__
-/* Turbo C in 16-bit mode */
-
-#  define MY_ZCALLOC
-
-/* Turbo C malloc() does not allow dynamic allocation of 64K bytes
- * and farmalloc(64K) returns a pointer with an offset of 8, so we
- * must fix the pointer. Warning: the pointer must be put back to its
- * original form in order to free it, use zcfree().
- */
-
-#define MAX_PTR 10
-/* 10*64K = 640K */
-
-local int next_ptr = 0;
-
-typedef struct ptr_table_s {
-    voidpf org_ptr;
-    voidpf new_ptr;
-} ptr_table;
-
-local ptr_table table[MAX_PTR];
-/* This table is used to remember the original form of pointers
- * to large buffers (64K). Such pointers are normalized with a zero offset.
- * Since MSDOS is not a preemptive multitasking OS, this table is not
- * protected from concurrent access. This hack doesn't work anyway on
- * a protected system like OS/2. Use Microsoft C instead.
- */
-
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
-{
-    voidpf buf = opaque; /* just to make some compilers happy */
-    ulg bsize = (ulg)items*size;
-
-    /* If we allocate less than 65520 bytes, we assume that farmalloc
-     * will return a usable pointer which doesn't have to be normalized.
-     */
-    if (bsize < 65520L) {
-        buf = farmalloc(bsize);
-        if (*(ush*)&buf != 0) return buf;
-    } else {
-        buf = farmalloc(bsize + 16L);
-    }
-    if (buf == NULL || next_ptr >= MAX_PTR) return NULL;
-    table[next_ptr].org_ptr = buf;
-
-    /* Normalize the pointer to seg:0 */
-    *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4;
-    *(ush*)&buf = 0;
-    table[next_ptr++].new_ptr = buf;
-    return buf;
-}
-
-void  zcfree (voidpf opaque, voidpf ptr)
-{
-    int n;
-    if (*(ush*)&ptr != 0) { /* object < 64K */
-        farfree(ptr);
-        return;
-    }
-    /* Find the original pointer */
-    for (n = 0; n < next_ptr; n++) {
-        if (ptr != table[n].new_ptr) continue;
-
-        farfree(table[n].org_ptr);
-        while (++n < next_ptr) {
-            table[n-1] = table[n];
-        }
-        next_ptr--;
-        return;
-    }
-    ptr = opaque; /* just to make some compilers happy */
-    Assert(0, "zcfree: ptr not found");
-}
-
-#endif /* __TURBOC__ */
-
-
-#ifdef M_I86
-/* Microsoft C in 16-bit mode */
-
-#  define MY_ZCALLOC
-
-#if (!defined(_MSC_VER) || (_MSC_VER <= 600))
-#  define _halloc  halloc
-#  define _hfree   hfree
-#endif
-
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
-{
-    if (opaque) opaque = 0; /* to make compiler happy */
-    return _halloc((long)items, size);
-}
-
-void  zcfree (voidpf opaque, voidpf ptr)
-{
-    if (opaque) opaque = 0; /* to make compiler happy */
-    _hfree(ptr);
-}
-
-#endif /* M_I86 */
-
-#endif /* SYS16BIT */
-
-
-#ifndef MY_ZCALLOC /* Any system without a special alloc function */
-
-#ifndef STDC
-extern voidp  malloc OF((uInt size));
-extern voidp  calloc OF((uInt items, uInt size));
-extern void   free   OF((voidpf ptr));
-#endif
-
-voidpf zcalloc (opaque, items, size)
-    voidpf opaque;
-    unsigned items;
-    unsigned size;
-{
-    if (opaque) items += size - size; /* make compiler happy */
-    return sizeof(uInt) > 2 ? (voidpf)malloc(items * size) :
-                              (voidpf)calloc(items, size);
-}
-
-void  zcfree (opaque, ptr)
-    voidpf opaque;
-    voidpf ptr;
-{
-    free(ptr);
-    if (opaque) return; /* make compiler happy */
-}
-
-#endif /* MY_ZCALLOC */
diff --git a/security/nss/cmd/zlib/zutil.h b/security/nss/cmd/zlib/zutil.h
deleted file mode 100644
index fe7a9a7c1..000000000
--- a/security/nss/cmd/zlib/zutil.h
+++ /dev/null
@@ -1,270 +0,0 @@
-/* zutil.h -- internal interface and configuration of the compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
-   part of the implementation of the compression library and is
-   subject to change. Applications should only use zlib.h.
- */
-
-/* @(#) $Id$ */
-
-#ifndef ZUTIL_H
-#define ZUTIL_H
-
-#define ZLIB_INTERNAL
-#include "zlib.h"
-
-#ifdef STDC
-#  ifndef _WIN32_WCE
-#    include <stddef.h>
-#  endif
-#  include <string.h>
-#  include <stdlib.h>
-#endif
-#ifdef NO_ERRNO_H
-#   ifdef _WIN32_WCE
-      /* The Microsoft C Run-Time Library for Windows CE doesn't have
-       * errno.  We define it as a global variable to simplify porting.
-       * Its value is always 0 and should not be used.  We rename it to
-       * avoid conflict with other libraries that use the same workaround.
-       */
-#     define errno z_errno
-#   endif
-    extern int errno;
-#else
-#  ifndef _WIN32_WCE
-#    include <errno.h>
-#  endif
-#endif
-
-#ifndef local
-#  define local static
-#endif
-/* compile with -Dlocal if your debugger can't find static symbols */
-
-typedef unsigned char  uch;
-typedef uch FAR uchf;
-typedef unsigned short ush;
-typedef ush FAR ushf;
-typedef unsigned long  ulg;
-
-extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
-/* (size given to avoid silly warnings with Visual C++) */
-
-#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]
-
-#define ERR_RETURN(strm,err) \
-  return (strm->msg = (char*)ERR_MSG(err), (err))
-/* To be used only when the state is known to be valid */
-
-        /* common constants */
-
-#ifndef DEF_WBITS
-#  define DEF_WBITS MAX_WBITS
-#endif
-/* default windowBits for decompression. MAX_WBITS is for compression only */
-
-#if MAX_MEM_LEVEL >= 8
-#  define DEF_MEM_LEVEL 8
-#else
-#  define DEF_MEM_LEVEL  MAX_MEM_LEVEL
-#endif
-/* default memLevel */
-
-#define STORED_BLOCK 0
-#define STATIC_TREES 1
-#define DYN_TREES    2
-/* The three kinds of block type */
-
-#define MIN_MATCH  3
-#define MAX_MATCH  258
-/* The minimum and maximum match lengths */
-
-#define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */
-
-        /* target dependencies */
-
-#if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32))
-#  define OS_CODE  0x00
-#  if defined(__TURBOC__) || defined(__BORLANDC__)
-#    if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
-       /* Allow compilation with ANSI keywords only enabled */
-       void _Cdecl farfree( void *block );
-       void *_Cdecl farmalloc( unsigned long nbytes );
-#    else
-#      include <alloc.h>
-#    endif
-#  else /* MSC or DJGPP */
-#    include <malloc.h>
-#  endif
-#endif
-
-#ifdef AMIGA
-#  define OS_CODE  0x01
-#endif
-
-#if defined(VAXC) || defined(VMS)
-#  define OS_CODE  0x02
-#  define F_OPEN(name, mode) \
-     fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
-#endif
-
-#if defined(ATARI) || defined(atarist)
-#  define OS_CODE  0x05
-#endif
-
-#ifdef OS2
-#  define OS_CODE  0x06
-#  ifdef M_I86
-     #include <malloc.h>
-#  endif
-#endif
-
-#if defined(MACOS) || defined(TARGET_OS_MAC)
-#  define OS_CODE  0x07
-#  if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
-#    include <unix.h> /* for fdopen */
-#  else
-#    ifndef fdopen
-#      define fdopen(fd,mode) NULL /* No fdopen() */
-#    endif
-#  endif
-#endif
-
-#ifdef TOPS20
-#  define OS_CODE  0x0a
-#endif
-
-#ifdef WIN32
-#  ifndef __CYGWIN__  /* Cygwin is Unix, not Win32 */
-#    define OS_CODE  0x0b
-#  endif
-#endif
-
-#ifdef __50SERIES /* Prime/PRIMOS */
-#  define OS_CODE  0x0f
-#endif
-
-#if defined(_BEOS_) || defined(RISCOS)
-#  define fdopen(fd,mode) NULL /* No fdopen() */
-#endif
-
-#if (defined(_MSC_VER) && (_MSC_VER > 600))
-#  if defined(_WIN32_WCE)
-#    define fdopen(fd,mode) NULL /* No fdopen() */
-#    ifndef _PTRDIFF_T_DEFINED
-       typedef int ptrdiff_t;
-#      define _PTRDIFF_T_DEFINED
-#    endif
-#  else
-#    define fdopen(fd,type)  _fdopen(fd,type)
-#  endif
-#endif
-
-        /* common defaults */
-
-#ifndef OS_CODE
-#  define OS_CODE  0x03  /* assume Unix */
-#endif
-
-#ifndef F_OPEN
-#  define F_OPEN(name, mode) fopen((name), (mode))
-#endif
-
-         /* functions */
-
-#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550) || \
-   (defined(_MSC_VER) && _MSC_VER >= 1500)
-#  ifndef HAVE_VSNPRINTF
-#    define HAVE_VSNPRINTF
-#  endif
-#endif
-#if defined(__CYGWIN__)
-#  ifndef HAVE_VSNPRINTF
-#    define HAVE_VSNPRINTF
-#  endif
-#endif
-#ifndef HAVE_VSNPRINTF
-#  ifdef MSDOS
-     /* vsnprintf may exist on some MS-DOS compilers (DJGPP?),
-        but for now we just assume it doesn't. */
-#    define NO_vsnprintf
-#  endif
-#  ifdef __TURBOC__
-#    define NO_vsnprintf
-#  endif
-#  ifdef WIN32
-     /* In Win32, vsnprintf is available as the "non-ANSI" _vsnprintf. */
-#    if !defined(vsnprintf) && !defined(NO_vsnprintf)
-#      define vsnprintf _vsnprintf
-#    endif
-#  endif
-#  ifdef __SASC
-#    define NO_vsnprintf
-#  endif
-#endif
-#ifdef VMS
-#  define NO_vsnprintf
-#endif
-
-#if defined(pyr)
-#  define NO_MEMCPY
-#endif
-#if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)
- /* Use our own functions for small and medium model with MSC <= 5.0.
-  * You may have to use the same strategy for Borland C (untested).
-  * The __SC__ check is for Symantec.
-  */
-#  define NO_MEMCPY
-#endif
-#if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)
-#  define HAVE_MEMCPY
-#endif
-#ifdef HAVE_MEMCPY
-#  ifdef SMALL_MEDIUM /* MSDOS small or medium model */
-#    define zmemcpy _fmemcpy
-#    define zmemcmp _fmemcmp
-#    define zmemzero(dest, len) _fmemset(dest, 0, len)
-#  else
-#    define zmemcpy memcpy
-#    define zmemcmp memcmp
-#    define zmemzero(dest, len) memset(dest, 0, len)
-#  endif
-#else
-   extern void zmemcpy  OF((Bytef* dest, const Bytef* source, uInt len));
-   extern int  zmemcmp  OF((const Bytef* s1, const Bytef* s2, uInt len));
-   extern void zmemzero OF((Bytef* dest, uInt len));
-#endif
-
-/* Diagnostic functions */
-#ifdef DEBUG
-#  include <stdio.h>
-   extern int z_verbose;
-   extern void z_error    OF((char *m));
-#  define Assert(cond,msg) {if(!(cond)) z_error(msg);}
-#  define Trace(x) {if (z_verbose>=0) fprintf x ;}
-#  define Tracev(x) {if (z_verbose>0) fprintf x ;}
-#  define Tracevv(x) {if (z_verbose>1) fprintf x ;}
-#  define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;}
-#  define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;}
-#else
-#  define Assert(cond,msg)
-#  define Trace(x)
-#  define Tracev(x)
-#  define Tracevv(x)
-#  define Tracec(c,x)
-#  define Tracecv(c,x)
-#endif
-
-
-voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size));
-void   zcfree  OF((voidpf opaque, voidpf ptr));
-
-#define ZALLOC(strm, items, size) \
-           (*((strm)->zalloc))((strm)->opaque, (items), (size))
-#define ZFREE(strm, addr)  (*((strm)->zfree))((strm)->opaque, (voidpf)(addr))
-#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}
-
-#endif /* ZUTIL_H */